OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: jmalter on August 07, 2017, 09:47:47 pm

Title: HowTo connect OPNSense with Amazon VPC via VPN Service
Post by: jmalter on August 07, 2017, 09:47:47 pm
This guide describes how to connect to an AWS VPC using the AWS VPN service. You can also use your own EC2 instance as a gateway, but that is the less elegant variant because you have to tinker and experiment with it. The AWS VPN method is redundant by design, so you have to create 2 IPsec tunnels.

Preparation:

Take care with the network addresses: they must not collide.

Example:
Office Networks:
LAN: 192.168.1.0/24
WLAN: 192.168.2.0/24
DMZ: 192.168.3.0/24

VPC Network:
172.31.0.0/16 (this is usually the default)

As you can see, all networks are unique. Should they collide, you have to bite the bullet and renumber your networks. One could set up NAT on the OPNSense, but the other side would not be able to handle it: the AWS VPN endpoint is based on Cisco equipment with several inspection rules active, and it failed with NAT.

Our requirements:

Only the network 192.168.1.0/24 may have access to servers and services at AWS.


Setup AWS VPN:

1. Log in to the AWS Dashboard and switch to the VPC view.
2. Set up the Customer Gateway (the name is arbitrary and has little meaning; routing is static; IP Address is the public IP of your OPNSense).
3. Set up the Virtual Private Gateway (the name is arbitrary and has little meaning).
4. The most important point: set up the VPN Connection.
Name: as in 2 and 3.

VPG: the identifier of the Virtual Private Gateway.
Customer Gateway: click on "existing" and select the gateway identifier.
Routing option: again Static, then 192.168.1.0/24 (if you want to route several local networks, separate them with commas).

The setup can take up to 5 minutes, since everything is now done in the background on the Ciscos. Two tunnels are set up. Once the setup is complete, select the VPN Connection and click Download Configuration at the top. Select and download the pfSense variant here; you need this file later for OPNSense.

5. The most important point: on the left, go to Route Tables and select the route table of your VPC. Then go down to Route Propagation. The default for Propagate is No; change it to Yes. Time for a cup of coffee, since propagation can take 1-5 minutes.


VPN setup on the OPNSense:

The configuration of OPNSense is very easy if you use the configuration sheet downloaded from AWS. Follow the sheet as described. If you have more than one network to route, you have to add as many phase 2 entries as you have networks.
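As an added example (not part of the original post or of OPNsense/AWS), this script ties the preparation step and the phase 2 rule together: it checks the office networks and the VPC CIDR for collisions, builds the comma-separated static route list for the VPN Connection, and lists the phase 2 entries OPNsense needs per tunnel. The network names and values are taken from the post; the VPC CIDR is the AWS default.

```python
"""Plan the AWS Site-to-Site VPN from the tutorial: verify that no network
collides, then derive the static routes and the IPsec phase 2 entries."""
from ipaddress import ip_network
from itertools import combinations

# Constructed values matching the post (the VPC CIDR is the AWS default).
OFFICE_NETWORKS = {
    "LAN": "192.168.1.0/24",
    "WLAN": "192.168.2.0/24",
    "DMZ": "192.168.3.0/24",
}
VPC_CIDR = "172.31.0.0/16"
ALLOWED_TO_AWS = ["LAN"]  # requirement: only the LAN may reach AWS
TUNNELS = 2               # AWS always provisions two redundant tunnels


def find_collisions(office, vpc_cidr):
    """Return (name_a, name_b) pairs whose address ranges overlap.
    The VPC takes part under the name 'VPC'. Any hit means renumbering,
    since NAT towards the AWS side does not work with the Cisco inspection."""
    nets = {name: ip_network(cidr, strict=True) for name, cidr in office.items()}
    nets["VPC"] = ip_network(vpc_cidr, strict=True)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def static_routes(office, allowed):
    """Comma-separated CIDR list for the VPN Connection's static routing option."""
    return ",".join(office[name] for name in allowed)


def phase2_entries(office, allowed, vpc_cidr, tunnels=TUNNELS):
    """One phase 2 (local network <-> VPC) per routed network, on each tunnel."""
    return [{"tunnel": t, "local": office[name], "remote": vpc_cidr}
            for t in range(1, tunnels + 1)
            for name in allowed]


def plan(office=OFFICE_NETWORKS, vpc_cidr=VPC_CIDR, allowed=ALLOWED_TO_AWS):
    """Refuse to plan while addresses collide; otherwise return routes and phase 2 list."""
    collisions = find_collisions(office, vpc_cidr)
    if collisions:
        raise ValueError(f"address collision, renumber first: {collisions}")
    return {"routes": static_routes(office, allowed),
            "phase2": phase2_entries(office, allowed, vpc_cidr)}


if __name__ == "__main__":
    print(plan())
```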