Bug #8062

Fixes to AWS VPC VPN wizard

Added by Andrew Wasilczuk about 2 years ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
Category:
AWS VPC
Target version:
-
Start date:
11/07/2017
Due date:
% Done:
100%

Estimated time:
Affected Version:
2.4
Affected Architecture:
All

Description

A mixture of bug fixes and features for the VPC VPN wizard.

Use FRR BGP instead of OpenBGP

OpenBGP currently doesn't work with IPsec due to: https://redmine.pfsense.org/issues/6223. Switching to FRR made BGP usable again.

Added support for assuming role using EC2 instance profiles

Rather than having to enter the access/secret keys on the GUI, this allows one to use an IAM role attached to the pfSense instance to give it the necessary permissions to configure the VPN. The AWS SDK will pull temporary credentials out of the instance metadata automatically. It's a more secure and usable approach since it does away with having to manage access keys yourself. It's also the recommended approach by AWS:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

This works cross account too.

The old method is still there so you can use either.

Made security group configuration optional

The security group configuration part of the wizard goes through every single security group inside a VPC and opens it up to the subnets routed over the VPN. This approach is a bit heavy handed and not necessary if you have something else managing your security groups already (e.g. Terraform, CloudFormation).

I couldn't find this on GitHub so attached the relevant files here. Please let me know if this is not the right place.

Used aws-wizard 0.7 as a base for this and tested on 2.4.0.
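The two mechanisms the description above relies on, shown as an added example in Python/boto3 (this is not the wizard's code, which is PHP and not public; the role ARN, group IDs, CIDRs, the "ManagedBy" tag convention and the sample DescribeSecurityGroups output are all constructed for the example): credentials come from the instance profile through the SDK default provider chain and can be exchanged for cross-account temporary credentials with sts:AssumeRole, and the security-group step is computed as an idempotent diff that the operator can skip entirely or restrict to groups no other tool owns.

```python
"""Added example, not the pfSense AWS VPC VPN wizard's own code.

1. vpn_session(): instance-profile credentials via the default chain (IMDS on
   EC2), optionally swapped for short-lived cross-account credentials.
2. plan_security_group_changes(): minimal, repeatable ingress changes so the
   VPN-routed subnets reach a VPC's groups, with opt-out for managed groups.

All identifiers and sample API output below are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Tag keys that mark a group as owned by another tool, so the wizard leaves it
# alone. "aws:cloudformation:stack-id" is set by CloudFormation itself;
# "ManagedBy" is an assumed local convention for Terraform-created groups.
EXTERNALLY_MANAGED_TAGS = ("aws:cloudformation:stack-id", "ManagedBy")
RULE_DESCRIPTION = "pfSense VPC VPN"


def vpn_session(region: str, role_arn: Optional[str] = None,
                session_name: str = "pfsense-vpc-vpn"):
    """Return a boto3 Session to configure the VPN with.

    Without role_arn the default provider chain is used; on EC2 it ends at the
    instance metadata service and yields the instance profile's temporary keys,
    so nothing is typed into or stored in the pfSense config. With role_arn
    (cross-account use) those keys only serve to call sts:AssumeRole and the
    EC2 calls then run under the returned short-lived credentials.
    """
    import boto3  # imported lazily so the pure planning helpers run without the SDK

    base = boto3.session.Session(region_name=region)
    if role_arn is None:
        return base
    creds = base.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=900
    )["Credentials"]
    return boto3.session.Session(
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def is_externally_managed(group: dict) -> bool:
    tags = {t["Key"] for t in group.get("Tags", [])}
    return any(key in tags for key in EXTERNALLY_MANAGED_TAGS)


def missing_vpn_rules(group: dict, vpn_cidrs: Iterable[str]) -> List[dict]:
    """IpPermissions to add so every VPN-routed CIDR can reach the group.

    A CIDR is skipped when an existing all-protocol rule already covers it, so
    re-running the wizard never stacks duplicate rules (EC2 rejects an exact
    duplicate with InvalidPermission.Duplicate).
    """
    covered = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") != "-1":
            continue  # port-limited rules do not admit the VPN subnets in general
        covered += [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        covered += [ipaddress.ip_network(r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]

    v4, v6 = [], []
    for cidr in vpn_cidrs:
        net = ipaddress.ip_network(cidr)
        if any(net.version == c.version and net.subnet_of(c) for c in covered):
            continue
        if net.version == 4:
            v4.append({"CidrIp": str(net), "Description": RULE_DESCRIPTION})
        else:
            v6.append({"CidrIpv6": str(net), "Description": RULE_DESCRIPTION})
    if not v4 and not v6:
        return []
    perm = {"IpProtocol": "-1"}
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return [perm]


def plan_security_group_changes(groups: Iterable[dict], vpn_cidrs: Iterable[str],
                                manage_groups: bool = True,
                                skip_external: bool = True) -> Dict[str, List[dict]]:
    """Map GroupId -> IpPermissions to authorize. Empty when the operator opts out."""
    plan: Dict[str, List[dict]] = {}
    if not manage_groups:
        return plan
    for group in groups:
        if skip_external and is_externally_managed(group):
            continue
        perms = missing_vpn_rules(group, vpn_cidrs)
        if perms:
            plan[group["GroupId"]] = perms
    return plan


def vpc_security_groups(ec2, vpc_id: str) -> List[dict]:
    """All groups in one VPC (needs ec2:DescribeSecurityGroups)."""
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate(
            Filters=[{"Name": "vpc-id", "Values": [vpc_id]}]):
        groups.extend(page["SecurityGroups"])
    return groups


def apply_plan(ec2, plan: Dict[str, List[dict]]) -> None:
    """Push the plan (needs ec2:AuthorizeSecurityGroupIngress)."""
    for group_id, perms in plan.items():
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms)


# Constructed sample of DescribeSecurityGroups output for one VPC.
VPN_CIDRS = ["10.1.0.0/16", "192.168.1.0/24"]
SAMPLE_GROUPS = [
    {   # already admits all of 10/8, so only the 192.168.1.0/24 rule is missing
        "GroupId": "sg-0aaa111122223333", "Tags": [],
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
    },
    {   # owned by a CloudFormation stack: left alone unless skip_external=False
        "GroupId": "sg-0bbb111122223333",
        "Tags": [{"Key": "aws:cloudformation:stack-id",
                  "Value": "arn:aws:cloudformation:us-east-1:111111111111:stack/app/0"}],
        "IpPermissions": [],
    },
    {   # only tcp/443 from anywhere: both VPN CIDRs must be added
        "GroupId": "sg-0ccc111122223333", "Tags": [],
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
]

if __name__ == "__main__":
    import json
    print(json.dumps(plan_security_group_changes(SAMPLE_GROUPS, VPN_CIDRS), indent=2))
    # Live run (assumed role ARN and VPC ID), uncomment on an instance with a profile:
    # ec2 = vpn_session("us-east-1", "arn:aws:iam::222222222222:role/pfsense-vpn").client("ec2")
    # apply_plan(ec2, plan_security_group_changes(vpc_security_groups(ec2, "vpc-0123"), VPN_CIDRS))
```

Two practitioner notes. For the cross-account path the target role's trust policy must allow the instance profile's role (or account) to call sts:AssumeRole, and the instance role itself needs only sts:AssumeRole plus whatever it still does in its own account; the EC2 permissions (DescribeSecurityGroups, AuthorizeSecurityGroupIngress, and the VPN/route actions the wizard performs) belong on the assumed role. And because any process on the instance that can reach 169.254.169.254 can read the profile's credentials, keep that role's policy narrow and consider requiring IMDSv2 (HttpTokens=required) on the pfSense instance.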

History

#1 Updated by Jim Pingle about 2 years ago

  • Target version deleted (2.4.2)
  • Private changed from No to Yes

#2 Updated by Jim Pingle about 2 years ago

  • File deleted (vpc_vpn_wizard.xml)

#3 Updated by Jim Pingle about 2 years ago

  • File deleted (vpc_vpn_wizard.inc)

#4 Updated by Jim Pingle about 2 years ago

  • Private changed from Yes to No

Thanks for the code submission! I had to remove those files from this public Redmine post because that code is only available to users running the factory firmware, which is why it isn't on GitHub. I have copied the changes over to an internal ticket at https://redmine.netgate.com/issues/342 for review.

#5 Updated by Jim Thompson almost 2 years ago

  • Assignee set to Jim Pingle

#6 Updated by Jim Pingle 4 months ago

  • Category set to AWS VPC
