L3 SSH Site-to-Site tunnel - hacky approach

We will be creating an SSH tunnel between an AWS VPC and a local LAB. We need two Linux VMs to begin with: one in our VPC and one in the LAB.

VM A will be in the LAB
VM B will be in AWS VPC

We will be using the standard SSH client to establish the tunnel, and we will make some changes to the routing tables on both machines. We will also modify the firewall rules on VM A and add a masquerade rule that rewrites IP headers in flight, replacing AWS VPC source addresses with VM A's address for all packets being routed into the LAB.

1) We establish the tunnel first from VM A with the following command: screen ssh -w any root@10.251.21.87 (there is a reason why we are using 'screen' here)
2) We can modify the firewall rules on VM A at this stage as well: iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
3) We need to add a new static route to forward all traffic to VM B via the local gateway in the LAB: ip r a 10.251.21.87 via 10.216.252.1 (this has to be added on VM A)
4) Make sure IPv4 forwarding is enabled on both machines
5) After establishing the SSH tunnel we configure IP addresses on the new 'tunX' interfaces that SSH created automatically and bring them up: ip a a 10.5.5.1 peer 10.5.5.2 dev tun0 && ip l set tun0 up (this is the VM A side; VM B gets the mirror image, 10.5.5.2 peer 10.5.5.1, which is what the routes in the next two steps point at)
6) We need to add one more static route to the AWS VPC subnet from VM A via the new tun0 interface: ip r a 10.251.21.80/28 via 10.5.5.2
7) Now we need to add new static routes to the LAB VLANs on VM B via tun0: ip r a 10.216.254.0/24 via 10.5.5.1
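
As an added example (not part of the original note), here is a POSIX shell pre-flight script that checks a VM's state against the steps above by parsing the output of sshd_config, ip route show, iptables -t nat -S POSTROUTING and /proc/sys/net/ipv4/ip_forward; the interface name ens160 and the addresses are the ones used in the steps, and the sample outputs are constructed. It also encodes the requirement step 1 silently depends on: sshd on VM B must have PermitTunnel set to yes or point-to-point (OpenSSH defaults to no), otherwise ssh -w any creates no tun interfaces.

```shell
#!/bin/sh
# Pre-flight checks for the SSH layer-3 tunnel procedure above (added example).
# Every checker reads command output from stdin, so it runs against live output
# ("ip route show | route_present ...") or against captured text.

# Step 1 needs sshd on VM B to allow layer-3 tunnels. OpenSSH honours the FIRST
# PermitTunnel directive it reads and defaults to "no"; "ethernet" is layer 2 only.
sshd_permits_l3_tunnel() {           # stdin: sshd_config text
  case "$(awk 'tolower($1)=="permittunnel" {print tolower($2); exit}')" in
    yes|point-to-point) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 4: /proc/sys/net/ipv4/ip_forward must read 1 on both VMs.
forwarding_enabled() {               # stdin: contents of ip_forward
  [ "$(tr -d '[:space:]')" = "1" ]
}

# Step 2: a MASQUERADE rule for traffic leaving via interface $1 exists.
masquerade_present() {               # $1=egress interface, stdin: iptables -t nat -S POSTROUTING
  grep -qE "^-A POSTROUTING .*-o $1 .*-j MASQUERADE\$"
}

# Steps 3, 6, 7: a route to destination $1 via gateway $2 exists.
route_present() {                    # $1=destination, $2=gateway, stdin: ip route show
  awk -v dst="$1" -v gw="$2" \
    '$1==dst { for (i=2; i<NF; i++) if ($i=="via" && $(i+1)==gw) ok=1 } END { exit !ok }'
}

# Constructed samples of what VM A should show after steps 2, 3 and 6.
SAMPLE_ROUTES_VM_A='default via 10.216.252.1 dev ens160
10.5.5.2 dev tun0 proto kernel scope link src 10.5.5.1
10.216.252.0/24 dev ens160 proto kernel scope link src 10.216.252.10
10.251.21.80/28 via 10.5.5.2 dev tun0
10.251.21.87 via 10.216.252.1 dev ens160'
SAMPLE_NAT_VM_A='-P POSTROUTING ACCEPT
-A POSTROUTING -o ens160 -j MASQUERADE'

# Checks the VM A side from the three outputs; prints the first missing step and returns 1.
vm_a_ready() {                       # $1=ip route show, $2=nat rules, $3=ip_forward
  printf '%s\n' "$1" | route_present 10.251.21.87 10.216.252.1 \
    || { echo "step 3: no route to VM B via the LAB gateway"; return 1; }
  printf '%s\n' "$1" | route_present 10.251.21.80/28 10.5.5.2 \
    || { echo "step 6: no route to the VPC subnet via tun0"; return 1; }
  printf '%s\n' "$2" | masquerade_present ens160 \
    || { echo "step 2: no MASQUERADE rule on ens160"; return 1; }
  printf '%s\n' "$3" | forwarding_enabled \
    || { echo "step 4: IPv4 forwarding is off"; return 1; }
}
```

On a live VM A run it as vm_a_ready "$(ip route show)" "$(iptables -t nat -S POSTROUTING)" "$(cat /proc/sys/net/ipv4/ip_forward)"; on VM B feed sshd_config to sshd_permits_l3_tunnel before attempting step 1.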

All credits to Bohdan Sydor :-)