1. What level of redundancy is provided by the two tunnels?

Amazon provides two tunnel endpoints that will allow traffic to be sent between your networks and the remote VPC you are connected to. The racoon daemon in pfSense® is only capable of establishing an active phase 2 association for a particular source/destination pair on a single tunnel. Phase 2 associations between the local subnets and the remote VPC subnet are configured in the pfSense GUI for both tunnels, but racoon will only actually establish an association for the first tunnel. This means that racoon will only ever try to send traffic destined for the remote VPC subnet over the first tunnel. If that tunnel goes down, the second tunnel may be up and inbound traffic from the remote VPC may be sent to your local networks over that tunnel automatically. But outbound traffic to your remote VPC would not automatically fail over to the second tunnel. In order for you to send your outbound traffic over the second tunnel, you would need to disable the phase 2 associations for the first tunnel and apply the changes.

2. I stopped halfway through the wizard and didn’t finish the configuration. Now what do I do?

If you want to finish setting up the VPN, go back to the wizard and run through it again. It should reuse any partial configurations that were generated before you stopped and create the new elements that are required.

3. What are the AWS charges for this?

AWS determines their own pricing and provides details about pricing for EC2 and VPC.

The documents linked above are the official source of pricing data from AWS. There are many types of charges that may be incurred for operating instances on AWS (e.g. charges related to running an instance, bandwidth, storage, elastic IPs, etc). The charge of specific interest in this case is the hourly charge for a VPN Connection. As of this writing, it costs $0.05 (USD) per hour in most regions to have a VPN Connection configured and available. AWS will charge you for this whether you are using the VPN Connection or not as long as it is configured. This will be configured by the third step of the wizard and will never be removed by pfSense. If you determine that your VPN Connection is no longer needed and wish to stop being billed for it, you will have to visit AWS’s VPC Management Console and delete the VPN Connection yourself.

4. Can I use the wizard to connect to the GovCloud region?

This hasn’t been officially tested, but at least one user has reported that they were able to successfully connect to the GovCloud region. They manually added the region ‘us-gov-west-1’ to the list of regions in the first step of the wizard and were able to successfully connect to their VPC in that region. This may be supported in a future build (after 2.1.5), but if you wish to try it on your own without official support, you can try the following procedure.

  • Make sure SSH is enabled. Under the System Menu, Advanced sub-Menu, make sure the Enable Secure Shell box is checked. This is already done by default on AWS instances, but is off by default on pfSense hardware devices.

  • Log into the instance via SSH.

  • Make sure the root filesystem is mounted read/write. On an AWS instance or a hardware device running on an SSD, this should be true. On a hardware device using Compact Flash or an SD card for storage, you will probably need to remount the root filesystem in read/write mode by running mount -uw /

  • Edit the file /usr/local/www/wizards/vpc_vpn_wizard.xml using vi. Look for a section of the file that looks like this:


    That should appear directly after several similar “option” specifications containing all of the other available regions. Right underneath that section, add the following:


    Then save the file and exit.

  • If you had to remount the filesystem in read/write mode earlier, remount it in read-only mode with mount -ur /

The GovCloud region should now appear as a choice in the first step of the wizard.
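The steps above, gathered into a small POSIX shell helper as an added example (this is not pfSense code and not the author's script). It assumes the region entries in vpc_vpn_wizard.xml are `<option>...</option>` blocks, since the page says the new entry goes right after the last existing "option" specification but does not reproduce the markup; the new entry itself is supplied by you in a separate file, and the script only handles the surrounding chores that are easy to get wrong on a read-only root: backing up the wizard file, remounting read/write only when needed, inserting after the last `</option>`, and remounting read-only again.

```shell
#!/bin/sh
# Added example helper for the GovCloud region edit described above.
# Assumption: region entries in the wizard file are <option>...</option>
# blocks; the exact markup is not shown on this page, so you supply the
# new block in a file of your own.

WIZARD=/usr/local/www/wizards/vpc_vpn_wizard.xml

# Return 0 when the root filesystem is mounted read-only.
# Parses mount(8) output (FreeBSD style: "dev on / (ufs, local, read-only)");
# an explicit string may be passed as $1 for testing.
root_is_readonly() {
    mount_out=${1:-$(mount)}
    printf '%s\n' "$mount_out" |
        awk '$3 == "/" && /read-only/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Print file $1 with the contents of file $2 inserted after the last line
# that contains </option>. Output goes to stdout so it can be reviewed first.
insert_after_last_option() {
    awk -v addfile="$2" '
        { lines[NR] = $0; if ($0 ~ /<\/option>/) last = NR }
        END {
            if (!last) { print "no </option> found" > "/dev/stderr"; exit 1 }
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (i == last) while ((getline l < addfile) > 0) print l
            }
        }' "$1"
}

# Full procedure: back up, remount rw if required, insert, remount ro again.
# $1 is the file holding your new <option> block for us-gov-west-1.
edit_wizard() {
    new_block=$1
    cp "$WIZARD" "$WIZARD.bak" || return 1          # keep a copy to restore from
    was_ro=0
    if root_is_readonly; then was_ro=1; mount -uw / || return 1; fi
    if insert_after_last_option "$WIZARD" "$new_block" > "$WIZARD.new"; then
        mv "$WIZARD.new" "$WIZARD"
    else
        rm -f "$WIZARD.new"
    fi
    [ "$was_ro" -eq 1 ] && mount -ur /              # leave the filesystem as found
    return 0
}

# Usage (run as root over SSH): edit_wizard /root/govcloud-option.xml
```

Review the resulting file before reloading the wizard, and if SSH was only enabled for this change, turn it off again under System > Advanced afterwards so the management surface stays as it was.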