Setting up site-to-site VPN¶
We recommend that you first read through our Prerequisites for site-2-site VPN guide. Follow these steps to setup site-to-site VPN by using the cloud management portal:
Press VPN and then IPsec in the sidebar menu.
Click the + (plus) symbol in the lower right corner.
Enter the required information:
Name
: This is a friendly name used to distinguish the resources created by this template.Admin SSH key pair
: Your SSH key pair used to access the pfSense instance by SSH.Admin IP ranges
: IP ranges in CIDR notation that’s allowed to access the pfSense instances WebUI and SSH server through the router.This would be your office public IP address followed by
/32
(for example8.8.8.8/32
) in which case traffic from8.8.8.8
would be able to reach management. If you prefer open access to the VPN server, you can enter0.0.0.0/0
here (not recommended) or leave the standard127.0.0.1/32
which will not allow access other than from inside the cloud (for example via the client VPN). You can change this later by updating the security group namedIPSec-<name>-<random string>_management
.
Availability zone
: This needs to be the same availability zone that’s used for the network that you intend to use.pfSense instance flavor
: The instance flavor used for the pfSense instance. The defaultgp.1x2
should be enough for most use cases.Private network
: The network that’s exposed through IPsec.IPSec pre-shared key
: If you want to use a specific pre-shared key you may enter that here. If left at default, a random key will be generated for you.IPSec peer IP
: This should contain the public gateway address for the remote IPsec endpoint. It should not be a DNS name but an IP-address.IPSec remote network
: This should contain the network address (in CIDR notation) for the tunneled remote network.
Press Create. VPN creation takes considerably longer than setting up a standard instance. This is due to the (comparably) long first time bootstrap of the VPN instance when generating ciphers and so on.
Post installation tasks:
In the output of the stack, save the output for the
mgmt_url
parameter, along with theadmin password
(the username is alwaysadmin
). You will need these when doing extra configuration.We recommend logging into the above URL and changing the password and pre-shared key, see Advanced configuration for more information on this.
After the service creation is complete you will need to add routes to the remote subnets to get traffic flowing over VPN.
Add the newly created security group
IPSec-<name>-<random string>_access
to all instances that should be accessible from the remote end of the IPSec tunnel.Once you are ready, proceed to configure the remote end of the tunnel.
Note
Some steps included in the setup that might cause you to hit a predefined quota (for example if you cant create more security groups or floating IP addresses), contact our support to raise the quota on your account.
If the installation fails, you are able to get the reason by clicking the service and checking error messages.