Over a million developers have joined DZone.

Setting Up a Raspberry Pi 3 as an AWS VPN Customer Gateway

DZone's Guide to

Setting Up a Raspberry Pi 3 as an AWS VPN Customer Gateway

Time to turn your Raspberry Pi into an AWS VPN Customer Gateway! See how to set up a secure bridge to your remote AWS VPC subnets.

· IoT Zone ·
Free Resource

Learn how integrating security into DevOps to deliver "DevSecOps" requires changing mindsets, processes and technology.

In my previous article, I showed you how to use a VPN software solution like OpenVPN to create a secure tunnel to your AWS private resources. In this post, I will walk you through step by step to set up a secure bridge to your remote AWS VPC subnets from your home network with a Raspberry Pi as a Customer Gateway.

Image title

To get started, find your home router's public-facing IP address:

Image title

Next, sign into the AWS Management Console, navigate to the VPC dashboard and create a new VPN Customer Gateway:

Image title

Next, create a Virtual Private Gateway:

Image title

And attach it to the target VPC:

Image title

Then, create a VPN Connection with the Customer Gateway and the Virtual Private Gateway:

Image title

Note: Make sure to add your home CIDR subnet to the Static IP Prefixes section.

Once the VPN Connection is created, click on the “Tunnel Details” tab. You should see two tunnels for redundancy:

Image title

It may take a few minutes to create the VPN connection. When it’s ready, select the connection and choose "Download Configuration." Then, open the configuration file and write down your pre-shared-key and tunnel IP:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
   pre-shared-key irCAIDE1NFxyOiE4w49ijHfPMjTW9rL6

I used a Raspberry Pi 3 (Quad Core CPU 1.2 GHz, 1 GB RAM) with Raspbian, with SSH server enabled (default username & password: pi/raspberry). You can log in and start manipulating the Pi:

Image title

IPsec kernel support must be installed. Therefore, you must install openswan on your Pi:

sudo apt-get install -y openswan lsof

Update the /etc/ipsec.conf file as below:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Enable core dumps (might require system changes, like ulimit -C)
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # OE is now off by default. Uncomment and change to on, to enable.
        # which IPsec stack to use. auto will try netkey, then klips then mast

include /etc/ipsec.d/*.conf

Create a new IPsec Connection in /etc/ipsec.d/home-to-aws.conf :

conn home-to-aws

  • left: Your Raspberry Pi private IP.
  • leftid: Your home router public-facing IP.
  • leftsubnet: CIDR of your home subnet.
  • right: Virtual Private Gateway tunnel IP.
  • rightsubnet: CIDR of your VPC.

Add the tunnel pre-shared key to /var/lib/openswan/ipsec.secrets.inc:

89.95.X.Y : PSK "irCAIDE1NFxyOiE4w49ijHfPMjTW9rL6"

To enable the IPv4 forwarding, edit /etc/sysctl.conf, and ensure the following lines are uncommented:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

Run sysctl -p to reload it. Then, restart IPsec:

service ipsec restart

Verify if the service is running correctly:

Image title

If you go back to your AWS Dashboard, you should see the 1st tunnel status changed to UP:

Image title

Add a new route entry that forwards traffic to your home subnet through the VPN Gateway:

Image title

Note: Follow the same steps above to set up the 2nd tunnel for resiliency and high availability of VPN connectivity.

Launch an EC2 instance in the private subnet to verify the VPN connection:

Image title

Allow SSH only from your home gateway CIDR:

Image title

Connect via SSH using the instance private IP address:

Image title

Image title

Congratulations! You can now connect securely to your private EC2 instances.

To take it further and connect from other machines in the same home network, add a static route as described below.


route add MASK

Image title


sudo up route add -net netmask gw

Mac OS X:

sudo route -n add

Test it out:

Image title

Learn how enterprises are using tools to automate security in their DevOps toolchain with these DevSecOps Reference Architectures.

iot ,raspberry pi 3 ,aws ,customer gateway ,tutorial

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}