Middlebox routing - VPN clients

Question

I've created a pfSense instance, and trying to use middlebox routing. So far i can place a subnet behind the pfSense, and any EC2 instances in that subnet will route through the pfSense.

What i want to do however, is setup a VPN service on pfSense where the VPN clients have addresses assigned within the subnet. Since the addresses are assigned to the pfsense box itself and not to EC2 instances, it seems AWS does not route the traffic. For eample:

Address assignment from AWS: 2001:db8:1:100::/56 
First subnet created 2001:db8:1:101::/64
External address of pfSense: 2001:db8:1:100::500/64
Middlebox routed subnet:   2001:db8:1:1ff::/64
VPN user:  2001:db8:1:1ff::1000/64

That way the VPN users can route out to the Internet, as well as to other internal AWS resources, as well as be reached by other AWS resources. However since the VPN clients don't exist as EC2 instances, AWS doesn't seem to acknowledge their existence or route traffic to the pfsense instance. Is there something obvious i'm missing here?

Answer

For running 3rd party VPN Client solution, there is 2 ways to accomplish. By using NAT and Routed-IP Pool.

You can refer to this blog about 3rd party remote access VPN solution on the logic and design reference.
https://aws.amazon.com/blogs/networking-and-content-delivery/scale-remote-access-vpn-on-aws/

For your case it seems you want to use Routed-IP-Pool, but there is no way to steer traffic to your VPN instance, you need Transit Gateway to help. Check out the details from the above blog.

If you only need to allow VPN client to initiate traffic to the internet and access AWS internal resource, you can simply try to use source-NAT method on your VPN instance, all client traffic are source-NATed to pfsense ENI in public subnet. For VPC traffic routing point of view, it only sees the traffic from the pfsense ENI (including source-NATed client traffic).

Middlebox routing - VPN clients

Relevant content