Situation: I’m dealing with some remote sites that rely on Starlink for connectivity to the AWS cloud. The challenge here is that Starlink doesn’t provide static IPs, and unless you’re on their business plan, you don’t even get a routable IP. Given this, I’m not sure if we can use IPSec due to the static IP requirement. Instead, I’m considering an SSL/TLS Site-to-Site VPN.
- Is SSL/TLS Site-to-Site VPN the only viable choice considering the absence of static or routable IPs?
- In AWS, should I opt for an AWS Virtual Private Gateway (VGW), or would it be better to set up an overlay network like Tailscale or Netmaker? What are the pros and cons?
- If I go with the VGW, what software firewall (or any client software) should I install on the client side? Would something like pfSense or IPFire be suitable?
Certificate-based AWS site-site VPN can be used with changing IPs as you describe.
Big fan of Tailscale, it’s incredibly flexible. Also Netmaker looks absolutely awesome too, but its reliance on Caddy (last I looked at it) was a no-go for me.
So these are sites, not people. I use OpenVPN and a Raspberry Pi and it works great. If you already have a firewall, maybe whatever it has built in. If not, a Pi or small Dell Micro or Intel NUC or whatever works wonders on the cheap.
Edit to add that I like straight-up Raspberry Pi OS because I like it simple. But I can manage everything with scripts and keep everything in version control and all of that. If you have on-site staff that are not as experienced or comfortable, something like pfSense does make life easier. I specifically don’t want anyone touching anything in a GUI or to have to even worry about a GUI. But we had a couple of remote offices and used pfSense a lot, way better than a Cisco ASA/Firepower (although I got forced to use them as well for compliance).
Also, you don’t need both ends to have a static IP for IPsec. Not my preferred method because logging and troubleshooting is just infinitely easier with OpenVPN. But if you already are comfortable, just go that route.
Do you have devices at the remote sites that can terminate a VPN connection?
I’ve been using Starlink for several years now. I use ZeroTier to connect to cloud networks seamlessly. You can set up a system as a router, in each location, and then set up a routing table (on both sides) to forward traffic destined for AWS VPCs through the router, and vice versa.
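The "system as a router, routing table on both sides" setup described above, as an added example that is not from this thread or from ZeroTier. It assumes a Linux box at the Starlink site with overlay interface zt0, placeholder VPC CIDRs 10.20.0.0/16 and 10.21.0.0/16, a placeholder site LAN 192.168.50.0/24, and placeholder AWS IDs rtb-EXAMPLE / i-EXAMPLE; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. All CIDRs, interface
# names and AWS IDs below are placeholders; set DRY_RUN=0 to actually apply.
set -eu
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Command that steers one VPC CIDR into the overlay interface (returned as a string).
route_cmd_for() {
  printf 'ip route replace %s dev %s' "$1" "$2"
}

# Site side: enable forwarding, route each VPC CIDR into the overlay and allow
# only LAN<->VPC traffic through the FORWARD chain (default policy DROP). The
# same function works on the EC2 overlay router with the site LAN as the CIDR.
site_router_setup() {
  lan_if="$1"; overlay_if="$2"; shift 2
  run sysctl -w net.ipv4.ip_forward=1
  for cidr in "$@"; do
    # shellcheck disable=SC2046
    run $(route_cmd_for "$cidr" "$overlay_if")
    run iptables -A FORWARD -i "$lan_if" -o "$overlay_if" -d "$cidr" -j ACCEPT
    run iptables -A FORWARD -i "$overlay_if" -o "$lan_if" -s "$cidr" -j ACCEPT
  done
  run iptables -P FORWARD DROP
}

# AWS side ("vice versa"): the VPC route table must send the site LAN to the EC2
# router, and that instance must have source/destination checking disabled or
# it silently drops the forwarded packets.
aws_return_route() {
  rtb="$1"; instance="$2"; site_cidr="$3"
  run aws ec2 modify-instance-attribute --instance-id "$instance" --no-source-dest-check
  run aws ec2 create-route --route-table-id "$rtb" \
    --destination-cidr-block "$site_cidr" --instance-id "$instance"
}

site_router_setup eth0 zt0 10.20.0.0/16 10.21.0.0/16
aws_return_route rtb-EXAMPLE i-EXAMPLE 192.168.50.0/24
```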
Hello! I use AWS as a cloud engineer daily and work from home on Starlink.
Every enterprise org I’ve done this for has used the Cisco AnyConnect VPN client.
I have a new one using the Fortinet VPN client.
If I was doing it myself I would use OpenVPN running on the NAT instance in the public VPC (to minimize costs, run it as a t3.micro and blah).
Or something like that.
Best of luck!
No one’s asked yet, but why do you need a VPN? What in AWS are they actually connecting to that warrants a VPN?
You might look at Verified Access as an option to get to cloud resources. Secure Remote Access - AWS Verified Access - AWS
Use FQDNs instead of IP addressing to avoid OP’s issue.