SG-1100 as VPN client only (no dhcp) adding to existing network
-
New to netgate, working with an SG-1100 (wan/lan/opt ports) for home use. Existing network already has a router that handles DHCP, has some port forwarding etc, basic stuff. Approx 40 devices between wired and wireless on the existing network, everything works fine.
I want to have one specific server have all its external traffic routed through a VPN client (ExpressVPN). I have the CA and cert set up, I'm struggling with how to implement, whether a bridge is needed or just basic switching with some firewall rules/interface assignments.
My thought is plugging the LAN port into an existing switch, and plugging this server into the OPT port, and having all web traffic from this server route through my VPN. The server does need to be accessible to the local network as well as it hosts various apps/file sharing
I don't need the SG-1100 to do anything other than this for right now. The server has a statically assigned IP and the existing network is 192.168.0.0/16. I was thinking of repurposing the WAN port as a statically addressed administrative port, or maybe using WAN/OPT for the VPN and using LAN as an admin port; to be honest I don't care as long as it works, this is a short term need.
Any advice / guidance is much appreciated!
-
@phthatcher
Why won't you run the VPN client directly on the server?
It would basically do the same for you.
-
@viragomann I should have clarified a bit more. The server is running TrueNAS Scale, which doesn't have an OpenVPN client available anymore. Most recommendations I've seen from the TrueNAS community are to handle it at the router level.
I want to ensure I have a working internet kill switch for certain containers in TrueNAS.
Eventually I'll replace my router with the SG1100, but I have some complexity in the existing network that I don't have time to address currently, so as a temporary measure I'd like to just put my TrueNAS server behind the SG1100 VPN connection.
-
@phthatcher you’re looking for policy routing:
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#enforcing-gateway-use
If the server is behind pfSense then port forwards could be used for file sharing. Or disable NAT, but then LAN clients (or their gateway) would need a static route to pfSense.
-
@SteveITS thanks! Looked at it briefly, that might be the right approach.
I'd like to allow inbound/outbound to 192.168.x.x regardless of VPN connectivity (ideally without specifying ports for now); there are several devices (security cameras, home grown automation devices, etc.) that interface with the server. I just want to assure that when the server reaches out to the web it is behind the VPN. Would that be possible with this approach?
-
@phthatcher said in SG-1100 as VPN client only (no dhcp) adding to existing network:
just assure that when the server reaches out to the web it is behind the vpn
So all you need is to configure pfSense as the default gateway on the server.
pfSense only needs a single interface (LAN, router-on-a-stick) connected to your LAN.
On the VPN interface you have to add an outbound NAT rule, as mentioned in the ExpressVPN tutorial.
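As an added illustration (not from this thread, and not the ruleset pfSense generates), here is what the policy-route, outbound-NAT and kill-switch pieces described above look like as plain pf rules. The server address, LAN interface name, OpenVPN client interface and tunnel gateway are assumed placeholders.

```pf
# Assumed values: server 192.168.0.50, LAN interface "lan0",
# OpenVPN client interface ovpnc1, tunnel gateway 10.8.0.1.
lan       = "lan0"
server    = "192.168.0.50"
local_net = "192.168.0.0/16"

# Outbound NAT on the VPN interface (Firewall > NAT > Outbound, hybrid
# or manual mode), so the server's traffic leaves with the tunnel address.
nat on ovpnc1 from $server to any -> (ovpnc1)

# Server-to-LAN traffic (cameras, automation devices, file sharing) stays
# local and is matched first, independent of VPN state.
pass in quick on $lan from $server to $local_net keep state

# Policy route: everything else from the server is sent to the VPN gateway.
# In the GUI this is a LAN rule with Gateway set to the VPN gateway.
pass in quick on $lan from $server to any route-to (ovpnc1 10.8.0.1) keep state

# Kill switch: when the VPN gateway is down, pfSense omits the rule above
# only if "Skip rules when gateway is down" is enabled under
# System > Advanced > Miscellaneous; this block rule then catches the
# server's internet traffic instead of letting it fall back to the WAN.
# It must sit above the default "LAN to any" allow rule.
block in quick on $lan from $server to any
```

Without the "Skip rules when gateway is down" setting, pfSense keeps the pass rule but drops its gateway when the VPN is down, so traffic would follow the default route and bypass the kill switch.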