IPSec connection between AWS VPN and Netgate pfSense from the Azure Marketplace.
Copy the .auto.tfvars template:
cp azure/config/template.tfvars azure/.auto.tfvars
Set the IP CIDR from which you will manage the Azure resources:
local_administrator_cidr = "1.2.3.4"
Caution: watch out for the enable_acmpca variable. AWS ACM Private Certificate Authority is an expensive service with monthly fees. Do not set it to true unless you intend to use it.
Create a key pair to use for the Virtual Machines configuration:
mkdir azure/keys
ssh-keygen -f azure/keys/temp_key
chmod 600 azure/keys/temp_key
Apply and create the resources:
terraform -chdir="azure" init
terraform -chdir="azure" apply -auto-approve
Connect with SSH and check the VM startup script:
cloud-init status
Connect to pfSense and set up the initial WAN configuration:
- Username: admin
- Password: pfsense
Now, create the AWS infrastructure and continue the Azure configuration in the next section.
Copy the .auto.tfvars template:
cp aws/config/template.tfvars aws/.auto.tfvars
Get the public IP of the pfSense VM running on Azure and set it in the configuration:
customer_gateway_ip_address = "1.2.3.4"
Init and apply the Terraform configuration:
terraform -chdir="aws" init
terraform -chdir="aws" apply -auto-approve
In the VPC console, open the VPN Connection and download the configuration:
- Vendor: Generic
- Platform: Generic
- Software: Vendor Agnostic
- IKE version: ikev2
Connect using SSM Session Manager and check the instance startup script:
cloud-init status
While in the AWS VPN Connection view, note the Outside IP address of each IPSec tunnel.
Go back to the Azure configuration, and set the IP addresses for each tunnel:
aws_remote_gateway_ip_address_tunnel_1 = "5.6.7.8"
aws_remote_gateway_ip_address_tunnel_2 = "4.3.2.1"
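The values set in the two .auto.tfvars files (the management CIDR, enable_acmpca, the pfSense WAN IP and the two AWS outside IPs) are easy to get wrong before a terraform apply. As an added example, not part of the original project, here is a small pre-apply check for those files; it assumes the scalar key = value layout shown in this guide, and the /24 limit on the management range is an assumed policy choice.

```python
import ipaddress
import re

# Matches the scalar `key = value` lines used in the templates; HCL blocks are ignored.
_LINE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

# IPsec endpoints on both sides must be public addresses.
PUBLIC_IP_KEYS = (
    "customer_gateway_ip_address",
    "aws_remote_gateway_ip_address_tunnel_1",
    "aws_remote_gateway_ip_address_tunnel_2",
)


def parse_tfvars(text):
    """Return {key: value} for the scalar assignments in a .tfvars body."""
    return {m.group(1): m.group(2).strip()
            for m in map(_LINE.match, text.splitlines()) if m}


def check_tfvars(text):
    """Return a list of findings; an empty list means the file is safe to apply."""
    v = parse_tfvars(text)
    findings = []
    if v.get("enable_acmpca", "false").lower() == "true":
        findings.append("enable_acmpca=true: ACM Private CA has monthly fees")
    cidr = v.get("local_administrator_cidr")
    if cidr is None:
        findings.append("local_administrator_cidr is not set")
    else:
        try:
            net = ipaddress.ip_network(cidr, strict=False)  # a bare IP becomes a /32
            # Assumed policy: management access from a single host or a small range only.
            if net.prefixlen < net.max_prefixlen - 8:
                findings.append(f"local_administrator_cidr {cidr} is wider than a /24")
        except ValueError:
            findings.append(f"local_administrator_cidr {cidr!r} is not a valid CIDR")
    seen = {}
    for key in PUBLIC_IP_KEYS:
        if key not in v:
            continue  # the aws/ and azure/ files each carry only some of these keys
        try:
            ip = ipaddress.ip_address(v[key])
        except ValueError:
            findings.append(f"{key} {v[key]!r} is not a valid IP address")
            continue
        if not ip.is_global:
            findings.append(f"{key} {ip} is not a public address; IPsec peers must be")
        if ip in seen:
            findings.append(f"{key} duplicates {seen[ip]}")
        seen[ip] = key
    return findings
```

Run check_tfvars on the contents of azure/.auto.tfvars and aws/.auto.tfvars and refuse to apply while it returns findings.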
Reapply the configuration:
terraform -chdir="azure" apply -auto-approve
Following the instructions downloaded from AWS for the Generic vendor, add the Phase 1 and Phase 2 configuration in pfSense.
Add the firewall rules that allow traffic through the tunnels on these interfaces:
- IPSec
- WAN
At this point, everything should be working and traffic flowing from both sides.
Run ping commands and call NGINX from each side to test.
To protect pfSense with TLS, here are some guidelines for doing that with Let's Encrypt.
If you are using WSL, enable systemd first:
sudo -e /etc/wsl.conf
Add the systemd configuration:
[boot]
systemd=true
Restart WSL:
wsl --shutdown
Follow the instructions to install Certbot into your box.
Issue a certificate manually:
sudo certbot certonly --manual --preferred-challenges dns \
-d <your domain> \
-m <your email>
Location where the certificate and key will be available:
Certificate is saved at: /etc/letsencrypt/live/vpn-azure.example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/vpn-azure.example.com/privkey.pem
Command used to find the pfSense marketplace image:
az vm image list --location eastus2 --publisher netgate --offer pfsense-plus-public-cloud-fw-vpn-router --sku pfsense-plus-public-tac-lite --all
Additional search commands:
az vm image list-publishers --location eastus2 --query [].name --output table | grep netgate
az vm image list-offers --location eastus2 --publisher netgate --output table
az vm image list-skus --location eastus2 --publisher netgate --offer pfsense-plus-public-cloud-fw-vpn-router --query [].name --output table
Destroy both Azure and AWS resources:
terraform -chdir="azure" destroy -auto-approve
terraform -chdir="aws" destroy -auto-approve