PfSense as a VPN Appliance running on Azure



  • Smeee Again!

    I'm pulling my hair out at the moment (and I don't have much of that left nowadays) trying to use pfSense as a VPN appliance on Azure. We have it configured using an A0 Basic VM, which gives us a single NIC.

    However, pfSense is accessible on a public IP address as well as having a connection to a local network (Azure magic).

    So here's the rub of it:

    Internet (80.80.80.80 WAN IP, which can be used to access the pfSense WebGUI) <--> pfSense VM on Azure (on a subnet / Azure VNet of 10.0.9.0, with an IP itself of 10.0.9.4)

    So we've opened all of the required ports for IPsec and we can get the connection to 'establish'. However, when we attempt to ping 10.0.9.4 from our office (a different subnet, 192.168.2.0 for example) we get a reply from a public IP that we don't recognise saying the TTL expired. This to me means there's a routing problem somewhere, but I can't for the life of me figure this out.

    I'm assuming this is to do with the way that we've configured pfSense, with just a single WAN connection and no LAN. However, I've been assured that this should work, as we're essentially just using pfSense as a VPN endpoint / appliance.

    Any help setting up in such an environment would be amazing, as I'm wanting to get each of our enterprise clients on Azure running pfSense, of whom there are a lot.

    Thank you in advance and as always much love.

    ~ Panic



  • Hello, I was 100% in your boat the last 2 days. I figured it out, so I thought I would see if it would solve your problem.

    The pfSense single-NIC deployment cannot be on the same subnet as the Local Subnet in the IPsec configuration. The following should get you up and working.

    Deploy an Azure VNet with the Address Space - 10.0.8.0/23
    Create a VM Subnet - 10.0.9.0/24
    Create a Firewall Subnet - 10.0.8.0/28

    Deploy the pfSense Basic A0 instance to the firewall subnet.

    Create a firewall rule for the WAN port:
    Address Family - IPv4
    Protocol - any
    Source - 10.0.9.0/24
    Port - *
    Destination - *
    Gateway - *

    Create an IPsec firewall rule:
    Address Family - IPv4
    Protocol - any
    Source - any
    Port - *
    Destination - *
    Gateway - *

    Create an IPsec VPN:
    Phase 1 settings to worry about:
      My Identifier - IP Address - set the address of your public IP in Azure (this was required for my remote device to pass Phase 1; may not be needed)
      Everything else is whatever you want

    Phase 2 settings to worry about:
      Local Network - Network - 10.0.9.0/24 - do not use the subnet the pfSense is on
      Remote Network - 192.168.2.0/24 - this is from your example.

    In Azure, create a user-defined route to point to the pfSense appliance for the 192.168.2.0/24 network.

    You may also need to create a security group rule for the VM subnet to allow any source to any destination outbound. I have that rule set, but since Azure doesn't have hit counters on ACLs, it's hard to say if it's doing anything.

    I currently have this deployed and I'm terminating 3 VPNs on a Basic A1, paying 4 cents an hour + storage, and I've never seen my CPU spike above 8%. Let me know if you have any issues. This was driving me crazy for the last two days.
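    The addressing rules in the reply above (pfSense on its own subnet, the Phase 2 local network being the workload subnet rather than the pfSense subnet, and a user-defined route sending the remote network to pfSense) can be checked on paper before anything is deployed. The following is an added example in Python, not code from the poster, from pfSense or from Azure. It models both plans from this thread: the original single-subnet layout with pfSense at 10.0.9.4 and Phase 2 local network 10.0.9.0/24, and the corrected two-subnet layout. The pfSense address 10.0.8.4 in the corrected plan is an assumption (the first address Azure does not reserve in 10.0.8.0/28); the reserved-address check relies on Azure reserving the first four and the last address of every subnet.

    ```python
    import ipaddress
    from dataclasses import dataclass
    from typing import List, Tuple


    @dataclass
    class SingleNicPlan:
        """Addressing plan for a single-NIC pfSense IPsec endpoint in an Azure VNet."""
        vnet: str                          # VNet address space
        firewall_subnet: str               # subnet that holds the pfSense NIC
        vm_subnet: str                     # workload subnet
        pfsense_ip: str                    # pfSense private IP (used as the UDR next hop)
        phase2_local: str                  # IPsec Phase 2 "Local Network"
        phase2_remote: str                 # IPsec Phase 2 "Remote Network"
        udr_routes: List[Tuple[str, str]]  # user-defined routes as (prefix, next-hop IP)


    def check_plan(plan: SingleNicPlan) -> List[str]:
        """Return a list of problems with the plan; an empty list means every check passed."""
        problems: List[str] = []
        vnet = ipaddress.ip_network(plan.vnet)
        fw = ipaddress.ip_network(plan.firewall_subnet)
        vm = ipaddress.ip_network(plan.vm_subnet)
        pf = ipaddress.ip_address(plan.pfsense_ip)
        local = ipaddress.ip_network(plan.phase2_local)
        remote = ipaddress.ip_network(plan.phase2_remote)

        # Both subnets must be carved out of the VNet address space and must not overlap.
        for name, net in (("firewall subnet", fw), ("VM subnet", vm)):
            if not net.subnet_of(vnet):
                problems.append(f"{name} {net} is not inside VNet {vnet}")
        if fw == vm:
            problems.append(f"pfSense shares subnet {fw} with the workloads; give it its own subnet")
        elif fw.overlaps(vm):
            problems.append(f"firewall subnet {fw} overlaps VM subnet {vm}")

        # pfSense must sit in the firewall subnet and avoid the addresses Azure reserves
        # in every subnet (the first four and the last one).
        if pf not in fw:
            problems.append(f"pfSense IP {pf} is not in firewall subnet {fw}")
        elif int(pf) - int(fw.network_address) < 4 or pf == fw.broadcast_address:
            problems.append(f"pfSense IP {pf} is an Azure-reserved address in {fw}")

        # The rule from the thread: the Phase 2 local network must not be the subnet
        # pfSense itself is on, but it still has to be VNet space.
        if local.overlaps(fw):
            problems.append(f"Phase 2 local network {local} overlaps the pfSense subnet {fw}")
        if not local.subnet_of(vnet):
            problems.append(f"Phase 2 local network {local} is not inside VNet {vnet}")

        # If the remote side collides with VNet space, replies never leave the VNet.
        if remote.overlaps(vnet):
            problems.append(f"Phase 2 remote network {remote} overlaps VNet {vnet}")

        # Azure must be told to hand remote-network traffic to pfSense: a UDR whose
        # prefix covers the remote network and whose next hop is the pfSense private IP.
        covered = any(
            remote.subnet_of(ipaddress.ip_network(prefix)) and ipaddress.ip_address(hop) == pf
            for prefix, hop in plan.udr_routes
        )
        if not covered:
            problems.append(f"no user-defined route sends {remote} to pfSense at {pf}")
        return problems


    # Constructed from the original question: one subnet, pfSense at 10.0.9.4, and the
    # same subnet used as the Phase 2 local network, with no UDR.
    BROKEN_PLAN = SingleNicPlan(
        vnet="10.0.9.0/24", firewall_subnet="10.0.9.0/24", vm_subnet="10.0.9.0/24",
        pfsense_ip="10.0.9.4", phase2_local="10.0.9.0/24", phase2_remote="192.168.2.0/24",
        udr_routes=[],
    )

    # Constructed from the reply: separate firewall and VM subnets, Phase 2 local network
    # equal to the VM subnet, and a UDR for the office network. 10.0.8.4 is assumed.
    FIXED_PLAN = SingleNicPlan(
        vnet="10.0.8.0/23", firewall_subnet="10.0.8.0/28", vm_subnet="10.0.9.0/24",
        pfsense_ip="10.0.8.4", phase2_local="10.0.9.0/24", phase2_remote="192.168.2.0/24",
        udr_routes=[("192.168.2.0/24", "10.0.8.4")],
    )

    if __name__ == "__main__":
        for label, plan in (("original layout", BROKEN_PLAN), ("corrected layout", FIXED_PLAN)):
            found = check_plan(plan)
            print(f"{label}: {'OK' if not found else ''}")
            for p in found:
                print(f"  - {p}")
    ```

    Running it reports three problems for the original layout (pfSense sharing the workload subnet, the Phase 2 local network overlapping the pfSense subnet, and no user-defined route) and none for the corrected one. The UDR check is deliberately strict about the next hop: a route that covers 192.168.2.0/24 but points anywhere other than the pfSense private IP is treated as missing, which is the routing mistake that produces the unexpected TTL-expired replies described in the question.
    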



  • @TheDancingFetus:

    In Azure […] I currently have this deployed and I'm terminating 3 VPNs on a Basic A1, paying 4 cents a month + storage and I've never seen my CPU Spike above 8%

    Could you provide a little more detail on the costs here? I read https://www.reddit.com/r/PFSENSE/comments/6339i2/be_your_own_vpn_provider_run_pfsense_in_the_cloud/ yesterday and it piqued my interest. I currently pay NordVPN around $8/mo for VPN service that I have configured on a VLAN at home for specific traffic. But it's quite unreliable, and I wouldn't mind having a dedicated pfSense instance to play around with, especially if the costs were comparable or less. I tried signing up for a PAYG instance in Azure, but the cheapest option I could find was "F1S", and that worked out to be $37/mo. How are you running anything in Azure for 0.04c/mo?



  • Are you using SSD as the VM disk type? If you did, you will only see instance types that support SSD. If you change it to HDD, you should see the Basic A0 instance.



  • Also, I just noticed I put 4 cents a month. It's 4 cents an hour. I'm editing my original post.

