Site-to-Site VPN with dynamic WAN address (LTE, Starlink, etc)


Heyo! I'm trying to create a Site-to-Site VPN between two sites without static WAN addresses. My backup plan is just to create the VPN server on an ec2 instance with a static external IP.

The Client VPN Endpoints seem like a possibility but I don't think those will work since I have multiple networks I need to connect at each site and can't NAT through the endpoint. I'm looking at the documentation for Customer Gateways and seeing that specifying the external IP address is optional, so I'm hoping it may connect as a client if I don't specify that? If so I'm having some issues with the certificates that I'll need help with, but I should probably make a dedicated post for that.

Is there another method for what I'm trying to do, or should I just spin up the EC2 instance and install my VPN server of choice and do this that way?

Thanks so much for any help!

1 Answer
Accepted Answer


You are correct: if you are using cert-based authentication for the VPN (and not a PSK), the CGW IP is optional. That being said, every time the CGW external (dynamic) IP changes, the tunnel will be torn down and need to be re-initiated. Please note that tunnel initiation from the CGW is supported only with IKEv2.

(Optional) The IP address of the customer gateway device's external interface.

The IP address must be static.

If your customer gateway device is behind a network address translation (NAT) device, use the IP address of your NAT device. Also, ensure that UDP packets on port 500 (and port 4500, if NAT-traversal is being used) are allowed to pass between your network and the AWS Site-to-Site VPN endpoints. See Firewall Rules for more info.

An IP address is not required when you are using a private certificate from AWS Certificate Manager Private Certificate Authority.

If there is a way for you to do Static NAT (1:1) that might be a better way, with this the CGW external IP would be Static.

Q: Can I NAT my customer gateway behind a router or firewall?

A: You will use the public IP address of your NAT device.

Hope this helps.

AWS
answered 2 years ago
AWS
reviewed 2 years ago
  • Thanks for confirming that, I'll make a new post specific to my issue with the ACM stuff. The external address will mostly be changing when the CGW is offline, so there shouldn't be any issues with the tunnel automatically connecting at startup, right?

  • Correct, the IP changing will not matter because authentication will be certificate based. Startup action from the CGW side is only supported via IKEv2.

  • Am I able to use an ACM created private cert for this implementation, or do I need to generate my own and sign it off my ACM PCA?

  • Hello, please see this KC article for guidance on this topic:
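As an added example (not code from this thread or from AWS), the following builds the boto3 `ec2` request parameters for a certificate-authenticated Customer Gateway with no static IpAddress and checks them against the constraints discussed in the answer above, without calling the AWS API. The parameter names are the real boto3 ones; the BGP ASN, the certificate ARN and the PSK string are constructed placeholders.

```python
# Added example, not code from the re:Post thread or from AWS: builds the
# boto3 ec2 request parameters for a certificate-authenticated Customer
# Gateway with no static IpAddress and checks the constraints discussed in
# the answer. Parameter names are the real boto3 ec2 ones; the ARN, ASN and
# PSK values are placeholders, and nothing here calls the AWS API.

def build_customer_gateway_params(bgp_asn, certificate_arn=None, ip_address=None):
    """Keyword arguments for ec2.create_customer_gateway (not invoked here)."""
    params = {"Type": "ipsec.1", "BgpAsn": bgp_asn}
    if ip_address is not None:        # only meaningful when the WAN IP is static
        params["IpAddress"] = ip_address
    if certificate_arn is not None:   # ACM Private CA cert makes IpAddress optional
        params["CertificateArn"] = certificate_arn
    return params


def build_tunnel_options(ike_versions=("ikev2",), psk=None, startup_action="add"):
    """Options for ec2.create_vpn_connection, applied identically to both tunnels."""
    tunnel = {"IKEVersions": [{"Value": v} for v in ike_versions],
              "StartupAction": startup_action}  # "add": CGW initiates; "start": AWS initiates
    if psk is not None:
        tunnel["PreSharedKey"] = psk
    return {"TunnelOptions": [dict(tunnel), dict(tunnel)]}


def check_dynamic_ip_setup(cgw_params, vpn_options):
    """Return the list of problems for a CGW whose WAN address is dynamic (unknown to AWS)."""
    problems = []
    if "IpAddress" not in cgw_params and "CertificateArn" not in cgw_params:
        problems.append("no IpAddress: CertificateArn (ACM Private CA) is required")
    for n, t in enumerate(vpn_options.get("TunnelOptions", []), start=1):
        if "PreSharedKey" in t and "IpAddress" not in cgw_params:
            problems.append(f"tunnel {n}: PSK authentication needs a static CGW IpAddress")
        if t.get("StartupAction") == "start" and "IpAddress" not in cgw_params:
            problems.append(f"tunnel {n}: AWS cannot initiate IKE to an unknown CGW IP")
        if "ikev2" not in [v["Value"] for v in t.get("IKEVersions", [])]:
            problems.append(f"tunnel {n}: answer says CGW-initiated tunnels need IKEv2")
    return problems


if __name__ == "__main__":
    # Placeholder ARN; a real one comes from your ACM Private CA.
    cgw = build_customer_gateway_params(65000, certificate_arn="arn:aws:acm:...:certificate/PLACEHOLDER")
    bad = build_tunnel_options(ike_versions=("ikev1",), psk="PLACEHOLDER", startup_action="start")
    print(check_dynamic_ip_setup(cgw, bad))                      # six problems, three per tunnel
    print(check_dynamic_ip_setup(cgw, build_tunnel_options()))   # [] -> consistent with the answer
```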
