# AWS

**For a more detailed tutorial refer to** [**Site-to-Site with IPsec**](https://docs.pritunl.com/kb/vpn/tutorials/pritunl-link)

First create an IAM instance role with VPC access. This is needed to allow the pritunl-link client to modify the routing tables of the VPC; the instance role means no long-lived access keys have to be stored on the host.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Ft6wteRYdTbT0zXvoq1a2%2Flink1.png?alt=media\&token=fb43bc3c-85f5-44c7-bbf2-438c8ba2292a)

Below is a more specific IAM JSON policy for the instance role, limited to the route table actions pritunl-link actually needs.

```json
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "ec2:DescribeRouteTables",
       "ec2:CreateRoute",
       "ec2:ReplaceRoute",
       "ec2:DeleteRoute"
     ],
     "Resource": "*"
   }
 ]
}
```
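A tighter version of the policy above, added here as an example and not taken from the Pritunl documentation. `ec2:DescribeRouteTables` does not support resource-level permissions and has to stay on `*`, but the three route-modifying actions do, so they can be restricted to the route tables of the VPC being linked. The region, account ID and route table IDs are placeholders and must be replaced with the ones for the linked VPC.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadRouteTables",
      "Effect": "Allow",
      "Action": "ec2:DescribeRouteTables",
      "Resource": "*"
    },
    {
      "Sid": "ModifyLinkedVpcRoutes",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateRoute",
        "ec2:ReplaceRoute",
        "ec2:DeleteRoute"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:route-table/rtb-0123456789abcdef0",
        "arn:aws:ec2:us-east-1:123456789012:route-table/rtb-0fedcba9876543210"
      ]
    }
  ]
}
```

List every route table whose subnets should reach the remote networks through the link, including the main route table if any of those subnets fall back to it. If pritunl-link later needs to update a table that is not listed, the route change for that table is denied and the affected subnets will not route over the link.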

Create a security group and open `UDP` ports `500` (IKE) and `4500` (IPsec NAT traversal) to allow IPsec traffic. The pritunl-link hosts must also have outbound HTTPS access to the Pritunl cluster.

**Optionally TCP port 9790 can also be opened for host to host checking. This allows each pritunl-link host to ping other hosts to measure latency and availability. These checks are used to detect network partitions and discover the best link to activate in a high availability configuration.**

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FSBhL2QWM2JNiYqEgpGsh%2Flink4.png?alt=media\&token=150d4868-1cb4-46e6-8aaf-68b41b2fa1ca)

Launch an Amazon Linux 2023 server in the VPC that is going to be linked. Select the IAM role created earlier. Use the startup script below.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FTEaemIDpigI8mlWxWmt5%2Flink10.png?alt=media\&token=3806b020-cca4-4a55-a056-149a0487a30c)

Below is the startup script, which can be put in the *User data* of the instance or run manually. The `pritunl-link verify-off` command is only needed if the Pritunl server does not have a valid signed HTTPS certificate; it disables TLS certificate verification for the connection to the Pritunl server and can be left out when the server has a valid certificate. Skipping verification does not weaken the link configuration exchange: the data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI, so the token and secret are what must be kept private. The `pritunl-link provider aws` command sets the provider to `aws`. The `pritunl-link add` command registers the link URI; replace the placeholder with the URI shown by clicking *Get URI* in the Pritunl web console. The `add` command can be run multiple times if more than one link is configured.

```shell
#!/bin/bash
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Stable Repository
baseurl=https://repo.pritunl.com/stable/yum/amazonlinux/2023/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF

sudo yum -y update
sudo yum -y install pritunl-link

sudo pritunl-link verify-off
sudo pritunl-link provider aws
sudo pritunl-link add pritunl://token:secret@test.pritunl.com
```

If an IPv6 link is being configured the sysctl commands below must be run at instance startup to configure IPv6 autoconf. Setting `accept_ra=2` makes the kernel keep accepting router advertisements even though forwarding is enabled on the instance. Values set with `sysctl -w` do not survive a reboot, so they belong in the startup script alongside the commands above.

```shell
sudo sysctl -w net.ipv6.conf.all.accept_ra=2
sudo sysctl -w net.ipv6.conf.default.accept_ra=2
sudo sysctl -w net.ipv6.conf.eth0.accept_ra=2
```

Right-click on the instance and select *Networking* then *Change Source/Dest. Check* to disable the source/dest check. This is needed because the instance forwards packets whose source or destination is not its own address; with the check enabled, EC2 drops that traffic.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FawKDfILglzCY665olIHj%2Flink3.png?alt=media\&token=c6e4a7ea-b583-4170-9b09-35a7be72cfb8)

The commands below can be run to check the logs and status of the link. The `pritunl-link` service will already be running and connected once the URI is added; `ipsec status` should show the connection to the remote link as established.

```shell
journalctl -u pritunl-link
sudo ipsec status
```
