aws EC2 gaming networking openvpn pfsense steam steamlink vmware

Streaming Steam games from Amazon EC2 to Steam Link over OpenVPN tunnel featuring Pfsense and VMware

Posted by Johan on Tuesday, July 3, 2018

Oh have I longed to write this blog post, ever since I bought a Steam Link for myself as a christmas gift I’ve been wanting to make use of it. I’m the kind of person who sometimes (a bit too often) buys stuff first and motivates the purchase later (sometimes with a bit too much infrastructure).

Anyways this blog post was a starting point for me: Revised and much faster, run your own high-end cloud gaming service on EC2!

Back in February I gave it a try but never got it to work, I wasn’t able to ping my local machines from my EC2 machine over my OpenVPN tunnel. This confused me a lot and I left it for a while. Tried again last week and got it to work, the magic was that since I’m running my Pfsense instance in VMWare I had to set my network card in promiscuous mode (yes it’s called that and it means basically that it sends packets everywhere).

After network card was in promiscuous mode everything just worked out, I downloaded a couple of games and when I started a Steam client on my local network it just said that I could start streaming from the Windows machine I had in EC2.

In the blog post above the connection is made from your local machine to EC2 but I’m doing it in the other direction so I’m going to explain that in more detail here. Also since the premade EC2 Gaming AMI is a couple of years old I had to update Windows, Steam and Nvidia drivers but I’ll go through that too.

EC2

These are the steps needed to get the machine up and running in EC2, refer back to the original blog post for details.

  1. Launch the ec2gaming machine in EC2 as a g2.2xlarge spot instance, this is documented in the blog post already. I create a Security Group with full access for my public IP address, you can of course be more restrictive by only allowing RDP.
  2. Connect to the PC (this works even on a Mac with Microsoft Remote Desktop)
  3. Change the password on first login (you don’t have a choice)
  4. Run Windows update (this will download about 1 GB of updates as of July 2018)
  5. Download Nvidia drivers NVIDIA GRID K520/K340 RELEASE 320 from here and upgrade them
  6. Uninstall OpenVPN (from the Start menu) and download a newer version from here. Don’t install OpenVPN Service, it’s not needed.
  7. Now is the time to take a snapshot of the machine since a spot instance is always terminated when you turn it off. You can do this manually from the AWS Console or using the gaming-down.sh script as described no the blog, if using the scripts in the future it’s a good idea to create an IAM user with limited access since the credentials are in clear text in the script.

I’ve created a pretty narrow policy for the IAM user that runs gaming-up.sh and gaming-down.sh

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DeleteSnapshot",
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeSpotPriceHistory",
                "ec2:CancelSpotInstanceRequests",
                "ec2:DeregisterImage",
                "ec2:DescribeInstances",
                "ec2:RequestSpotInstances",
                "ec2:CreateImage",
                "ec2:DescribeSpotInstanceRequests"
            ],
            "Resource": "*"
        }
    ]
}

Pfsense

I’m using Pfsense at home instead of a normal router, it runs in VMWare ESXi (5.1 at the moment but upgrade is coming) and works like a charm. I will not go into details about Pfsense since I assume if you’re reading this you are kind a geek anyways. Follow the steps below to set up a OpenVPN server in Pfsense that your EC2 machine can connect to.

I used the information in this blog post to set up OpenVPN: Create a stretched LAN between your site and vCloud using pfSense

  1. Create the OpenVPN server according to these settings, instead of using screenshots I printed my configuration page as a PDF. Most of it is standard and it’s all described in the blog post about the stretched LAN
  2. Go to Interfaces / Interface Assignments and assign the aws-lan-bridged Network port as OPT1 or whatever name you like
  3. The firewall will probably have created some rules for you OpenVPN server so might not have to create the ones for the inbound traffic (WAN port 1194) but create the other rules as described in the blog post.
  4. Create the Bridge as described (it should consist of LAN and OPT1

That’s what you need on the Pfsense side of things but if you’re like me using VMWare as a hypervisor you will need to do 1 more thing as I found here after serious Googling why I couldn’t reach my internal network from EC2.

Login to your ESXi and from the command line you need to issue a command kind of like this:
esxcli network vswitch standard policy security set –allow-promiscuous=true –vswitch-name=vSwitch0

Assuming your vswitch is named vSwitch0, I only had 1 so it wasn’t that hard but please refer to the VMWare documentation. Your version might differ from mine since I’m on ESXi 5.1.

Connecting

We have an EC2 machine and we have Pfsense OpenVPN server. Now we need a client configuration for the Windows machine and it looks like this:
dev tap persist-key cipher AES-128-CBC auth SHA1

resolv-retry infinite
proto udp
remote YOUR-PFSENSE-HOSTNAME 1194
keepalive 10 60
ping-timer-rem
<secret>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
THIS BLOCK SHOULD BE COPIED FROM
Shared Key
IN THE 
Cryptographic Settings
SECTION OF THE OPENVPN SERVER
CONFIGURATION IN PFSENSE
-----END OpenVPN Static key V1-----
</secret>

Create a file called client.ovpn and on your Windows Server then right-click on the OpenVPN GUI taskbar icon and chose Import file…

Right click the OpenVPN GUI icon again and you should have a menu option client and under that connect. Chose connect and you should be connected to your LAN.

Steam

We left the fun stuff for last, open Steam and login with your credentials and make sure it’s configured for streaming, this is described in the first blog link. On your local network your other Steam client(s) should pick up that there’s a new device available for streaming.

Boot up your Steam Link and enjoy gaming!

Beware of shutting down the streaming server from Steam Link, this will terminate the instance since it’s a Spot Instance.