Advantages with VPN on pfsense vs individual machines?



  • I use several VPN clients on various Windows & Linux machines here at home, along with using pfsense as my home firewall.

    Wondering if there is an advantage to installing a VPN (like PIA) on my pfsense firewall versus just making use of the VPN clients?



  • The advantage of having the VPN connection on your router is that you now can connect multiple machines to a VPN service and only use 1 session (most vpn services have limits on number of active sessions at once). Another benefit is that you also can now use the VPN connection on devices that don't have vpn client applications for them, like a Roku, chromecast, etc….


  • LAYER 8 Global Moderator

    You can now very easily, with policy routing, send some traffic down the vpn while other traffic goes out your normal isp. I cannot think of 1 reason to run the vpn on the client if you have pfsense there.



  • @ahslan:

    The advantage of having the VPN connection on your router is that you now can connect multiple machines to a VPN service and only use 1 session (most vpn services have limits on number of active sessions at once). Another benefit is that you also can now use the VPN connection on devices that don't have vpn client applications for them, like a Roku, chromecast, etc….

    Wow, didn't even think of the Roku, etc. devices I have + the single session. You're correct, some of my VPN providers allow only one session; two other providers allow a couple sessions. Many thanks for your info. The advantage is getting clearer.



  • @johnpoz:

    You can now very easily, with policy routing, send some traffic down the vpn while other traffic goes out your normal isp. I cannot think of 1 reason to run the vpn on the client if you have pfsense there.

    I cannot think of 1 reason to run the vpn on the client if you have pfsense there.

    In conjunction with VPN on pfsense, yes? Just wanting to clarify.

    Appreciate your reply & input about the policy routing. Getting my head more wrapped around this. Thanks.


  • LAYER 8 Global Moderator

    Yes, you connect to your vpn service on pfsense, then you can just policy route the traffic you want to use the vpn; other traffic would just go out the normal wan connection.  So for example you could have your box running torrents using the vpn, but your normal browser you shop amazon with just using your isp.  Or if you want to watch something from a different region like netflix, hulu, whatever, you could route that out a vpn connection.

    Once your connection to your vpn is done on pfsense, then it's easy peasy to route the traffic you want where you want to route it.  This also allows these pc's or tablets/phones to easily use your local resources without having to split tunnel on the vpn client itself or enable/disable depending on what you're wanting to access.  Just a simple policy route on pfsense and you're done.



  • Yes to all of these advantages, I use them all.  What would be really great is if there was an api (be it rest or whatever) to allow scripting of these scenarios.  In my dream scenario, I can tell my Google Home to reroute traffic thru my vpn as necessary – for example, if I needed to reroute my roku in the living room thru the vpn to get around that night's blackout on mlb.tv, nhl.tv, etc.  If I could just tell Google Home to do it for me then tell it to undo that policy after the game so Netflix starts to work again then I could save myself having to login to pfsense and click around to get the job done/undone.



  • @johnpoz:

    Yes, you connect to your vpn service on pfsense, then you can just policy route the traffic you want to use the vpn; other traffic would just go out the normal wan connection.  So for example you could have your box running torrents using the vpn, but your normal browser you shop amazon with just using your isp.  Or if you want to watch something from a different region like netflix, hulu, whatever, you could route that out a vpn connection.

    Once your connection to your vpn is done on pfsense, then it's easy peasy to route the traffic you want where you want to route it.  This also allows these pc's or tablets/phones to easily use your local resources without having to split tunnel on the vpn client itself or enable/disable depending on what you're wanting to access.  Just a simple policy route on pfsense and you're done.

    Didn't realize. I'll get started on installing the app and seeing what I can do with it. Appreciate the help. Sure I'll be back once I get to the policies. ;-)



  • @SirJohnEh:

    Yes to all of these advantages, I use them all.  What would be really great is if there was an api (be it rest or whatever) to allow scripting of these scenarios.  In my dream scenario, I can tell my Google Home to reroute traffic thru my vpn as necessary – for example, if I needed to reroute my roku in the living room thru the vpn to get around that night's blackout on mlb.tv, nhl.tv, etc.  If I could just tell Google Home to do it for me then tell it to undo that policy after the game so Netflix starts to work again then I could save myself having to login to pfsense and click around to get the job done/undone.

    Let me ask, does the VPN connection stay up all the time, or does one need to log in to pfsense and start a VPN session for the respective usage, i.e. your roku streaming or Google?



  • It stays up 24x7 – or at least pfsense tries to keep it up 24x7.  If you're using one of the bigger vpn providers then, yeah, it'll stay connected all the time.  Then you just need to edit the policy routing as needed.  So for me I have 1 vpn provider who offers 3 simultaneous connections.

    VPN1: P2P/NNTP traffic
    VPN2: Guest traffic
    VPN3: Geo buster traffic

    So in pfsense I have 3 OpenVPN clients set up, one for each of the above.  My default gateway on pfsense is to go out the WAN.  I then have one policy to send all traffic from my p2p/nntp vm exclusively out VPN1 and if VPN1 isn't available then that vm's internet access is blocked.  I have a second policy directing all traffic from my guest wifi vlan to route exclusively thru VPN2 and if VPN2 isn't available then block that vlan's internet access.  Finally, I have VPN3, which is usually idle these days.  I used to use it for geo busting Netflix so I'd just reconnect VPN3 to USA or Europe or whichever place Netflix would serve me the movie I was trying to watch.  I also used it to get around my sports blackouts.  Now I just use it to get around sports blackouts really.  I have a policy set up to route all my streaming devices thru VPN3 as needed.  The rule is usually off, but on the rare night when I need to bust a blackout, I just log in to pfsense and enable the rule.  All other traffic from all other vlans goes out the WAN directly.

    The other nice thing I do is I prioritize all the vpn traffic using the traffic shaper.  So VPN1 traffic is the lowest, VPN2 is default priority and VPN3 is highest priority.  If a torrent starts downloading while streaming the game or netflix then nothing is affected as all bandwidth goes to my streaming devices before anything using VPN1.
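    The three-tunnel setup SirJohnEh describes here, and the policy routing johnpoz outlined earlier in the thread, as an added hand-written pf ruleset illustration; it is not from the thread or from pfSense's own generated rules, and every interface name, subnet, tunnel gateway and provider endpoint address is an assumed placeholder.

```pf
# Added illustration (not from the thread): a hand-written pf ruleset
# approximating what pfSense generates from the GUI for the setup above.
# All interface names, subnets and addresses are assumed placeholders.
wan      = "igb0"
vlan_p2p = "igb1.10"     # p2p/nntp VM network   10.10.1.0/24 -> VPN1 (ovpnc1)
vlan_gst = "igb1.20"     # guest wifi vlan       10.10.2.0/24 -> VPN2 (ovpnc2)
vlan_med = "igb1.30"     # streaming devices     10.10.3.0/24 -> VPN3 (ovpnc3)
local_nets = "{ 10.10.0.0/16 }"
vpn1_srv = "198.51.100.11"   # provider endpoints (RFC 5737 documentation range)
vpn3_srv = "198.51.100.13"

# Traffic shaper: VPN1 lowest, VPN2 default, VPN3 highest.  Queues live
# on the WAN and are assigned to the encapsulated OpenVPN sessions, since
# the inner packets' queue tags do not survive tunnel encapsulation.
altq on $wan priq bandwidth 40Mb queue { q_p2p, q_default, q_media }
queue q_p2p     priority 1
queue q_default priority 3 priq(default)
queue q_media   priority 6

# Outbound NAT onto each tunnel; the peer address is the route-to gateway.
nat on ovpnc1 from $vlan_p2p:network to any -> (ovpnc1)
nat on ovpnc2 from $vlan_gst:network to any -> (ovpnc2)
nat on ovpnc3 from $vlan_med:network to any -> (ovpnc3)

match out on $wan proto udp to $vpn1_srv port 1194 queue q_p2p
match out on $wan proto udp to $vpn3_srv port 1194 queue q_media

# Kill switch: p2p and guest networks may never leave via the ISP directly,
# so a tunnel outage means no Internet for them rather than a cleartext leak.
block out quick on $wan from $vlan_p2p:network to any
block out quick on $wan from $vlan_gst:network to any

# Local resources stay reachable with no split tunnel on the clients:
# plain pass rules without route-to use the normal routing table.
pass in quick on $vlan_p2p from $vlan_p2p:network to $local_nets
block in quick on $vlan_gst from $vlan_gst:network to $local_nets  # guest isolation
pass in quick on $vlan_med from $vlan_med:network to $local_nets

# Policy routing: route-to steers everything else into the assigned tunnel.
pass in quick on $vlan_p2p route-to (ovpnc1 10.8.1.1) from $vlan_p2p:network to any
pass in quick on $vlan_gst route-to (ovpnc2 10.8.2.1) from $vlan_gst:network to any
# The VPN3 rule is normally disabled; enabling it is the "bust the blackout"
# switch.  While it is off, the streaming vlan goes out the WAN like the rest.
# pass in quick on $vlan_med route-to (ovpnc3 10.8.3.1) from $vlan_med:network to any
pass in quick on $vlan_med from $vlan_med:network to any
```

    Check the result with `pfctl -sr` and `pfctl -ss` after a tunnel drop: the p2p and guest networks should show no states on the WAN interface, which is the behaviour the "block if VPN isn't available" policies are meant to guarantee.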



  • @SirJohnEh:

    It stays up 24x7 – or at least pfsense tries to keep it up 24x7.  If you're using one of the bigger vpn providers then, yeah, it'll stay connected all the time.  Then you just need to edit the policy routing as needed.  So for me I have 1 vpn provider who offers 3 simultaneous connections.

    VPN1: P2P/NNTP traffic
    VPN2: Guest traffic
    VPN3: Geo buster traffic

    So in pfsense I have 3 OpenVPN clients set up, one for each of the above.  My default gateway on pfsense is to go out the WAN.  I then have one policy to send all traffic from my p2p/nntp vm exclusively out VPN1 and if VPN1 isn't available then that vm's internet access is blocked.  I have a second policy directing all traffic from my guest wifi vlan to route exclusively thru VPN2 and if VPN2 isn't available then block that vlan's internet access.  Finally, I have VPN3, which is usually idle these days.  I used to use it for geo busting Netflix so I'd just reconnect VPN3 to USA or Europe or whichever place Netflix would serve me the movie I was trying to watch.  I also used it to get around my sports blackouts.  Now I just use it to get around sports blackouts really.  I have a policy set up to route all my streaming devices thru VPN3 as needed.  The rule is usually off, but on the rare night when I need to bust a blackout, I just log in to pfsense and enable the rule.  All other traffic from all other vlans goes out the WAN directly.

    The other nice thing I do is I prioritize all the vpn traffic using the traffic shaper.  So VPN1 traffic is the lowest, VPN2 is default priority and VPN3 is highest priority.  If a torrent starts downloading while streaming the game or netflix then nothing is affected as all bandwidth goes to my streaming devices before anything using VPN1.

    That's efficient!  Sure sounds better than firing up local VPN clients all the time on my local home computers. My VPNs are all openvpn based too.  I can see where one would need vlan(s) to group devices for this setup.  Thanks for painting the visual of this setup, a bit clearer now.

    For the client on pfsense I'll use either torguard or pia.



  • @johnpoz:

    I cannot think of 1 reason to run the vpn on the client if you have pfsense there.

    I can.  But it's only if the pfSense hardware isn't capable of handling the encryption at full speed.  Scenario would be you have a pfSense box capable of handling your ISP connection but doesn't have the CPU grunt to encrypt at full speed.  Then the options are upgrading the pfSense CPU or running the client on your desktop, laptop, whatever, that does have the CPU grunt to do the encryption.  I faced that choice at one point and chose to upgrade pfSense hardware rather than running the client locally.



  • Another case for running VPN on the hosts would be if end-to-end encryption is a requirement.


  • LAYER 8 Global Moderator

    "end-to-end encryption is a requirement."

    That comes up a lot when users are using a vpn service to circumvent geographic restrictions and/or hide their p2p traffic. Also for sure comes up when you think the black helicopters are circling and they might be sniffing your local network…

    Just saying, such a use case doesn't apply to this thread.

