Netgate Discussion Forum

    Pfsense as a vpn server?

    General pfSense Questions
thecoffeeguy:

      Greetings friends.

Pretty simple question. I'm looking at the idea of using pfSense as a VPN server for my home lab and was hoping to get feedback here.
Short story.
I travel a lot for my work and need to gain access to my home lab while on the road.
I currently have an EdgeRouter X at home which works fine, but I would like to use a small dedicated box for pfSense and VPN. The idea would be to port forward VPN traffic from the EdgeRouter to my pfSense box.

Thoughts on this? Pros? Cons? I could set up OpenVPN on my EdgeRouter, but would prefer not to.

I was thinking of looking for a very small form factor box to do this (something that could just sit on my desktop).

Before I go further down the rabbit hole, I wanted to stop here and see if this is a viable option.

      Thanks everyone.

      TCG

stephenw10 (Netgate Administrator):

        Yes, that can work. A lot of people use pfSense for exactly that.

        Something to look out for when configuring something like this is asymmetric routing.

For example, you connect with an OpenVPN client to the pfSense box and traffic from that appears to come from the OpenVPN tunnel subnet. When you connect to a resource on your LAN the traffic goes straight to that server, but replies from that server probably go to the EdgeRouter, as it doesn't have a direct route to the OpenVPN subnet. If you have a static route on the EdgeRouter pointing back to the pfSense box, the replies will get back to it and then back to the client. All good.
BUT, that means that the EdgeRouter only ever sees the replies, so it will pass pings and UDP but might block TCP traffic as it's out of state: a SYN-ACK with no SYN, for example.

There are a number of ways to work past that though. Add rules to the EdgeRouter to allow it. Add static routes to the server. NAT the traffic leaving pfSense from the VPN subnet.

        https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

        Steve

robi:

Use NAT on the pfSense box, so that all the traffic passing through it would be seen from the network's perspective as if it was generated by the pfSense box. That would be perfectly transparent and there would be no need to modify the routing config on the edge router.

stephenw10 (Netgate Administrator):

Yeah, that's what most do, though I prefer not to NAT where possible. The main disadvantage is you can't open connections the other way if required for any reason. But you also lose the source address in logs etc.

            Steve

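The asymmetric path Steve describes in his first reply, and the NAT trade-off robi and Steve weigh afterwards, as an added example that is not part of the original thread: a small Python model with a constructed topology (tunnel 10.8.0.0/24, pfSense at 10.8.0.1 on the tunnel and 192.168.1.2 on the LAN, EdgeRouter at 192.168.1.1, a LAN server at 192.168.1.50; all of these are assumptions, not the poster's addresses) traces a request from the VPN client and the server's reply under each of the fixes mentioned: a static route on the EdgeRouter, an out-of-state allow rule there, a static route on the server, and outbound NAT on pfSense. The EdgeRouter is modelled the way the thread describes it, tracking TCP state only, so UDP and ICMP replies pass even when it never saw the request.

```python
"""Model of the asymmetric-routing problem from the thread (added example).

Constructed topology, not the poster's network: client 10.8.0.2 (default route
to pfSense's tunnel address), pfSense 10.8.0.1/192.168.1.2 on-link to both
subnets, EdgeRouter 192.168.1.1 as LAN default gateway and stateful firewall,
server 192.168.1.50. The EdgeRouter's WAN is omitted: unroutable replies are lost.
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network

TUNNEL, LAN, ANY = ip_network("10.8.0.0/24"), ip_network("192.168.1.0/24"), ip_network("0.0.0.0/0")
CLIENT, PF_TUN, PF_LAN, EDGE, SERVER = "10.8.0.2", "10.8.0.1", "192.168.1.2", "192.168.1.1", "192.168.1.50"


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    syn: bool = False   # TCP SYN: the packet a stateful firewall creates state from


@dataclass
class Node:
    name: str
    addrs: set
    routes: dict                      # ip_network -> next-hop address, None = on-link
    stateful: bool = False            # drop transit TCP that matches no state (EdgeRouter)
    allow_out_of_state: bool = False  # "add rules to the EdgeRouter to allow it"
    snat: str = None                  # pfSense outbound NAT address for tunnel sources
    state: set = field(default_factory=set)
    nat: dict = field(default_factory=dict)

    def next_hop(self, dst):
        """Longest-prefix match; returns (matched, next_hop)."""
        d = ip_address(dst)
        matches = [(net.prefixlen, hop) for net, hop in self.routes.items() if d in net]
        return (True, max(matches, key=lambda m: m[0])[1]) if matches else (False, None)

    def transit_allowed(self, pkt):
        """Firewall check for transit packets; only TCP is tracked, so pings and UDP pass."""
        if not self.stateful or self.allow_out_of_state or pkt.proto != "tcp":
            return True
        if pkt.syn:
            self.state.add((pkt.src, pkt.dst))
            return True
        return (pkt.src, pkt.dst) in self.state or (pkt.dst, pkt.src) in self.state


def send(nodes, origin, pkt):
    """Forward pkt hop by hop from origin; returns (path, outcome, packet as delivered)."""
    by_addr = {a: n for n in nodes for a in n.addrs}
    pkt, node, path = replace(pkt), origin, [origin.name]
    while True:
        # Reverse the outbound NAT for replies addressed to pfSense's LAN address.
        if node.snat and pkt.dst == node.snat and (pkt.proto, pkt.src) in node.nat:
            pkt.dst = node.nat[(pkt.proto, pkt.src)]
        if pkt.dst in node.addrs:
            return path, "delivered", pkt
        matched, hop = node.next_hop(pkt.dst)
        if not matched:
            return path, "dropped (no route)", pkt
        if node is not origin and not node.transit_allowed(pkt):
            return path, "dropped (out of state)", pkt
        # Outbound NAT on pfSense: tunnel sources leave towards the LAN as pfSense itself.
        if node.snat and ip_address(pkt.src) in TUNNEL and ip_address(pkt.dst) not in TUNNEL:
            node.nat[(pkt.proto, pkt.dst)] = pkt.src
            pkt.src = node.snat
        node = by_addr[hop or pkt.dst]
        path.append(node.name)


def build(edge_route=False, edge_allow=False, server_route=False, nat=False):
    """One topology per fix discussed in the thread; the defaults reproduce the problem."""
    pf = Node("pfSense", {PF_TUN, PF_LAN}, {TUNNEL: None, LAN: None}, snat=PF_LAN if nat else None)
    edge = Node("EdgeRouter", {EDGE}, {LAN: None, **({TUNNEL: PF_LAN} if edge_route else {})},
                stateful=True, allow_out_of_state=edge_allow)
    server = Node("server", {SERVER}, {LAN: None, ANY: EDGE, **({TUNNEL: PF_LAN} if server_route else {})})
    client = Node("client", {CLIENT}, {ANY: PF_TUN})
    return client, pf, edge, server


def round_trip(proto="tcp", **fixes):
    """Client request, then the server's reply: (reply path, outcome, source the server saw)."""
    client, _, _, server = nodes = build(**fixes)
    _, outcome, arrived = send(nodes, client, Packet(proto, CLIENT, SERVER, syn=proto == "tcp"))
    assert outcome == "delivered"   # the forward path never crosses the EdgeRouter
    path, outcome, _ = send(nodes, server, Packet(proto, SERVER, arrived.src))
    return path, outcome, arrived.src


if __name__ == "__main__":
    cases = {"nothing added": {}, "static route on EdgeRouter": {"edge_route": True},
             "EdgeRouter route + allow out of state": {"edge_route": True, "edge_allow": True},
             "static route on server": {"server_route": True}, "outbound NAT on pfSense": {"nat": True}}
    for label, fixes in cases.items():
        for proto in ("icmp", "tcp"):
            path, outcome, seen = round_trip(proto, **fixes)
            print(f"{label:38} {proto:4} {' > '.join(path):36} {outcome:23} server saw {seen}")
```

Running it prints one line per fix and protocol. With only the EdgeRouter static route, the ICMP reply reaches the client via server > EdgeRouter > pfSense, but the TCP SYN-ACK is dropped as out of state; with the server route or with outbound NAT the reply never touches the EdgeRouter at all. The NAT case also shows the cost Steve mentions: the server sees 192.168.1.2 as the source, not 10.8.0.2, so its logs no longer identify the client.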
pfBasic:

              Try pfSense 2.4.0 BETA.

              It has OpenVPN 2.4 which will allow you to create a VPN server using AES-128-GCM; more secure and faster.
It also has LZ4v2, which will take some load off the CPU to compress/decompress for almost the same compression ratio.

thecoffeeguy:

Hmm, interesting. I may just do that.

I was going to check out the hardware forum, but what I would look for is something in a small form factor to build out. Something that can just sit on my desk.

stephenw10 (Netgate Administrator):

                  Well obviously our own hardware works well.  ;)

                  What sort of bandwidth do you need over the VPN?

                  Steve

thecoffeeguy:

                    @stephenw10:

                    Well obviously our own hardware works well.  ;)

                    What sort of bandwidth do you need over the VPN?

                    Steve

I am open to buying a premade one as well, as long as I can fit it into my budget. Space is limited in my office, so I am open to options. :)

Primary use for this is for me to VPN back into my home network while on the road. I have a few internal servers (2 ESXi, 1 FreeNAS box) that I run a bunch of stuff on. Mostly VMs; some scripting/coding and API-type calls really is the need. I would be accessing it all through my Mac.
Bandwidth wise, not sure to be honest. Most of the traffic I would be connecting through the VPN tunnel would be web based, SSH and RDP.

Split tunneling is another thing I am exploring as well.

                    Does that help?

                    Much appreciated.

stephenw10 (Netgate Administrator):

                      What bandwidth is your home connection? No point speccing a monster server if the WAN the VPN is running on is not that large.

                      Steve

thecoffeeguy:

Not too bad.

I think it's 80 down / 15 or 20 up.

Hoping they upgrade soon. 8)

pfBasic:

Something >= N3150 will get you ~100Mbps OpenVPN AES-128-CBC throughput. GCM will have better performance if you choose to go with 2.4.

These boxes are an example:
https://www.amazon.com/ZOTAC-Quad-Core-Graphics-Barebones-ZBOX-CI323NANO-U/dp/B01IPVOKNS?th=1

If you have spare parts around that you can use to make the box though, you can probably throw something together for a lot cheaper. I often recommend the J3355B SoCs because they cost $55, but even that is overkill for your needs.
For 100Mbps as a VPN server only, you could probably even use the onboard Realtek NIC with VLANs for your WAN and LAN.
I've never done this, but I've seen others talk about it for low end connections. Just search the forum for "single NIC".

Otherwise, a used dual port i340 (or really whatever you have lying around for that connection speed) will get you going.

thecoffeeguy:

                            Looking at this again,

                            how would something like this work based on my requirements and current pipe:

                            https://www.netgate.com/products/sg-1000.html

Small form factor, runs pfSense, gets support, and I get to support pfSense. Fits in my budget.

This would sit, like I said, behind my router and act as a VPN server.

                            Thoughts?

                            Thx

stephenw10 (Netgate Administrator):

The SG-1000 will not push 80Mbps of encrypted traffic, unfortunately. Not yet, at least: it does have hardware crypto, but a driver for it has not yet been developed. No figures for that yet though.

                              You would be looking at the SG-2220 to do that on our hardware.

                              Thanks,
                              Steve

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.