Bug #8062


Fixes to AWS VPC VPN wizard

Added by Andrew Wasilczuk about 4 years ago. Updated about 2 years ago.



A mixture of bug fixes and features for the VPC VPN wizard.

Use FRR BGP instead of OpenBGP

OpenBGP currently doesn't work with IPsec due to: Switching to FRR made BGP usable again.

Added support for assuming role using EC2 instance profiles

Rather than having to enter the access/secret keys on the GUI, this allows one to use an IAM role attached to the pfsense instance to give it the necessary permissions to configure the VPN. The AWS SDK will pull temporary credentials out of the instance metadata automatically. It's a more secure and usable approach since it does away with having to manage access keys yourself. It's also the recommended approach by AWS:

This works cross account too.

The old method is still there so you can use either.

Made security group configuration optional

The security group configuration part of the wizard goes through every single security group inside a VPC and opens it up to the subnets routed over the VPN. This approach is a bit heavy-handed and not necessary if you have something else managing your security groups already (e.g. Terraform, CloudFormation).

I couldn't find this on Github so attached the relevant files here. Please let me know if this is not the right place.

Used aws-wizard 0.7 as a base for this and tested on 2.4.0
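The instance-profile path described above relies on the SDK reading short-lived credentials from the instance metadata service. The following is an added illustration of that lookup, not code from the wizard, the attached files or the AWS SDK: it performs the IMDSv2 exchange (a PUT for a session token, then token-carrying GETs for the role name and its credential document), parses the temporary keys and session token, and checks when they need refreshing. The transport is injectable; the constructed `fake_imds` transport, the role name `pfsense-vpn-wizard` and the credential values in `SAMPLE_DOC` are made up so the example runs offline and are not real AWS credentials.

```python
"""IMDSv2 instance-profile credential lookup (added illustration).

Not code from the pfSense AWS VPC wizard or the AWS SDK. It shows what the
SDK does behind the scenes when no access keys are configured: fetch an
IMDSv2 session token, read the role attached to the instance, load that
role's temporary credentials, and refresh them shortly before they expire.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_SECONDS = 21600  # maximum IMDSv2 token lifetime (6 hours)


def http_fetch(method, url, headers=None, timeout=2):
    """Default transport: one HTTP request to the link-local metadata endpoint."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def get_imds_token(fetch=http_fetch):
    """IMDSv2: a PUT carrying a TTL header returns a token later GETs must present."""
    return fetch("PUT", IMDS_BASE + TOKEN_PATH,
                 {"X-aws-ec2-metadata-token-ttl-seconds": str(TOKEN_TTL_SECONDS)})


def get_instance_credentials(fetch=http_fetch):
    """Return the temporary credentials of the role in the instance profile."""
    headers = {"X-aws-ec2-metadata-token": get_imds_token(fetch)}
    # The listing contains exactly one name: the role of the instance profile.
    role_name = fetch("GET", IMDS_BASE + CREDS_PATH, headers).strip()
    doc = json.loads(fetch("GET", IMDS_BASE + CREDS_PATH + role_name, headers))
    if doc.get("Code") != "Success":
        raise RuntimeError("metadata service reported %s" % doc.get("Code"))
    expiration = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "role": role_name,
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],  # must be sent with every signed request
        "expiration": expiration.replace(tzinfo=timezone.utc),
    }


def needs_refresh(creds, now=None, margin=timedelta(minutes=5)):
    """True when the credentials expire within `margin` (SDKs also refresh early)."""
    now = now or datetime.now(timezone.utc)
    return creds["expiration"] - now <= margin


# --- constructed sample for offline use: hypothetical role, fake key material ---
SAMPLE_TOKEN = "AQAAAExampleSessionToken=="
SAMPLE_ROLE = "pfsense-vpn-wizard"   # hypothetical role name
SAMPLE_DOC = {                       # shape of a real IMDS credential document
    "Code": "Success",
    "LastUpdated": "2017-10-30T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "exampleSecretKeyNotReal",
    "Token": "exampleSessionTokenNotReal",
    "Expiration": "2017-10-30T16:00:00Z",
}


def fake_imds(method, url, headers=None, timeout=2):
    """Stand-in transport that behaves like IMDSv2 and rejects token-less GETs."""
    headers = headers or {}
    if method == "PUT" and url == IMDS_BASE + TOKEN_PATH:
        return SAMPLE_TOKEN
    if headers.get("X-aws-ec2-metadata-token") != SAMPLE_TOKEN:
        raise RuntimeError("401 Unauthorized: IMDSv2 token required")
    if url == IMDS_BASE + CREDS_PATH:
        return SAMPLE_ROLE + "\n"
    if url == IMDS_BASE + CREDS_PATH + SAMPLE_ROLE:
        return json.dumps(SAMPLE_DOC)
    raise RuntimeError("404 Not Found: " + url)


if __name__ == "__main__":
    creds = get_instance_credentials(fetch=fake_imds)
    print(creds["role"], creds["access_key_id"], creds["expiration"].isoformat())
    print("refresh needed:", needs_refresh(creds))
```

Two points worth keeping in mind when relying on this path from a firewall appliance: the token-first IMDSv2 flow is what stops a forwarded or proxied request from reading the credentials (a plain GET without the token is refused, as the fake transport shows), and the credentials carry a session token and an expiry, so anything caching them must refresh before the `Expiration` rather than treating them like static access keys.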

Actions #1

Updated by Jim Pingle about 4 years ago

  • Target version deleted (2.4.2)
  • Private changed from No to Yes
Actions #2

Updated by Jim Pingle about 4 years ago

  • File deleted (vpc_vpn_wizard.xml)
Actions #3

Updated by Jim Pingle about 4 years ago

  • File deleted (
Actions #4

Updated by Jim Pingle about 4 years ago

  • Private changed from Yes to No

Thanks for the code submission! I had to remove those files from this public Redmine post because that code is only available to users running the factory firmware, which is why it isn't on GitHub. I have copied the changes over to an internal ticket at for review.

Actions #5

Updated by Jim Thompson almost 4 years ago

  • Assignee set to Jim Pingle
Actions #6

Updated by Jim Pingle over 2 years ago

  • Category set to AWS VPC
Actions #7

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Resolved

This has been complete for >1yr now. See factory 342

