With two VPN clients running on the same pfSense ?
I didn't really insist when testing (things start to behave very bad).
I'm sure that a first VPN client can used as the 'gateway' for a second VPN client on the same device, but you probably have to set them up the old way : manual config file creation and all that. That's not possible on pfSense.
I hope to be wrong of course.
What was possible :
Setting up a pfSense VPN client to 'some' VPN-ISP, routing all outgoing traffic over this connection, that's classic and works fine.
Then I activated a VPN client on my NAS, used 'another' VPN-ISP, and that connected also "just fine".
Now, I had a tunnel over a tunnel.
As I was using some web https sites to test, I actually had a a tunnel in a tunnel in a tunnel.
Btw : you go beyond what is needed to protect the launch codes of the nukes .... are you sure you need this protection ?
@Ratfink Connecting two sites with Wireguard VPN is absolutely doable, and you don't even need fixed IP's for it to work.
When you say you have 5 fixed IP's from your ISP, I'm kind of assuming you have your office at your house? Meaning they are both connected to the same fibre? Otherwise, if they are at very different locations, is it still the same ISP?
In terms of getting the IP's on the respective pfsense machines, I assume you know how or have instructions from the ISP to do this. Might be MAC based if DHCP for example...
Anyway, running pfsense on repurposed HW is very common and can be done "barebone" or virtualized. So you shouldn't have any problems getting to to work on your rack servers, hopefully.
So step one is of course getting both machines up and running. And since they will be for different sites and connected via VPN you must make sure to use different LAN subnets on them. Like 192.168.1.0/24 on one and 192.168.2.0/24 on the other.
Once you have them up and running you can follow a guide like one of these to set up wireguard.
Even though you have fixed IP's it might be a good idea to get two domains, unless you already have that.
If you want to go over WAN anyway, assign an interface to the wg instance and enable it at site 2. This brings up a new firewall rule tab for it then.
Now go to the "Wireguard" tab, edit the existing rules and change the interface to the new one.
I'm not sure what you mean by your last sentence but, I've done the rest.
You mean, changing the interface in the filter rule?
In Firewall > Rules you will see a tab called "Wireguard". pfSense might have created a rule on this tab automatically, when you set up the Wireguard tunnel.
So go to this tab and edit the existing rule and change the interface from "Wireguard" to the interface, which you have assigned to the Wireguard instance before.
Then the rule disappears from the Wireguard tab and appear on the new interface tab.
Also in the WG settings on router 2 you have to change the "allowed IPs" to 0.0.0.0/0 to accept public forwarded traffic.
The problem was an any/any rule in the Wireguard unasigned tunnel firewall rule list. Even though the AirVPN WG interface was assigned, group rules are evaluated first...
Hope this helps someone else as well.
@FoolCoconut THANK you. ive been trying to figure this out for a very long time.
Und das die GW alle die 10.100.0.2, das liegt daran das diese "dynamisch" zugeteilt werden ?
So ist es bei allen wenn ich auf das "bearbeiten" Symbole klicke. Da Feld ist auch ausgegraut, also nicht änderbar.
Yup, those devices are probably not trying to resolve .local addresses using DNS servers at all. They assume they are mDNS and try to find them locally.
I may be interested in knowing more. My ATT router has a 5G port that is unused, but only 1 of the 2 routers has 5G capability, the pfSense. The other router is a MikroTik, but none of it's eth ports have 5G.
For clarity, my pfSense router has a 5G wan input, and 2 10G SFP+ ports as potential outputs.
I wanted perfect separation at the WAN connection, but I could use the 5G ethernet port on the ATT machine and go to the pfRouter, then split the connection to a second router via SFP+ and then to a switch for VPN access via the 2nd SFP+.
This would give me 5G all the way to each router, than separate LANs from there.
@moadmin
Hey guys, can i get any suggestion on this, its still happening even with split tunnel config.
When VPN is on and connected, google meet calls are choppy and distorted, when we turn it off the video is smooth and in good quality.
This happened after we updated our pfsense to 2.6.
But anyway you don't need NAT reflection on pfSense for this now. It's useless, since nothing points to its WAN IP.
And the port forwarding rule with the WAN IP is useless as well.
@viragomann no I need both, I tested it. As soon as I remove the reflection from the port forward, the service is not accessible from within LAN. If I deactivate the WAN port forward Rule, I can't access it from the internet. Maybe because of the first main forward "everything" to pfsense rule in proxmox's network interfaces file. So I will leave as it is for now. I'm just happy that it finally works.
Yes, got a scheduled job doing VM backups every day.
Thank you for your reply! I believe N*rdVPN doesn't allow to choose from a list of cyphers. AES-256-GCM is the encryption algorithm I use. Hardware Crypto is availible:
7590057b-a6da-40b4-919f-203b79dfee1d-image.png
For now, I'm changing my desktop's local IP to disable the VPN if I need high speed like you said. 180-200 Mbps is still enough for browsing the internet and even gaming, video streaming, but it sucks that 80% of my internet speed goes to VPN. I originally chose NordVPN because they were recommended in many forums and they had a nice deal VPN + Password Manager and Data Leak Scanner, but now I think about switching to PIA.
@stephenw10 I deleted the WireGuard tunnel then I set it up all over again. Done the same thing at VPS. Rebooted remote VM and pfSense and it started working.
I have no idea what happened before but I thanks you for all the support you provided!!
@jimp I applied the patch when it was released. I'm reading the release notes for 23.01 and see Issue #13424 has been addressed in the new version. Do I need to do anything like remove the patch before or after I upgrade? Or does everything take care of itself?
You do not need to do anything with the patch after upgrading. You can delete the entry from the system patches package.