DEV Community

Michael Wahl for AWS Community Builders

Configure AWS Site to Site VPN with on-premise Firewall using pfSense

This may end up being a multi-part tutorial and walkthrough; I will see how it goes and where I end up.

As the title says, I will be using pfSense, running virtually, to securely connect to a virtual private cloud and a virtual server instance running in AWS. There are many great articles and videos out there, but I wasn't able to find anything that was complete and covered some of the issues I ran into along the way.

Not everything I cover here will be required, but it may be helpful, as I sometimes run into unique situations.


Download the latest stable version from

One of the cool things about running pfSense is that you can run it on pretty much anything. In my specific case, I am running on macOS with an Apple M1 processor. Using UTM, we can simply run the amd64 (64-bit) build of pfSense on the M1 processor.

For my setup, I ended up with three interfaces. When I created the pfSense instance within UTM, I used a single network interface running in bridged mode.


Interface Assignments

The PrivateWAN interface is my endpoint that communicates with the AWS VPN endpoint. LAN is my on-premises private subnet. HASync is used with a second HA pfSense virtual server instance, which is also running on UTM.



Firewall Rules

Allowing traffic to flow over the PRIVATEWAN to the AWS VPC private subnet

Allowing ICMP to flow over the IPsec interface from the AWS VPC private subnet back to the LAN

VPN Tunnels

When we build a site-to-site VPN in AWS, two tunnels are set up and configured by AWS. You will have the option to download the VPN configuration, selecting pfSense as the platform used on the on-premises side.

Tunnel Phase 1 Config Sample

Phase 2 Config Sample

-VPC will be
-VPC private subnet will be - us-east-1a
-VPC public subnet will be - us-east-1a
-VPC private subnet will use a separate public route table for pfsense
-VPC public subnet will use a separate private route table for pfsense
-Outbound Internet traffic goes through an AWS NAT gateway
-For testing only, the EC2 server security group allows all ports/protocols from (on-premises LAN) and (example WAN or public IP address for on-premises)
-Allocated an Elastic IP, associated with the NAT gateway for public internet access.

  1. Create a new customer gateway: a name, BGP ASN 65000, type ipsec.1, and for the IP address, the on-premises source public IP from which you will connect to the AWS VPN.

  2. Create a new virtual private gateway: the type is ipsec.1, the Amazon ASN is 64512, and you select the VPC. In my environment, I created a new, separate VPC for this project.

  3. Create a new VPN connection, specifying the VPC, the target gateway type as virtual private gateway, and the customer gateway as existing. Then download the configuration, selecting pfSense and the IKE version.


With the AWS VPN configuration downloaded, this information is used within pfSense to add the two IPsec tunnels, including the phase 1 and phase 2 entries.

If all goes well, you will be able to select connect for P1 and P2 and see the tunnel(s) come up and connect successfully.
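The three steps above as AWS CLI calls, followed by the tunnel-status check, written as an added example (not the post's own commands): it assumes static routing on the VPN connection and uses labelled placeholder values for the on-premises public IP, the LAN subnet and the VPC ID.

```shell
# Added example, not code from the original post: steps 1-3 above as AWS CLI calls, plus the
# tunnel-status check. Placeholders to replace: ON_PREM_PUBLIC_IP, ON_PREM_LAN_CIDR, VPC_ID.
# Assumed: static routing on the VPN connection, and AWS credentials/region already configured.
# With DRY_RUN=1 each command is printed instead of executed, so the calls can be reviewed first.
set -eu

ON_PREM_PUBLIC_IP="${ON_PREM_PUBLIC_IP:-203.0.113.10}"   # placeholder (RFC 5737 documentation range)
ON_PREM_LAN_CIDR="${ON_PREM_LAN_CIDR:-192.168.50.0/24}"  # placeholder on-premises LAN subnet
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"                      # VPC that gets the virtual private gateway
DRY_RUN="${DRY_RUN:-0}"

# Execute an AWS CLI call, or only print it when DRY_RUN=1.
aws_call() {
  if [ "$DRY_RUN" = "1" ]; then printf 'aws %s\n' "$*"; else aws "$@"; fi
}

# Step 1: customer gateway = the on-premises pfSense public IP, BGP ASN 65000, type ipsec.1.
create_customer_gateway() {
  aws_call ec2 create-customer-gateway --type ipsec.1 --bgp-asn 65000 \
    --public-ip "$ON_PREM_PUBLIC_IP" --query CustomerGateway.CustomerGatewayId --output text
}

# Step 2: virtual private gateway with Amazon-side ASN 64512, then attach it to the VPC.
create_vpn_gateway() {
  aws_call ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn 64512 \
    --query VpnGateway.VpnGatewayId --output text
}
attach_vpn_gateway() {  # $1 = vgw id
  aws_call ec2 attach-vpn-gateway --vpn-gateway-id "$1" --vpc-id "$VPC_ID"
}

# Step 3: the VPN connection (AWS creates both tunnels) and the static route back to the LAN.
create_vpn_connection() {  # $1 = cgw id, $2 = vgw id
  aws_call ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$1" \
    --vpn-gateway-id "$2" --options StaticRoutesOnly=true --query VpnConnection.VpnConnectionId --output text
}
add_lan_route() {  # $1 = vpn connection id
  aws_call ec2 create-vpn-connection-route --vpn-connection-id "$1" --destination-cidr-block "$ON_PREM_LAN_CIDR"
}

# Check: outside IP and UP/DOWN status of each tunnel as seen from the AWS side.
tunnel_status() {  # $1 = vpn connection id
  aws_call ec2 describe-vpn-connections --vpn-connection-ids "$1" \
    --query 'VpnConnections[0].VgwTelemetry[].[OutsideIpAddress,Status]' --output text
}

if [ "${1:-}" = "run" ]; then  # wire the steps together only when invoked as: sh script.sh run
  CGW=$(create_customer_gateway); VGW=$(create_vpn_gateway); attach_vpn_gateway "$VGW" >/dev/null
  VPN=$(create_vpn_connection "$CGW" "$VGW"); add_lan_route "$VPN" >/dev/null; tunnel_status "$VPN"
fi
```

Run it once with DRY_RUN=1 to read the exact calls, then without it; the last line of output is the per-tunnel status that should match what pfSense shows after you connect P1 and P2.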

On-Premise Information/Considerations

-Public IP example will be
-On-Premise LAN IP subnet example

Adding a static route

I needed to add a static route on my macOS host to be able to reach my virtual servers running in the AWS VPC. The first subnet below is a private subnet within my AWS VPC; the second is the private LAN subnet where I am running my pfSense virtual server instance (the original values are not included here, so both are shown as placeholders).

sudo route -n add -net <VPC_PRIVATE_SUBNET_CIDR> <PFSENSE_LAN_IP>

Other Thoughts

You may decide to allow traffic originating on-premises only, such as secure remote access to an AWS EC2 server instance, while not wanting the EC2 instance to be able to communicate with on-premises servers. Or maybe, as in my case, you only want to allow ICMP traffic from the AWS VPC over the VPN back to the on-prem private LAN subnet.

No problem; this can be done in the AWS VPC using NACLs and/or within pfSense under the firewall rules for IPsec. It might be a little confusing when you start; just remember where you are coming from as a source, where you are trying to end up as a destination, and over what ports.