AWS VPC Wizard FAQ

1. What level of redundancy is provided by the two tunnels?

Amazon provides two tunnel endpoints that will allow traffic to be sent between local networks and the remote VPC to which the firewall connects. The IPsec daemon in pfSense® Plus is only capable of establishing an active phase 2 association for a particular source/destination pair on a single tunnel.

Phase 2 associations between the local subnets and the remote VPC subnet are configured in the pfSense® Plus software GUI for both tunnels, but IPsec will only actually establish an association for the first tunnel. This means that the IPsec daemon will only ever try to send traffic destined for the remote VPC subnet over the first tunnel.

If that tunnel goes down, the second tunnel may be up and inbound traffic from the remote VPC may be sent to the local networks over that tunnel automatically. But outbound traffic to the remote VPC would not automatically fail over to the second tunnel. To send outbound traffic over the second tunnel, disable the phase 2 associations for the first tunnel and apply the changes.

2. I quit the wizard before finishing. Now what?

To finish setting up the VPN, go back to the wizard and run through it again. It should reuse any partial configurations that were generated before it was stopped and create the new elements that are required.

3. What are the AWS charges for this?

AWS determines their own pricing and provides details for EC2 pricing and VPC pricing. There are many types of charges that may be incurred for operating instances on AWS (e.g. charges related to running an instance, bandwidth, storage, elastic IPs, etc).

The charge of specific interest in this case is the hourly charge for a VPN Connection. As of this writing, it costs $0.05 (USD) per hour in most regions to have a VPN Connection configured and available. AWS will charge whether the VPN Connection is being used or not as long as it is configured. This will be configured by the third step of the wizard and will never be removed by pfSense® Plus software.

If the VPN Connection is no longer needed and billing for it needs to be stopped, visit the AWS VPC Management Console and delete the VPN Connection manually.

4. Can I use the wizard to connect to the GovCloud region?

This hasn’t been officially tested, but at least one user has reported that they were able to successfully connect to the GovCloud region. They manually added the region us-gov-west-1 to the list of regions in the first step of the wizard and were able to successfully connect to their VPC in that region. This may be supported in a future build, but to try without official support, do the following:

  1. Under the System > Advanced menu, make sure the Enable Secure Shell box is checked. This is already done by default on AWS instances, but is off by default on Netgate hardware devices with pfSense® Plus software.

  2. Log into the instance via SSH.

  3. Make sure the root filesystem is mounted as read/write. On an AWS instance or a hardware device running on an SSD, this should be true. On a hardware device using Compact Flash or an SD card for storage, it will probably be necessary to remount the root filesystem in read/write mode by running:

    mount -uw /
    
  4. Edit the file /usr/local/www/wizards/vpc_vpn_wizard.xml using vi. Look for a section of the file that looks like this:

    <option>
        <name>sa-east-1</name>
        <value>sa-east-1</value>
    </option>
    

    That should appear directly after several similar <option> specifications containing all of the other available regions. Right underneath that section, add the following:

    <option>
        <name>us-gov-west-1</name>
        <value>us-gov-west-1</value>
    </option>
    

    Then save the file and exit vi.

  5. If the filesystem had to be remounted in read/write mode earlier, remount it in read-only mode by running:

    mount -ur /
    

The GovCloud region should now appear as a choice in the first step of the wizard.