It's about time we get our hands dirty and establish our Site to Site VPN between pfSense and AWS VPC. This tutorial will be a long one, as we go through every single step that gets us up and running and leaves no questions open for you! It specifically covers AWS Scenario 4: VPC with a Private Subnet Only and Hardware VPN Access.
For a quick reminder, we want to achieve this:
You can also check out this post where I talk about the concept.
So without further ado, let's get started.
You might wonder, we use a Wizard on Ceos3c?! Yes. This time we do use a Wizard because it saves us a few steps along the way and AWS is doing a pretty damn good job setting it all up for us. But don't worry, there will be enough manual labor to satisfy your technolust 😉
Part 1 Create a new VPC using the VPC Wizard
1.1 - Log in to your AWS Account and go to your VPC Dashboard - Click on Start VPC Wizard
1.2 VPC Configuration - Select VPC with a Private Subnet Only and Hardware VPN Access - Click Select
This choice, of course, depends on what you need. I just need access to a Private Subnet without Internet access; you can later attach a NAT Gateway to the private subnet if your instances need outbound Internet. This tutorial covers that scenario.
1.3 VPC Configuration - Choose an IPv4 CIDR block. That's the address range your VPC will be built on. Pick one that does not overlap with your internal company network, otherwise routing between the two will not work. - Enter a VPC Name - Choose an Availability Zone to your liking - Click Next
1.4 VPN Configuration - Enter the Customer Gateway IP: that's the public static IP of your pfSense firewall (its WAN address). - Enter a Customer Gateway Name - Enter a VPN Connection Name - Set the routing type to Static - Enter the CIDR of YOUR COMPANY'S INTERNAL NETWORK, i.e. the internal network you are working from RIGHT NOW. This becomes the static route AWS sends into the tunnel. - Finally hit Create VPC
1.5 Success!
So what did we just achieve? We just created a new VPC and already got our VPN Connection, Virtual Private Gateway, and Customer Gateway set up! Fantastic. Thank you, mighty Wizard!
Part 2 Downloading the VPN configuration
2.1 Download the VPN configuration - Navigate to your VPC Dashboard and select Site-to-Site VPN Connections on the bottom - Make sure to select the correct connection and hit Download Configuration
2.2 Downloading the VPN configuration - Vendor: pfSense - Platform: pfSense - Software: pfSense 2.2.5+(GUI) - Hit: Yes Download
At the time of writing this tutorial, pfSense 2.3.3 is the newest release and this worked fine with it.
Part 3 Adjusting the Route Table
Now we need to adjust our VPC Route Table, so we make sure that we have a route between our VPC Subnet and our Internal Company Subnet.
3.1 Adjusting the Route Table - Again on your VPC Dashboard select Route Tables - Make sure to choose the correct VPC - Click on Routes on the bottom - Click on Edit
3.2 Adjusting the Route Table - Click on Add another route - Enter your COMPANY'S INTERNAL SUBNET ADDRESS (the network you are working from RIGHT NOW) - As target choose your Virtual Private Gateway, it will automatically show up - Click on Save
Part 4 Site to Site VPN between pfSense and AWS VPC tunnel configuration
Now it's time to configure our pfSense side. Head over to pfSense and navigate to VPN / IPsec / Tunnels
4.1 pfSense IPSec Tunnel configuration - Navigate to VPN / IPsec / Tunnels - Click on Add P1
Remember the file we downloaded earlier from the VPN connection we created on our VPC? Open it.
Amazon basically tells you how to configure your IPsec tunnel step by step in this document.
4.2 pfSense IPsec Tunnel configuration - Make sure to choose your WAN Interface with the static IP on it - Fill in Phase 1 according to your VPN document from AWS: IKE version, remote gateway, authentication method, the pre-shared key AWS generated (paste it exactly as it appears in the document), encryption algorithm, hash, DH group and lifetime
4.3 pfSense IPsec Tunnel configuration - After all is saved, expand Show Phase2 Entries (0)
4.4 pfSense IPsec Tunnel configuration - Click on Add P2
4.5 pfSense IPsec Tunnel configuration - Scroll down to Phase 2 in your VPN Document and fill in accordingly - Local Network: obviously your LAN Subnet - Remote Network: the Subnet of your VPC - Description: whatever you want, or use the one provided in the Doc - Protocol: ESP - Encryption Algorithm: AES / 128 bits - Hash Algorithm: SHA1 - PFS key group: 2 - Hit Save
4.6 pfSense IPsec Tunnel configuration - Head to VPN / IPsec / Advanced Settings
4.7 pfSense IPsec Tunnel configuration - Check on: Enable Maximum MSS - Enter the value: 1387
The reason for clamping the MSS: every TCP segment gets wrapped in an outer IP header, ESP header, IV, padding and ICV before it leaves the WAN, so a full-size 1460-byte segment would no longer fit a 1500-byte path and would have to be fragmented (or, with Don't Fragment set, be dropped). 1387 keeps the encrypted packet under 1500 bytes with the AES-128/SHA1 proposal used here, and it has proven a reliable value for the connection between pfSense and AWS.
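To show where a value like 1387 comes from, here is an added worked example (not code from the original tutorial, pfSense or AWS) that computes the MSS clamp from the ESP tunnel-mode overhead. It goes beyond the single number in the text: it also shows the exact alignment-dependent maximum and what happens when NAT traversal adds a UDP header. The header sizes are the standard ones for ESP with AES-128-CBC and HMAC-SHA1-96 over IPv4; the 1500-byte MTU is an assumption about the WAN path.

```python
# Added worked example for this tutorial, not part of the original post or of
# pfSense/AWS: derive a TCP MSS clamp for an IPsec ESP tunnel so that the
# encrypted packet still fits the path MTU. Header sizes are the standard ones
# for the Phase 2 proposal used above (ESP, AES-128-CBC, HMAC-SHA1-96) in IPv4
# tunnel mode; a 1500-byte WAN MTU is assumed.

IPV4_HEADER = 20    # outer (and inner) IPv4 header without options
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted part
NAT_T_UDP = 8       # extra UDP header when NAT traversal (UDP encapsulation) is on
TCP_HEADER = 20     # TCP header without options


def esp_overhead(iv_len=16, icv_len=12, nat_t=False):
    """Fixed ESP tunnel-mode overhead in bytes, excluding CBC padding."""
    return (IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
            + iv_len + ESP_TRAILER + icv_len)


def esp_packet_size(mss, cipher_block=16, iv_len=16, icv_len=12, nat_t=False):
    """Exact on-the-wire size of one ESP packet carrying a full TCP segment."""
    plaintext = IPV4_HEADER + TCP_HEADER + mss + ESP_TRAILER
    padded = -(-plaintext // cipher_block) * cipher_block  # round up to block size
    return (IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
            + iv_len + padded + icv_len)


def conservative_mss(mtu=1500, cipher_block=16, iv_len=16, icv_len=12, nat_t=False):
    """Largest MSS that fits even with worst-case padding (cipher_block - 1 bytes).

    Assuming maximal padding makes the result independent of how a particular
    segment aligns to the cipher block, which is why this is the number usually
    quoted for MSS clamping.
    """
    return (mtu - esp_overhead(iv_len, icv_len, nat_t) - (cipher_block - 1)
            - IPV4_HEADER - TCP_HEADER)


def max_mss_exact(mtu=1500, **kw):
    """Largest MSS whose full segment fits exactly; tighter, but alignment-dependent."""
    mss = mtu
    while esp_packet_size(mss, **kw) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: conservative MSS {conservative_mss(nat_t=nat_t)}, "
              f"exact maximum {max_mss_exact(nat_t=nat_t)}, "
              f"packet at 1387 = {esp_packet_size(1387, nat_t=nat_t)} bytes")
```

Without NAT traversal the fixed overhead is 58 bytes, so 1500 - 58 - 15 (worst-case padding) - 40 (inner IP and TCP headers) gives exactly 1387; the exact maximum for this proposal is 1398, so 1387 leaves a little headroom. The same arithmetic also shows the caveat: if your pfSense sat behind NAT and the tunnel had to use UDP encapsulation, even the exact maximum drops to 1382 and 1387 would be too large. This is a pure header calculation; if the real path MTU to AWS is below 1500 you have to lower the value accordingly.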
4.8 pfSense IPsec Tunnel configuration - Head to Status / IPsec / Overview - Click on Connect on the right side if not already connected - If all went right, the Status will show: Established - You can cross-check on the AWS side: your Site-to-Site VPN Connection has a Tunnel Details tab that should now show the tunnel as UP - Congratulations, you just successfully created a VPN Tunnel between your company network and your Amazon VPC!
Part 5 Creating a IPsec firewall rule
Now we still need to set a firewall rule in place to allow traffic from the IPsec tunnel to your internal company network.
For easier and future usage we will first create an alias for our Amazon VPC Subnet.
5.1 Creating a IPsec firewall rule - Head over to Firewall / Aliases / Edit - Choose a Name - Optional: Choose a description - Type: Network(s) - Network or FQDN: Your Amazon VPC Subnet Address - Click on Save
5.2 Creating a IPsec firewall rule - Head to Firewall / Rules / IPsec - Click on Add
5.3 Creating a IPsec firewall rule - Action: Pass - Interface: IPsec - Address Family: IPv4 - Protocol: Any - Source: Single host or alias -> Type the name of the AmazonVPCSubnet alias we just created and it will show up - Destination: LAN net - Description: Whateveryouwant - Hit Save
Note that with Protocol: Any this rule lets everything from the VPC into your LAN. That is fine for getting the tunnel tested, but once it works you should narrow it down to the protocols, ports and hosts the VPC actually needs to reach. The IPsec tab only governs traffic arriving from the tunnel; traffic from your LAN towards the VPC is covered by your LAN rules, which pass everything by default.
5.4 Creating a IPsec firewall rule - Double-check that the rule was created and is enabled
This is it! You set everything up to get you up and running. Now we want to make a test. For this, I created a free tier Amazon EC2 instance of Amazon Linux in our VPC Subnet.
Part 6 Testing the VPN Tunnel and making sure we are connected
I will not explain to you how you create EC2 instances, for information on this read through my previous articles, there are excellent tutorials linked where you can learn on how to do that.
6.1 Testing the VPN Tunnel and making sure we are connected - Create an EC2 instance and make sure you create it in the correct VPC and private subnet - Head to your EC2 Dashboard - Click on Instances and note the private IP of your instance (in a private subnet it has no public one)
6.2 Testing the VPN Tunnel and making sure we are connected - Head to Network & Security in your EC2 Dashboard - Select the Security Group that was created or selected when creating your EC2 instance - Select Inbound - Create at least one rule to Allow All ICMP - IPv4 traffic from your INTERNAL COMPANY NETWORK SUBNET (the network you are working from right now!) - This allows ping requests to your EC2 instance, nothing more, nothing less.
6.3 Testing the VPN Tunnel and making sure we are connected - Open a command line on your INTERNAL COMPANY NETWORK and ping the private IP of your EC2 instance
And voilà, we just successfully established a connection to our VPC. That's all there is to it. If the ping does not come back, check in this order: the tunnel shows Established under Status / IPsec, the VPC Route Table has the route to your internal subnet via the Virtual Private Gateway, the IPsec firewall rule on pfSense is enabled, and the Security Group allows ICMP from your internal subnet.
Long tutorial, but I thought it would be good to go through each and every step to avoid confusion. Please note that you should build 2 VPN Tunnels to your VPC for failover: AWS gives every VPN connection two tunnel endpoints, and the configuration document you downloaded contains both. We will cover this topic in a later article. Also coming up: Setting up a domain in your VPC and authenticating computers from your local network!
Added February 2019: VPN in your Local Network with AWS
If you happen to have clients connecting to your local network via OpenVPN, you need to add another Phase 2 entry on your IPsec Tunnel for your OpenVPN Tunnel Network, otherwise VPN clients aren't able to contact the Domain Controller. The AWS side needs to know about that network as well: add the OpenVPN tunnel network as a static route on the VPN Connection and in the VPC Route Table, and allow it in the Security Group, or the replies have no way back.
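Checking Status / IPsec by eye works for one tunnel, but once you have several Phase 2 entries (LAN, OpenVPN tunnel network, and so on) it is easy to miss one that never came up. Here is an added example (my own check, not code from the tutorial, pfSense or strongSwan) that parses the output of `ipsec statusall` from the strongSwan shipped with pfSense 2.3 and reports whether Phase 1 is ESTABLISHED and whether every expected subnet pair has an INSTALLED child SA. It serves both the Established check in step 4.8 and the extra Phase 2 for the OpenVPN network above. The sample output is constructed, and the connection name con1000, the addresses and the subnets are assumptions for the example.

```python
import re

# Constructed sample of `ipsec statusall` output in the form strongSwan on
# pfSense prints it (not captured from a real firewall; documentation address
# ranges). The connection name con1000 and the subnets are assumptions.
SAMPLE_UP = """\
Security Associations (1 up, 0 connecting):
     con1000[2]: ESTABLISHED 34 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     con1000[2]: IKEv1 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 7 hours
     con1000[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     con1000{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1d2e3f4_i a5b6c7d8_o
     con1000{3}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 12345 bytes_i (100 pkts, 2s ago), 6789 bytes_o (80 pkts, 2s ago), rekeying in 40 minutes
     con1000{3}:   192.168.1.0/24 === 10.0.0.0/16
"""

# Constructed sample of a tunnel that is still negotiating Phase 1.
SAMPLE_DOWN = """\
Security Associations (0 up, 1 connecting):
     con1000[1]: CONNECTING, 203.0.113.10[%any]...198.51.100.20[%any]
     con1000[1]: IKEv1 SPIs: 0123456789abcdef_i* 0000000000000000_r
"""

IKE_STATES = ("ESTABLISHED", "CONNECTING", "REKEYING", "REKEYED",
              "DELETING", "PASSIVE", "CREATED")
# IKE SA lines look like "name[1]: STATE ...", child SA lines like "name{2}: STATE, ..."
# and the traffic selector line like "name{2}:   local === remote".
IKE_RE = re.compile(r"^\s*(?P<name>\S+)\[\d+\]:\s+(?P<state>%s)\b" % "|".join(IKE_STATES))
CHILD_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+),")
TS_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)")


def parse_status(text):
    """Return ({ike_name: state}, [(name, child_state, local_ts, remote_ts), ...])."""
    ike, child_state, children = {}, {}, []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            key = (m["name"], m["id"])
            children.append((m["name"], child_state.get(key, "UNKNOWN"),
                             m["local"], m["remote"]))
            continue
        m = CHILD_RE.match(line)
        if m:
            child_state[(m["name"], m["id"])] = m["state"]
            continue
        m = IKE_RE.match(line)
        if m:
            ike[m["name"]] = m["state"]
    return ike, children


def tunnel_problems(text, expected_pairs):
    """List what is missing for the tunnel to carry every expected subnet pair.

    expected_pairs: (local_cidr, remote_cidr) tuples, one per Phase 2 entry.
    An empty list means Phase 1 is ESTABLISHED and every Phase 2 is INSTALLED.
    """
    ike, children = parse_status(text)
    problems = []
    if "ESTABLISHED" not in ike.values():
        problems.append("no IKE SA in state ESTABLISHED (check Phase 1 settings and the PSK)")
    installed = {(loc, rem) for _, state, loc, rem in children if state == "INSTALLED"}
    for loc, rem in expected_pairs:
        if (loc, rem) not in installed:
            problems.append(f"no INSTALLED child SA for {loc} === {rem} (add or fix that Phase 2)")
    return problems


if __name__ == "__main__":
    # LAN plus the OpenVPN tunnel network, both towards the VPC (assumed values).
    expected = [("192.168.1.0/24", "10.0.0.0/16"), ("10.8.0.0/24", "10.0.0.0/16")]
    for label, text in (("up", SAMPLE_UP), ("down", SAMPLE_DOWN)):
        print(label, tunnel_problems(text, expected) or "tunnel fully up")
```

To run it against your own firewall, execute `ipsec statusall` from Diagnostics / Command Prompt or an SSH shell on pfSense and pass that output to `tunnel_problems` in place of the samples, with one (local, remote) pair per Phase 2 entry you configured. In the sample run the LAN pair is fine but the OpenVPN pair is reported missing, which is exactly the symptom the February 2019 note describes.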