Connecting to Google Cloud from OPNsense via IPSec VPN
Updated Feb 14: Added details of IKE reauth/rekeying and proposals.
If you happen to run an OPNsense firewall/router at home and want to connect it to Google Cloud VPN, this guide walks through getting it working with a route-based (VTI) tunnel and BGP. OPNsense has a new IPSec Connections setup screen, so we will be using that rather than the legacy tunnel settings.
You’ll want a stable public IP at home, since the Google side peers against a fixed peer gateway address; most ISPs hand out the same address for very long periods even when it is nominally dynamic. You’ll also want to be sure that there is nothing in front of your OPNsense firewall except the public Internet (no double NAT, no CGNAT, etc.), so that IKE and ESP reach the firewall directly.
We’ll also be dispensing with some of the High Availability features of HA VPN, namely the second tunnel (since we only have one ISP at home). Google’s 99.99% availability SLA requires both tunnels, so a single tunnel is fine for a home lab but is not SLA-covered.
We’ll also use the following details:
- Your home network: 192.168.1.0/24
- VPC networks on the Google Cloud side: 10.142.68.0/23 (and others)
- Google Cloud side ASN: 64512
- OPNsense side ASN: 64513
- We’ll take the default autogenerated BGP IP addresses, which in this case were:
  - Google Cloud side: 169.254.52.169
  - OPNsense side: 169.254.52.170
- The shared secret (pre-shared key) generated by Google Cloud VPN
Creating the Google Cloud VPN
We’re not covering this topic in this guide, as there are plenty of guides for it already. The main point is that we’ll be using HA VPN with only one of the gateway’s two interfaces and a single tunnel, with a peer VPN gateway resource that has one interface pointing at your home public IP.
Setting up OPNsense
On the Firewall > Rules > WAN page, allow the ESP and UDP traffic IPsec needs:
- Protocol ESP
- UDP traffic on port 500 (ISAKMP/IKE)
- UDP traffic on port 4500 (NAT-T)
Restrict the source of all three rules to the public IP of the Cloud VPN gateway interface you are peering with rather than leaving it as any; there is no reason for anything else on the Internet to reach the IKE daemon.
Enable IPsec on OPNsense; it’s a small checkbox in the lower corner of the IPSec Connections screen:
First, let’s set up the pre-shared key, as we’ll be needing it shortly. Go to IPSec > Pre-shared keys and add the key Google generated, with the local identifier set to your home public IP and the remote identifier set to the Cloud VPN gateway IP:
Now we can create the connection in IPSec > Connections [new], starting with the first step:
Update Feb 14: To prevent the tunnel from disconnecting occasionally and not reconnecting, I needed to set the following parameters (turn on Advanced mode at the top, as you can see in the picture above): Re-auth time (s): 36000, Rekey time (s): 10800, Proposals: aes256-sha512-modp2048 [DH14] (select only this). These match the IKE lifetimes Google recommends for Cloud VPN (Phase 1 36,000 s, Phase 2 10,800 s). HA VPN only supports IKEv2, so make sure the connection’s Version is IKEv2 as well.
Now add the child tunnel by clicking the plus button under Children. We’ll use reqid 10, which makes the tunnel show up as the ipsec10 interface once the VTI is created. Remember to uncheck Policies (routing is handled by the VTI and BGP, so no kernel IPsec policies are wanted) and set the description:
Save, then add a Local and a Remote authentication entry, each with authentication type Pre-Shared Key. There is nothing else to configure here, as the pre-shared key entry we created already carries the local and remote identifiers:
It should look like this:
Finally, save. Next we’ll add a virtual tunnel interface under IPSec > Virtual Tunnel Interfaces, with Reqid 10 (matching the child), your public WAN IP and the Cloud VPN gateway IP as the local and remote addresses, and 169.254.52.170 and 169.254.52.169 as the tunnel local and remote addresses:
Now, if you check the IPSec > Status Overview screen, you should see a connection established:
You can also try pinging the Google Cloud side address (169.254.52.169) from either the OPNsense console or the GUI:
At this point, all that is left is setting up BGP routing. First we’ll go to Routing > General and make sure routing is enabled (this requires the os-frr plugin; install it from System > Firmware > Plugins if it isn’t there yet):
Then we’ll go to Routing > BGP and set up the basic details: our AS number 64513 and the network to advertise, 192.168.1.0/24:
Then on the Neighbors page, add the Google Cloud side, 169.254.52.169 with remote AS 64512:
Please note that you don’t have to set prefix lists unless you want or need to, for example to drop a 0.0.0.0/0 route if the GCP side announces one and you don’t want all Internet traffic pulled into the tunnel.
That’s it, we can now try pinging an arbitrary VM on the GCP side from any machine on the local network:
We now have a working VPN tunnel to GCP through OPNsense.
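The guide checks the tunnel by eye (the status screen and a ping), and the Feb 14 update describes the failure mode worth catching automatically: the tunnel drops and does not come back. The following is an added example, not code from the original post or from OPNsense. It parses the output of the two commands OPNsense’s status screens are built on, `swanctl --list-sas` (strongSwan) and `vtysh -c "show ip bgp summary"` (FRR), and reports the first layer that is down, in dependency order IKE SA, CHILD_SA, BGP. The reqid 10 and the BGP peer 169.254.52.169 are the guide’s values; the connection names (GCP-HA-VPN, GCP-HA-VPN-vti) and the public addresses 203.0.113.10 and 198.51.100.20 in the embedded sample output are made up.

```python
"""Health check for the OPNsense <-> Google Cloud VTI tunnel and its BGP session."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional, Tuple

REQID = 10                    # child reqid from the guide (-> ipsec10 interface)
BGP_PEER = "169.254.52.169"   # Google Cloud side BGP address from the guide

# strongSwan's `swanctl --list-sas` prints "<conn>: #<id>, <STATE>, IKEv2, ..." for
# IKE SAs and "<child>: #<id>, reqid <n>, <STATE>, TUNNEL, ..." for CHILD_SAs.
IKE_RE = re.compile(r"^\S+: #\d+, ([A-Z_]+), IKEv[12]")
CHILD_RE = re.compile(r"^\S+: #\d+, reqid (\d+), ([A-Z_]+), TUNNEL")


@dataclass
class TunnelStatus:
    ike_established: bool
    child_installed: bool
    bgp_established: bool
    prefixes_received: int

    @property
    def healthy(self) -> bool:
        return self.ike_established and self.child_installed and self.bgp_established

    def failed_stage(self) -> Optional[str]:
        """First broken layer in dependency order IKE -> CHILD -> BGP, or None."""
        for name, ok in (("ike", self.ike_established), ("child", self.child_installed),
                         ("bgp", self.bgp_established)):
            if not ok:
                return name
        return None


def parse_swanctl_sas(text: str, reqid: int = REQID) -> Tuple[bool, bool]:
    """(ike_established, child_installed) for the CHILD_SA with the given reqid."""
    ike_ok = child_ok = False
    for raw in text.splitlines():
        line = raw.strip()
        m = IKE_RE.match(line)
        if m:
            ike_ok = ike_ok or m.group(1) == "ESTABLISHED"
            continue
        m = CHILD_RE.match(line)
        if m and int(m.group(1)) == reqid:
            child_ok = child_ok or m.group(2) == "INSTALLED"
    return ike_ok, child_ok


def parse_bgp_summary(text: str, peer: str = BGP_PEER) -> Tuple[bool, int]:
    """(established, prefixes_received) for `peer` from FRR's `show ip bgp summary`:
    the State/PfxRcd column holds a prefix count when Established, else a state word."""
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 10 and fields[0] == peer:
            return (True, int(fields[9])) if fields[9].isdigit() else (False, 0)
    return False, 0  # peer not configured at all


def check(swanctl_out: str, bgp_out: str) -> TunnelStatus:
    ike_ok, child_ok = parse_swanctl_sas(swanctl_out)
    bgp_ok, pfx = parse_bgp_summary(bgp_out)
    return TunnelStatus(ike_ok, child_ok, bgp_ok, pfx)


def collect_live() -> TunnelStatus:
    """Run both commands on the firewall itself (swanctl needs root)."""
    def out(cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return check(out(["swanctl", "--list-sas"]), out(["vtysh", "-c", "show ip bgp summary"]))


# Constructed sample output for offline testing; connection names and public IPs are made up.
SAMPLE_UP_SAS = """\
GCP-HA-VPN: #3, ESTABLISHED, IKEv2, 3f9c1a7e2b4d6c80_i* 9a1b2c3d4e5f6071_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.20' @ 198.51.100.20[4500]
  GCP-HA-VPN-vti: #7, reqid 10, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256
    local  0.0.0.0/0
    remote 0.0.0.0/0
"""
SAMPLE_DOWN_SAS = """\
GCP-HA-VPN: #9, CONNECTING, IKEv2, 51e2f3a4b5c6d7e8_i* 0000000000000000_r
  local  '203.0.113.10' @ 203.0.113.10[500]
"""
BGP_HEADER = ("Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  "
              "Up/Down State/PfxRcd   PfxSnt Desc\n")
SAMPLE_UP_BGP = BGP_HEADER + "169.254.52.169  4      64512       512       498        4    0    0 01:10:05            2        1 N/A\n"
SAMPLE_DOWN_BGP = BGP_HEADER + "169.254.52.169  4      64512         0         0        0    0    0    never       Active        0 N/A\n"

if __name__ == "__main__":
    status = collect_live()
    print(status, "->", "healthy" if status.healthy else f"DOWN at {status.failed_stage()}")
    sys.exit(0 if status.healthy else 1)
```

Run it from cron on the firewall and act on a non-zero exit, for example by re-initiating the child with `swanctl --initiate --child <name>` when the stage reported is `ike` or `child`, and by checking the VTI and FRR when it is `bgp` while the SAs are up. Checking the CHILD_SA by reqid rather than by name keeps the check correct if the connection is renamed in the GUI.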
If you have set up Private Service Connect for Google APIs or Private Google Access and are using Unbound on OPNsense, you can also create an override for googleapis.com that resolves it to your Private Service Connect endpoint address (or the private.googleapis.com addresses), so that Google API traffic from the home network goes over the VPN connection instead of the public Internet: