Configure VPN tunneling with Pfsense On-prem and AWS

March 22, 2023

AWS

The document explains to setup the site-to-site vpn between on-prem pfsense with AWS. you have pfsense firewall in your on-prem and want to connect all of your aws servers in secure method.

Prerequisites for this setup:

  1. AWS site-to-site vpn setup
    • Customer gateway
    • Virtual Private gateway
    • VPN connection
  2. Pfsense firewall
    • Ipsec configuration

Create a Customer Gateway:

  1. Name(optional): Enter the name of the internet gateway relevant to your client name. If you have many customer, it can help you to identify – it is an optional

Ex:

  1. BGB ASN: If you don’t have a public ASN, you can use a private ASN in the range of 64,512–65,534. The default ASN is 65000
  2. IP Address: Enter the ip address of the customer gateway.
  3. Certificate ARN (optional): If you want to use certificate based authentication, provide the ARN of an ACM private certificate that will be used on your customer gateway device.

Sample Config of Customer Gateway:

Create a target gateway, We need a VPN connection between AWS and the on-prem network, for that we should have a target gateway in AWS.

  1. Enter a name for your virtual private gateway (optional).
  2. We can keep the AWS default ASN, or can choose Custom ASN and enter a value. For a 16-bit ASN, the value must be in the 64512 to 65534 range.

Sample config of Virtual Private Gateway

After creating Virtual Private Gateway , attach the VPC. Right click on Virutal Private Gateway and Attach to VPC, Choose your VPC, Create VPN Connection

A Site-to-Site VPN connection offers two VPN tunnels between a virtual private gateway on the AWS side, and a customer gateway on the pfsense end.

  1. Name: enter a name for your Site-to-Site VPN connection. Doing so creates a tag with a key of Name and the value that you specify
  2. Target gateway type: Choose the virtual gateway that you created earlier.
  3. Customer gateway type: select Existing, then choose the customer gateway that you created earlier from the drop-down list under Customer gateway ID.
  4. Routing options: Choose Static , Local IPv4 network CIDR – optional , Remote IPv4 network CIDR – optional will be default – 0.0.0.0/0
  5. Finally Click Create VPN Connection.

Pfsense configuration:

After creating the site-to-site VPN connection, select your VPN connection and download configuration:

For Vendor and Platform choose pfSense. For Software, choose pfsense 2.2.5+(GUI). Click on Download

Download the file and it has all the configuration details.

Pfsense Setup:

Login into the Pfsense , go to VPN → IPSec

Click on Add P1

As per the downloadable file, enter the informations and save it

Add Phase 2 entries

Check the status of IPSec

Firewall configuration in Pfsense:

  1. We need to create the firewall rule for Allow the VPC network in the pfsense to the local network
  2. Goto Firewal → Rules → IPSec
  3. Click Add
  4. Allow any traffic from IPSec network

Save the configurations.

Firewall rules in AWS:

  1. To allow the traffic from pfsense to your vpc.
  2. Go to AWS Console → VPC → Security Groups
  3. Select your security group and inbound edit , allow all traffic for pfsense network

Route table:

  1. Configure the routing the traffic between the VPC from pfsense
  2. On Routes propagation , edit route propagation and add the virtual private gateway
  3. Add the pfsense network on add the routes option
  4. Enter the pfsense network in Add destination
  5. Enter Virtual private gateway in Target
  6. Save the propagation.

Verify the setup:

  1. Ssh into any of your instance with private ip.
  2. Configure Gateway failover in Pfsense

Author:

This blog post is written by Geetha S, our DevOps Lead.