Using the Wizard
Once you have your AWS Access Key ID and Secret Key available, you can navigate to the AWS VPC Wizard under the VPN menu in the pfSense® webGUI.
The first screen of the wizard prompts you for your AWS Credentials. Enter your Access Key ID and Secret Access Key in the appropriate text fields, select the Region you wish to connect to in the dropdown menu, then click
The wizard will then query the AWS API using your credentials to find which VPCs exist in the region you selected. If your credentials are rejected, an error message will be displayed and you will be returned to the first screen.
The next screen will prompt you to select from the available VPCs in the region you selected. Select the one you wish to connect to from the dropdown menu. The wizard will not create a new VPC for you; it will only connect you to an existing VPC. If no VPCs are available, or you don't wish to connect to the ones that are available, you must create one via the AWS Management Console before you can use the wizard to connect to it. Click Next after selecting
The wizard will then query the AWS API to check whether there is a VPN Gateway attached to the VPC that you selected. If none exists, one will be created via the API. Then the next screen will be displayed.
On the next screen, you will be prompted to specify routing and network data. There are fields named Routing Type, BGP AS Number, Local Public IP Address and Local subnets. A description of what should be entered in each of these fields follows.
Routing Type - AWS offers either static routing or BGP routing. Select the appropriate type from the dropdown menu. If you don't know what to select, static routing is likely to be adequate.
BGP AS Number - If you chose static routing, leave this field blank. If you chose BGP and you wish to specify an AS number to use, type it in the text field. If you don't enter anything here, the value will default to 65000.
Local Public IP Address - On an AWS Netgate appliance instance, this should be the public IP address of the Elastic IP associated with the instance. If you are configuring a hardware device running pfSense, this could be the public address assigned to the WAN (or other) interface of the device.
Local subnets - The subnets connected to the pfSense instance that should be reachable over the tunnel from hosts in the remote VPC. For example, if you are connecting your pfSense instance to a VPC in the AWS us-east-1 region, enter the subnet (or subnets) that are local to your pfSense instance; when hosts in that VPC attempt to reach addresses within those subnets, the traffic will be sent through the VPN tunnel that is being configured.
It should be noted that when selecting static routing as your routing type, there will be a delay, typically between 2 - 5 minutes, before the next screen is displayed. This is because static routes must be added to the VPN Connection via the AWS API, and this operation fails until the VPN Connection reaches the "available" state, which can take a few minutes. Click Next when done.
The wizard will then query the AWS API to find whether a Customer Gateway is configured with the Public IP Address you entered. If none exists, one will be created. If one already exists, its ID will be retrieved and used. The wizard will then query the AWS API to see if a VPN Connection already exists that matches the data you entered. If one exists, it will be used; otherwise one will be created. If you selected static routing for your routing type, static routes will be added to the VPN Connection for the Local subnets you entered. Route propagation will be enabled for the VPN Gateway in each of the Route Tables that are associated with the VPC. All of these configurations are carried out in the AWS API; nothing has been changed in the pfSense VPN configuration yet.
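The find-or-create sequence described in the two API steps above (VPN Gateway, Customer Gateway, VPN Connection, static routes), written against the boto3 EC2 client call names. This is an added example, not the wizard's own code; FakeEC2 is a constructed in-memory stand-in so it runs offline, and ensure_vpc_vpn is a hypothetical name.

```python
class FakeEC2:
    """Constructed offline stand-in for a boto3 EC2 client; only the first Filter is honoured."""
    def __init__(self):
        self.res = {"VpnGateways": [], "CustomerGateways": [], "VpnConnections": []}
        self.routes, self.n = [], 0
    def _find(self, kind, key, Filters):
        want = Filters[0]["Values"][0]
        return {kind: [r for r in self.res[kind] if r.get(key) == want]}
    def _new(self, kind, name, rec):
        self.n += 1
        rec = {name + "Id": f"{name}-{self.n}", **rec}
        self.res[kind].append(rec)
        return {name: rec}
    def describe_vpn_gateways(self, Filters): return self._find("VpnGateways", "VpcId", Filters)
    def describe_customer_gateways(self, Filters): return self._find("CustomerGateways", "IpAddress", Filters)
    def describe_vpn_connections(self, Filters): return self._find("VpnConnections", "CustomerGatewayId", Filters)
    def create_vpn_gateway(self, Type): return self._new("VpnGateways", "VpnGateway", {"VpcId": None})
    def attach_vpn_gateway(self, VpnGatewayId, VpcId):
        next(r for r in self.res["VpnGateways"] if r["VpnGatewayId"] == VpnGatewayId)["VpcId"] = VpcId
    def create_customer_gateway(self, Type, PublicIp, BgpAsn):
        return self._new("CustomerGateways", "CustomerGateway", {"IpAddress": PublicIp, "BgpAsn": str(BgpAsn)})
    def create_vpn_connection(self, Type, CustomerGatewayId, VpnGatewayId, Options):
        return self._new("VpnConnections", "VpnConnection", {"CustomerGatewayId": CustomerGatewayId,
                                                             "VpnGatewayId": VpnGatewayId, "Options": Options})
    def create_vpn_connection_route(self, VpnConnectionId, DestinationCidrBlock):
        self.routes.append((VpnConnectionId, DestinationCidrBlock))

def ensure_vpc_vpn(ec2, vpc_id, public_ip, local_subnets, static=True, bgp_asn=65000):
    """Find-or-create the VPN Gateway, Customer Gateway and VPN Connection; returns their IDs."""
    vgws = ec2.describe_vpn_gateways(
        Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}])["VpnGateways"]
    if not vgws:  # no VPN Gateway attached to this VPC yet: create one and attach it
        vgws = [ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]]
        ec2.attach_vpn_gateway(VpnGatewayId=vgws[0]["VpnGatewayId"], VpcId=vpc_id)
    vgw_id = vgws[0]["VpnGatewayId"]
    cgws = ec2.describe_customer_gateways(
        Filters=[{"Name": "ip-address", "Values": [public_ip]}])["CustomerGateways"]
    cgw_id = cgws[0]["CustomerGatewayId"] if cgws else ec2.create_customer_gateway(
        Type="ipsec.1", PublicIp=public_ip, BgpAsn=bgp_asn)["CustomerGateway"]["CustomerGatewayId"]
    # Reuse a matching connection: each extra VPN Connection is billed hourly until deleted in AWS.
    vpns = [v for v in ec2.describe_vpn_connections(
        Filters=[{"Name": "customer-gateway-id", "Values": [cgw_id]}])["VpnConnections"]
        if v["VpnGatewayId"] == vgw_id]
    vpn_id = vpns[0]["VpnConnectionId"] if vpns else ec2.create_vpn_connection(
        Type="ipsec.1", CustomerGatewayId=cgw_id, VpnGatewayId=vgw_id,
        Options={"StaticRoutesOnly": static})["VpnConnection"]["VpnConnectionId"]
    if static:  # on real AWS this call fails until the connection's State is "available"
        for cidr in local_subnets:
            ec2.create_vpn_connection_route(VpnConnectionId=vpn_id, DestinationCidrBlock=cidr)
    return vgw_id, cgw_id, vpn_id
```

Against a real client, also filter describe_vpn_connections on state so that deleted connections are not matched, and poll the connection's State before adding static routes.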
Important Note on Billing: Once this step is carried out and the VPN Connection is created, AWS will start billing your AWS account the hourly rate for a VPN Connection. This is $0.05 as of this writing, and that is a charge that goes entirely to AWS itself. They will do this until you Delete the VPN Connection via the VPC Management Console. Nothing in pfSense will ever cause AWS to stop billing you for this VPN Connection. Whether it works or not, whether the pfSense instance is up or down, whether the IPsec tunnels have been deleted or reconfigured, AWS will continue to bill you the hourly fee for a VPN Connection if the creation of it succeeds until you delete it through their web interface. The wizard helps you establish an initial configuration that works and configures the appropriate elements in AWS’s API to facilitate this. You are responsible for making sure you understand what you’re being billed for and disabling any functions, including VPN Connections, that are no longer necessary.
If the operations of the previous step succeeded, the next screen will appear. You will be prompted to select an Interface to act as the local endpoint of the VPN tunnels that will be created. In most cases, this should be the WAN interface. It should generally be whatever interface is associated with the Local Public IP Address you entered in the previous step. On an AWS Netgate pfSense appliance instance, this will be whatever interface the Elastic IP is associated with. On a hardware device running pfSense that has the Local Public IP Address directly configured on an interface, this will be the interface that the Local Public IP Address is configured on.
Next, the wizard will configure the VPN and associated settings within pfSense itself using data returned by the AWS API in the previous step. It will configure 2 IPsec tunnels, a firewall rule, 2 Aliases (referenced by the firewall rule), and 2 Virtual IP Addresses. If you selected BGP as your Routing Type in the previous step, it will install the OpenBGPD package automatically and configure it appropriately.
The next screen will appear and will prompt you to click Next to apply the configuration changes that have been made. After clicking Next, all the configuration changes that were made will be applied. The wizard will be completed and your browser will be redirected to the IPsec status page. Your VPN to the VPC should now be fully configured. Sometimes there is a delay of 5 - 10 minutes before the tunnels are fully functional and passing traffic. This has been observed particularly often during the setup of tunnels using BGP routing.