Site to site OPNsense and AWS

To set up a site-to-site VPN connection between AWS and an OPNsense firewall, follow these detailed steps:

### AWS Side Configuration
1. **Create a Virtual Private Gateway (VGW)**:
   – In the AWS Management Console, go to the VPC Dashboard.
   – Select **Virtual Private Gateways** and click **Create Virtual Private Gateway**. Name it and attach it to your VPC.
2. **Create a Customer Gateway (CGW)**:
   – Navigate to **Customer Gateways** in the VPC Dashboard.
   – Click **Create Customer Gateway**, provide a name, select static routing, and enter the public IP address of your OPNsense firewall.
3. **Create a VPN Connection**:
   – Go to **VPN Connections** and click **Create VPN Connection**.
   – Choose the VGW and CGW created earlier, and specify the static IP prefixes of your local network.
   – Download the configuration file for pfSense (the configuration will be compatible with OPNsense).

### OPNsense Side Configuration
1. **Firewall Rules**:
   – Navigate to **Firewall > Rules > WAN**.
   – Allow the following traffic, ideally only from the AWS tunnel endpoint addresses given in the configuration file rather than from any source:
     – IPsec ESP (IP protocol 50)
     – IPsec ISAKMP (UDP port 500)
     – IPsec NAT-T (UDP port 4500)
2. **Configure IPsec VPN**:
   – Go to **VPN > IPsec > Tunnel Settings** and click the (+) button to add a new Phase 1 entry.
   – Configure Phase 1 settings to match the AWS configuration:
     – Key Exchange version: IKEv1 or IKEv2 (as specified by AWS)
     – Internet Protocol: IPv4
     – Interface: WAN
     – Remote Gateway: Public IP of the AWS endpoint
     – Authentication Method: Mutual PSK
     – My Identifier: My IP Address
     – Peer Identifier: Peer IP Address
     – Pre-Shared Key: Use the key provided in the AWS configuration file
     – Encryption Algorithm: AES-256
     – Hash Algorithm: SHA-1 or SHA-256
     – DH Group: Group 2 or as specified
     – Lifetime: 28800 seconds
3. **Configure Phase 2**:
   – Add a Phase 2 entry linked to the Phase 1 entry.
   – Configure the following settings:
     – Mode: Tunnel IPv4
     – Local Network: LAN subnet (e.g., 192.168.1.0/24)
     – Remote Network: AWS VPC subnet (e.g., 10.0.0.0/16)
     – Protocol: ESP
     – Encryption Algorithm: AES-256-GCM
     – Hash Algorithm: SHA-256
     – PFS Key Group: Group 14 (2048 bits)
     – Lifetime: 3600 seconds
4. **Enable IPsec**:
   – Go to **VPN > IPsec > Status Overview** and ensure the IPsec service is enabled.
   – Click on the connection and initiate the VPN.
5. **Final Firewall Configuration**:
   – Navigate to **Firewall > Rules > IPsec**.
   – Add a rule to allow traffic from the AWS VPC subnet to your local network.

### Testing and Verification
– Ensure the VPN tunnel is up and running by checking the status in the OPNsense interface.
– Verify connectivity by pinging or accessing resources across the tunnel.
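The configuration file downloaded in the AWS step and the Phase 1/Phase 2 settings typed into OPNsense above are the same data in two places; the script below, an added example rather than code from this post or from AWS, extracts those values from the VPN connection's CustomerGatewayConfiguration XML (as returned by `aws ec2 describe-vpn-connections`) for both tunnels AWS issues and flags any proposal below the AES-256/SHA-256/Group 14 values recommended above, so both ends can be raised to match before the tunnel is brought up. The element names are assumed from the usual shape of that XML and the sample is constructed; check them against your own download.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the CustomerGatewayConfiguration XML (trimmed to the
# elements used here; element names are assumed). Pre-shared keys are obvious placeholders.
SAMPLE_XML = """<vpn_connection id="vpn-0EXAMPLE">
<ipsec_tunnel>
 <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.1</ip_address></tunnel_outside_address></vpn_gateway>
 <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
  <perfect_forward_secrecy>group2</perfect_forward_secrecy><lifetime>28800</lifetime><pre_shared_key>PLACEHOLDER_PSK_1</pre_shared_key></ike>
 <ipsec><authentication_protocol>hmac-sha1-96</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
  <perfect_forward_secrecy>group2</perfect_forward_secrecy><lifetime>3600</lifetime></ipsec>
</ipsec_tunnel>
<ipsec_tunnel>
 <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.2</ip_address></tunnel_outside_address></vpn_gateway>
 <ike><authentication_protocol>sha2-256</authentication_protocol><encryption_protocol>aes-256-cbc</encryption_protocol>
  <perfect_forward_secrecy>group14</perfect_forward_secrecy><lifetime>28800</lifetime><pre_shared_key>PLACEHOLDER_PSK_2</pre_shared_key></ike>
 <ipsec><authentication_protocol>hmac-sha2-256-128</authentication_protocol><encryption_protocol>aes-256-cbc</encryption_protocol>
  <perfect_forward_secrecy>group14</perfect_forward_secrecy><lifetime>3600</lifetime></ipsec>
</ipsec_tunnel>
</vpn_connection>"""

# Values weaker than the Phase 1/2 choices recommended above (AES-256, SHA-256, DH/PFS group 14).
BELOW_RECOMMENDED = {"sha1", "hmac-sha1-96", "aes-128-cbc", "group2"}

def phase(elem):
    """Map one <ike> (Phase 1) or <ipsec> (Phase 2) element onto the OPNsense field names."""
    return {"Encryption Algorithm": elem.findtext("encryption_protocol"),
            "Hash Algorithm": elem.findtext("authentication_protocol"),
            "DH/PFS Group": elem.findtext("perfect_forward_secrecy"),
            "Lifetime": int(elem.findtext("lifetime"))}

def parse_tunnels(xml_text):
    """Return one dict per AWS tunnel (AWS always issues two) with its Phase 1/2 values."""
    tunnels = []
    for t in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        tunnels.append({
            "Remote Gateway": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "Pre-Shared Key": t.findtext("ike/pre_shared_key"),
            "Phase 1": phase(t.find("ike")),
            "Phase 2": phase(t.find("ipsec"))})
    return tunnels

def below_recommended(tunnel):
    """List (phase, field, value) entries to raise on both ends before enabling the tunnel."""
    return [(p, f, v) for p in ("Phase 1", "Phase 2")
            for f, v in tunnel[p].items() if v in BELOW_RECOMMENDED]

if __name__ == "__main__":
    for n, tun in enumerate(parse_tunnels(SAMPLE_XML), 1):
        print(f"Tunnel {n} -> {tun['Remote Gateway']}: raise {below_recommended(tun) or 'nothing'}")
```

Feed the script your real XML instead of the sample to get a per-tunnel checklist of exactly what to enter in the OPNsense Phase 1 and Phase 2 forms, with the Pre-Shared Key taken from the file as the guide instructs.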