Using the Wizard

Once you have your AWS Access Key ID and Secret Key available, you can navigate to the AWS VPC Wizard under the VPN menu in the pfSense® webGUI.


The first screen of the wizard prompts you for your AWS Credentials. Enter your Access Key ID and Secret Access Key in the appropriate text fields and select the Region you wish to connect to in the dropdown menu, then click Next.


The wizard will then query the AWS API using your credentials to find which VPCs exist in the region you selected. If your credentials were rejected, an error message will be displayed and you will be returned to the first screen.

The next screen will prompt you to select from the available VPCs in the region you selected. Select the one you wish to connect to from the dropdown menu. The wizard will not create a new VPC for you; it will only connect you to an existing VPC. If no VPCs are available, or you don’t wish to connect to the ones that are available, you must create one via the AWS Management Console before you can use the wizard to connect to it. Click Next after selecting your VPC.


The wizard will then query the AWS API to check whether there is a VPN Gateway attached to the VPC that you selected. If none exists, one will be created via the API. Then the next screen will be displayed.


On the next screen, you will be prompted to specify routing and network data. There are fields named Routing Type, BGP AS Number, Local Public IP address and Local subnets. A description of what should be entered for each of these fields follows.

  • Routing Type - AWS offers either static routing or BGP routing. Select the appropriate type from the dropdown menu. If you don’t know what to select, static routing is likely to be adequate.

  • BGP AS Number - If you chose static routing, leave this field blank. If you chose BGP and you wish to specify an AS number to use, type it in the text field. If you don’t enter anything here, the value will default to 65000.

  • Local Public IP Address - On an AWS Netgate appliance instance, this should be the public IP address of the Elastic IP associated with the instance. If you were configuring a hardware device running pfSense, this could be the public address assigned to the WAN (or other) interface of the device.

  • Local subnets - The subnets connected to the pfSense instance that should be routed over the tunnel from hosts in the remote VPC. As an example, if you are connecting your pfSense instance to a remote VPC in the AWS us-east-1 region, you would enter the subnet (or subnets) local to your pfSense instance; when hosts in your VPC in us-east-1 attempt to reach addresses within those subnets, the traffic will be sent through the VPN tunnel being configured.

Note that when static routing is selected as your routing type, there will be a delay, typically between 2 - 5 minutes, before the next screen is displayed. This is because static routes must be added to the VPN Connection via the AWS API, and that operation fails until the VPN Connection reaches the “available” state, which can take a few minutes. Click Next when done.

The wizard will then query the AWS API to find whether a Customer Gateway is configured with the Public IP Address you selected. If none exists, one will be created. If one already exists, its ID will be retrieved and used. The wizard will then query the AWS API to see if a VPN Connection already exists that matches the data you entered. If one exists, it will be used; otherwise one will be created. If you selected static routing for your routing type, static routes will be added to the VPN Connection for the Local subnets you entered. Route propagation will be enabled for the VPN Gateway in each of the Route Tables that are associated with the VPC. All of these configurations are carried out in the AWS API; nothing has been changed in the pfSense VPN configuration yet.


Important Note on Billing: Once this step is carried out and the VPN Connection is created, AWS will start billing your AWS account the hourly rate for a VPN Connection. This is $0.05 as of this writing, and that is a charge that goes entirely to AWS itself. They will do this until you Delete the VPN Connection via the VPC Management Console. Nothing in pfSense will ever cause AWS to stop billing you for this VPN Connection. Whether it works or not, whether the pfSense instance is up or down, whether the IPsec tunnels have been deleted or reconfigured, AWS will continue to bill you the hourly fee for a VPN Connection if the creation of it succeeds until you delete it through their web interface. The wizard helps you establish an initial configuration that works and configures the appropriate elements in AWS’s API to facilitate this. You are responsible for making sure you understand what you’re being billed for and disabling any functions, including VPN Connections, that are no longer necessary.


If the operations of the previous step succeeded, the next screen will appear. You will be prompted to select an Interface to act as the local endpoint of the VPN tunnels that will be created. In most cases, this should be the WAN interface. It should generally be whatever interface is associated with the Local Public IP Address you entered in the previous step. On an AWS Netgate pfSense appliance instance, this will be whatever interface the Elastic IP is associated with. On a hardware device running pfSense that has the Local Public IP Address directly configured on an interface, this will be the interface that the Local Public IP Address is configured on.

After clicking Next, the wizard will configure the VPN and associated settings within pfSense itself using data returned by the AWS API in the previous step. It will configure 2 IPsec tunnels, a firewall rule, 2 Aliases (referenced by the firewall rule), and 2 Virtual IP Addresses. If you selected BGP as your Routing Type in the previous step, it will install the OpenBGPD package automatically and configure it appropriately.
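The per-tunnel data used in this step comes from the AWS API, which publishes it for a VPN Connection as a customer gateway configuration XML document (assumed here to be what the wizard reads). The following is an added example, not the wizard's own code, showing how the parameters for the two tunnels (IKE peers, inside /30 addresses, BGP ASNs, pre-shared keys) can be extracted and sanity-checked; the sample XML is constructed in the layout of AWS's generic configuration and every id, address and key in it is a placeholder.

```python
# Added example, not the pfSense wizard's code: pull the per-tunnel parameters
# (outside peers, inside /30s, BGP ASNs, PSK) from the configuration XML AWS returns.
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample in the layout of AWS's generic customer gateway
# configuration; every id, address and key in it is a placeholder.
TUNNEL_TMPL = """  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>{cgw_in}</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65000</asn></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>{vgw_out}</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>{vgw_in}</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>64512</asn></bgp>
    </vpn_gateway>
    <ike><pre_shared_key>{psk}</pre_shared_key></ike>
  </ipsec_tunnel>
"""
SAMPLE_XML = (
    '<vpn_connection id="vpn-PLACEHOLDER">\n'
    + TUNNEL_TMPL.format(cgw_in="169.254.10.2", vgw_out="198.51.100.1", vgw_in="169.254.10.1", psk="CONSTRUCTED-PSK-1")
    + TUNNEL_TMPL.format(cgw_in="169.254.10.6", vgw_out="198.51.100.2", vgw_in="169.254.10.5", psk="CONSTRUCTED-PSK-2")
    + "</vpn_connection>\n"
)
def parse_tunnels(xml_text):
    # Returns one dict per <ipsec_tunnel>, in the order AWS lists them (tunnel 1, tunnel 2).
    root = ET.fromstring(xml_text)
    tunnels = []
    for t in root.findall("ipsec_tunnel"):
        cgw, vgw = t.find("customer_gateway"), t.find("vpn_gateway")
        local_in = ipaddress.ip_interface(cgw.findtext("tunnel_inside_address/ip_address")
                                          + "/" + cgw.findtext("tunnel_inside_address/network_cidr"))
        remote_in = ipaddress.ip_address(vgw.findtext("tunnel_inside_address/ip_address"))
        # Both inside addresses must share one link-local /30: that is the link the BGP session runs over.
        if not local_in.is_link_local or remote_in not in local_in.network:
            raise ValueError(f"unexpected inside addressing: {local_in} / {remote_in}")
        tunnels.append({
            "local_outside": cgw.findtext("tunnel_outside_address/ip_address"),  # Local Public IP
            "remote_outside": vgw.findtext("tunnel_outside_address/ip_address"),  # AWS peer
            "local_inside": str(local_in),
            "remote_inside": str(remote_in),  # BGP neighbor address
            "local_asn": int(cgw.findtext("bgp/asn")),
            "remote_asn": int(vgw.findtext("bgp/asn")),
            "psk": t.findtext("ike/pre_shared_key"),
        })
    # A VPN Connection always has two tunnels, each terminating on a different AWS endpoint.
    if len(tunnels) != 2 or tunnels[0]["remote_outside"] == tunnels[1]["remote_outside"]:
        raise ValueError("expected two ipsec_tunnel entries with distinct vpn_gateway peers")
    return tunnels
```

Each returned dict carries what one IPsec phase 1/phase 2 pair and, for BGP routing, one OpenBGPD neighbor need; a document that does not describe exactly two tunnels on a shared link-local /30 is rejected rather than half-configured.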


The next screen will appear and will prompt you to click Next to apply the configuration changes that have been made. After clicking Next, all the configuration changes that were made will be applied. The wizard will be completed and your browser will be redirected to the IPsec status page. Your VPN to the VPC should now be fully configured. Sometimes there is a delay of 5 - 10 minutes before the tunnels are fully functional and passing traffic. This has been observed particularly often during the setup of tunnels using BGP routing.