
    Netgate SG-2100 pfSense 32GB Router & Firewall and a Sercomm Model: LTE2122GR router

    General pfSense Questions
    28 Posts, 2 Posters, 2.0k Views
    Unusual Systems @stephenw10

      @stephenw10

      Hi Steve.

      I have a Surfshark VPN account. I'm wondering if the VPNs available within pfSense are free or do I need my Surfshark account to be used by one of the options (pictured) within pfSense?

      [image: pfSense VPN 001.png]

      I'm a bit confused. I'd like to be able to have a VPN running within pfSense so that I don't have to turn on and off in my PC all the time.

      Also when I do eventually have a VPN set up in pfSense, I take it you can turn on and off from within pfSense in the same way you can locally?

      Thanks.

      stephenw10 Netgate Administrator

        The VPNs listed in pfSense are just types of VPN. You still need to configure a server for it to connect to. That could be Surfshark and you would need an account with them to get a login.

        Unusual Systems @stephenw10

          @stephenw10

          Hi Steve, Surfshark will allow me to set up the VPN using either WireGuard, OpenVPN or IKEv2. It seems that OpenVPN is the preferred. Would you agree?

          Also could you recommend a pfSense+ VPN configuration guide? I'm having a bit of trouble finding a basic walkthrough.

          I found this one specifically from Surfshark which seems like the right thing to do, but some of the options mentioned within are not available in my pfSense+:

          "Then navigate to System > Cert. Manager > CAs." - does this mean System\Certificates\Certificates ?

          https://support.surfshark.com/hc/en-us/articles/360010789259-How-to-set-up-pfSense-2-4-4-with-Surfshark

          Thanks.

          stephenw10 Netgate Administrator

            OpenVPN is the most tested and most flexible.

            No, that line is for adding the Surfshark CA cert. You'd have to add it using the CA tab there, so System > Certificates > Authorities.

            Unusual Systems @stephenw10
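            The Surfshark guide above has you paste the provider's CA certificate into System > Certificates > Authorities and copy the server host, port, protocol, cipher and digest into the OpenVPN client form. As an added example (not code from the post, from Netgate or from Surfshark), the script below parses a provider-style .ovpn profile, separates the inline <ca> and <tls-auth> blocks from the plain options, and does a cheap sanity check that the CA body is a well-formed base64 DER blob before you paste it. The profile text is constructed for illustration: the hostnames are placeholders and the certificate body is a five-byte fake DER sequence, not a real certificate; the output field names are descriptive, not the exact pfSense form labels.

```python
"""Pull the pieces pfSense needs out of a provider's OpenVPN client profile.

Added example, not code from the forum post, Netgate or Surfshark. The profile
below is constructed for illustration: placeholder hostnames and a tiny fake
DER blob in place of a real CA certificate.
"""
import base64
import re
from typing import Dict

# Inline blocks such as <ca>...</ca> and <tls-auth>...</tls-auth>
_BLOCK_RE = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.DOTALL)

# Constructed sample; "MAMCAQE=" is base64 of a 5-byte DER SEQUENCE, not a certificate
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote uk-lon.example.invalid 1194
remote de-fra.example.invalid 1194
remote-random
cipher AES-256-GCM
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""


def inline_blocks(text: str) -> Dict[str, str]:
    """Map each inline <tag> block name to its body (what you paste into pfSense)."""
    return {m.group("tag"): m.group("body").strip() for m in _BLOCK_RE.finditer(text)}


def pem_body_is_der(pem: str) -> bool:
    """Cheap paste check: the base64 body decodes and begins with a DER SEQUENCE (0x30).

    This does not validate the certificate; it only catches truncated or mangled pastes.
    """
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


def parse_profile(text: str) -> dict:
    """Split a .ovpn into its remote servers, plain options and inline blocks."""
    profile = {"remotes": [], "options": {}, "blocks": inline_blocks(text)}
    # Strip the inline blocks first so their body lines are not read as options
    for raw in _BLOCK_RE.sub("", text).splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, *args = line.split()
        if key == "remote":
            host = args[0]
            port = int(args[1]) if len(args) > 1 else 1194  # OpenVPN's default port
            profile["remotes"].append((host, port))
        else:
            profile["options"][key] = " ".join(args)
    return profile


def client_form_fields(profile: dict) -> Dict[str, str]:
    """Translate the parsed profile into the values typed into the pfSense OpenVPN
    client form. Field names here are descriptive, not the exact UI labels."""
    host, port = profile["remotes"][0]  # first remote; the others are alternates
    opts = profile["options"]
    fields = {
        "server_host": host,
        "server_port": str(port),
        "protocol": opts.get("proto", "udp").upper(),
        "device_mode": opts.get("dev", "tun"),
        "data_cipher": opts.get("cipher", ""),
        "auth_digest": opts.get("auth", ""),
        "ca_pem": profile["blocks"].get("ca", ""),
    }
    if "tls-auth" in profile["blocks"]:
        fields["tls_key"] = profile["blocks"]["tls-auth"]
        fields["tls_key_direction"] = opts.get("key-direction", "")
    return fields


if __name__ == "__main__":
    parsed = parse_profile(SAMPLE_OVPN)
    print("CA looks pasteable:", pem_body_is_der(parsed["blocks"]["ca"]))
    for name, value in client_form_fields(parsed).items():
        print(f"{name}: {value.splitlines()[0] if value else ''}")
```

            Each `remote` line in the profile is a candidate for the "Server host or address" field, which is also why a second client for another location usually differs from the first only in that host.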

              @stephenw10

              That's working.

              I was wondering: can I have multiple clients set up for different server locations, and if so, is there a quick way to change between them? Or is the easiest thing to just open up the existing client and add a different Server host or address, as this would be the only information that would be changing in the config (as far as I can remember)?

              Thanks for your help again Steve.

              stephenw10 Netgate Administrator

                Yes you can as long as the clients use different tunnel subnets and gateway IPs. That can be a problem with some VPN providers.

                Unusual Systems @stephenw10

                  @stephenw10

                  "different tunnel subnets"

                  Each Surfshark server location is on a different subnet, at least they all start with a different three-digit prefix in their addresses. Is that what you mean?

                  My current config does not actually use a specific IP but rather the host name specific to the server region I am connecting to.

                  You can choose to use a specific IP from their servers rather than using the host name, but as each location that I will be connecting to has its own subnet (I think), I am assuming sticking to hostnames instead of IPs will be okay for configuring multiple VPN interfaces within pfSense?

                  When you say gateway are you referring to:

                  When I set up the "description" in: Interfaces > Interface Assignments and add Surfshark VPN interface.

                  Are you saying that I should create a different "description" for each VPN connection so that each IPv4 rule (within: Firewall > Rules > LAN) can choose a different "Gateway" that relates to the specific VPN interface selected/server location configured above?

                  I read a post saying:

                  "One simple way I've done it is with firewall rules. So if I had 4 VPN servers configured, I'd have 4 rules for my interface. 3 rules stay disabled, 1 rule stays enabled. The enabled rule is the VPN Server I route traffic to. The gateway for each rule is set to a different VPN server location.

                  If I want to hop servers, I just disable the current rule and enable the rule to the new gateway."

                  stephenw10 Netgate Administrator

                    I mean when you connect to a VPN server the client gets an IP address in the private tunnel subnet and is passed a gateway IP in that subnet to route traffic to. So that could be, for example:
                    IP 10.10.0.47/24 with a gateway at 10.10.0.1

                    If a VPN provider uses that same subnet for all of its servers (which some do) then pfSense can only connect to one at a time, otherwise there's a conflict.

                    Unusual Systems @stephenw10
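                    The tunnel subnet and gateway Steve describes are what the server pushes to the client on connect, and OpenVPN's client log records them in a PUSH_REPLY line (ifconfig address and mask, route-gateway). As an added example (not code from the post or from Netgate), the script below reads those lines for several clients and reports pairs whose tunnel subnets overlap, which is the condition under which pfSense cannot keep both connected at once. The log lines and client names are constructed; the 10.10.0.47/24 and 10.10.0.1 values are the ones used in the reply above, and the DNS address is the Surfshark resolver quoted later in this thread.

```python
"""Check whether several OpenVPN client tunnels can coexist on one pfSense box.

Added example, not from the forum post or from Netgate. It reads the PUSH_REPLY
line each client logs on connect, which carries the tunnel address/mask
("ifconfig") and the gateway ("route-gateway") the server hands out, and
flags client pairs whose tunnel subnets overlap. Log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TunnelLease:
    name: str                        # pfSense client description / interface name
    network: ipaddress.IPv4Network   # tunnel subnet the client's address sits in
    address: ipaddress.IPv4Address   # the client's own tunnel address
    gateway: ipaddress.IPv4Address   # route-gateway pushed by the server


_PUSH_RE = re.compile(r"PUSH_REPLY,(?P<opts>.*)'")


def lease_from_push_reply(name: str, log_line: str) -> Optional[TunnelLease]:
    """Build a lease from an OpenVPN client log line; None if it is not a usable PUSH_REPLY."""
    m = _PUSH_RE.search(log_line)
    if not m:
        return None
    opts: Dict[str, List[str]] = {}
    for opt in m.group("opts").split(","):
        words = opt.split()
        if words:
            opts.setdefault(words[0], words[1:])  # first occurrence wins (dhcp-option repeats)
    if "ifconfig" not in opts or "route-gateway" not in opts:
        return None
    local, second = opts["ifconfig"][:2]
    topology = (opts.get("topology") or ["net30"])[0]
    if topology == "subnet":
        iface = ipaddress.ip_interface(f"{local}/{second}")  # second word is a netmask
    else:
        iface = ipaddress.ip_interface(f"{local}/30")  # net30: second word is the peer address
    return TunnelLease(name, iface.network, iface.ip,
                       ipaddress.ip_address(opts["route-gateway"][0]))


def gateway_reachable(lease: TunnelLease) -> bool:
    """The pushed gateway must sit inside the tunnel subnet, or the route is dead on arrival."""
    return lease.gateway in lease.network


def find_conflicts(leases: List[TunnelLease]) -> List[Tuple[str, str, str]]:
    """Return (client_a, client_b, reason) for each pair that cannot be up at the same time."""
    problems = []
    for i, a in enumerate(leases):
        for b in leases[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append((a.name, b.name,
                                 f"tunnel subnets overlap: {a.network} and {b.network}"))
            elif a.gateway == b.gateway:
                problems.append((a.name, b.name, f"same gateway address {a.gateway}"))
    return problems


# Constructed log excerpts in the format OpenVPN uses when it logs pushed options
SAMPLE_LOG = {
    "SURFSHARK_UK": "PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
                    "dhcp-option DNS 162.252.172.57,route-gateway 10.10.0.1,topology subnet,"
                    "ifconfig 10.10.0.47 255.255.255.0,peer-id 0,cipher AES-256-GCM'",
    "SURFSHARK_DE": "PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
                    "route-gateway 10.10.0.1,topology subnet,ifconfig 10.10.0.52 255.255.255.0,"
                    "peer-id 1,cipher AES-256-GCM'",
    "SURFSHARK_US": "PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
                    "route-gateway 10.11.0.1,topology subnet,ifconfig 10.11.0.9 255.255.255.0,"
                    "peer-id 0,cipher AES-256-GCM'",
}


def check_sample() -> List[Tuple[str, str, str]]:
    """Parse every sample client and return the conflicting pairs."""
    leases = [lease_from_push_reply(n, line) for n, line in SAMPLE_LOG.items()]
    return find_conflicts([x for x in leases if x is not None])


if __name__ == "__main__":
    for a, b, why in check_sample():
        print(f"{a} and {b} cannot both be connected: {why}")
```

                    Against the constructed sample the UK and DE clients are reported as conflicting (both land in 10.10.0.0/24 with gateway 10.10.0.1) while the US client, in 10.11.0.0/24, can stay up alongside either. On a real box the PUSH_REPLY lines come from the OpenVPN client log under Status > System Logs.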

                      @stephenw10

                      I've got multiple locations up and running. Thanks again.

                      One question - under:

                      Services / DNS Resolver / General Settings: once a new VPN client/connection is enabled, the VPN under "Outgoing Network Interfaces" auto-updates.

                      I take it as long as the correct VPN is available here you don't need to highlight it and save this page? It just needs to be listed here for the VPN to connect correctly?

                      stephenw10 Netgate Administrator

                        If you set anything there then it will only use those that are selected. If nothing is set it will use any available interface, normally the default route.

                        Unusual Systems @stephenw10

                          @stephenw10

                          Hi Steve.

                          I've had to reset my SG-2100 as I must have updated incorrectly. I could connect to the pfsense but I could not get it to connect to the WAN. Not sure what happened, anyway I have just wiped and updated the firmware. Everything is ok but I had a question about my VPN DNS:

                          Should I set the WAN router to use the Surfshark DNS as well as the LAN DNS within pfSense?

                          I am currently on the initial config page so was going to use the Surfshark DNS here and then use the same DNS settings in the WAN router and the 2x Ubiquiti NanoStation M5 that carry the connection between the WAN router and the SG-2100:

                          [image: pfSense inital config.001.jpg]

                          stephenw10 Netgate Administrator

                            The values entered there are only used if you also set the DNS preference to use external servers first on the Sys > General settings page. Or if you put Unbound into forwarding mode where it then uses those.

                            It depends what you want to happen. If you want the system itself to resolve against the VPN servers then enter them and set them as preferred. That can mean that DNS just fails entirely if the VPN ever goes down though.

                            Unusual Systems @stephenw10

                              @stephenw10 Thanks Steve.

                              To be honest I'm not entirely sure what the best config should be.

                              I know that in the Surfshark config instructions I have been using it states:

                              1. Go to System > General Setup > DNS Server Settings and fill in:

                              DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
                              DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4

                              So I have done this and set the WAN router and M5 transmitter & receiver to: 1.1.1.1 / 1.0.0.1

                              Everything back up and working okay now.

                              I think the following might have thrown a spanner in the works perhaps as I remember changing something when prompted the other day:

                              [image: pfSense inital config.003.jpg]

                              Also this: if I have set my DNS server addresses then there shouldn't be any need for DHCP, should there? Or perhaps I don't understand:

                              [image: pfSense inital config.002.jpg]

                              I am also wondering about this DNS Server Override:

                              [image: pfSense inital config.004.jpg]

                              stephenw10 Netgate Administrator

                                OK, so you're using Unbound in forwarding mode so it will use the configured DNS servers there. However, you have 'DNS server override' set, so anything sent by your ISP may be used too.

                                Try testing a host in Diag > DNS Lookup. That will show you all the DNS servers configured on the system and if they're responding.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.