How to set up a Site-to-Site VPN connection

Please note that this post, first published over a year ago, may now be out of date.

What is a VPN?

A Virtual Private Network (VPN) allows to route network traffic over a public network (typically the Internet) in a private and secure way. In fact, a VPN uses a private tunnel connection enabling traffic flow between your local network and another network.

There are three main use cases for using a VPN:

  • Corporate environment: a VPN is used to access a corporate network from a branch office, at a lower cost than a dedicated line.
  • Privacy and anonymity: a VPN lets you mask your current IP address and location, using encryption to keep the connection confidential.
  • Connecting data centres: a VPN is used to connect two different data centres or cloud regions.

In this tutorial we are going to focus on the first use case. In particular, I’m going to explain how to set up a VPN connection between a local network and resources deployed in a VPC within the AWS network. In AWS jargon this is referred to as an AWS Site-to-Site VPN. The diagram below shows what we are going to build.

Local site
Local site
AWS account
AWS account
(Linux PC)
Viewer does not support full SVG 1.1

A typical scenario for this setup is a CI/CD build runner executing in a local network with a requirement to encrypt traffic between the office network and the AWS cloud.

The components involved in a Site-to-Site VPN connection to an AWS VPC are:

  • A Customer Gateway (CGW) on the local network
  • A Virtual Private Gateway (VGW) on the AWS network
  • A VPN tunnel to connect CGW and VGW

I’m going to guide you through a step-by-step procedure where we will:

  • Create a Customer Gateway
  • Create a Virtual Private Gateway
  • Create a VPN tunnel
  • Test the network configuration

Note that this tutorial uses a computer running Linux as the customer gateway.

Create a Customer Gateway

Access to the internet in an office network is typically provided through a business contract with an Internet Service Provider (ISP). The ISP allocates one or more public IP addresses to your office network and you need to grab the public IPv4 address to follow this tutorial. You can find out your current public IPv4 address via online services like whatismyip or via the command line with curl

Note that you can practice this tutorial even if you are connecting from home. However, bear in mind that in general ISPs dynamically allocate IP addresses to consumer contracts. This means that your home router gets an IP address which can change over time (restart your router and you will usually be allocated a different IP address). Some ISPs offer a static IP address allowing to have a dedicated and stable IP address for your home network, although this usually comes with an extra fee. For the sake of this tutorial, I just assume you have a public IP address but be aware of this caveat in case you practice this at home and your VPN connection doesn’t work the following day.

Armed with your public IP address head to the AWS console and navigate to VPCVirtual Private Network (VPN)Customer Gateways and click on Create Customer Gateway.

Set a name for your customer gateway, choose Static under Routing, paste your IP under IP address (here I’m using, and click on Create Customer Gateway.

This screenshot shows an example of my settings:

Create Customer Gateway

Create a Virtual Private Gateway

The next step is to create a virtual private gateway. Navigate to VPCVirtual Private Network (VPN)Virtual Private Gateways, click on Create Virtual Private Gateway, give it a name tag and under ASN select Amazon default ASN. Finally, click on Create Virtual Private Gateway.

Create Virtual Private Gateway

Initially the virtual private gateway has a detached status and we need to attach it to a VPC. Select the newly created virtual private gateway, click the Actions button and select Attach to VPC. Finally, click on Yes, Attach and wait until the status changes to attached.

Attach VPG to VPC

Create a VPN

We now need to create a VPN tunnel linking the customer gateway with the virtual private gateway. Navigate to VPCVirtual Private Network (VPN)Site-to-Site VPN Connections and click on Create a VPN connection. Give it a name tag, choose Virtual Private Gateway under Target Gateway Type, and under Virtual Private Gateway select from the drop-down menu the virtual private gateway we created in the previous step.

In the customer gateway settings under Customer Gateway select Existing and under Customer Gateway ID select from the drop-down menu the customer gateway we created in the first step. On the Routing Options select Static and under Static IP Prefixes select the IP address of your local network (in my case Note that this is the same IP address we used in the first step. We keep the default tunnel options, so that two separate VPN tunnels are automatically created for redundancy.

This screenshot shows an example of my settings:

Create VPN Connection

Finally, click on Create VPN Connection and wait several minutes until the VPN connection is created and displays the state as available.

VPN Connection Available

If you click on the tab Tunnel Details, you notice that the VPN connection is using two tunnels but their status is currently down. We are going to bring them up by connecting our local network with AWS. To do that click on the button Download Configuration and select Generic under Vendor which automatically populates the other options. Finally, click on Download.

Download Configuration

Keep this file at hand as we will need it later. Also, take care to keep its contents confidential.

Test the Network Configuration

Install libreswan

We are now going to set up the local network side of the VPN tunnel using libreswan. This is an open source tool that implements IPSec, a secure network protocol used in VPNs. You can install libreswan on Linux systems with:

# on rpm based systems (RedHat, CentOS, AmazonLinux, etc.)
sudo yum install libreswan
# on Debian based systems (Ubuntu, Debian, etc.)
sudo apt install libreswan

If you are on MacOS or Windows have a look at StrongSwan although the configuration steps below may be different.

A default installation of libreswan comes with two configuration files under /etc/ipsec.conf and /etc/ipsec.secrets. If you inspect these files you can notice they import any custom configuration and secret included with the directory /etc/ipsec.d. We’re now going to add a custom configuration in this directory but first we need to grab some data to create these files.

IPSec Configuration

The first piece of data is the CIDR subnet of the local network and we call this the leftsubnet. First, find the local router’s internal IP address as follows:

$ ip r | grep default
default via dev enx00133ba9ee0d proto dhcp metric 100

So if your router’s internal IP address is, you can set the leftsubnet value to in order to pick up a large number of IP addresses within your local network. Take note of this as we will use it in the next steps.

The second piece of data is the IP address of the VPN tunnel; we are going to call this value right. Go back to the AWS console, navigate to VPCVirtual Private Network (VPN)Site-to-Site VPN Connections, and select the VPN connection created in the previous steps.

Click on the tab Tunnel Details as shown below:

Tunnel Details

I’m going to pick up the first tunnel which has an outside IP address of and this is the value of right.

The third piece of data is the CIDR subnet of the VPC where we created the virtual private gateway and we call this the rightsubnet. Go back to the AWS console, navigate to VPCVirtual Private Network (VPN)Virtual Private Gateways and select the virtual private gateway created in the previous steps. Under the field VPC you can see in which VPC the virtual private gateway has been created. Click on the VPC ID and you can see the VPC settings, including the IPv4 CIDR:


This is the CIDR subnet of the VPC (in my case and this is the value for rightsubnet.

So to recap we have:


Armed with these values, we can create a new custom configuration file /etc/ipsec.d/myconnection.conf. You can use your preferred editor to create this file but make sure to edit it as root or with a tool like sudoedit as this directory is owned by root and you won’t be able to add a file in there without superuser permissions. This is how my /etc/ipsec.d/myconnection.conf looks like:

conn myconnection

Save the file and let’s move to the creation of the secret.

IPSec Secrets Configuration

For creating the secret for our connection we need one piece of data from the VPN configuration. You remember we downloaded this configuration when we created the VPN connection in AWS. The beginning of that downloaded file should look similar to this (I omitted the comments):

Amazon Web Services
Virtual Private Cloud

VPN Connection Configuration
IPSec Tunnel #1
  - IKE version              : IKEv1 
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : sJGhGU3KxyzbpZXb7JTn5.jUU4t6iyEl
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 2

Open your VPN configuration file and look under IPSec Tunnel #1 for the value of Pre-Shared Key. In my case it is sJGhGU3KxyzbpZXb7JTn5.jUU4t6iyEl. Note also the IKE version (IKEv1) and this is the reason why we had to set ikev2=no in myconnection.conf. Recent versions of libreswan use IKEv2 by default so make sure you check this value.

Armed with your pre-shared key and with the right value containing the IP address of your first VPN tunnel (look back to myconnection.conf if you forgot it) we can now create /etc/ipsec.d/myconnection.secrets. As usual, create it with sudo and add the following line where is the value of right and sJGhGU3KxyzbpZXb7JTn5.jUU4t6iyEl is the value of the pre-shared key. %any: PSK "sJGhGU3KxyzbpZXb7JTn5.jUU4t6iyEl"

For my case, I didn’t need to make any changes to packet filtering rules. However, if you have a firewall or other configuration, you’ll need to make sure it allows both the IKE datagrams and the IPSec-protected data. The way you set this up depends a lot on the equipment and / or software you’re using, so I won’t cover it further here.

Establishing the VPN Connection

We can now test our connection. First, make sure to verify the syntax of your connection files and other networking settings in libreswan by running:

$ sudo ipsec verify
Version check and ipsec on-path                         [OK]
Libreswan 3.29 (netkey) on 5.4.0-48-generic
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

If you get an error related to pluto not running, make sure you start libreswan with:

sudo systemctl start ipsec

If you get errors related to send_redirects and accept_redirects being disabled you can easily fix them by enabling the redirects with:

echo 0 | sudo tee /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 | sudo tee /proc/sys/net/ipv4/conf/default/accept_redirects

Once the verify command returns all good, you can add your custom connection and restart libreswan:

sudo ipsec auto --add myconnection
sudo systemctl restart ipsec

You can check the status of your connection with:

sudo ipsec status

This should return an output ending with something similar to this (I omitted a few lines):

000 Connection list:
000 "myconnection":<>===; erouted; eroute owner: #2
000 "myconnection":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "myconnection":   IKEv1 algorithm newest: AES_CBC_128-HMAC_SHA1-MODP2048
000 "myconnection":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=<Phase1>
000 Total IPsec connections: loaded 1, active 1
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000 #1: "myconnection":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 454s; newest ISAKMP; lastdpd=3s(seq in:0 out:0); idle;
000 #2: "myconnection":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25895s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "myconnection" esp.cd325459@ esp.a755d864@ tun.0@ tun.0@ ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B 

Next to Total IPsec connections you should get loaded 1, active 1 which shows that the connection has been established. If you don’t get an active connection, the last lines of the output tell you what has gone wrong so you can debug it, modify your configuration, and restart libreswan.

You can verify that the VPN tunnel is up by heading to the AWS console under VPCVirtual Private Network (VPN)Site-to-Site VPN Connections, selecting your VPN connection and checking the tab Tunnel Details:


Note that this is not immediate and you may need to wait up to a minute to see the status of the tunnel switching to up after a successful connection.

Test the Connection

We are now going to test the connection by pinging from our local network the private IP address of an EC2 instance deployed in the AWS network. But first we need to add some configuration in the VPN routing table so that the traffic can flow between our local network and the AWS network.

Head to VPCVirtual Private Network (VPN)Site-to-Site VPN Connections, select your VPN connection and click on the tab Static Routes. Click on the Edit button, add a rule by adding the CIDR under IP Prefix, and click on Save. This allows your local network CIDR subnet.


Afterwards go to VPCYour VPCs and select the VPC where your private gateway is located. Scroll on the right to find the main route table and click on its id. This lands you in the settings for Route Table. Go to tab Routes and click on Edit routes. Add a new route with Add route, put your local network CIDR subnet under Destination (, select Virtual Private Gateway under Target and choose the virtual private gateway set up in the previous steps.

Click on Save Routes and you should end up with something similar to this:


We can now start an EC2 instance in the VPC where we deployed the VPN connection and ping it from our local network to see if it’s reachable. When you start the EC2 instance make sure to add an inbound rule to the security group allowing the protocol ICMP from your local network CIDR subnet (in my case This allows to use the ping command to reach the EC2 instance.


Now grab the private IP address of the EC2 instance running in the VPC (here I use and ping it from your local network with:

$ ping       
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=254 time=95.8 ms
64 bytes from icmp_seq=2 ttl=254 time=96.1 ms
64 bytes from icmp_seq=3 ttl=254 time=95.5 ms

And voilà! You can now reach the AWS network from your local network via a VPN.

Wrap up

I hope you managed to get to the end of this tutorial and set up your VPN connection correctly. For production deployments, we’d always recommend that you configure the second VPN tunnel for redundancy purposes and that you use infrastructure as code for setting up VPN connections. If you want to dig deeper and discover the different networking options you can use in a VPN, read the AWS documentation on Site-to-Site VPN.

If you’re interested in another approach to connect your network with the AWS network check out the AWS Transit Gateway or look at solutions like OpenVPN and WireGuard.

Designing effective systems security for your SaaS business can feel like a distraction from delivering customer value. Book a security review today.

This blog is written exclusively by The Scale Factory team. We do not accept external contributions.

Free Healthcheck

Get an expert review of your AWS platform, focused on your business priorities.

Book Now

Discover how we can help you.

Consulting packages

Advice, engineering, and training, solving common SaaS problems at a fixed price.

Learn more >

Growth solutions

Complete AWS solutions, tailored to the unique needs of your SaaS business.

Learn more >

Support services

An ongoing relationship, providing access to our AWS expertise at any time.

Learn more >