AWS and OPNsense: Site-to-site IPsec VPN setup
There will always be circumstances where you will want to run a site-to-site VPN setup with AWS. You may have private resources (not Internet facing) within AWS that you need to access in a secure manner from an on-prem or home network.
In this example, I walk through setting up an IPsec site-to-site VPN where the two sides are as follows:
- AWS – A private VPC, containing one EC2 server (to allow me to test everything is working!)
- Home network – With an OPNsense firewall sitting in front of it.
Warning: There are AWS charges for running VPNs as described in this article. Please refer to https://aws.amazon.com/vpn/pricing/ for the specifics.
AWS: Spinning up the VPC
I am going to let AWS do some of the heavy lifting for us here, as there is a handy Wizard for this scenario.
The Wizard handles the following:
- Creation of a private VPC (not addressable from the Internet)
- IPsec VPN configuration (including Customer Gateway, Virtual Private Gateway and Site-to-Site VPN)
As the above hints, there are several different components involved in bringing up the IPsec VPN on the AWS side. The Getting Started documentation is very good at explaining how these slot together, should you wish to get this going on an existing VPC.
From the VPC section of the EC2 console, I hit the Launch VPC Wizard button, which takes me here:
I am selecting the VPC with a Private Subnet Only and Hardware VPN Access, as that is exactly what I want!
Now, I can configure the details of the VPC:
I go with the defaults, as I’m happy with the 10.0.0.0/16 range (My home network is on 192.168.1.0/24 so no clash). I use the very imaginative name of ‘Test’.
I then need to tell the Wizard where it can find my home network. Note that AWS does not initiate the VPN – I will handle that later when configuring OPNsense.
‘Customer Gateway IP’ is the public-facing IP address of my network (but replaced here for example purposes). I am using Static routing, so need to tell the Wizard what that looks like – a pretty standard 192.168.1.0/24 which will be the case for a lot of home networks.
Clicking Create VPC will build it all out. This will take a few minutes.
Spinning up a test instance
Once this is done, I spin up a test instance. I won’t go through all the steps here, as I assume that if you are at the point of setting up a VPN like this, you are already familiar with spinning up instances within AWS.
The key point is that I ensure the instance is created within my new private VPC:
Once the Instance is up, I can verify this:
I now need to download the details that I need in order to configure OPNsense on my home network.
I go to VPC -> Site-to-site VPN connections and select my VPN. There is a handy Download Configuration button.
I hit that, and select pfSense (the product that OPNsense was forked from – the details within are compatible).
With the file in hand, that completes the work required within AWS. Now to the home network!
There are a few different things to do here. This section is based on the official OPNsense documentation.
Let IPsec traffic into the network
By default, all incoming WAN traffic is blocked. There are several rules that need setting up to allow:
- IPSec ESP
- IPSec ISAKMP
- IPSec NAT-T
This is done within Firewall -> Rules -> WAN.
Here’s a snippet where I am setting up the first of these:
Once all three are in place, the summary screen will look like this:
OK, great! Now I need to set up the IPsec connection itself.
OPNsense: VPN setup
I navigate to VPN -> IPsec -> Tunnel settings, and hit the (+) symbol to add Phase 1.
I now adjust all the settings to match those provided within the downloaded AWS configuration file.
There are quite a few parameters, so I take my time to get it right! (This includes unchecking some of the pre-checked boxes).
Once saved, I’m not done! I need to do Phase 2, which is done by hitting the (+) next to the Phase 1 entry:
Again, I consult the downloaded file from AWS to get the settings right.
Once done, it all looks like this:
Note that I have now ensured that Enable IPsec is clicked before Saving everything.
Now, the moment of truth! Over to VPN -> IPsec -> Status overview:
Nothing yet… as the VPN does not come up by default (the little arrow on the right is still amber). I click on it, then wait and hit the little ‘i’ symbol to expand all the information.
This is good news! The VPN is up.
Final Firewall Bits
There is one more thing to do, however. I need a firewall rule to allow traffic through to the LAN network too.
Over to Firewall -> Rules ->IPsec to add this rule in. Once done, it shows in the Summary as follows:
At this point, it’s possible to reach the private EC2 instances from my home network, by addressing them using their 10.0.0.0/16 addresses. I test this by running a ssh connection from a machine on my home network.
Some closing points:
You get 2 tunnels when setting this up with AWS to ensure redundancy. This guide only sets one up on the home side of the network. As an exercise for the reader, you can set up the second! (The details are in the downloaded Connection details file, as with the first one).
The method described here uses a Shared secret approach. This could be strengthened by using Certificates. Here is some AWS documentation to get started with implementing that.
comments powered by Disqus