To set up a site-to-site VPN connection between AWS and an OPNsense firewall, follow these detailed steps:
### AWS Side Configuration

1. **Create a Virtual Private Gateway (VGW)**:
   - In the AWS Management Console, go to the VPC Dashboard.
   - Select **Virtual Private Gateways** and click **Create Virtual Private Gateway**. Name it and attach it to your VPC.
2. **Create a Customer Gateway (CGW)**:
   - Navigate to **Customer Gateways** in the VPC Dashboard.
   - Click **Create Customer Gateway**, provide a name, select static routing, and enter the public IP address of your OPNsense firewall.
3. **Create a VPN Connection**:
   - Go to **VPN Connections** and click **Create VPN Connection**.
   - Choose the VGW and CGW created earlier, and specify the static IP prefixes of your local network.
   - Download the configuration file for pfSense (the configuration is compatible with OPNsense).

### OPNsense Side Configuration

1. **Firewall Rules**:
   - Navigate to **Firewall > Rules > WAN**.
   - Allow the following traffic:
     - IPsec ESP
     - IPsec ISAKMP
     - IPsec NAT-T
2. **Configure IPsec VPN**:
   - Go to **VPN > IPsec > Tunnel Settings** and click the (+) button to add a new Phase 1 entry.
   - Configure the Phase 1 settings to match the AWS configuration:
     - Key Exchange version: IKEv1 or IKEv2 (as specified by AWS)
     - Internet Protocol: IPv4
     - Interface: WAN
     - Remote Gateway: Public IP of the AWS endpoint
     - Authentication Method: Mutual PSK
     - My Identifier: My IP Address
     - Peer Identifier: Peer IP Address
     - Pre-Shared Key: Use the key provided in the AWS configuration file
     - Encryption Algorithm: AES-256
     - Hash Algorithm: SHA-1 or SHA-256
     - DH Group: Group 2 or as specified
     - Lifetime: 28800 seconds
3. **Configure Phase 2**:
   - Add a Phase 2 entry linked to the Phase 1 entry.
   - Configure the following settings:
     - Mode: Tunnel IPv4
     - Local Network: LAN subnet (e.g., 192.168.1.0/24)
     - Remote Network: AWS VPC subnet (e.g., 10.0.0.0/16)
     - Protocol: ESP
     - Encryption Algorithm: AES-256-GCM
     - Hash Algorithm: SHA-256
     - PFS Key Group: Group 14 (2048 bits)
     - Lifetime: 3600 seconds
4. **Enable IPsec**:
   - Go to **VPN > IPsec > Status Overview** and ensure the IPsec service is enabled.
   - Click on the connection and initiate the VPN.
5. **Final Firewall Configuration**:
   - Navigate to **Firewall > Rules > IPsec**.
   - Add a rule to allow traffic from the AWS VPC subnet to your local network.
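Most failed tunnels come down to a Phase 1 or Phase 2 field that does not match the value in the downloaded AWS configuration, or to a legacy choice (SHA-1, DH group 2) left in place because AWS still accepts it. The script below is an added example for this guide, not OPNsense or AWS code: the `AWS_*` dictionaries are constructed stand-ins for the values read out of the AWS configuration file, the `OPNSENSE_*` dictionaries for what an operator typed into the GUI, and the keys mirror the field names used in the steps above. It reports mismatches that will stop negotiation, weak-but-accepted choices, and one caveat about AES-GCM in Phase 2.

```python
"""Cross-check the OPNsense Phase 1 / Phase 2 entries against the AWS values.

Added example for this guide, not OPNsense or AWS code. All values below are
constructed: AWS_* plays the role of the downloaded configuration file,
OPNSENSE_* the GUI entries. Keys mirror the field names used in the guide.
"""
from __future__ import annotations

AWS_PHASE1 = {
    "ike_version": "IKEv2",
    "auth": "Mutual PSK",
    "encryption": "AES-256",
    "hash": "SHA-256",
    "dh_group": "14",
    "lifetime": 28800,
}
AWS_PHASE2 = {
    "protocol": "ESP",
    "encryption": "AES-256-GCM",
    "hash": "SHA-256",
    "pfs_group": "14",
    "lifetime": 3600,
}

# Constructed operator input with two Phase 1 slips (legacy hash and DH group)
# and a Phase 2 lifetime copied from Phase 1 by mistake.
OPNSENSE_PHASE1 = {**AWS_PHASE1, "hash": "SHA-1", "dh_group": "2"}
OPNSENSE_PHASE2 = {**AWS_PHASE2, "lifetime": 28800}

# Choices AWS still accepts but that should not be picked when a stronger
# option is available on both ends.
WEAK = {
    ("ike_version", "IKEv1"): "IKEv1 is legacy; AWS supports IKEv2",
    ("hash", "SHA-1"): "SHA-1 integrity is deprecated; AWS supports SHA-256",
    ("dh_group", "2"): "DH group 2 is 1024-bit MODP; use group 14 (2048-bit) or higher",
    ("pfs_group", "2"): "PFS group 2 is 1024-bit MODP; use group 14 (2048-bit) or higher",
}


def compare_phase(label: str, aws: dict, opn: dict, phase: int) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the entry matches."""
    findings: list[tuple[str, str]] = []
    for key in sorted(set(aws) | set(opn)):
        a, o = aws.get(key), opn.get(key)
        if a != o:
            # An algorithm or group mismatch means the proposal is rejected; a
            # lifetime mismatch still comes up but whichever side hits its timer
            # first forces a rekey, which shows up as unexplained renegotiation.
            findings.append(("error", f"{label} {key}: OPNsense={o!r}, AWS expects {a!r}"))
        reason = WEAK.get((key, str(o)))
        if reason:
            findings.append(("warn", f"{label} {key}={o!r}: {reason}"))
    enc = str(opn.get("encryption", ""))
    if phase == 2 and enc.endswith("GCM") and opn.get("hash"):
        # AES-GCM is an AEAD cipher (RFC 4106): the ESP proposal carries no
        # separate HMAC, so the Phase 2 hash field adds nothing to payload integrity.
        findings.append(("info", f"{label}: {enc} already authenticates the payload; "
                                 f"hash={opn['hash']!r} is not used for ESP integrity"))
    return findings


def check_tunnel() -> list[tuple[str, str]]:
    """Run both phases against the constructed sample entries."""
    return (compare_phase("Phase 1", AWS_PHASE1, OPNSENSE_PHASE1, phase=1)
            + compare_phase("Phase 2", AWS_PHASE2, OPNSENSE_PHASE2, phase=2))


if __name__ == "__main__":
    for severity, message in check_tunnel():
        print(f"[{severity}] {message}")
```

Running it against the constructed entries prints two errors and two warnings for Phase 1 (hash and DH group) and one error for the Phase 2 lifetime, plus the informational note that the Phase 2 hash is not what protects ESP payload integrity when AES-256-GCM is selected.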
### Testing and Verification

- Ensure the VPN tunnel is up and running by checking the status in the OPNsense interface.
- Verify connectivity by pinging or accessing resources across the tunnel.
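The Status Overview page reflects strongSwan's view of the tunnel, which is also what `swanctl --list-sas` prints on the firewall shell. A tunnel is only usable when the IKE SA is ESTABLISHED *and* a CHILD SA is INSTALLED with traffic selectors covering the LAN and VPC subnets; a Phase 1 that comes up with no Phase 2 looks "connected" at a glance but passes no traffic. The parser below is an added example, not part of this guide or of OPNsense: `SAMPLE_OUTPUT` is constructed in swanctl's layout (connection names, addresses and SPIs are made up, and the second tunnel is deliberately stuck in CONNECTING), and the checks it applies are the ones a practitioner would run by eye.

```python
"""Verify an OPNsense-to-AWS IPsec tunnel from `swanctl --list-sas` output.

Added example, not part of the original guide. OPNsense's IPsec stack is
strongSwan, and its Status Overview page reflects the same state that
`swanctl --list-sas` prints on the firewall shell. SAMPLE_OUTPUT is constructed
in swanctl's layout (not captured from a live system).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
aws-tunnel1: #3, ESTABLISHED, IKEv2, 1234abcd5678ef90_i* 0987fedcba654321_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.7' @ 198.51.100.7[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 420s ago, rekeying in 27900s
  aws-tunnel1: #7, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/MODP_2048
    installed 420s ago, rekeying in 2850s, expires in 3600s
    in  c3d4e5f6,   9216 bytes,    96 packets,     2s ago
    out a1b2c3d4,   6144 bytes,    64 packets,     2s ago
    local  192.168.1.0/24
    remote 10.0.0.0/16
aws-tunnel2: #4, CONNECTING, IKEv2, 00aa00aa00aa00aa_i* 0000000000000000_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.8' @ 198.51.100.8[500]
"""


@dataclass
class ChildSa:
    name: str
    state: str
    mode: str
    proposal: str
    local_ts: list[str] = field(default_factory=list)
    remote_ts: list[str] = field(default_factory=list)


@dataclass
class IkeSa:
    name: str
    state: str
    version: str
    remote_addr: str = ""
    proposal: str = ""
    children: list[ChildSa] = field(default_factory=list)


# Top-level IKE SA line: "<conn>: #<id>, <STATE>, IKEv<n>, <spi>_i* <spi>_r"
IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), (IKEv[12])")
# Two-space indented: peer address, and the bare IKE proposal line.
REMOTE_RE = re.compile(r"^\s{2}remote\s+'[^']*' @ (\S+)\[")
IKE_PROP_RE = re.compile(r"^\s{2}(\S+/\S+)$")
# Two-space indented CHILD SA line: "<conn>: #<id>, reqid <n>, <STATE>, <mode>, ESP:<algs>"
CHILD_RE = re.compile(r"^\s{2}(\S+): #\d+, reqid \d+, (\w+), (\S+), (ESP|AH):(\S+)")
# Four-space indented traffic selectors under a CHILD SA.
TS_RE = re.compile(r"^\s{4}(local|remote)\s+(.+)$")


def parse_sas(text: str) -> list[IkeSa]:
    """Turn swanctl --list-sas text into IkeSa records with their CHILD SAs."""
    sas: list[IkeSa] = []
    ike: IkeSa | None = None
    child: ChildSa | None = None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike = IkeSa(name=m[1], state=m[2], version=m[3])
            sas.append(ike)
            child = None
            continue
        if ike is None:
            continue
        if m := CHILD_RE.match(line):
            child = ChildSa(name=m[1], state=m[2], mode=m[3], proposal=f"{m[4]}:{m[5]}")
            ike.children.append(child)
        elif m := REMOTE_RE.match(line):
            ike.remote_addr = m[1]
        elif m := IKE_PROP_RE.match(line):
            ike.proposal = m[1]
        elif child is not None and (m := TS_RE.match(line)):
            (child.local_ts if m[1] == "local" else child.remote_ts).extend(m[2].split())
    return sas


def tunnel_is_up(sas: list[IkeSa], name: str, local_net: str, remote_net: str) -> tuple[bool, list[str]]:
    """True only if Phase 1 is ESTABLISHED and an INSTALLED Phase 2 covers both subnets."""
    ike = next((s for s in sas if s.name == name), None)
    if ike is None:
        return False, [f"no IKE SA named {name!r} (Phase 1 never started)"]
    problems = []
    if ike.state != "ESTABLISHED":
        problems.append(f"IKE SA state is {ike.state}, not ESTABLISHED")
    installed = [c for c in ike.children if c.state == "INSTALLED"]
    if not installed:
        problems.append("no INSTALLED CHILD SA (Phase 2 not negotiated)")
    covering = [c for c in installed if local_net in c.local_ts and remote_net in c.remote_ts]
    if installed and not covering:
        problems.append(f"no CHILD SA covers {local_net} <-> {remote_net}")
    return not problems, problems


if __name__ == "__main__":
    parsed = parse_sas(SAMPLE_OUTPUT)
    for conn in ("aws-tunnel1", "aws-tunnel2"):
        ok, why = tunnel_is_up(parsed, conn, "192.168.1.0/24", "10.0.0.0/16")
        print(conn, "UP" if ok else "DOWN", *why)
```

On a real firewall the text would come from `swanctl --list-sas` instead of `SAMPLE_OUTPUT`; the subnets passed to `tunnel_is_up` are the Local and Remote Network values from the Phase 2 entry, so a selector typo on either end shows up here as a tunnel that is established but covers nothing.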