AWS Site-to-Site VPN using MikroTik RouterOS

There are two ways of approaching this challenge: (#1) running a MikroTik virtual appliance (CHR) in AWS, or (#2) using a Virtual Private Gateway, the “cloud-native” networking solution provided by AWS. Each solution has its own benefits.

Let’s get my hands dirty with a deep dive into networking. My ultimate favorite upcoming exam is AWS Certified Advanced Networking – Specialty Certification | AWS Certification | AWS (amazon.com), can’t wait to get there…

Cost: 300 USD / Format: 65 questions, either multiple choice or multiple responses

On-premises physical MikroTik hardware (or virtualized CHR) running RouterOS

This is what I have at home and use to connect to multiple clouds. It worked very nicely with Azure; now I am connecting it with AWS. I will find the way to GCP as well.

Amazon.com: MikroTik hAP ac2 RBD52G-5HacD2HnD-TC Dual-Concurrent 2.4/5GHz Access Point, 802.11a/b/g/n/ac, 5 x Gigabit Ethernet ports International Version : Electronics

Cost: 89.98 USD / Format: 1 router, MikroTik hAP ac2

Actually, you can buy three (3) pieces of this lovely router for the price of the AWS Advanced Networking exam 🙂

This is a customer gateway device that supports IPsec-based VPN tunnels. It works very nicely with public clouds and is widely used in home/lab environments for testing purposes.

MikroTik can handle production workloads too; they offer enterprise-scale devices as well. An example is below: Amazon.com: Mikrotik CCR1036-8G-2S+ 36 core CPU, Cloud Core Router, 8x Gigabit ports, 2x SFP+ ports, Color touchscreen LCD, 4GB. : Electronics

Cost: 1,026 USD / Format: Mikrotik CCR1036-8G-2S+ 36 core CPU, Cloud Core Router, 8x Gigabit ports, 2x SFP+ ports, Color touchscreen LCD, 4GB

If you fail the Networking Speciality exam two (2) times, you are nearly here with investments 🙂

(#1) MikroTik Cloud Hosted Router (CHR) on AWS t2.micro (Free Tier) instance

If you go in this direction, you are going to deploy a tiny t2.micro instance (this is an AWS Free Tier item, 750 hours/month of free usage) to run MikroTik RouterOS.

This virtual appliance (instance) will work just like your on-premises MikroTik: same OS, same commands. When you configure a site-to-site VPN between the CHR and your on-premises router, you use the same method as when connecting two on-premises datacenters, with IPsec or one of the other RouterOS tunnel types. Learn more here: Manual:Interface/SSTP – MikroTik Wiki

MikroTik naturally favors this approach, since you need to purchase another CHR license and bring it to the cloud. The MikroTik CHR BYOL license is fairly priced: 45 USD (one-time payment) for the p1 tier, which is capped at 1 Gbit/s. Learn more about MikroTik licensing here Manual:CHR – MikroTik Wiki

In order to deploy this solution, visit AWS Marketplace: Cloud Hosted Router (amazon.com)

AWS marketplace has Mikrotik CHR in the shop.
Free Tier is nice. However, it is more realistic to calculate t2.micro prices for your lab: you need at least one more instance, a target VM, to test the connection.
Source: Manual:CHR – MikroTik Wiki

Use AWS Pricing Calculator select EC2 and find out t2.micro cost.

The default 30 GB Linux root disk is overkill for MikroTik; I tried with a 1 GB EBS volume (VM disk), and the estimated price is 5.36 USD/mo (as of today). Quite good.

MikroTik appliance instance for ~5 USD/mo versus the managed VPN gateway for ~30 USD/mo (an AWS Site-to-Site VPN connection is billed per hour for as long as it exists, whether or not the tunnels are up).

(#2) Using Virtual Private Gateway – this is a “cloud-native” networking solution provided by AWS

If you go in this direction, you are going to use an AWS-managed service (the Virtual Private Gateway) to terminate the VPN tunnel on the AWS side, with your local MikroTik box acting as the customer gateway.

The clear benefit is that you do not need to manage a MikroTik on AWS, and the AWS Virtual Private Gateway is supported by many other appliances, including cross-cloud configurations to Azure or GCP.

When it comes to the configuration steps, I am building on others to get my LAB connected.

It is a great idea to have reusable RouterOS scripts to get the configuration done, but unfortunately someone needs to maintain the scripts and provide community support, and that’s always hard (for free).

AWS Site-to-Site VPN – User Guide (amazon.com)

What is AWS Site-to-Site VPN? – AWS Site-to-Site VPN (amazon.com)

AWS Site-to-Site VPN with MikroTik (RouterOS) | by Danny Rehelis | Medium (November 2020: I will try this)

GitHub – smartupio/aws-vpn-mikrotik: Shell script to transform a Generic AWS VPN configuration guide to MikroTik specific set up commands that can be copy pasted into a mikrotik console to set up the customer end of the connection. (July 2017: not sure if it still works)

Amazon AWS VPN — A Working Configuration Example and Bug – MikroTik (August 2014: what bug, hopefully not the case anymore)
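The script below is an added example, not code from this post or from any of the linked projects. It takes the "generic configuration to RouterOS commands" idea from the smartupio script and redoes it in Python against the layout of the AWS "Generic" configuration download: it pulls out, per tunnel, the pre-shared key and the outside/inside address pairs, then emits the RouterOS 6.44+ objects (IKE profile, ESP proposal, peer, identity, policy) plus the two firewall pieces that usually bite on a MikroTik: input rules restricted to the AWS endpoints, and a srcnat accept rule so VPC-bound traffic is not masqueraded before the policy sees it. The embedded sample is constructed (RFC 5737/3927 addresses, placeholder keys); the LAN and VPC CIDRs, the object names aws-ike, aws-esp and aws-tN, and the choice of IKEv2 with AES-256/SHA-256/DH group 14 are my assumptions. That hardened set is within what AWS accepts on default tunnel options, while the download itself proposes AES-128/SHA-1/DH group 2; pass hardened=False to emit those instead.

```python
# Added example: AWS "Generic" VPN download -> RouterOS 6.44+ commands.
# Sample input is constructed; names, CIDRs and algorithm choices are assumptions.
import ipaddress
import re
from dataclasses import dataclass

# Layout of the AWS generic download (RFC 5737/3927 addresses, placeholder keys).
SAMPLE_AWS_CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Pre-Shared Key            : EXAMPLEpsk1.not.a.real.key
Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.20
Inside IP Addresses
  - Customer Gateway        : 169.254.44.6/30
  - Virtual Private Gateway : 169.254.44.5/30
IPSec Tunnel #2
#1: Internet Key Exchange Configuration
  - Pre-Shared Key            : EXAMPLEpsk2.not.a.real.key
Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.21
Inside IP Addresses
  - Customer Gateway        : 169.254.45.6/30
  - Virtual Private Gateway : 169.254.45.5/30
"""


@dataclass
class Tunnel:
    number: int
    psk: str
    cgw_outside: str  # our public address as AWS sees it
    vgw_outside: str  # AWS endpoint we peer with
    cgw_inside: str   # 169.254.x.x/30 link addresses (only needed for BGP)
    vgw_inside: str


_PAIR = r"-\s*Customer Gateway\s*:\s*(\S+)\s*-\s*Virtual Private Gateway\s*:\s*(\S+)"


def parse_generic_config(text: str) -> list:
    """Per tunnel: pre-shared key plus outside and inside address pairs."""
    tunnels = []
    # split on the tunnel headers; the capture group keeps the tunnel numbers
    parts = re.split(r"^IPSec Tunnel #(\d+)\s*$", text, flags=re.M)
    for number, body in zip(parts[1::2], parts[2::2]):
        psk = re.search(r"Pre-Shared Key\s*:\s*(\S+)", body).group(1)
        outside = re.search(r"Outside IP Addresses:?\s*" + _PAIR, body).groups()
        inside = re.search(r"Inside IP Addresses:?\s*" + _PAIR, body).groups()
        for addr in outside:  # fail early on a garbled download
            ipaddress.ip_address(addr)
        tunnels.append(Tunnel(int(number), psk, *outside, *inside))
    return tunnels


# The download proposes LEGACY; AWS default tunnel options also accept HARDENED.
# RouterOS names: DH group 2 = modp1024, DH group 14 = modp2048.
LEGACY = dict(p1_enc="aes-128", p1_hash="sha1", dh="modp1024",
              p2_enc="aes-128-cbc", p2_auth="sha1")
HARDENED = dict(p1_enc="aes-256", p1_hash="sha256", dh="modp2048",
                p2_enc="aes-256-cbc", p2_auth="sha256")


def render_routeros(tunnels, lan_cidr, vpc_cidr, hardened=True) -> str:
    a = HARDENED if hardened else LEGACY
    lines = [
        f"/ip ipsec profile add name=aws-ike enc-algorithm={a['p1_enc']} "
        f"hash-algorithm={a['p1_hash']} dh-group={a['dh']} lifetime=8h "
        "nat-traversal=yes dpd-interval=10s dpd-maximum-failures=3",
        f"/ip ipsec proposal add name=aws-esp enc-algorithms={a['p2_enc']} "
        f"auth-algorithms={a['p2_auth']} pfs-group={a['dh']} lifetime=1h",
        # must sit above the masquerade rule, or VPC-bound traffic is NATed away
        f"/ip firewall nat add chain=srcnat action=accept src-address={lan_cidr} "
        f'dst-address={vpc_cidr} comment="no NAT towards the VPC"',
    ]
    for t in tunnels:
        name = f"aws-t{t.number}"
        # identical selectors cannot be active for two peers at once, so only
        # tunnel #1 is enabled; enable the other policy for a manual failover
        disabled = "no" if t.number == 1 else "yes"
        lines += [
            f"/ip ipsec peer add name={name} address={t.vgw_outside}/32 "
            "exchange-mode=ike2 profile=aws-ike",
            f'/ip ipsec identity add peer={name} auth-method=pre-shared-key secret="{t.psk}"',
            f"/ip ipsec policy add peer={name} proposal=aws-esp tunnel=yes "
            f"src-address={lan_cidr} dst-address={vpc_cidr} action=encrypt "
            f'level=require disabled={disabled} comment="inside {t.cgw_inside} <-> {t.vgw_inside}"',
            # IKE/NAT-T and ESP from this endpoint only; keep above any drop rule
            f"/ip firewall filter add chain=input action=accept protocol=udp "
            f'src-address={t.vgw_outside} dst-port=500,4500 comment="IKE {name}"',
            f"/ip firewall filter add chain=input action=accept protocol=ipsec-esp "
            f'src-address={t.vgw_outside} comment="ESP {name}"',
        ]
    return "\n".join(lines)


if __name__ == "__main__":  # LAN and VPC CIDRs below are assumptions
    print(render_routeros(parse_generic_config(SAMPLE_AWS_CONFIG),
                          "192.168.88.0/24", "172.31.0.0/16"))
```

Paste the output into a RouterOS terminal, then move the three firewall rules into position: the two input accepts above any drop rule in chain=input, the srcnat accept above the masquerade rule. No local-address is set on the peers on purpose; a hAP ac2 behind a home router has a private WAN address, while the Customer Gateway address registered in AWS is the public one, so RouterOS is left to pick the local side and NAT traversal stays on. Treat both the download and the generated script as secrets, since they carry the pre-shared keys in clear.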

Updating your Mikrotik to 6.44.3

This AWS article is about the supported customer gateway devices. Mikrotik is listed:

Your customer gateway device – AWS Site-to-Site VPN (amazon.com)

MikroTik RouterOS 6.44.3 is the version AWS lists as tested. That’s all we need.

Officially Azure does not support MikroTik; however, it works very nicely with zero issues, we configured it multiple times when building Azure-based labs. Very similar config to AWS.

About VPN devices for connections – Azure VPN Gateway | Microsoft Docs

On the Azure side, Synology (for example the MR2200ac) is a promising alternative for home labs: How do I set up Site-to-Site VPN between my Synology Router and Microsoft Azure? – Synology Knowledge Center

For GCP I liked the idea of connecting AWS or Azure sites.

Using third-party VPNs with Cloud VPN  |  Google Cloud

Before any configuration, I installed version 6.44.3 to make sure I am running the supported version.

To grab the images, go to the MikroTik archives page or use the links below (they point to the MikroTik website). Pick the package for your board’s architecture: for the hAP ac2 that is the arm build, for the CHR the x86 images.

routeros-x86-6.44.3.npk (x86)
all_packages-x86-6.44.3.zip (x86)
mikrotik-6.44.3.iso (x86)
netinstall-6.44.3.zip (x86)
install-image-6.44.3.zip (x86)
chr-6.44.3.img.zip (x86)
chr-6.44.3.vmdk (x86)
chr-6.44.3.vhdx (x86)
chr-6.44.3.vdi (x86)
dude-6.44.3.npk (x86)
dude-install-6.44.3.exe (x86)
routeros-mipsbe-6.44.3.npk (mipsbe)
all_packages-mipsbe-6.44.3.zip (mipsbe)
routeros-powerpc-6.44.3.npk (ppc)
all_packages-ppc-6.44.3.zip (ppc)
routeros-tile-6.44.3.npk (tile)
all_packages-tile-6.44.3.zip (tile)
dude-6.44.3-tile.npk (tile)
routeros-smips-6.44.3.npk (smips)
all_packages-smips-6.44.3.zip (smips)
routeros-arm-6.44.3.npk (arm)
all_packages-arm-6.44.3.zip (arm)
dude-6.44.3-arm.npk (arm)
routeros-mmips-6.44.3.npk (mmips)
all_packages-mmips-6.44.3.zip (mmips)
dude-6.44.3-mmips.npk (mmips)
