DEV Community

Michael Wahl for AWS Community Builders

Configure AWS Site to Site VPN with on-premise Firewall using pfSense

This may end up being a multi-part tutorial and walkthrough; I will see how this goes and where I end up.

As the title says, I will be using pfSense, running virtually, to securely connect to a virtual private cloud and a virtual server instance running in AWS. There are many great articles and videos out there, but I wasn't able to find anything that was complete and covered some of the issues I ran into along the way.

Not everything I cover here will be required, but it may be helpful, as I sometimes run into some unique situations.

pfSense

Download the latest stable version from https://www.pfsense.org/download/ and verify the SHA256 checksum published alongside the image before installing it.

One of the cool things about running pfSense is that you can run it on pretty much anything. In my specific case, I am running it on macOS with an Apple M1 processor. Using UTM, we can run the amd64 (x86-64) build of pfSense on the M1; UTM emulates the x86-64 CPU with QEMU rather than virtualizing it, so throughput is lower than a native VM, which is fine for a lab.

For my setup, I ended up with three interfaces. When I created the pfSense instance within UTM, I used a single network interface running in bridged mode. With only one virtual NIC, the additional interfaces come from the VLAN assignments shown below.

Interfaces

Interface Assignments

PrivateWAN is the interface (endpoint) that communicates with the AWS VPN endpoints. LAN is my on-premises private subnet. HASync is used with a second, HA-paired pfSense virtual server instance, which is also running on UTM.

VLANs

Firewall Rules

Allowing traffic to flow over the PRIVATEWAN to the AWS VPC private subnet. Note that pfSense automatically adds the IKE (UDP 500), NAT-T (UDP 4500) and ESP pass rules for each Phase 1 on the interface it is bound to, unless "Disable Auto-added VPN rules" is set under System > Advanced > Firewall & NAT, so the IPsec protocol itself does not need hand-written rules here.

Allowing ICMP to flow over IPsec from the AWS VPC private subnet back to the LAN. Rules for traffic arriving through the tunnel go on the IPsec tab under Firewall > Rules; pfSense is stateful, so replies to sessions started from the LAN already match state and need no rule on this tab.

VPN Tunnels

When you build a Site-to-Site VPN in AWS, AWS sets up and configures two tunnels, each terminating on a different AWS endpoint address for redundancy. You will have the option to download the VPN configuration, selecting pfSense as the platform used on the on-premises side. The downloaded file contains the pre-shared keys for both tunnels in clear text, so handle it as a secret.

Tunnel Phase 1 Config Sample

Phase 2 Config Sample

The Phase 2 Local Network is the on-premises LAN (192.168.86.0/24 here) and the Remote Network the VPC CIDR (10.10.0.0/16). With policy-based IPsec, traffic that does not fall inside a Phase 2 pair is never sent into the tunnel, so mismatched selectors look like a firewall problem when they are really a routing one.

AWS VPC-VPN

VPC

-VPC will be 10.10.0.0/16
-VPC private subnet will be 10.10.11.0/24 - us-east-1a
-VPC public subnet will be 10.10.20.0/24 - us-east-1a
-VPC private subnet will use a separate private route table for this pfSense project; the route toward the on-premises LAN belongs here
-VPC public subnet will use a separate public route table for this pfSense project
-Outbound Internet traffic from the private subnet goes through an AWS NAT gateway
-For testing only, the EC2 server's security group allows all ports/protocols from 192.168.86.0/24 (on-premises LAN) and 44.44.44.44/32 (example WAN or public IP address for on-premises); tighten this to the ports you actually need once the tunnel works
-Allocated Elastic IP, associated with the NAT gateway for public internet access

AWS VPN

  1. Create a new customer gateway: give it a name, BGP ASN 65000, type ipsec.1, and for the IP address use the on-premises public IP that the AWS VPN will connect to (44.44.44.44 in this example). If pfSense itself has a private address and sits behind a NAT device, this is still the NAT's public address; the tunnel then runs NAT-T on UDP 4500, and pfSense should be the side that initiates so the NAT mapping is created outbound.

  2. Create a new virtual private gateway: type ipsec.1, Amazon ASN 64512 (the default), and select the VPC to attach it to. In my environment, I created a new, separate VPC for this project.

  3. Create a new VPN connection: specify the VPC, target gateway type virtual private gateway, customer gateway existing, then download the configuration, selecting pfSense and the IKE version. With static routing, also add the on-premises LAN CIDR (192.168.86.0/24) as a static route on the VPN connection and enable route propagation from the virtual private gateway on the private subnet's route table; without that, AWS has no route back to the LAN.
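The same console steps as an added example, not part of the original post and not the author's code: the AWS-side resources created through boto3's EC2 client API, followed by the static route for the on-premises LAN and route propagation into the private subnet's route table. `vpc-0example` and `rtb-0example` are placeholder IDs, and `FakeEC2` is a constructed stand-in that records calls so the script runs offline; pass a real `boto3.client("ec2", region_name="us-east-1")` to create the resources for real.

```python
"""Provision the AWS side of a static-route Site-to-Site VPN via the EC2 API.

Added example (not from the original post). The client is injected so the
function can be exercised offline with the constructed FakeEC2 below.
"""

ONPREM_PUBLIC_IP = "44.44.44.44"      # example public IP from the post
ONPREM_LAN_CIDR = "192.168.86.0/24"   # on-premises LAN from the post
CUSTOMER_ASN = 65000                  # customer gateway ASN from the post
AMAZON_ASN = 64512                    # AWS-side default ASN from the post


def provision_site_to_site_vpn(ec2, vpc_id, private_route_table_id,
                               public_ip=ONPREM_PUBLIC_IP,
                               onprem_cidr=ONPREM_LAN_CIDR):
    """Create CGW, VGW and VPN connection; return their IDs.

    Static routing is used (no BGP on pfSense), so the on-prem CIDR must be
    added as a static route on the VPN connection, or AWS never sends VPC
    traffic back through the tunnel.
    """
    cgw = ec2.create_customer_gateway(
        Type="ipsec.1", PublicIp=public_ip, BgpAsn=CUSTOMER_ASN,
    )["CustomerGateway"]["CustomerGatewayId"]

    vgw = ec2.create_vpn_gateway(
        Type="ipsec.1", AmazonSideAsn=AMAZON_ASN,
    )["VpnGateway"]["VpnGatewayId"]

    # A VGW routes nothing until it is attached to a VPC.
    ec2.attach_vpn_gateway(VpnGatewayId=vgw, VpcId=vpc_id)

    vpn = ec2.create_vpn_connection(
        Type="ipsec.1", CustomerGatewayId=cgw, VpnGatewayId=vgw,
        Options={"StaticRoutesOnly": True},
    )["VpnConnection"]["VpnConnectionId"]

    # Tell AWS which prefix lives behind pfSense.
    ec2.create_vpn_connection_route(
        VpnConnectionId=vpn, DestinationCidrBlock=onprem_cidr,
    )

    # Let the VGW inject that prefix into the private subnet's route table
    # instead of maintaining the route by hand.
    ec2.enable_vgw_route_propagation(
        RouteTableId=private_route_table_id, GatewayId=vgw,
    )

    return {"customer_gateway": cgw, "vpn_gateway": vgw, "vpn_connection": vpn}


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: records every call and
    returns the minimal response shape each real API returns."""

    _responses = {
        "create_customer_gateway": {"CustomerGateway": {"CustomerGatewayId": "cgw-0fake"}},
        "create_vpn_gateway": {"VpnGateway": {"VpnGatewayId": "vgw-0fake"}},
        "create_vpn_connection": {"VpnConnection": {"VpnConnectionId": "vpn-0fake"}},
    }

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self._responses.get(name, {})
        return call


if __name__ == "__main__":
    fake = FakeEC2()
    ids = provision_site_to_site_vpn(fake, "vpc-0example", "rtb-0example")
    for name, kwargs in fake.calls:
        print(name, kwargs)
    print(ids)
```

The real create_vpn_connection response also carries CustomerGatewayConfiguration, the same XML the console offers for download, pre-shared keys included, so do not log the raw response.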

pfSense

Use the downloaded AWS VPN configuration to add the two IPsec tunnels in pfSense under VPN > IPsec; it supplies the Phase 1 and Phase 2 entries for each tunnel, including the peer address, pre-shared key and proposals.

If all goes well, you will be able to select Connect P1 and P2 under Status > IPsec and see the tunnel(s) come up and connect successfully. The AWS console reports a tunnel as UP once the IPsec SA is established on its side.

On-Premise Information/Considerations

-Public IP example will be 44.44.44.44/32
-On-Premise LAN IP subnet example 192.168.86.0/24

Adding a static route

I needed to add a static route on my macOS host to be able to access my virtual servers running in an AWS VPC.

10.10.11.0/24 is the private subnet within my AWS VPC; 192.168.80.227 is the LAN-side address of the pfSense virtual server instance, which becomes the next hop for that subnet.

sudo route -n add -net 10.10.11.0/24 192.168.80.227

A route added with route(8) is not persistent and is gone after a reboot. If more than one on-premises host needs to reach the VPC, add the same route on the LAN's default gateway instead, so every host picks it up without per-machine changes.

Other Thoughts

You may decide to allow only traffic initiated from on-premises, such as secure remote access to an AWS EC2 server instance, without letting the EC2 instance open connections to on-premises servers. Or maybe, as in my case, I only wanted to allow ICMP traffic from the AWS VPC over the VPN back to the on-prem private LAN subnet.

No problem: this can be done on the AWS side with security groups and/or NACLs, and on the pfSense side under Firewall > Rules on the IPsec tab. It can be a little confusing when you start; just remember where you are coming from (the source), where you are trying to end up (the destination), over which ports, and which side initiates. The detail that trips people up is state: pfSense rules and security groups are stateful, so allowing a session in one direction also admits its replies, while NACLs are stateless and need an explicit rule for the return traffic on ephemeral ports.
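Getting the direction right is easier to check than to reason about, so here is an added example (not from the original post; the rule sets are assumed for illustration, not copied from the author's screenshots) that models the two kinds of filter discussed here and in the ICMP rule above: stateful pfSense rules on the LAN and IPsec tabs, and a stateless VPC NACL. It runs four constructed flows between the post's 192.168.86.0/24 LAN and 10.10.11.0/24 subnet through each filter.

```python
"""Added example (not from the original post): which way do the rules face?

Stateful pfSense (LAN tab + IPsec tab) versus a stateless VPC NACL, run
over constructed flows between the on-prem LAN and the VPC private subnet.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.86.0/24")     # on-premises LAN (from the post)
VPC_PRIV = ipaddress.ip_network("10.10.11.0/24")  # VPC private subnet (from the post)
ALL_PORTS = range(0, 65536)
EPHEMERAL = range(1024, 65536)   # return-traffic range a NACL must allow explicitly


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int = 0   # 0 for icmp
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dports: range = ALL_PORTS

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and p.dport in self.dports)


def first_match(rules, p):
    """Top-down first match with an implicit default deny, as on a pfSense tab."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


class PfSense:
    """Stateful: rules are evaluated on the ingress interface only, and a passed
    packet creates a state entry that the reply flow matches without consulting
    any rule set. The ingress interface is derived from the source address."""

    def __init__(self, lan_rules, ipsec_rules):
        self.tabs = {"LAN": lan_rules, "IPsec": ipsec_rules}
        self.states = set()

    def check(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return "pass"
        tab = "LAN" if ipaddress.ip_address(p.src) in LAN else "IPsec"
        if first_match(self.tabs[tab], p) == "pass":
            self.states.add(fwd)
            return "pass"
        return "block"


class NACL:
    """Stateless: every packet, replies included, is judged on its own, so the
    return half of an allowed session needs its own rule on ephemeral ports."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def check(self, p):
        entering = ipaddress.ip_address(p.dst) in VPC_PRIV   # into the subnet?
        return first_match(self.inbound if entering else self.outbound, p)


def demo():
    """Run four constructed flows through each filter; returns {flow: {filter: verdict}}."""
    flows = {
        "ssh_out":   Pkt("192.168.86.10", "10.10.11.5", "tcp", 50000, 22),  # LAN -> EC2
        "ssh_reply": Pkt("10.10.11.5", "192.168.86.10", "tcp", 22, 50000),  # EC2 answers
        "ping_in":   Pkt("10.10.11.5", "192.168.86.10", "icmp"),            # EC2 pings LAN
        "ssh_in":    Pkt("10.10.11.5", "192.168.86.10", "tcp", 40000, 22),  # EC2 -> LAN ssh
    }
    pf = PfSense(
        lan_rules=[Rule("pass", LAN, VPC_PRIV)],             # LAN tab: anything to the VPC
        ipsec_rules=[Rule("pass", VPC_PRIV, LAN, "icmp")],   # IPsec tab: only ICMP back in
    )
    nacl = NACL(
        inbound=[Rule("pass", LAN, VPC_PRIV, "tcp", range(22, 23)),
                 Rule("pass", LAN, VPC_PRIV, "icmp")],                 # echo replies to EC2
        outbound=[Rule("pass", VPC_PRIV, LAN, "tcp", EPHEMERAL),      # ssh replies only
                  Rule("pass", VPC_PRIV, LAN, "icmp")],
    )
    naive = NACL(                                            # the tempting "allow all"
        inbound=[Rule("pass", LAN, VPC_PRIV)],
        outbound=[Rule("pass", VPC_PRIV, LAN)],
    )
    return {name: {"pfsense": pf.check(p), "nacl": nacl.check(p), "naive_nacl": naive.check(p)}
            for name, p in flows.items()}


if __name__ == "__main__":
    for flow, verdicts in demo().items():
        print(f"{flow:10s} {verdicts}")
```

The naive NACL shows the trap: an "allow all" outbound rule added so that replies work also lets the instance open new SSH sessions into the LAN, whereas the ephemeral-port rule passes the replies and still blocks EC2-initiated connections. Security groups are stateful like pfSense and do not have this problem; the NACL model ignores rule numbers and explicit deny entries for brevity.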
