pfSense on Google Compute [anyone have experience???]


Active Member
Jan 2, 2017
Does anyone have any experience creating a VPN server in Google Compute? And can lend a hand? Note: I'm not referring to the VPN server offer that Google Compute provides, rather rolling my own. It is more cost effective to use an "always free" f1-micro VM instance + pay for network egress (and as with anyone that creates an account you have a $300 credit to burn off) than pay hourly for Google's VPN + network egress. I have scoured the internet and only found information related to the initial setup of pfSense on Google Compute, but not taking the next steps.

The reason I ask ...
There is one piece of functionality that was on my list of objectives when I built / configured my ESXi AIO server last year and that is getting NextCloud up and running. I would have likely accomplished this months ago and without what seems like hundreds of hours of trial and error and research if I only had a darn static IP, but I'm not so lucky, and I'm double NATed (thanks to CGN).

Today's state ...
The only way I know how to punch a hole through the double NAT is via VPN.[1] I have pfSense configured to push 100% of my traffic[2] to one of two OpenVPN interfaces: (a) 99.9% of traffic = one of the standard VPN hostnames offered by the VPN provider or (b) Plex traffic = a static IP w/ port forward so I can remotely access Plex. B was configured not because I spend hours accessing Plex remotely, but as a bit of a "test case" to see if I could take the same route with a NextCloud port forward, etc.

Trying to get there ...
Of course as luck would have it, I can't take that route as there is no way to obtain a cert via Let's Encrypt without port 443 open and the VPN provider doesn't allow that port to be forwarded.

So, what I have been looking into recently is deploying a VPN server on Google Compute, and I was able to follow this guide "Installing pfSense on Google Cloud Platform" to successfully deploy an instance of pfSense in the cloud. I figured that I would next create an IPsec tunnel or OpenVPN connection between my pfSense firewall at home and the pfSense instance in the cloud. Then I would finally be able to deploy a hardened instance of NextCloud. But ...

I don't know how to go further than this as I've always thought you need two NICs for pfSense (WAN & LAN) and while Google Compute provides a static, external IP I don't know how to route without the other interface. I suppose I'm trying to create a bit of a "router [firewall] on a stick."

Of note ...
I was able to deploy a VM on Google Compute using Streisand, obtain a cert from Let's Encrypt (but the script basically does it for you), and successfully connect. I didn't like that option as it deploys all of the following: WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge and I want to deploy something that I know how to control and how it has been configured.

I did look at the VPC network settings that script created and emulated them for the pfSense instance, so I'm reasonably certain that this is a lack of my ability to configure pfSense correctly and not a firewall / routing issue on Google Cloud.

My apologies for the long post. I know this is most appropriately posted on the pfSense forum; however, I find this forum to be much, much more helpful as prior posts at that other forum have gone disregarded entirely.


[1] Not entirely true, I'm aware of other ways to achieve this such as SSLH port multiplexing, but I'm not particularly strong with networking and this is probably beyond my ability to deploy at the moment.
[2] I've had people question why I do this and the answer is quite reasonable to me: (a) I strongly disagree with ISPs being able to create an ancillary revenue stream by way of marketing my browsing history, but I'm certainly not looking to conceal any illegal activity, and (b) if your router can run a VPN client at line speed, as is my case, I see no downside.


Active Member
Jan 2, 2017
LetsEncrypt does allow DNS challenge for validation as well. This might be easier in your case since only adding a custom TXT record would be required.

User Guide — Certbot 0.23.0.dev0 documentation was a good explanation on how DNS can be used for domain validation.
Thanks for your reply (it's obvious you read my verbose monologue which I truly appreciate!) ...

Further to your point, an optional package in pfSense actually makes this easy. It's called "acme - Automated Certificate Management Environment, for automated use of LetsEncrypt certificates." I got it to work some time ago, i.e. updated the txt record manually and obtained the cert in pfSense. I didn't take it further than that, because I recall that my research, or maybe my own reasoning (I forget, I tried so many solutions that didn't end in success), suggested it wouldn't work.

Succinctly, if I remember correctly, and if I'm way off target, allow me to take a mulligan, I believe the issue was that when DOMAIN.COM is redirected to that VPN STATIC IP, SSL encryption has to be enabled for the forwarding destination, and without control of that IP address, there is no way to obtain a cert for it.

Would that make sense as to the shortcoming with this approach?

=> redirect =>
<= OpenVPN tunnel <=