Fixes to AWS VPC VPN wizard
A mixture of bug fixes and featured for the vpc vpn wizard.
Use FRR BGP instead of OpenBGP¶
OpenBGP currently doesn't work with IPsec due to: https://redmine.pfsense.org/issues/6223. Switching to FRR made BGP usable again.
Added support for assuming role using EC2 instance profiles¶
Rather than having to enter the access/secret keys on the GUI, this allows one to use an IAM role attached to the pfsense instance to give it the necessary permissions to configure the VPN. The AWS SDK will pull temporary credentials out of the instance metadata automatically. It's a more secure and usable approach since it does away with having to manage access keys yourself. It's also the recommended approach by AWS:
This works cross account too.
The old method is still there so you can use either.
Made security group configuration optional¶
The sec group configuration part of the wizard goes through every single security group inside a VPC and opens it up to the subnets routed over the VPN. This approach is a bit heavy handed and not necessary if you have something else managing your security groups already (e.g. Terraform, Cloud Formation).
I couldn't find this on Github so attached the relevant files here. Please let me know if this is not the right place.
Used aws-wizard 0.7 as a base for this and tested on 2.4.0
#4 Updated by Jim Pingle about 2 years ago
- Private changed from Yes to No
Thanks for the code submission! I had to remove those files from this public redmine post because that code is only available to users running the factory firmware which is why it isn't on github. I have copied the changes over to an internal ticket at https://redmine.netgate.com/issues/342 for review.