AWS Site-to-Site VPN using MikroTik RouterOS

April 7, 2022
AWS
Site2SiteVPN

There are two ways of approaching this challenge. (#1) running MikroTik virtual appliance (CHR) in AWS (#2) using Virtual Private Gateway, a “cloud-native” networking solution provided by AWS. Each solution has its own benefits.

Let’s get my hands dirty with deep dive (?) networking. My ultimate favorite upcoming exam is AWS Certified Advanced Networking – Specialty Certification | AWS Certification | AWS (amazon.com) can’t wait to get there…

Cost: 300 USD / Format: 65 questions, either multiple choice or multiple responses

On-premises physical MikroTik hardware (or virtualized CHR) running RouterOS

This is what I have at home and use to connect to multiple clouds. It worked very nice with Azure, now connecting with AWS. Will find the way to GCP as well.

Amazon.com: MikroTik hAP ac2 RBD52G-5HacD2HnD-TC Dual-Concurrent 2.4/5GHz Access Point, 802.11a/b/g/n/ac, 5 x Gigabit Ethernet ports International Version : Electronics

Cost: 89.98 USD / Format: 1 router, MikroTik hAP ac2

Actually, you can buy three (3) pieces of this lovely router for the price of the AWS Advanced Networking exam 🙂

This is a customer gateway device that supports IPSEC based VPN tunnels. Works very nicely with public clouds and is widely used in home/lab environments for testing purposes.

MikroTik can handle production workloads as well, they offer enterprise-scale devices as well. An example is below: Amazon.com: Mikrotik CCR1036-8G-2S+ 36 core CPU, Cloud Core Router, 8x Gigabit ports, 2x SFP+ ports, Color touchscreen LCD, 4GB. : Electronics

Cost: 1,026 USD / Format: Mikrotik CCR1036-8G-2S+ 36 core CPU, Cloud Core Router, 8x Gigabit ports, 2x SFP+ ports, Color touchscreen LCD, 4GB

If you fail the Networking Speciality exam two (2) times, you are nearly here with investments 🙂

(#1) MikroTik Cloud Hosted Router (CHR) on AWS t2.micro (Free Tier) instance

If you go in this direction, you are going to deploy a tiny t2.micro instance (this is AWS Free Tier item, 750 hours/month of free usage) to run MikroTik RouterOS.

This virtual appliance (instance) will work just like your on-premises MikroTik, same OS, same commands. When you configure Site2Site VPN, you do the same method as connecting 2 on-premises datacenters. Learn more here: Manual:Interface/SSTP – MikroTik Wiki

Obviously, this is recommended by MikroTik since you need to purchase another Mikrotik CHR license and bring it to the Cloud. Mikrotik CHR BYOL license is fairly priced, $45 (one-time payment) for the 1Gbit connection. Learn more about Mikrotik licensing here Manual:CHR – MikroTik Wiki

In order to deploy this solution, visit AWS Marketplace: Cloud Hosted Router (amazon.com)

AWS marketplace has Mikrotik CHR in the shop.

Free Tier is nice. However, it is more realistic to calculate t2.micro prices for your lab. You need at least one more – target VM to test the connection.

Use AWS Pricing Calculator select EC2 and find out t2.micro cost.

Default 30GB for Linux root disk is overkill for MikroTik, I tried with 1GB EBS (VM disk), estimated price is 5.36 USD/mo (as of today). Quite good.

MikroTik appliance instance for ~5 USD, managed VPN gateway is for ~30 USD

(#2) Using Virtual Private Gateway – this is a “cloud-native” networking solution provided by AWS

If you go in this direction, you are going to use an AWS managed service to terminate the VPN tunnel in AWS from your local MikroTik box.

The clear benefit is you do not need to manage MikroTik on AWS, and AWS Virtual Private Gateway is supported by many other appliances, including cross-cloud configurations to Azure or GCP.

When it comes to the configuration steps, I am building on others to get my LAB connected.

It is a great idea to have reusable RouterOS scripts to get the configuration done, but unfortunately, someone needs to maintain scripts and provide community support and that’s always hard (for free).

AWS Site-to-Site VPN – User Guide (amazon.com)

What is AWS Site-to-Site VPN? – AWS Site-to-Site VPN (amazon.com)

AWS Site-to-Site VPN with MikroTik (RouterOS) | by Danny Rehelis | Medium (November 2020: I will try this)

GitHub – smartupio/aws-vpn-mikrotik: Shell script to transform a Generic AWS VPN configuration guide to MikroTik specific set up commands that can be copy pasted into a mikrotik console to set up the customer end of the connection. (July 2017: not sure if it still works)

Amazon AWS VPN — A Working Configuration Example and Bug – MikroTik (August 2014: what bug, hopefully not the case anymore)

Updating your Mikrotik to 6.44.3

This AWS article is about the supported customer gateway devices. Mikrotik is listed:

Your customer gateway device – AWS Site-to-Site VPN (amazon.com)

Mikrotik RouterOS 6.44.3 is supported by AWS. That’s all we need.

Officially Azure does not support MikroTik, however, it works very nicely with zero issues; we configured it multiples times when building Azure-based labs. Very similar config to AWS.

About VPN devices for connections – Azure VPN Gateway | Microsoft Docs

At Microsoft, Synology (for example MR2200ac) is a promising alternative solution for home labs How do I set up Site-to-Site VPN between my Synology Router and Microsoft Azure? – Synology Knowledge Center

At GCP I liked the idea of connecting AWS or Azure sites.

Using third-party VPNs with Cloud VPN | Google Cloud

Build HA VPN connections between Google Cloud and AWS | Cloud Architecture Center

CloudVPNGuide-UsingCloudVPNwithAzureVPN.pdf (google.com)

Before any configuration, I installed the 6.44.3 version to make sure, I am running on the supported version.

To grab the images, go to the MikroTik archives page or use the links below (they point to the MikroTik website).

	routeros-x86-6.44.3.npk	x86
	all_packages-x86-6.44.3.zip	x86
	mikrotik-6.44.3.iso	x86
	netinstall-6.44.3.zip	x86
	install-image-6.44.3.zip	x86
	chr-6.44.3.img.zip	x86
	chr-6.44.3.vmdk	x86
	chr-6.44.3.vhdx	x86
	chr-6.44.3.vdi	x86
	dude-6.44.3.npk	x86
	dude-install-6.44.3.exe	x86
	routeros-mipsbe-6.44.3.npk	mipsbe
	all_packages-mipsbe-6.44.3.zip	mipsbe
	routeros-powerpc-6.44.3.npk	ppc
	all_packages-ppc-6.44.3.zip	ppc
	routeros-tile-6.44.3.npk	tile
	all_packages-tile-6.44.3.zip	tile
	dude-6.44.3-tile.npk	tile
	routeros-smips-6.44.3.npk	smips
	all_packages-smips-6.44.3.zip	smips
	routeros-arm-6.44.3.npk	arm
	all_packages-arm-6.44.3.zip	arm
	dude-6.44.3-arm.npk	arm
	routeros-mmips-6.44.3.npk	mmips
	all_packages-mmips-6.44.3.zip	mmips
	dude-6.44.3-mmips.npk	mmips

Attila Macskasy

My calling is moving prem VMware workloads to Cloud.

All articles

Oracle Database service for Azure – connecting Azure VM and Power App

2022.11.02.

I have connected a Database Admin Azure VM running Oracle’s SQL Developer (Windows version) and a Microsoft Power Platform application displaying Oracle’s HR demo schema (via on-premises data gateway on Azure VM connecting with Power Platform’s Oracle Premium Connector) to the same Oracle Database hosted on OCI.

Oracle Database service for Azure – linking subscriptions

2022.11.01.

As part of my multi-cloud research, I wanted to test Oracle Database Service for Azure. In this article, you will see how to sign up for the new service and how to link Oracle and Azure accounts. I used Frankfurt datacenters, Azure MSDN, and OCI paid account (Free Tier does not work) using my private Azure Active Directory.

Why multi-cloud is the way to go? VMware and Oracle perspective.

2022.10.20.

While cloud migration is still a popular topic during customer discussions, I have noticed that more and more customers are considering an exit plan from one cloud (vendor lock-in) to another cloud meaning there is an increase in multi-cloud migration demand. VMware, Oracle, and SAP are the major workloads in on-premises data centers today. Based on my research both VMware and Oracle are very vocal about the importance of having a multi-cloud strategy.