What VPN do you use to connect to AWS?

I want to set up a VPN to further protect our infra from the public, but I wanted a VPN that can connect to multiple regions instead of 1 VPN server for each region.

Will strongSwan work for this?

For client VPN we use OpenVPN (only 1 VPC / 1 region); for site-to-site we have multiple tunnels configured from our office router to separate VPCs in separate regions.

Look into Transit Gateway… you may be able to tunnel into a Transit Gateway and then get routed to the appropriate destination VPC.

Never heard of strongSwan. But I think WireGuard should work for this since you can have multiple peers connected at the same time.

Just make sure the CIDR ranges don't overlap between regions. And then tweak the allowed IPs accordingly.
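An added example (not from the commenter above) of the multi-peer WireGuard layout that comment describes: a client `wg0.conf` with one `[Peer]` per region, where each peer's `AllowedIPs` is exactly that region's VPC CIDR, and a check that the region CIDRs do not overlap before the config is rendered. Region names, CIDRs, endpoints and keys are constructed placeholders; the region records and function names are this example's own.

```python
"""Render a client WireGuard config with one peer per AWS region.

WireGuard's AllowedIPs is both the route table and the ingress filter
(cryptokey routing), so every region's VPC CIDR must map to exactly one
peer; overlapping CIDRs would make that mapping ambiguous.
"""
import ipaddress

# Constructed sample: one WireGuard endpoint (e.g. an EC2 instance) per region.
# Keys are placeholders; real ones come from `wg genkey` / `wg pubkey`.
REGIONS = [
    {"name": "us-east-1", "vpc_cidr": "10.10.0.0/16", "tunnel_ip": "10.255.0.1",
     "endpoint": "wg-use1.example.invalid:51820", "pubkey": "<us-east-1 pubkey>"},
    {"name": "eu-west-1", "vpc_cidr": "10.20.0.0/16", "tunnel_ip": "10.255.0.2",
     "endpoint": "wg-euw1.example.invalid:51820", "pubkey": "<eu-west-1 pubkey>"},
]


def overlapping_regions(regions):
    """Return (name, name) pairs whose VPC CIDRs overlap; an empty list is the goal."""
    nets = [(r["name"], ipaddress.ip_network(r["vpc_cidr"])) for r in regions]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def build_client_config(regions, client_tunnel_ip="10.255.0.100/24",
                        client_private_key="<client private key>"):
    """Render wg0.conf text; refuse to render if any two regions' CIDRs overlap."""
    clashes = overlapping_regions(regions)
    if clashes:
        raise ValueError(f"overlapping VPC CIDRs between regions: {clashes}")
    lines = ["[Interface]", f"Address = {client_tunnel_ip}",
             f"PrivateKey = {client_private_key}", ""]
    for r in regions:
        # AllowedIPs limits this peer to its own VPC range plus its tunnel address,
        # so traffic for each region is sent to (and accepted from) only that peer.
        lines += ["[Peer]", f"# {r['name']}", f"PublicKey = {r['pubkey']}",
                  f"Endpoint = {r['endpoint']}",
                  f"AllowedIPs = {r['vpc_cidr']}, {r['tunnel_ip']}/32",
                  "PersistentKeepalive = 25", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_client_config(REGIONS))
```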

I use AWS Client VPN. It works well, but it’s pretty expensive.

strongSwan will work, but it's extremely complicated compared to the above-named WireGuard…

You should take a look at Teleport or HashiCorp Boundary. VPNs are old school.

You could do some cool tunneling through SSM if you just need access to specific machines, rather than a bigger stable tunnel. This doc has RDP, but you could do any port. https://awscloudsecvirtualevent.com/workshops/module1/rdp/

And this, for those who like videos better. https://www.youtube.com/watch?v=AVpM4r2OzQY

Another option is to create a single Transit Gateway. It allows multiple S2S IPsec VPNs from multiple on-prem offices to connect to it. TG will also allow complete access to all VPC regions at once, and if routes are added it will do the mesh network peering at once. So much better than peering VPCs.

Often created in its own VPC with attachments to all regions and VPCs at once.
TG replaces the Virtual Private Gateway, and many on-prem sites could connect to that single TG. It even supports multiple IPsecs with load balancing for increased throughput.

For a single box/user to AWS, again TG simplifies the task by reducing the peering VPCs, and if you have more than two peerings/IPsecs it's the most cost efficient.

For single boxes there is also Tailscale (based on the WireGuard protocol) with a mesh global network (with flexible restrictions if needed).

What about Direct Connect instead?

FYI strongSwan is the primary IPsec implementation used by Linux/xBSD systems. I've used it successfully many times to connect to AWS VPC IPsec peers.

I agree, especially if you leave your VPN on 24/7.

Oh… new thing… thanks!! Will check it out.

There’s a non-configurable 1 hour server-side activity timeout, which helps. Hopefully they make that configurable someday. I’ve added a client-side 10 minute timeout which I hit regularly even with AmazonProvidedDNS as the DNS server.