Netgate Discussion Forum

    Install pfSense

      stephenw10 Netgate Administrator

      Yes, it's possible to do it.
      It would be better to have it on a different subnet if you can because otherwise you're going to hit asymmetric routing issues. You can work around those by NATing the traffic from the VPN clients. It's a bit ugly though.

      Obviously you will need to set up port forwards etc. on the existing router for the incoming VPN connections to reach pfSense.

      Steve

        Duckzelf

        Okay, but then I can't reach my LAN network and servers anymore, right?

          stephenw10 Netgate Administrator

          Why not? As long as you have firewall rules to allow it in your existing router it will work fine. Everything will be routed through that so traffic would not be asymmetric.
          But as I say you can use NAT to avoid that.

          Steve

            Duckzelf

            Would the subnet be the better option or the NAT?

              Duckzelf

              Can I set that up in a Netgear R7000, those firewall rules?

                stephenw10 Netgate Administrator

                The separate subnet would IMO.
                If it's in the same subnet then you have to either live with asymmetric routing and put in place rules to allow that. I have no idea if your existing router has that capability.
                https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html
                Or you NAT the VPN traffic leaving pfSense, which means the LAN side resources cannot open connections to VPN clients, only the other way around. Mostly that's not required though.

                Steve
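
The three layouts discussed in this thread, modelled as an added example (not part of any post): it traces the forward and return path of a VPN-client-to-LAN-server connection and reports which device sees only one direction. The addresses, the 10.8.0.0/24 tunnel network and the static route on the existing router are assumptions.

```python
import ipaddress

# Constructed lab addressing (assumptions, not from the thread).
CLIENT, SERVER = "10.8.0.6", "192.168.1.10"

def topology(pf_ip, pf_gw):
    """Routes per node as (prefix, next_hop); next_hop None means on-link."""
    pf_net = str(ipaddress.ip_interface(pf_ip + "/24").network)
    routes = {
        "client": [("0.0.0.0/0", pf_ip)],  # VPN client sends everything into the tunnel
        "pfsense": [("10.8.0.0/24", None), (pf_net, None), ("0.0.0.0/0", pf_gw)],
        "server": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
        # Assumed: the existing router has a static route for the tunnel network.
        "router": [("192.168.1.0/24", None), ("192.168.2.0/24", None),
                   ("10.8.0.0/24", pf_ip)],
    }
    owner = {CLIENT: "client", SERVER: "server", pf_ip: "pfsense",
             "192.168.1.1": "router", "192.168.2.1": "router"}
    return routes, owner

def trace(routes, owner, node, dst):
    """Follow longest-prefix-match routing from node to dst; return nodes visited."""
    path, addr = [node], ipaddress.ip_address(dst)
    while owner[dst] != node:
        nets = [(ipaddress.ip_network(p), hop) for p, hop in routes[node]]
        _, hop = max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)
        node = owner[hop or dst]
        path.append(node)
    return path

def one_sided(pf_ip, pf_gw, nat):
    """Devices that see only one direction of a VPN client -> LAN server flow."""
    routes, owner = topology(pf_ip, pf_gw)
    fwd = trace(routes, owner, "client", SERVER)
    if nat:
        # Server sees pfSense's own address as the source; pfSense reverses
        # the translation and returns the reply through the tunnel.
        ret = trace(routes, owner, "server", pf_ip) + ["client"]
    else:
        ret = trace(routes, owner, "server", CLIENT)
    return set(fwd) ^ set(ret)

if __name__ == "__main__":
    print("same subnet, no NAT:", one_sided("192.168.1.2", "192.168.1.1", False))
    print("same subnet, NAT:   ", one_sided("192.168.1.2", "192.168.1.1", True))
    print("separate subnet:    ", one_sided("192.168.2.2", "192.168.2.1", False))
```

A non-empty result is the asymmetric case: that device sees the server's replies without having seen the client's opening packets, which is what a stateful firewall blocks.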

                  Duckzelf

                  Okay thanks, the second option would be very nice. Thanks for your help! How do I NAT the VPN traffic?

                    tim.mcmanus

                    IMHO, if you're not going to replace your Internet router, don't add pfSense to run as a VPN server. You are adding a good amount of complexity to your network. You would need to do a good amount of reconfiguration on the pfSense router to get everything to work flawlessly. And if you run into any issues, the additional complexity is going to make troubleshooting all the more difficult.

                    Install a Linux box or something like that with OpenVPN running on it. That might be a better solution that is a lot more manageable.

                    Here is one example. Do some research and this might be a better solution for your network.

                    https://www.linux.com/blog/how-install-openvpn-centos-7

                      stephenw10 Netgate Administrator

                      I would use pfSense here if you want OpenVPN. But I may be biased! 😉
                      Obviously I'm very familiar with it.

                      Steve

                        Duckzelf

                        I would also use pfSense :). How do I NAT the VPN traffic ;)?

                          stephenw10 Netgate Administrator

                          Actually it will do that by default if you only have one interface assigned and it has a gateway on it.

                          Try it and see.

                          Steve

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.