AWS pfSense VPN Server

10 min readMay 3, 2021

Well, this one may be a little late for some. But, I thik it can come in handy for others, as the informatiom I will share can be a way to fix or understand a existing problem.

Once again my IT friends ask me for help, as they know my previous expertise with datacenter services. Here is the scenario:

VPN Server was deployed
Remote access for all employes was delivered
Employes that work on the same home (AKA Husband and Wife) can’t simultaneosly access the VPN
Nobody really understands why this is happening…

I know that some people doesn’t like IPSec because of it’s complexity. In the past, I used to had hard times debuging and understandig why some IPSec VPNs was beahving badly or simply are doesn’t working at all.

I understand that most of people uses OpenVPN, as it is easier to deploy and manage. But, if you are deploying it on Public Clouds, things can became a little expensive over time, as OpenVPN requires per user licenses (unless you are a Linux Pro). OpenVPN also needs more computing power than IPSec, as it uses SSL.

In this article, I will teach you how to create a cheap, functional, and easy to manage VPN Server based on Netgate pfSense to address the current VPN needs that was caused by covid-19 pandemic.

The VPN server will serve the current market operating systems: Windows, MacOS, Android and IOS.

Assunptions

You are using AWS Cloud, and has at your disposal a t2.small instance with Netgate pfSense deployed, and you have added a second NIC to it (for WAN/LAN individual routing). You can check it out here. Of course this deploy will work with any public cloud, as the pfSense works on them all.

Make sure you setted up your SSH access by public keys!

Why Netgate pfSense? Because it is FreeBSD based, wich makes it extremely stable and computational resource friendly.

A t2.small instance has 1vCPU and 2Gb RAM. Seems low, right? But it will do just fine for 100 simultaneously connected IPSec VPN users. Trust me.

But, if you want to add more functionalities to your VPN Server (reports, custom graphics, external monitoring, centralized AD authentication, etc), you may need more computing power.

Enough talk. Hands-on!

Part 1: Create the Certificates

IKEv2 Certificate Structure

If a suitable Certificate Authority (CA) is not present in the Cert Manager, creating one is the first task:

Navigate to System > Cert Manager on the pfSense® firewall
Click “+” Add to create a new certificate authority
Select Create an internal Certificate Authority for the Method
Fill in the rest of the fields as desired with company or site-specific information
Click Save

Create a Server Certificate

Follow these directions exactly, paying close attention to how the server certificate is created at each step. If any one part is incorrect, some or all clients may fail to connect.

Navigate to System > Cert Manager, Certificates tab on the pfSense firewall
Click “+” Add to create a new certificate
Select Create an internal certificate for the Method
Enter a Descriptive Name such as IKEv2 Server
Select the appropriate Certificate Authority created in the previous step
Choose the desired Key Type, Key length, Digest algorithm, and Lifetime
Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here instead
Fill in the regional and company values in the Distinguished name fields as desired, they are copied from the CA and may be left as-is
Set the Certificate Type to Server Certificate
Click “+” Add to add a new Alternative Name
Enter FQDN or Hostname in the Type field
Enter the hostname of the firewall as it exists in DNS again in the Value field
Click “+” Add to add another new Alternative Name
Enter IP Address in the Type field
Enter the WAN IP address of the firewall in the Value field
Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect
Click Save

As an alternative, the ACME package (ACME package) can generate a server certificate which will be trusted natively by many clients.

If you need more information, please check this link.

Part 2: Configuring IPSec VPN Mobile Access

IPSec VPNs have the characteristic of having an immense number of configurable options, where many of these need to fit in order for everything to work correctly. Be sure to pay attention to the details provided, as they are important. Think of IPSec as a machine, where some moving parts need to work together.

In order to have a high level of compatibility, where users’ VPN will be able to connect from any residential and corporate structure, we will need to use IKEv2 and MS-CHAP v2, as this combination does not have the limitations imposed by IKEv1 when it comes to access from a home where more than one user or computer needs to use the mobile VPN.

You will be able to connect to your company’s VPN from your computers and cell phones, simultaneously.

Server Requirements

A very long IPSec Client Pre-Shared key (as for example: f7f5f3A71cd83153e9d6b7473141cbd2edb54eccc7663f0302b93e7c)
A Internet Domain and 2 FQDNs: vpnipsec.yourdomain.goes.here and netgate.yourdomain.goes.here

Client Minimum Requirements

OSX 10.15
Windows 10
IOS 12
Android 10

Security Groups

Make sure to allow in your SGs:

UDP ports 500 and 4500
TCP ports 22 and 443 (temporarily while the server is being configured)

When everything is ready, for security reasons, administrative access to the VPN server can only be performed if the administrator is connected to the VPN. Be sure to adjust your SGs to limit such accesses. In case of problems, the management console can be used.

Phase 1

Make sure to configure your environment exactly as shown below.

Phase 2

Part 3: Creating User Accounts for VPN Access

Access the web configurator:

https://netgate.yourdomain.goes.here/

Browse Menus: VPN > IPsec > Pre-shared Keys

Fill in the username. The password will be the Pre-shared Key.

A 16-character Pre-Shared Key is required. Use the website https://passwordsgenerator.net/ to generate a secure passkey.

Obtaining the User Access Profile

Browse Menus: VPN > IPsec Export (Apple Profile or Windows)

The contents of the “Server Address” field must be: vpnipsec.yourdomain.goes.here

Apple Profile

Select the user in “VPN Client” menu, and download the configuration file.

Windows

In the windows menu we do not have the option “VPN Client” on the export screen:

Just download the VPN configuration file. It is called something like “VPN_ (netgate) _-_ Mobile_IPsec_clients.zip”. When unzipping it, we will get 2 files:

add_pfSense_vpn_client.ps1
pfSense_ikev2_somehash.pem

The PS1 file is a PowerShell that automatically installs the digital certificate, and sets up the VPN connection. Attention: Windows 10 restricted PowerShell, unless a somewhat complex procedures for regular users be executed. May be a good idea to convert this PS1 to EXE. This article talks about the conversion.

Part 4: Configuring the Clients

MacOS Users

Click on the file provided to automatically configure the IPsec VPN. On the screen that will appear, enter the user name and the 16-character key.

The file name is something like:

“VPN_(netgate)_-_Mobile_IPsec_clients.user.name.mobileconfig”.

An alert regarding Profiles/MDM may be displayed, regarding the attempt to change the system’s network settings. This is normal. Use the MacOS user password to confirm changes.

When the configuration is complete, a screen similar to the one shown below will be displayed:

To access the VPN, click on the characteristic icon that appears in the bar at the top of the screen. Select the options according to the image below, and click on “Connect VPN (netgate)”.

Successful login will display the following message:

Windows Users

This is a 3 part process. The VPN configuration file comes in ZIP format, and is named “VPN_ (netgate) _-_ Mobile_IPsec_clients.zip”. When unzipping it, we will get 2 files:

add_pfSense_vpn_client.exe
pfSense_ikev2_5f9c6e4977416.cer

1) Import the Digital Certificate

Right click on the file “pfSense_ikev2_5f9c6e4977416.cer”, and select “Install Certificate”:

On the screen that will open, click on the “Install Certificate” button.

On the next screen, select “Local Machine”.

As you proceed, make sure that the certificate is stored in “Trusted Root Certification Authorities”.

Click “Next”, and check if the certificate is in “Trusted Root Certification Authorities”.

Click “Finish”, and wait for the message stating that the certificate has been imported.

2) Configure the VPN

Just right-click on the file “add_pfSense_vpn_client.exe”, and select “Run as Administrator”. A black screen will be displayed briefly, and the configuration will be carried out without the need for interactions.

3) Connect to the VPN

Click on the Windows network icon, then click on “VPN (netgate) - Mobile IPsec Clients” and then “Connect”. You will be prompted for your user and password information.

A successful connection will present a screen similar to the following:

Android Users

The first step is to gain access from the cell phone to the PEM file “pfSense_ikev2_5f9c6e4977416.pem”. It is a digital certificate. Temporarily use Google Drive to gain access to the file.

Access the Play Store and install the “strongSwan VPN Client” application.

Open the strongSwan app
Import the digital certificate (PEM file):
Touch the settings icon (three vertical dots in the upper right corner)
Touch CA Certificates
Touch the settings icon (three vertical dots in the upper right corner)
Touch Import Certificate
Locate the previously copied certificate and tap it.
Go to Imported and check if there is a CA Netgate VPN
Touch Add VPN Profile
In Server, enter vpnipsec.yourdomain.goes.here
In Type, select IKEv2 EAP (username / password)
Enter username
Enter the password to be remembered, or leave it blank to request the password on each connection.
Check Select automatically in CA Certificate
Enter the profile name Company Mobile VPN

iPhone Users

The first step is to gain access from the cell phone to the PEM file “pfSense_ikev2_5f9c6e4977416.pem”. It is a digital certificate. Email the attached file to yourself. For the process to work, use the iPhone’s native email application. The Gmail application is not suitable for this process. Then, follow the process of importing the certificate as described in this link.

Now, configure an IPSec IKEv2 VPN as described in this link, but using this information to fill in the data:

Server: vpnipsec.yourdomain.goes.here
Remote ID: vpnipsec.yourdomain.goes.here
Username: as provided by the IT staff.
Password: as provided by the IT staff.

Linux Users

This is a 4 part process.

1) Copy the PEM file “pfSense_ikev2_5f9c6e4977416.pem” to your “home” directory. It is a digital certificate, and will need to be used. It is necessary to set the privilege of the digital certificate in the user’s home directory (Ex: /home/user).

$ chmod 644 pfSense_ikev2_5f9c6e4977416.pem

2) Install the necessary packages:

$ sudo apt-get install network-manager-strongswan

$ sudo apt-get install libcharon-extra-plugins

3) Now go to: Settings > Network Connections > VPN > + > IPsec/IKEv2 (strongswan)

Fill in the fields as follows:

Name: Company
Address: vpnipsec.yourdomain.goes.here
Certificate: Select the PEM file stored in the “home” directory.
Authentication: EAP
Username: fill in the user name.
Password: will be requested at the VPN connection time.
Check: Request an inner IP address.

4) To connect to the VPN:

Click on the Network Manager icon, and go to VPN> Connect. A successful connection will show a lock icon next to the Network Manager icon.

If you need more information, follow the procedure as described in this link.

Troubleshooting

Troubleshooting OSX Connection Problems

Check the IPSEC debug using the Console tool. Filter the messages of the “NEIKEv2Provider” process. Look in the logs for markings with a yellow ball, to interpret the error. It should contain a string similar to this:

[IKE_AUTH R resp1 082720D3DD6C05D6-A63D769D39E1B07E]