Tunnel internet traffic from pfSense to AWS/GCP endpoint - options?
-
Hi,
We have some servers that are behind a third-party internet connection.
We do have a pfSense device, and we are looking at setting up some kind of tunnel on that, going to, say, a cloud-hosted endpoint, such that all internet traffic is encrypted.
Note that we will have NAT behind this other internet connection.
What are some of our options here?
Any chance people could share their setup notes, or config or point to any good guides?
Thanks,
Victor
-
Sure, that can be done, with either IPsec or OpenVPN.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html
This is a bit old but still holds true; some of the options are now integrated in the GUI:
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/routing-internet-traffic-through-a-site-to-site-openvpn-connection-in-pfsense-2-1.html
Steve
-
Interesting, I'm reading through them now.
So I'd set up a server in the cloud somewhere. I suppose it doesn't matter if it's not pfSense, but say, Pritunl (blog post) or OpenVPN Access Server or vanilla OpenVPN (blog post)?
For the client side, I'm behind a NAT-ed router, and I can't set up port forwards. Is either IPsec or OpenVPN better in this case?
For the OpenVPN guide, I'm reading through the setup for side A (client). I'm confused as to what is the actual part that redirects internet traffic through this tunnel? Is it the
redirect-gateway def1;
portion?
-
If the client is behind NAT, then the tunnel can only ever be established outbound, but that's not really a problem. If you use IPsec, you'd need to be sure to use identifiers and a remote IP setting that correspond to the actual public IP.
Yes, the redirect gateway setting there changes the default route on the client end to send all traffic over the tunnel. That's now just a check box in the GUI; you don't have to add it as a custom option.
Steve
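The following is an added, worked configuration pair illustrating the setup discussed in this thread (Victor's question about what actually redirects internet traffic, and Steve's answers about the NAT-ed client and `redirect-gateway`). It is not from the thread, from Netgate's documentation, or from any of the projects mentioned. It assumes a vanilla OpenVPN 2.5+ server on a Linux cloud VM whose public address is 203.0.113.10 (a documentation address), a tunnel network of 10.8.0.0/24, a pfSense LAN of 192.168.1.0/24, an `eth0` interface on the VM, and a certificate/key set (`ca.crt`, `server.crt`, `server.key`, `dh.pem`, `ta.key`) that you have already generated, for example with easy-rsa. All of those names and addresses are placeholders.

```conf
##########################################################################
# Cloud endpoint (vanilla OpenVPN on a Linux VM): /etc/openvpn/server/site.conf
# Assumed: public IP 203.0.113.10, tunnel net 10.8.0.0/24, UDP 1194, NIC eth0.
# The instance's security group / cloud firewall must allow inbound UDP 1194.
# Nothing needs to be opened on the pfSense side: pfSense always dials out,
# which is why the NAT in front of it is not a problem.
##########################################################################
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0     # server is 10.8.0.1; pfSense gets a pool address
# PKI assumed to exist already (e.g. easy-rsa); file names are placeholders.
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   /etc/openvpn/server/dh.pem
tls-crypt /etc/openvpn/server/ta.key   # authenticates + encrypts the control channel
remote-cert-tls client                 # only accept peers holding a client certificate
cipher AES-256-GCM
auth SHA256
# Keep the NAT mapping on the third-party router alive and reconnect if it changes.
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
# Deliberately no "push redirect-gateway" here: for a site-to-site link the
# pfSense side decides what it sends over the tunnel (see the client options).
#
# Also required on this VM, outside OpenVPN (run once, as root), otherwise
# traffic arrives over the tunnel and is simply dropped:
#   sysctl -w net.ipv4.ip_forward=1
#   nft add table ip nat
#   nft add chain ip nat postrouting '{ type nat hook postrouting priority 100 ; }'
#   nft add rule ip nat postrouting ip saddr 10.8.0.0/24 oifname "eth0" masquerade
# On AWS/GCP the VM only sees its private address; the cloud's 1:1 NAT maps
# that to 203.0.113.10, so this is what the rest of the internet will see.

##########################################################################
# pfSense side (VPN > OpenVPN > Clients), written as the equivalent OpenVPN
# client options. Everything except the last line maps to a normal GUI field.
##########################################################################
client
dev tun
proto udp
remote 203.0.113.10 1194
nobind                      # behind NAT with no port forwards: any source port is fine
resolv-retry infinite
remote-cert-tls server      # refuse a server that presents a client certificate
tls-crypt /path/to/ta.key   # placeholder: same ta.key as the server
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
verb 3
# Without the next line only the tunnel network (10.8.0.0/24) is routed over the
# VPN, and internet traffic still leaves via the third-party connection in the clear.
# "def1" installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel (more specific than the
# existing 0.0.0.0/0, so it wins) plus a /32 route to 203.0.113.10 via the original
# gateway, so the tunnel's own packets do not try to go through the tunnel.
redirect-gateway def1
```

Two things to check once it is up. First, LAN hosts will only get replies if the cloud VM can route back to them: the simplest way is an outbound NAT rule on pfSense (Firewall > NAT > Outbound, hybrid mode) translating 192.168.1.0/24 to the OpenVPN interface address, so the VM only ever sees 10.8.0.0/24 and needs no `route`/`iroute` entries for the LAN. Second, from a LAN host confirm that an external service reports 203.0.113.10 as your address, and check which resolver pfSense itself uses: if DNS still goes out via the WAN interface, the names you look up leave in the clear even though the rest of the traffic is tunnelled.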