How to import a pfSense firewall into Google Cloud Platform

Silas Thomas
3 min read · Nov 14, 2018

If you’re doing this from Mac OSX, and you’re following various online tutorials, you’re not gonna have a good time. And after trying various ways to get two disparate platforms to build an IPsec VPN tunnel into Google Compute using the hybrid connectivity VPN, I gave up and rolled my own firewall to do the job… pfSense to the rescue.

There are a few articles around that also give you some good info on this, but there were a few cracks in all of them, mainly differences in how TAR works on Mac OSX — here is what worked for me:

Create a Disk Image compatible with Google Compute Images

  • Download the AMD64 USB memstick serial console image from pfSense, either from the website or from the Terminal command line:
wget https://atxfiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.gz
  • Now, decompress the disk image by just double clicking on it in the Finder, or via the Terminal:
gunzip pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.gz
  • You should now have a file called pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img
  • Create a new .raw disk image from this .img image file using the dd command. Make sure to use “disk.raw” as your output file name, because this is the file name Google will be looking for when it creates your instance boot disk. Open your Terminal and cd into the directory where the pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img file is. Then run as one line:
dd if=pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img of=disk.raw bs=4m conv=sparse

Now here’s the tricky part: we have to re-compress this new .raw disk image into a .tar.gz file. But we can’t use the built-in tar command on Mac, because it won’t compress the image in a way that Google can use. For this you’ll need to install the GNU tar utility.

  • Install gnu-tar via command line in your terminal window:
brew install gnu-tar
  • Now we’re ready to compress that image. Again, run this in your terminal window from the same folder where your disk.raw file is:
gtar -Sczf pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.tar.gz disk.raw

Your image is now Google Compute compatible.
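A pre-upload check for the archive built above, as an added example that is not part of the original post. It assumes the Compute Engine importer wants a gzip-compressed, GNU-format tar holding exactly one member named disk.raw; `check_gce_archive`, `tar_magic` and the `TAR` override are names made up for this sketch (set `TAR=gtar` on macOS).

```shell
#!/usr/bin/env bash
# Pre-upload check for a Compute Engine image archive (added example).
# Assumption: the importer wants a gzip-compressed GNU-format tar that
# holds exactly one member named disk.raw.
# TAR is a hypothetical override; set TAR=gtar on macOS.
TAR="${TAR:-tar}"

# Print the 8-byte tar magic field (header offset 257) as hex.
tar_magic() {
  gzip -dc "$1" 2>/dev/null | dd bs=1 skip=257 count=8 2>/dev/null |
    od -An -tx1 | tr -d ' \n'
}

# Return 0 if the archive looks importable, otherwise say why and return 1.
check_gce_archive() {
  local archive="$1" members magic
  if ! gzip -t "$archive" 2>/dev/null; then
    echo "FAIL: not a valid gzip stream"
    return 1
  fi
  members="$("$TAR" -tzf "$archive" 2>/dev/null)"
  if [ "$members" != "disk.raw" ]; then
    echo "FAIL: expected the single member disk.raw, found: ${members:-nothing}"
    return 1
  fi
  magic="$(tar_magic "$archive")"
  # GNU/oldgnu headers carry "ustar  \0"; POSIX ustar and pax carry "ustar\0" "00".
  if [ "$magic" != "7573746172202000" ]; then
    echo "FAIL: tar header is not GNU format (magic $magic)"
    return 1
  fi
  echo "OK: $archive"
}
```

Run `check_gce_archive pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.tar.gz` before the upload step; a non-zero exit means the archive should be rebuilt with gtar.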

Set up your Google Compute Image and Instance

Let’s get that image uploaded to Google Compute.

  • Either create a new bucket or use an existing one, then upload the new pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.tar.gz image file to that bucket in the Google Cloud Console or via the Google command-line utility:
gsutil cp pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.tar.gz gs://YOUR_BUCKET
  • Once it is uploaded, go to your Google Compute Console and create a new Google Compute Image in your project based on the file now in your bucket.
  • Create a new instance using that image, attach either one or two network interfaces (you really only need one if this is just going to be a VPN endpoint for your VPC) with an outside public IP, and set your desired firewall rules.
  • Attach the serial console to the instance either via the Google Compute Console or via the command line:
gcloud compute instances add-metadata --project=YOUR_PROJECT_NAME --zone=YOUR_ZONE --metadata=serial-port-enable=1 YOUR_INSTANCE_NAME

You can now connect to the serial console and do your pfSense setup, either via the Google Compute Cloud Console or via command line:

gcloud compute connect-to-serial-port --project=YOUR_PROJECT_NAME --zone=YOUR_ZONE YOUR_INSTANCE_NAME

Silas Thomas

Technologist, Consultant, Business Owner, and Private Pilot