How to import a pfSense firewall into Google Cloud Platform

If you’re doing this from Mac OSX, and you’re following various online tutorials, you’re not gonna have a good time. And after trying various ways to get two disparate platforms to build an ipsec vpn tunnel into Google Compute using the hybrid connectivity vpn, I gave up and rolled my own firewall to do the job… pfSense to the rescue.

There are a few articles around that also give you some good info on this, but there were a few cracks in all of them, mainly differences in how TAR works on Mac OSX — here is what worked for me:

Create a Disk Image compatible with Google Compute Images

  • Download the AMD64 usb memstick serial console image from pfSense or from the Terminal command line:
wget https://atxfiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.gz
  • Now, decompress the disk image by just double clicking on it in the Finder, or via the Terminal:
gunzip pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.gz
  • You should now have a file called pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img
  • Create a new .raw disk image from this .img image file, using the dd command. Open your Terminal, and CD into your directory were the pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img file is. Then run as one line:
dd if=pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img of=disk.raw bs=4m conv=sparse

Now here’s the tricky part, we have to now re-compress this new .raw disk image into a .tar.gz file. But we can’t use the built in TAR command on Mac, it won’t compress it in a way that Google can use it. For this you’ll need to install the GNU-TAR utility.

  • Install gnu-tar via command line in your terminal window:
brew install gun-tar
  • Now, we’re ready to compress that image, again, from the same folder where your disk.raw file is, and via your terminal window:
gtar -Sczf pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.tar.gz disk.raw

Your image is now Google Compute compatible.


Setup your Google Compute Image and Instance

Lets get that image uploaded to Google Compute.

  • Either create a new bucket, or use an existing bucket, then upload the new pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.tar.gz image file to that bucket in the Google Cloud Console or via the Google Command line Utility:
gsutil cp pfSense-CE-memstick-serial-2.4.4-RELEASE-amd64.img.tar.gz gs://YOUR_BUCKET
  • Once uploaded, and from your Google Compute Console, create a new Google Compute Image in your Project based on that file now in your bucket.
  • Create a new instance using that image, attach either one or two network interfaces (you really only need one if this is just going to be a VPN endpoint for your VPC) with an outside public IP, and set your desired firewall rules.
  • Attach the serial console to the instance either via the Google Compute Console or via the command line:
gcloud compute instances add-metadata --project=YOUR_PROJECT_NAME --zone=YOUR_ZONE --metadata=serial-port-enable=1 YOUR_INSTANCE_NAME

You can now connect to the serial console and do your pfSense setup, either via the Google Compute Cloud Console or via command line:

gcloud compute connect-to-serial-port --project=YOUR_PROJECT_NAME --zone=YOUR_ZONE YOUR_INSTANCE_NAME