AWS Site-to-Site VPN with Ubiquiti Gateway

dv

2 min read

Ubiquiti is a bit of a red-hair step child when it comes to VPN support for AWS. We'll walk through setting up a single-tunnel VPN. AWS does periodic VPN maintenance, so you may occasionally lose connectivity for a couple minutes without the redundancy.

Start off by configuring the VPN on the AWS side.

Configure AWS VPN

Prerequisites

  • Fetching your IP address...

  • Your internal network (e.g. 192.168.0.0/16)

Create Customer Gateway

Create a new customer gateway in the VPC console. The IP Address should be the public IP address of your Ubiquiti Gateway. If you are currently behind your gateway, your public IP should be above.

aws ec2 create-customer-gateway --public-ip {PublicIP} --type ipsec.1

Create Virtual Private Gateway

Create a new Virtual Private Gateway (VPG). Using the Amazon default ASN is fine. Attach the newly created VPG to the VPC you want to create a site-to-site VPN with.

Create AWS VPN Connection

Create a new AWS VPN Connection with the following settings:

  • Name -> {Anything}
  • Target Gateway Type -> Virtual Private Gateway
  • Virtual Private Gateway -> {VPG created in previous step}
  • Customer Gateway -> Existing
  • Customer Gateway ID -> {Customer Gateway created in previous step}
  • Routing Options -> Static
  • Static IP Prefixes -> {Your internal Network you want AWS to route to}
  • Tunnel 1 options -> Default
  • Tunnel 2 options -> Default

Once the AWS VPN is created, download the configuration. Select "Generic" for vendor and platform.

Configure Ubiquiti VPN

This configuration assumes that your USG is your edge device, and has a Public, routable, IP Address assigned from your ISP.

AWS VPN Configuration File

The AWS VPN Configuration file your downloaded contains instructions for two tunnels. We'll only focus on using the configuration for one tunnel. I'll try to delineate where in the generic config to find this data.

Configure VPN

  1. Log in to your Unifi Portal
  2. Navigate to Settings -> VPN -> Site-to-Site VPN
  3. Create a new VPN, using the following settings:
    1. Type -> IPsec
    2. Name -> {Anything}
    3. Pre-Shared Key -> {Config -> Internet Key Exchange Configuration -> Pre-Shared Key}
    4. Local IP -> Select the Active WAN interface.
    5. VPN Type -> Route Based
    6. Tunnel IP -> {Config -> Tunnel Interface Configuration -> Inside IP Addresses -> Virtual Private Gateway}
    7. Remote IP/Host -> {Config -> Tunnel Interface Configuration -> Outside IP Addresses -> Virtual Private Gateway}
    8. Remote Networks -> {VPC Subnet CIDR}
    9. Key Exchange Version -> IKEv2
      1. IKE -> {Match Config -> IPSec Configuration}
      2. ESP -> {Match Config -> IPSec Configuration}
    10. Local Authentication ID -> Auto
    11. Remote Authentication ID -> Auto
    12. MTU -> Auto

Create Static Route

  1. Navigate to Settings -> Routing -> Static Routes
  2. Create a new Static Route with the following settings:
    1. Name -> {Anything}
    2. Distance -> 1
    3. Destination Network -> {VPC Subnet CIDR}
    4. Type -> Next Hop
    5. Value -> {Config -> Static Routing Configuration -> Static Route Configuration Options -> Next Hop}