Cloud-native doesn’t always mean cloud-managed. Managed gateways promise a “set-and-forget” experience, but they often fall short when you need fine-grained control for complex site-to-site integrations.
By combining Linux networking with StrongSwan IPsec, you can build a custom egress point that performs Source Network Address Translation (SNAT) before encryption. This approach not only reduces costs, it also gives you the visibility and control that managed services usually hide.
The "Hidden" Cost of Cloud Networking
Cloud providers like AWS and Azure make it easy to start, but "managed" services come with a heavy tax:
- Managed Private NAT Gateway: ~$32/month + $0.045 per GB processed.
- VPN Gateway: ~$36/month + data transfer fees.
The Problem: If you have 50 instances in a private subnet, the partner network on the other side of the VPN usually doesn't want to whitelist 50 different IP addresses. They want only one trusted IP.
Architecture diagram (addresses used throughout this guide)
AWS Network
- Ubuntu VPN Gateway: 35.171.197.185
- Local LAN: 172.16.10.0/24
- NAT Source IP: 172.16.3.171/32
Partner Network
- Partner Gateway: 54.73.143.148
- Remote Network: 10.4.2.0/24
- Remote Server: 10.4.2.148/32
Solution
Deploying a StrongSwan IPsec Site-to-Site VPN on an Ubuntu Server with Private NAT, ensuring that all internal hosts communicate with the remote network using a single source IP address.
By using a single Ubuntu instance as your gateway, you can "masquerade" your entire internal network. To the partner, every request looks like it is coming from a single IP address.
Infrastructure Provisioning
This requires a VPC with both public and private subnets.
Public Subnet: This hosts your StrongSwan Gateway. It needs an Elastic IP (EIP) to communicate with the remote partner's VPN peer over the internet.
Private Subnet: This hosts your internal local servers. These instances have no direct internet access and must route all traffic through the StrongSwan Gateway to reach the partner network.
Disable Source/Destination Checking
By default, an EC2 instance drops any packet whose source or destination address is not its own. Since your StrongSwan node is acting as a "middleman" (NAT/VPN gateway), you must disable this check on the gateway instance.
Security Groups
Ensure that the security group rules below are applied to the StrongSwan server so that the remote peer's IP address can establish the IKE SA.
Add these rules to your inbound settings:
- UDP Port 500: Used to start the connection (IKE).
- UDP Port 4500: Used to send the actual encrypted data (NAT-T).
- Inbound from the private subnet: allow the ports your internal servers use to reach the partner network.
A step-by-step procedure
Step 1: System Requirements
- Ubuntu Server 20.04 / 22.04 / 24.04
- Elastic Public IP address
- A minimum of 2 vCPU and 4 GB RAM
- A minimum of 20 GB Storage
Step 2: Install StrongSwan
sudo apt update
sudo apt install strongswan
Verify installation:
ipsec version
Step 3: Enable IP Forwarding
The server must route traffic between the local network and the VPN:
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl net.ipv4.conf.default.rp_filter=0
sudo sysctl net.ipv4.conf.default.accept_source_route=0
Values set with sysctl at runtime are lost on reboot; persist them in /etc/sysctl.conf or a file under /etc/sysctl.d/ as well.
Step 4: Configure StrongSwan
Edit the IPsec configuration:
sudo nano /etc/ipsec.conf
config setup
    strictcrlpolicy=yes
    charondebug="all"
    uniqueids = yes

conn site-to-site
    authby=secret
    left=%defaultroute
    leftid=35.171.197.185
    right=54.73.143.148
    rightid=54.73.143.148
    type=tunnel
    leftsubnet=172.16.3.171/32
    rightsubnet=10.4.2.148/32
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    keyexchange=ikev2
    keyingtries=%forever
    ikelifetime=1h
    lifetime=8h
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    auto=start
Understanding the configuration parameters:
- leftid=35.171.197.185: local VPN gateway (public IP)
- right=54.73.143.148: remote VPN gateway, same value as rightid
- leftsubnet=172.16.3.171/32: local host IP (the NAT source address)
- rightsubnet=10.4.2.148/32: remote host IP
- ike=aes256-sha256-modp2048!: Phase 1: AES-256 / SHA-256 / DH group 14; the trailing "!" makes the proposal strict
- esp=aes256-sha256-modp2048!: Phase 2: AES-256 / SHA-256 / PFS group 14
- ikelifetime=1h: Phase 1 lifetime, 3600 seconds
- lifetime=8h: Phase 2 lifetime, 28800 seconds
- dpddelay=30s: send a Dead Peer Detection probe every 30 seconds
- dpdtimeout=120s: declare the peer dead after 120 seconds without a reply
- keyexchange=ikev2: Internet Key Exchange version 2
- auto=start: bring the tunnel up immediately when the service starts
Step 5: Configure the Pre-Shared Key
The secrets file uses this format:
local-gateway-ip remote-gateway-ip : PSK "PreSharedSecretKey"
Edit the secrets file:
sudo nano /etc/ipsec.secrets
35.171.197.185 54.73.143.148 : PSK "MyPreSharedSecretKey@123"
Step 6: Configure NAT for a Single Source IP
The system will translate all local network hosts to one IP address before the traffic enters the tunnel.
Add the SNAT rule:
sudo iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -d 10.4.2.148 -j SNAT --to-source 172.16.3.171
Verify the iptables rules:
sudo iptables -t nat -L -v
Update the private subnet's route table so that traffic destined for the partner network is forwarded to the StrongSwan instance's ENI.
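The SNAT rule from Step 6 only works if the translated source address falls inside leftsubnet and the destination inside rightsubnet from Step 4; otherwise the translated packets never match the IPsec policy. The following added example (not part of the original guide) lints a conn section against its SNAT rule, and also flags IKEv1 and weak or non-strict proposals; the config text, rule string and WEAK_ALGS list are constructed here.

```python
# Added example: lint a StrongSwan conn section against the iptables SNAT rule
# that feeds it. Flags --to-source outside leftsubnet, -d outside rightsubnet,
# a keyexchange other than ikev2, and weak or non-strict ike/esp proposals.
import ipaddress
import re
import shlex
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}

def parse_conn(text, name):
    # Collect key=value lines belonging to "conn <name>" in ipsec.conf syntax.
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ", "ca ")):
            current = line.split(None, 1)[1].strip()
        elif current == name and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            params[key] = val
    return params

def parse_snat(rule):
    # Return (-s, -d, --to-source) from an iptables SNAT command line.
    argv = shlex.split(rule)
    opts = {a: argv[i + 1] for i, a in enumerate(argv[:-1]) if a.startswith("-")}
    return opts["-s"], opts["-d"], opts["--to-source"]

def check(conf_text, conn_name, snat_rule):
    """Return a list of findings; an empty list means config and SNAT rule agree."""
    c, findings = parse_conn(conf_text, conn_name), []
    if c.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2")
    for key in ("ike", "esp"):
        prop = c.get(key, "")
        weak = set(re.split(r"[-,!]", prop.lower())) & WEAK_ALGS
        if weak:
            findings.append(f"{key} proposal has weak algorithm(s): {sorted(weak)}")
        if not prop.endswith("!"):
            findings.append(f"{key} proposal is not strict (missing trailing '!')")
    _src, dst, to_source = parse_snat(snat_rule)
    left = ipaddress.ip_network(c["leftsubnet"], strict=False)
    right = ipaddress.ip_network(c["rightsubnet"], strict=False)
    if ipaddress.ip_address(to_source) not in left:
        findings.append(f"SNAT --to-source {to_source} is outside leftsubnet {left}")
    if not ipaddress.ip_network(dst, strict=False).subnet_of(right):
        findings.append(f"SNAT -d {dst} is outside rightsubnet {right}")
    return findings

# Constructed inputs mirroring the guide's addresses.
CONF = ("conn site-to-site\n  keyexchange=ikev2\n  leftsubnet=172.16.3.171/32\n"
        "  rightsubnet=10.4.2.148/32\n  ike=aes256-sha256-modp2048!\n  esp=aes256-sha256-modp2048!\n")
SNAT_RULE = "iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -d 10.4.2.148 -j SNAT --to-source 172.16.3.171"
```

Run check(CONF, "site-to-site", SNAT_RULE) after editing either file; an empty list means the NAT source and destination are covered by the tunnel's traffic selectors.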
Step 7: Start StrongSwan
Restart the service:
sudo ipsec restart
Step 8: Verify the VPN Tunnel
Bring the tunnel up (auto=start already initiates it when the service starts) and watch the negotiation result:
sudo ipsec up site-to-site
Step 9: Test Connectivity
From a server in the private network, ping the partner application server:
ping 10.4.2.148
Check the NAT translation counters on the StrongSwan server:
sudo iptables -t nat -L -v