Use VPN to connect LoRa gateways to your Amazon Web Services account - Amazon IoT Core

Use VPN to connect LoRa gateways to your Amazon Web Services account

To connect your gateways on premises to your Amazon Web Services account, you can use either a Site-to-Site VPN connection or a Client VPN endpoint.

Before you can connect your on-premises gateways, you must have created the VPC endpoint and configured a private hosted zone and inbound resolver so that traffic from the gateways doesn't go over the public internet. For more information, see Create VPC interface endpoint and private hosted zone.

Site-to-Site VPN endpoint

If you don't have the gateway hardware or want to test the VPN connection using a different Amazon Web Services account, you can use a Site-to-Site VPN connection. You can use Site-to-Site VPN to connect to the VPC endpoints from the same Amazon Web Services account or another Amazon Web Services account that you might be using in a different Amazon Web Services Region.


If you have the gateway hardware with you and want to set up a VPN connection, we recommend that you use Client VPN instead. For instructions, see Client VPN endpoint.

To set up a Site-to-Site VPN:

  1. Create another VPC in the site from which you want to set up the connection. For VPC-A, you can reuse the VPC that you created previously. To create another VPC (for example, VPC-B), use a CIDR block that doesn't overlap with the CIDR block of the VPC you created previously.

    For information about setting up the VPCs, follow the instructions described in Amazon setup Site-to-Site VPN connection.


    The Site-to-Site VPN method described in that document uses OpenSWAN for the VPN connection, which supports only one VPN tunnel. If you use different commercial VPN software, you might be able to set up two tunnels between the sites.

  2. After you set up the VPN connection, update the /etc/resolv.conf file by adding the inbound resolver's IP address from your Amazon Web Services account. You use this IP address for the nameserver. For information about how to obtain this IP address, see Configure Route 53 inbound resolver. For this example, we can use the IP address that was assigned when you created the Route 53 Resolver.

    options timeout:2 attempts:5
    ; generated by /usr/sbin/dhclient-script
    search region.compute.internal
    nameserver
  3. We can now test whether the VPN connection uses the Amazon PrivateLink endpoint instead of going over the public internet by using an nslookup command. The following shows an example of running the command.


    The following shows an example output of running the command, which shows a private IP address indicating that the connection has been established to the Amazon PrivateLink LNS endpoint.

    Server:
    Address:

    Non-authoritative answer:
    Name:
    Address:

For information about using a Site-to-Site VPN connection, see How Site-to-Site VPN works.

Client VPN endpoint

Amazon Client VPN is a managed client-based VPN service that enables you to securely access Amazon resources and resources in your on-premises network. The following shows the architecture for the client VPN service.

Image showing how you can use Amazon Client VPN to connect your LoRa gateway on premises.

To establish a VPN connection to a Client VPN endpoint:

  1. Create a Client VPN endpoint by following the instructions described in Getting started with Amazon Client VPN.

  2. Log in to your on-premises network (for example, a Wi-Fi router) by using the access URL for that router, and find the root name and password.

  3. Set up your LoRaWAN gateway by following the instructions in the gateway's documentation and then add your gateway to Amazon IoT Core for LoRaWAN. For information about how to add your gateway, see Onboard your gateways to Amazon IoT Core for LoRaWAN.

  4. Check whether your gateway's firmware is up to date. If the firmware is out of date, you can follow the instructions provided in the on-premises network to update your gateway's firmware. For more information, see Update gateway firmware using CUPS service with Amazon IoT Core for LoRaWAN.

  5. Check whether OpenVPN has been enabled. If it has been enabled, skip to the next step to configure the OpenVPN client inside the on-premises network. If it hasn't been enabled, follow the instructions in Guide to install OpenVPN for OpenWrt.


    For this example, we use OpenVPN. You can use other VPN clients such as Amazon VPN or Amazon Direct Connect to set up your Client VPN connection.

  6. Configure the OpenVPN client based on the information in the client configuration and the instructions for using the OpenVPN client with LuCI.

  7. SSH to your on-premises network and update the /etc/resolv.conf file by adding the IP address of the inbound resolver in your Amazon Web Services account.

  8. For the gateway traffic to use Amazon PrivateLink to connect to the endpoint, replace the first DNS entry for your gateway with the inbound resolver's IP address.

For information about using a Client VPN connection, see Getting started with Client VPN.
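As an added example (not part of the Amazon documentation), the following POSIX shell functions automate the checks that steps 2 and 3 of the Site-to-Site procedure and steps 7 and 8 of the Client VPN procedure describe: that the gateway's first nameserver is the inbound resolver, and that an nslookup for the LNS or CUPS hostname is answered by that resolver with a private VPC address rather than a public one. The resolver IP and the sample outputs are constructed placeholders, and the parsing assumes the nslookup output layout shown on this page.

```shell
#!/bin/sh
# Checks for the PrivateLink-over-VPN setup: the gateway must send DNS
# queries to the Route 53 inbound resolver, and the LNS/CUPS hostnames
# must resolve to private (VPC) addresses, not public ones.
# RESOLVER_IP is an assumed placeholder for the inbound resolver address.
RESOLVER_IP="10.0.1.50"

# Print the first "nameserver" entry of a resolv.conf file (step 8 says
# this entry must be the inbound resolver).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Return 0 when the resolv.conf at $1 sends queries to the resolver first.
resolv_conf_uses_resolver() {
    [ "$(first_nameserver "$1")" = "$RESOLVER_IP" ]
}

# Return 0 if $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=$(printf '%s' "$1" | cut -d. -f2)
            if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then
                return 0
            fi
            return 1 ;;
    esac
    return 1
}

# Read nslookup output from stdin (format as shown on this page: a
# "Server:" line, then "Address:" lines after "Non-authoritative answer:").
# Return 0 only if the answering server is RESOLVER_IP and every answer
# address is private, i.e. the name resolved to the VPC endpoint.
check_nslookup_output() {
    out=$(cat)
    server=$(printf '%s\n' "$out" | awk '$1 == "Server:" { print $2; exit }')
    [ "$server" = "$RESOLVER_IP" ] || return 1
    answers=$(printf '%s\n' "$out" |
        awk '/^Non-authoritative answer:/ { ans = 1; next }
             ans && $1 == "Address:" { print $2 }')
    [ -n "$answers" ] || return 1
    for ip in $answers; do
        is_private_ipv4 "$ip" || return 1
    done
    return 0
}
```

On the gateway, pipe a live query into the last function, for example `nslookup xxxx.lns.region.iotwireless.iot | check_nslookup_output`, and treat a non-zero exit as "traffic is not using the PrivateLink endpoint".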

Connect to LNS and CUPS VPC endpoints

The following shows how you can test your connection to the LNS and CUPS VPC endpoints.

Test CUPS endpoint

To test your Amazon PrivateLink connection to the CUPS endpoint from your LoRa gateway, run the following command:

    curl -k -v -X POST https://xxxx.cups.region.iotwireless.iot:443/update-info \
        --cacert --cert cups.crt --key cups.key \
        --header "Content-Type: application/json" \
        --data '{ "router": "xxxxxxxxxxxxx", "cupsUri": "", "cupsCredCrc":1234, "tcCredCrc":552384314 }' \
        --output cups.out

Test LNS endpoint

To test your LNS endpoint, first provision a LoRaWAN device that will work with your wireless gateway. You can then add your device and perform the join procedure after which you can start sending uplink messages.