pfSense in AWS (as a VPN Concentrator)

Good Morning,

Sorry It’s been a while since I’ve posted, I’ve been doing some very interesting things with my new job and simply haven’t had the time to share any of the details, however a friend of mine needed some help in AWS Land and I was happy to help (and learn!).

The Problem: AWS Hosted resource access over IPSec VPN (Sonicwall, Cisco, Etc)
The Solution: AWS Hosted pfSense

Well that sounds easy, anyone that’s setup a pfSense and a few IPSec tunnels should have no issues getting this setup, maybe add a Security Group policy (or two) to get packets flowing but there are some big points.

  1. Disable SrcDestCheck (EIP_Disable_SrcDestCheck)
  2. Add Custom Route

1. EIP_Disable_SrcDestCheck

Once you’ve spawned an instance, you’ll need to Right-Click, Select Network, and Change Source/Dest. Check, this allows packets from the vpn networks to pass via your pfsesne server, and packets to your vpn networks to be accepted by the instance (Copy the Instance ID you’ll need it later)


2. Add Custom Route

Next go into your VPC Dashboard and select Route Tables from the menu. We’re going to edit the default route as we only have one and all nodes need to use the vpn.  You can also create a new table and apply it as needed. Add the destination network and paste the instance ID for pfsense as the Target.

Security Groups

For testing, I only need to accept ping from my test instance (Ubuntu 16), so I’ll allow that instance’s SG icmp-all inbound to my pfsense.

And remember, since pfsense is a firewall, you’ll either need to disable the firewall function of pfsense or add additional firewall rules (you’re choice). It will feel strange having only WAN, but that’s all you need as encrypted traffic will terminate at the pfsense and route via your VPC.

If you don’t have the VPN setup yet, but want to ensure you’ve done the AWS side of things properly configured, you can ‘cheat’ and add a virtual ip to your interface, this will test the route and src/dest ip check.


Something more advanced or want to skip pfSense?

Now I noticed that pfsense in aws isn’t free, which is fine they need to make money and enterprises with this requirement will still appreciate the savings over premium vendors, but you can always setup Openswan (Awesome article here) or OpenVPN without pfsense.

Say Something Nice