First, follow the instructions in this post to build a firewall host.
In AWS EC2, launch the OpenVPN Access Server openvpn instance.
Attach one interface, eth0, to the openvpn instance:
| Subnet | Interface | Address |
|---|---|---|
| DMZ | eth0 | 10.20.1.9 |
The openvpn instance will use 10.20.0.1 for its default gateway.
From the firewall instance, you should be able to log in to the openvpn instance using your ssh key:

```
ssh -i key.pem openvpnas@10.20.1.9
```
Configure the firewall to redirect specific network connections to the openvpn instance
Modify /etc/pf.conf:

```
------------------------------ cut here ------------------------------
rdr on $int_if inet proto tcp from <trusted> to $int_address port 224 -> 10.20.1.9 port 22
rdr on $int_if inet proto tcp from <trusted> to $int_address port 444 -> 10.20.1.9 port 443
rdr on $int_if inet proto tcp from <trusted> to $int_address port 943 -> 10.20.1.9 port 943
rdr on $int_if inet proto udp from <trusted> to $int_address port 1194 -> 10.20.1.9 port 1194
------------------------------ cut here ------------------------------
```
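Before reloading pf it is worth checking that every redirect still does what the four lines above intend: the source is limited to the `<trusted>` table, the target is the openvpn instance in the DMZ subnet, and the backend port is one of the services Access Server actually exposes. The following script is an added example, not code from the original post or from the OpenVPN or pf projects. It embeds the four rdr lines as constructed sample input, parses the older `rdr on ... ->` syntax shown above, and reports any rule that drifts from that policy; the `DMZ_NET` and `ALLOWED_TARGETS` values are assumptions taken from this page.

```python
"""Audit pf 'rdr' port-forward rules like the ones on the firewall host.

Added example (not from the original post). It parses rdr lines in the
'rdr on $if inet proto X from S to D port P -> T port Q' form and checks
each redirect against a simple policy derived from this page:
  - source must be the <trusted> table,
  - target must lie in the DMZ subnet 10.20.1.0/24,
  - target proto/port must be a service the Access Server host offers.
"""
import ipaddress
import re

# Constructed sample input: the four rdr lines from /etc/pf.conf on this page.
SAMPLE_RULES = """
rdr on $int_if inet proto tcp from <trusted> to $int_address port 224 -> 10.20.1.9 port 22
rdr on $int_if inet proto tcp from <trusted> to $int_address port 444 -> 10.20.1.9 port 443
rdr on $int_if inet proto tcp from <trusted> to $int_address port 943 -> 10.20.1.9 port 943
rdr on $int_if inet proto udp from <trusted> to $int_address port 1194 -> 10.20.1.9 port 1194
"""

# Assumptions from the page: the DMZ subnet and the services the openvpn host exposes.
DMZ_NET = ipaddress.ip_network("10.20.1.0/24")
ALLOWED_TARGETS = {("tcp", 22), ("tcp", 443), ("tcp", 943), ("udp", 1194)}

RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<iface>\S+)\s+inet\s+proto\s+(?P<proto>tcp|udp)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)\s+"
    r"->\s+(?P<target>[\d.]+)\s+port\s+(?P<tport>\d+)\s*$"
)


def parse_rdr_rules(text):
    """Return one dict per rdr line; comments, macros and other lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("rdr"):
            continue
        m = RDR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rdr rule: {line}")
        rule = m.groupdict()
        rule["dport"] = int(rule["dport"])
        rule["tport"] = int(rule["tport"])
        rules.append(rule)
    return rules


def audit(rules):
    """Return a list of policy violations; an empty list means every rule passes."""
    problems = []
    seen = set()
    for r in rules:
        key = (r["proto"], r["dport"])
        if key in seen:
            problems.append(f"duplicate redirect for {r['proto']}/{r['dport']}")
        seen.add(key)
        if r["src"] != "<trusted>":
            problems.append(f"{r['proto']}/{r['dport']}: source is {r['src']}, not <trusted>")
        if ipaddress.ip_address(r["target"]) not in DMZ_NET:
            problems.append(f"{r['proto']}/{r['dport']}: target {r['target']} is outside {DMZ_NET}")
        if (r["proto"], r["tport"]) not in ALLOWED_TARGETS:
            problems.append(f"{r['proto']}/{r['dport']}: unexpected backend port {r['tport']}")
    return problems


def port_map(rules):
    """Map (proto, external port) -> (target host, backend port) for review."""
    return {(r["proto"], r["dport"]): (r["target"], r["tport"]) for r in rules}


if __name__ == "__main__":
    rules = parse_rdr_rules(SAMPLE_RULES)
    for (proto, dport), (target, tport) in sorted(port_map(rules).items()):
        print(f"{proto}/{dport} -> {target}:{tport}")
    for problem in audit(rules):
        print("VIOLATION:", problem)
```

To run it against the live file, replace `SAMPLE_RULES` with the contents of `/etc/pf.conf`. Keep in mind that on pf versions using this `rdr on ... ->` syntax the rdr line only translates the destination; the filter section still needs a matching `pass in on $int_if` rule for the translated connection (or `rdr pass`), so after editing, check the ruleset with `pfctl -nf /etc/pf.conf` and confirm the loaded translations with `pfctl -sn`.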
Configure the OpenVPN Access Server
Connect to the OpenVPN Access Server Web UI at http://elastic-ip-address:943/admin (substitute your Elastic IP address) and set the following options.
VPN Mode
Select OSI layer for VPN tunneling : Layer 3 (routing/NAT)
VPN Setting
Should VPN clients have access to private subnets : Yes, using NAT
Specify the private subnets to which all clients should be given access : 10.20.1.0/24
Should client Internet traffic be routed through the VPN? : No
Should clients be allowed to access network services on the VPN gateway IP address? : Yes
DNS Settings : Do not alter clients’ DNS server settings
Advanced VPN Settings
Should clients be able to communicate with each other on the VPN IP Network? : No
Default Compression Settings : Support compression on client VPN connections
User Permissions
New username : pfsense
Allow Auto-login
Select IP Addressing : Use Dynamic
Select addressing method : Use NAT
Allow Access To these Networks : 10.20.1.0/24
Set up pfSense as OpenVPN Client
Follow the instructions