This may end up being a multi-part tutorial and walkthrough, I will see how this goes and where I end up.
As the title says, I will be using pfsense, running virtually to securely connect to a virtual private cloud and virtual server instance running in AWS. There are many great articles and videos out there, but I wasn't able to find anything which was complete and covered some of the issues I ran into along the way.
Not everything I cover here will be required, but may be helpful as I sometimes run into or have some unique situations.
Download the latest stable version from https://www.pfsense.org/download/
One of the cool things about running pfsense is you can run it on pretty much anything. In my specific case, I am running on MacOS with an Apple M1 process. Using UTM, we can simply run the AMD64 bit version of pfsense on the M1 processor.
For my setup, I ended up with three interfaces. When I created the pfsense instance within UTM, I used a single network interface running in bridged mode.
The PrivateWAN is my interface or endpoint which communicates with the AWS VPN endpoint. LAN is my on-premise private subnet, HASync is used with a second HA pfsense virtual server instance which is also running on UTM.
Allowing traffic to flow over the PRIVATEWAN to the AWS VPC private subnet
Allowing ICMP to flow over the IPsec from the AWS VPC private subnet back to LAN
When we build a site to site VPN within AWS, two tunnels will be setup and configured by AWS, you will have an option to download the VPN config, selecting pfsense as the type of platform used on for the on-premise side.
Tunnel Phase 1 Config Sample
Phase 2 Config Sample
-VPC will be 10.10.0.0/16
-VPC private subnet will be 10.10.11.0/24 - us-east-1a
-VPC public subnet will be 10.10.20.0/24 - us-east-1a
-VPC private subnet will use a separate public route table for pfsense
-VPC public subnet will use a separate private route table for pfsense
-Outbound Internet traffic goes through an AWS nat gateway
-For testing only, EC2 Server Security group allows all ports/protocols from 192.168.86.0/24 (On-Premise LAN) and 220.127.116.11/32 (example WAN or public IP address for on-premises)
-Allocated Elastic IP, associated with nat gateway instance for public internet access.
Create a new customer gateway. Name, BGP ASN 65000, type ipsec.1, for IP address that is the on-premise source public IP you will be connecting the AWS VPN to.
Create a new virtual private gateway, the type is ipsec.1, the Amazon ASN is 64512, the VPC will be for you to select, in my environment, i created a new separate VPC for this project.
Create a new VPN connection, specifying the VPC, target gateway type as virtual private gateway, customer gateway as existing, download the configuration select pfsense and IKE version.
With the downloaded AWS VPN configuration downloaded, this information is used within pfsense to add the two IPsec Tunnels. This includes the phase 1 and phase 2 entries.
If all goes well, you be able to select connect p1 and p2 and see the tunnel(s) come up and connect successfully.
-Public IP example will be 18.104.22.168/32
-On-Premise LAN IP subnet example 192.168.86.0/24
Adding a static route
I needed to add a static route on my MacOS to be able to access my virtual servers running in an AWS VPC.
10.10.11.0/24 is a private subnet within my AWS VPC, 192.168.80.227 is a private LAN subnet where I am running my pfsense virtual server instance.
sudo route -n add -net 10.10.11.0/24 192.168.80.227
You may decide to only allow traffic from on-premises only, such as a secure remote access to an AWS EC2 server instance. However, you dont want the AWS EC2 server instance to be able to communicate with on-premise servers. Or maybe, like in my case I only wanted to allow ICMP traffic from the AWS VPC over the VPN back to the on-prem private LAN subnet.
No problem, this can be with AWS VPC using NACLs and or within pfsense under the firewall rules for IPsec. It might be a little confusing when you start, just remember where you are coming from as a source, and where you trying to end up as a destination and over what ports.