# Site-to-Site with WireGuard or IPsec

This tutorial will explain creating a WireGuard or IPsec peering connection between VPCs on AWS, Google Cloud and Oracle Cloud. Additionally, a VPN server will be created to allow VPN clients to access all the VPCs. Below is the topology for this tutorial. The purple lines represent a connection from the Pritunl servers to the MongoDB replica set. The green lines represent HTTPS connections from the Pritunl Link clients to the Pritunl server. The red lines represent WireGuard or IPsec connections between the Pritunl Link clients. The yellow lines represent OpenVPN connections from remote users to the Pritunl servers. The clouds represent connections that occur over the internet. Once done, instances in any of the VPCs will be able to communicate with instances in the other VPCs over a WireGuard or IPsec connection. For high availability, multiple Pritunl Link clients can be configured in each VPC to provide failover. Before starting, note the subnets below and change the corresponding subnets throughout this tutorial to match your cloud infrastructure.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FtGvyoR4LGBTPSg32OWEW%2Flinks.png?alt=media\&token=03dacb6a-6353-466d-b02d-2da5504e150d)

### Pritunl

In the *Links* tab click *Add Link*. Then name the link and set the *Type* to *Site-to-site*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F628te5nyF0Mrk60Zo4Ew%2Flinks7.png?alt=media\&token=a9b71986-a3c4-45b2-9cd2-d574bc48849b)

Then click *Add Location* and set the name to `aws`. Select the *Link* created above then click *Add*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fq8k1mgMPWWfYhmJ66NJQ%2Flinks8.png?alt=media\&token=d2670520-4708-4aae-b841-2d3c9c5beabd)

Click *Add Route* in the *aws* location and enter the VPC subnet. In this example this is `10.150.0.0/16`. Then click *Add*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FdHoACRq0lHpVNh5LEkji%2Flinks9.png?alt=media\&token=46e3ee6a-f862-4031-a96f-173b716dd87c)

Next click *Add Host* in the *aws* location and set the name to `aws0`. Then click *Add*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FNILhZYNwxZqYzT8eeiMt%2Flinks10.png?alt=media\&token=5c5ff0f5-e636-4d86-af7c-5eede56d2b34)

Then repeat these steps for the Google Cloud and Oracle Cloud. Once done the link configuration should look similar to the example below. If the HTTPS port is not already open on the Pritunl server add it to the security group to allow the pritunl-link instances to access the Pritunl server. The pritunl-link instances will only need HTTPS access to the Pritunl server. Instances will be created in each VPC next.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FqTWcrD03hukEq3ApTl5V%2Flinks11.png?alt=media\&token=4b70eea9-00fa-4eb0-b4a8-02542879b3c7)

### AWS

Open the *IAM* dashboard and click *Roles* on the left. Then click *Create Role*. Then select *AWS service* and *EC2*. Once done click *Next: Permissions*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F9Y7yh6LwEHyPoQUvmbfl%2Flinks0.png?alt=media\&token=f33d75c7-a0f5-4824-8fbd-1ffa74a58dda)

Search for and select *AmazonVPCFullAccess*. Then click *Next: Review*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FWjfcPR72DHiX4mYbcRdq%2Flinks1.png?alt=media\&token=c9b2170d-1faa-4d02-bc6f-ae4eabfbcf69)

Name the role `pritunl-link` and click *Create*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FD1hl5ZkFgxb2DW68kbX5%2Flinks2.png?alt=media\&token=62c15435-ad37-457c-bffc-037ec52501c3)

In the *EC2* dashboard click *Launch Instance*. Then select *Amazon Linux 2*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FLwPPUb7t20BDR5SvNRQF%2Flinks3.png?alt=media\&token=19c82b3d-dce8-426c-9921-e7c641519a5a)

Select an instance type then select the VPC you are peering. If you are using private VPC subnets create the instance in the public subnet. Then select the IAM role created above.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F8ChPpDhdIC2OT5vcOHGu%2Flinks4.png?alt=media\&token=be066cc2-fa4f-472b-a733-23f49f8ea400)

On the security group page create a security group and open UDP ports `500` and `4500` to `0.0.0.0/0`. Then open all traffic to all the peered VPC networks, in this example `10.0.0.0/8` covers all the VPC networks.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FasPcg0VvqveA186n7Osd%2Flinks5.png?alt=media\&token=4b963794-ec5c-44c8-89eb-c0b0758b3c39)

Once done launch the instance. Then right click the instance and select *Change Source/Dest. Check* under *Networking*. Then disable the source/dest check.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FMG55KBjy1c7Qh2I9SNWA%2Flinks6.png?alt=media\&token=ae729297-1d24-4e7a-9f2d-afdcbe1abb8f)

From the Pritunl web console click *Get URI* on the *aws0* host created earlier. Copy the *Host URI Link* for the commands below.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FLRq3Wfer2U363EyP78h4%2Flinks12.png?alt=media\&token=2ce45281-9b3b-482c-97bf-e287f96e9937)

SSH to the public address on the instance and run the commands below to install pritunl-link. Replace the URI below with the one copied above. The `sudo pritunl-link verify-off` line can be left out if the Pritunl server is configured with a valid SSL certificate. It is not necessary to verify the SSL certificate; the sensitive data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI.

```shell
sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl
baseurl=https://repo.pritunl.com/stable/yum/amazonlinux/2/
gpgcheck=1
enabled=1
EOF

sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl-link

sudo pritunl-link verify-off
sudo pritunl-link provider aws
sudo pritunl-link add pritunl://token:secret@test.pritunl.com
```

After the commands are run the *aws0* host should switch from *Unavailable* to *Active*. If not, run `sudo cat /var/log/pritunl_link.log`.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FX5c8uQly78HBDXMuNGHR%2Flinks13.png?alt=media\&token=8154e5e5-2d17-43a9-ba01-8cbda521c064)

### Google

In the *VPC network* dashboard open *Firewall rules*. Then click *Create Firewall Rule*. Set the *Name* to `ipsec` and select the *Network* that will be peered. Add `ipsec` to the *Target tags*. Add `0.0.0.0/0` to the *Source IP ranges* and set the *Protocols and ports* to `udp:500; udp:4500`. Then click *Create*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FFLBovfg3tjvA3sFzgDp6%2Flinks14.png?alt=media\&token=a8c05ef9-3242-4b3d-8377-e070165dfcca)

Click *Create Firewall Rule* again and set the *Name* to `pritunl-link`. Then select the *Network* that will be peered. Add `pritunl-link` to the *Target tags* and `10.0.0.0/8` to the *Source IP ranges*. If you are peering VPCs outside of `10.0.0.0/8` those subnets will also need to be added. Set *Protocols and ports* to *Allow all*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FUmTzn5N5ONEv4EFyJ7vS%2Flinks15.png?alt=media\&token=da44a792-a96a-4b40-9988-5473a53f15f8)

From the *Compute Engine* dashboard click *Create Instance*. Set the *Name* to `pritunl-link` and select a *Zone* and *Machine type*. Then set the *Boot disk* to *CentOS 7*. Set *Access scopes* in *Identity and API access* to *Allow full access to all Cloud APIs*. In the *Networking* tab set *Network tags* to `pritunl-link ipsec`. Select the *Network* that will be peered and set *IP forwarding* to *On*. Then click *Create*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FqaE0OARGYDGLv5IZIPG4%2Flinks16.png?alt=media\&token=db6ff44c-3af6-4fe8-b065-54773016a139)

From the Pritunl web console click *Get URI* on the *google0* host created earlier. Copy the *Host URI Link* for the commands below.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FbTdUbOfH52rhc0tR6qnU%2Flinks17.png?alt=media\&token=e5d66dee-bc4f-4c5d-8df6-e517f86af828)

SSH to the public address on the instance and run the commands below to install pritunl-link. Replace the URI below with the one copied above. The `sudo pritunl-link verify-off` line can be left out if the Pritunl server is configured with a valid SSL certificate. It is not necessary to verify the SSL certificate; the sensitive data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI.

```shell
sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl-link

sudo pritunl-link verify-off
sudo pritunl-link provider google
sudo pritunl-link add pritunl://token:secret@test.pritunl.com
```

After the commands are run the *google0* host should switch from *Unavailable* to *Active*. If not, run `sudo cat /var/log/pritunl_link.log`.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FARlyAurXHDKrAhmCw6ZX%2Flinks18.png?alt=media\&token=20943665-1bfc-4286-adab-ab501642eea2)

### Oracle

From the *Virtual Cloud Networks* dashboard click *Create Security List* then set the *Name* to `pritunl-link`. For the first *Ingress* rule set the *Source CIDR* to `10.0.0.0/8` and *IP Protocol* to *All Protocols*. If you are peering VPCs outside of `10.0.0.0/8` those subnets will also need to be added. For the second *Ingress* rule set the *Source CIDR* to `0.0.0.0/0` and *IP Protocol* to *UDP*. Then set the *Destination Port Range* to `500`. For the third *Ingress* rule set the *Source CIDR* to `0.0.0.0/0` and *IP Protocol* to *UDP*. Then set the *Destination Port Range* to `4500`.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FlJbiWEnZZea6BYJtbdIO%2Flinks19.png?alt=media\&token=a5f3740e-aa20-437b-8714-3d755765c80b)

From any Linux server run the commands below to generate an API key.

```shell
openssl genrsa -out oci_key.pem 2048
openssl rsa -pubout -in oci_key.pem -out oci_pub.pem
cat oci_pub.pem
```

Open the *Users* section of the *Identity* console and select a user that will be used to authenticate with the Oracle Cloud API. Then copy the *OCID* from the user info; this will be needed later.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FQEtWcnwVQTP5CEamQnG5%2Foraclecloud4.png?alt=media\&token=d725492c-6c9e-47c0-9d1f-a360a938855e)

From the *Identity* dashboard open *Users* and select an administrator user. Then click *Add Public Key*. Copy the public key from above into the *Public Key* field then click *Add*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F7uCD9wedflXHn7nlnRgm%2Flinks22.png?alt=media\&token=ec26d4a3-9663-4831-8c7c-9686f1bb2925)

Next run the command below to get the Base64 encoded private key generated above. This will be needed below. Once done run the second command to delete the key.

```shell
openssl base64 -in oci_key.pem | tr -d "\n"
rm oci_*.pem
```

From the *Compute* dashboard click *Launch Instance*. Set the name to `pritunl-link` then select an *Availability Domain*. Set the *Image Operating System* to *Oracle Linux 7* and select a *Shape*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FfxbT4teGjYDbxTu6PapW%2Foraclecloud3.png?alt=media\&token=e561cac7-0bad-4281-84c1-15f876f19efe)

From the Pritunl web console click *Get URI* on the *oracle0* host created earlier. Copy the *Host URI Link* for the commands below.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FORUBQ3wHO7Fu0Hye6577%2Flinks27.png?alt=media\&token=c163d70d-82d1-4714-9a25-67befa4a69a1)

SSH to the public address on the instance and run the commands below to install pritunl-link and disable firewalld. Replace the user OCID and the private key with the OCID and Base64 encoded key from above. The `sudo pritunl-link verify-off` line can be left out if the Pritunl server is configured with a valid SSL certificate. It is not necessary to verify the SSL certificate; the sensitive data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI.

```shell
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/7/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y update
sudo yum -y install pritunl-link

sudo systemctl stop firewalld
sudo systemctl disable firewalld

sudo pritunl-link oracle-user-ocid ocid1.user.oc1..aaaaaaaagfbc5x7qsrq...
sudo pritunl-link oracle-private-key LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBL...
sudo pritunl-link verify-off
sudo pritunl-link provider oracle
sudo pritunl-link add pritunl://token:secret@test.pritunl.com
```

After the commands are run the *oracle0* host should switch from *Unavailable* to *Active*. If not, run `sudo cat /var/log/pritunl_link.log`.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FDYbKfrvt2432YdaDzIeo%2Flinks28.png?alt=media\&token=7cb0c38e-61e7-4555-9f09-ca77ec566d5c)

### Firewalls and Testing

At this point the link hosts should all be active and the peering connections should also be established. Before other instances in each VPC can access other VPCs the firewalls for each instance need to be updated to allow traffic to and from the other VPCs. In this tutorial this has already been done for the pritunl-link instances but it will also need to be done for other instances that need access. Once this is done instances should be able to ping instances in the other VPCs. If there are issues check the Pritunl logs in the top right of the web console and run the commands below on the pritunl-link instances.

```shell
sudo cat /var/log/pritunl_link.log
sudo ipsec statusall
```

### VPN Server

This optional part will explain configuring a VPN server that will allow users to access all the VPCs. This VPN server will be configured without NAT, so VPN users will have a VPN IP address when accessing instances. When doing this the firewalls will need to be configured to allow the VPN subnet. From the Pritunl console click *Add Server* and set the *Name* to `peering`. Then set the *Virtual Network* to `10.200.0.0/16`; this network should not conflict with any existing networks.
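The two address-plan requirements above (the VPN virtual network must not conflict with any existing network, and the firewalls must allow it) can be checked mechanically before enabling the link. The Python script below is an added example, not part of this tutorial or of Pritunl: it uses the tutorial's `10.150.0.0/16`, `10.200.0.0/16` and `10.0.0.0/8` values, constructed placeholder subnets for the google and oracle locations, and reports any route that overlaps another or falls outside the firewall allow rule, which is the "outside `10.0.0.0/8`" case the AWS, Google and Oracle firewall steps warn about.

```python
"""Sanity-check the address plan for a Pritunl site-to-site link.

Two checks before enabling the link:
1. Every link route (VPC subnet) and the VPN virtual network must be
   disjoint, otherwise traffic between them is routed ambiguously.
2. Every link route and the VPN virtual network must sit inside at least
   one CIDR allowed by the pritunl-link security group / firewall rule,
   otherwise the peered hosts are reachable over the tunnel but filtered.
"""
import ipaddress
from itertools import combinations

# 10.150.0.0/16 (aws) and 10.200.0.0/16 (VPN) are the tutorial's values.
# The google and oracle subnets are constructed placeholders; oracle is
# deliberately placed outside 10.0.0.0/8 to show the coverage check firing.
LINK_ROUTES = {
    "aws": "10.150.0.0/16",
    "google": "10.151.0.0/16",     # constructed
    "oracle": "192.168.10.0/24",   # constructed, outside 10.0.0.0/8
}
VPN_VIRTUAL_NETWORK = "10.200.0.0/16"
FIREWALL_ALLOW = ["10.0.0.0/8"]    # the tutorial's "allow all from 10.0.0.0/8" rule


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose subnets overlap."""
    nets = {n: ipaddress.ip_network(c, strict=True) for n, c in networks.items()}
    return sorted(
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb)
    )


def find_uncovered(networks, allow_cidrs):
    """Return names whose subnet is not fully contained in any allow CIDR."""
    allowed = [ipaddress.ip_network(c) for c in allow_cidrs]
    return sorted(
        name for name, cidr in networks.items()
        if not any(ipaddress.ip_network(cidr).subnet_of(a) for a in allowed)
    )


def check_plan(link_routes, vpn_network, allow_cidrs):
    """Run both checks over the link routes plus the VPN virtual network."""
    all_nets = dict(link_routes, vpn=vpn_network)
    return {
        "overlaps": find_overlaps(all_nets),
        "uncovered": find_uncovered(all_nets, allow_cidrs),
    }


if __name__ == "__main__":
    result = check_plan(LINK_ROUTES, VPN_VIRTUAL_NETWORK, FIREWALL_ALLOW)
    for a, b in result["overlaps"]:
        print(f"CONFLICT: {a} overlaps {b}")
    for name in result["uncovered"]:
        print(f"FILTERED: add the {name} subnet to the firewall allow rules")
    if not result["overlaps"] and not result["uncovered"]:
        print("address plan ok")
```

With the constructed values the script reports no conflicts but flags `oracle`, which is exactly the subnet that would need adding to each cloud's `10.0.0.0/8` ingress rule.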

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FwemgS295khhCTy9CAAQz%2Flinks29.png?alt=media\&token=083c0529-71ff-4c31-a4b0-4a77313afb3a)

Attach an organization to the *peering* server.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FI0WjswrQNZQhW44G556p%2Flinks30.png?alt=media\&token=cb53c4e0-a93d-433e-8687-75b046062770)

Remove the `0.0.0.0/0` route from the server and add the VPN networks. These should match the networks added to the link configuration. For this example the first network is `10.150.0.0/16`. When adding the routes uncheck *NAT*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FsYkbGThkwDGDzBduCqHj%2Flinks31.png?alt=media\&token=b3910d58-58c3-420e-8b91-11ea5b7e4f4c)

Repeat this for all the networks in the link configuration. Once done the server configuration should look similar to the example below.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FxGMEwdwGm80A4GOFpzWU%2Flinks32.png?alt=media\&token=af85c7fc-a19e-4b75-92a2-df0df0d9c62c)

If the Pritunl instance was not configured with an instance role with VPC control open the *EC2* dashboard. Then right click the instance and select *Instance Settings* then *Attach/Replace IAM Role*. You can reuse the *pritunl-link* role from above or create a new one with *AmazonVPCFullAccess*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FsiKN31whGDOsWJoAQIkc%2Flinks33.png?alt=media\&token=13c449e9-f366-4969-8d4c-d9ca0b245b4b)

Next, from the Pritunl console click *Settings* in the top right. Then set the *Cloud Provider* to *AWS* and set the access key and secret key to `role` for the region that the Pritunl server is running in. This will use the IAM role instead of an access key.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FrkUglZaqzRgEs9m8lDpZ%2Flinks34.png?alt=media\&token=5085216f-fb01-4070-8ad6-8e022ae8b547)

From the *peering* server select the route labeled *Virtual Network* and enable *Route Advertisement*. Then select the region and VPC that was peered in the link configuration. If the VPCs are not shown check the IAM role configuration and the logs in the top right. Once done click *Save*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F59QouYs7maV5NoPcX6b6%2Flinks35.png?alt=media\&token=58d762f4-d2a3-4dd1-bf00-b901e343967e)

On the *Links* page in the *peering* link configuration click *Add Route* in the *aws* location. Then enter the virtual network subnet that was advertised from above.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FacWQsMMeL4xSgtw4R4nL%2Flinks36.png?alt=media\&token=92893591-3d7b-4355-a4f0-e1f90d150a2a)

Once done start the *peering* server and connect to it using the Pritunl Client.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FeYbNtSfi1DFOqDqfzc9M%2Flinks37.png?alt=media\&token=c99be143-7d39-4f6f-a3f1-ba1e2ec2698e)

Once connected the client should be able to ping instances in any of the VPCs. The network traffic going to the instances will originate from the client's IP address on the VPN's virtual network.

### Replication

This tutorial only showed single link hosts. For high availability multiple link hosts should be configured in different availability zones. When the failover link hosts are configured the status should be shown as *Available* indicating the link host is available for failover.
