Project

General

Profile

Actions

Bug #8062

closed

Fixes to AWS VPC VPN wizard

Added by Andrew Wasilczuk about 7 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
AWS VPC
Target version:
-
Start date:
11/07/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.4
Affected Plus Version:
Affected Architecture:
All

Description

A mixture of bug fixes and featured for the vpc vpn wizard.

Use FRR BGP instead of OpenBGP

OpenBGP currently doesn't work with IPsec due to: https://redmine.pfsense.org/issues/6223. Switching to FRR made BGP usable again.

Added support for assuming role using EC2 instance profiles

Rather than having to enter the access/secret keys on the GUI, this allows one to use an IAM role attached to the pfsense instance to give it the necessary permissions to configure the VPN. The AWS SDK will pull temporary credentials out of the instance metadata automatically. It's a more secure and usable approach since it does away with having to manage access keys yourself. It's also the recommended approach by AWS:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

This works cross account too.

The old method is still there so you can use either.

Made security group configuration optional

The sec group configuration part of the wizard goes through every single security group inside a VPC and opens it up to the subnets routed over the VPN. This approach is a bit heavy handed and not necessary if you have something else managing your security groups already (e.g. Terraform, Cloud Formation).

I couldn't find this on Github so attached the relevant files here. Please let me know if this is not the right place.

Used aws-wizard 0.7 as a base for this and tested on 2.4.0

Actions

Also available in: Atom PDF