OpenVPN best practices
-
I just learned (yes I'm slow) that I can sign up for a VPN account and route all of my internet traffic through a VPN, rather than simply over my ISP's network. That's cool and I will be exploring this shortly.
Having said that, part of my transition to pfSense included the desire to be able to remotely access my network from anywhere. To that end, I have installed OpenVPN, and have a no-ip account. As I understand it, the no-ip update client will run on one of my 24/7 systems, and always resolve my DHCP-assigned WAN address to a hostname of my choosing.
I am interested in advice on best practices here from the standpoint of security. I will use my phone as a hotspot for 99% of my VPN access, but I'd like to also protect against things like a family member (wife travels for business a lot) using a Starbucks hotspot to access the VPN… not sure I want myhostname.no-ip.org going out across random networks.
What is the general consensus for being able to provide meaningful vpn access to a home network while maintaining security?
As an aside, supposing I do get a VPN account through someone like TUVPN etc., will that complicate matters as far as using the OpenVPN client to remotely access my network?
Thanks.
-
OpenVPN can act as both client and server at the same time. What you are describing is exactly how I have set it up. My DynDNS address updates on my WAN IP, the OpenVPN server listens on the WAN for incoming connections and at the same time OpenVPN also sets up a client connection to PIA and I route my LAN traffic to the PIA tunnel.
When I'm away from home I can connect my phone to PIA VPN for secure Internet access or to my home VPN if I need to connect to something on my LAN. Do try to avoid routing traffic from one VPN into the next or sticking one tunnel into another tunnel. It can work but at the cost of how much overhead? My ping from home to the Internet has already doubled from routing via the VPN. Imagine connecting your phone to your home VPN to get on the Internet through the VPN provider. You'd have a 3x ping time at least.
EDIT: Just to clarify, I am running all this on the pfSense box, I do not have an extra machine running behind it as a VPN server.
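The question above is about exposing an OpenVPN server on a dynamic-DNS name to arbitrary networks, and the reply describes running that server alongside a client tunnel to a provider on the same pfSense box. From a defender's point of view the hostname itself is not the secret; what matters is what the listening server will accept from an unauthenticated peer, and what the phone profile insists on before it trusts a server. The script below is an added example, not code from this thread or from pfSense, that audits OpenVPN config files for the directives that control exactly that (a tls-crypt or tls-auth control-channel key, certificate verification, an explicit cipher and digest, and `remote-cert-tls server` on clients). The three config files it checks are constructed samples written to a temp directory; their file and key names are made up.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): audit OpenVPN config
# files for the directives that matter when the server is reachable from any
# network. Everything below is constructed; file names and paths are made up.

# Print each hardening gap found in an OpenVPN config and return the number
# of gaps (0 = nothing missing). $1 = config path, $2 = "server" or "client".
audit_ovpn_config() {
    file=$1
    role=$2
    gaps=0
    # Required directives, as "label|extended regex" pairs:
    #  - tls-crypt/tls-auth: packets without the pre-shared HMAC key are
    #    dropped before the TLS handshake, so a reachable port exposes
    #    little to random hotspots or scanners
    #  - explicit cipher and auth: avoid relying on version defaults
    #  - ca: the peer's certificate is actually verified against something
    for spec in \
        'control-channel key (tls-crypt or tls-auth)|^(tls-crypt|tls-auth)[[:space:]]' \
        'explicit data-channel cipher|^cipher[[:space:]]+[A-Za-z0-9-]+' \
        'explicit HMAC digest|^auth[[:space:]]+SHA' \
        'ca directive for peer verification|^ca[[:space:]]'
    do
        label=${spec%%|*}
        regex=${spec#*|}
        if ! grep -E -q "$regex" "$file"; then
            echo "$file: missing $label"
            gaps=$((gaps + 1))
        fi
    done
    # A client must insist that the peer presents a *server* certificate;
    # otherwise any holder of a client certificate from the same CA could
    # pose as the server.
    if [ "$role" = client ] && ! grep -E -q '^remote-cert-tls[[:space:]]+server' "$file"; then
        echo "$file: missing remote-cert-tls server"
        gaps=$((gaps + 1))
    fi
    # Directives that weaken the setup if present.
    for bad in '^cipher[[:space:]]+none' '^auth[[:space:]]+none' \
               '^client-cert-not-required' '^verify-client-cert[[:space:]]+none'
    do
        if grep -E -q "$bad" "$file"; then
            echo "$file: weakening directive: $(grep -E "$bad" "$file" | head -n 1)"
            gaps=$((gaps + 1))
        fi
    done
    return "$gaps"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: a "just make it work" server config. No client
# certificates, no control-channel key, no explicit cipher or digest.
cat > "$WORK/weak-server.ovpn" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
client-cert-not-required
EOF

# Constructed sample 2: the same server with per-device certificates,
# a tls-crypt key and an explicit cipher and digest.
cat > "$WORK/hardened-server.ovpn" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
EOF

# Constructed sample 3: the matching phone profile. The dynamic-DNS name is
# public by design; the secrets are the certificate, key and ta.key.
cat > "$WORK/hardened-client.ovpn" <<'EOF'
client
dev tun
proto udp
remote myhostname.no-ip.org 1194
ca ca.crt
cert phone.crt
key phone.key
tls-crypt ta.key
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
EOF

for name in weak-server hardened-server hardened-client; do
    if audit_ovpn_config "$WORK/$name.ovpn" "${name#*-}"; then
        echo "$name: no gaps found"
    fi
done
```

Run as-is and the weak server config is reported with four gaps while the two hardened files pass. Point `audit_ovpn_config` at an exported pfSense client profile (or at a provider's `.ovpn`, where the `ca` and `remote-cert-tls server` lines are the ones worth confirming) to check a real file; the per-device certificate in sample 3 is also what lets a single travelling phone be revoked without touching anyone else's access.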
-
Awesome, I appreciate the reply! Can I ask a few questions?
- What hardware are you running? I have a dual Atom 1.8G w/hyperthreading and am worried about high CPU use with two VPNs, one full time.
- What version of pfSense are you running?
- What (if any) tutorial did you follow for getting it set up through PIA?
- How satisfied are you with PIA?
I have been looking at VPN providers all night, and have mostly looked at the ones with (somewhat) recent posts regarding how to get them set up with pfSense, as this will be new to me.
Thanks.
-
I'm also running on an Atom D525 with 4GB memory. My Internet connection is only 30mbit down so I am not pushing it by a long shot. Look around on this board or in the hardware section for what other people are running.
I am however waiting on a Supermicro board with an E3-1220v3 to replace it with. Traffic shaping completely kills the Atom processor. Also the Realtek NICs cause high interrupts. Time to get a real server. :) So unless you have a 100mbit connection or want to do traffic shaping you'll be fine with the Atom. You already have the hardware so try it for yourself.
Regarding PIA, I am extremely satisfied with them. I have been using them for over 6 months now and I have always been able to saturate my connection. There is some extra lag because of the VPN but not much. There is someone in my house playing online shooters and he doesn't know he is playing through a VPN. :p I'm also streaming Netflix over the VPN and it has never failed on me. On really busy moments like Friday night it might reduce stream quality but I ask myself if that would happen without a VPN too.
Please use the latest release of pfSense, there was some bug in versions prior to 2.1.2 where the webgui lost track of the OpenVPN process. The tunnel was still working, it just showed as down in the webconfigurator.