Advantages with VPN on pfsense vs individual machines?
-
It stays up 24x7 – or at least pfsense tries to keep it up 24x7. If you're using one of the bigger vpn providers then, yeah, it'll stay connected all the time. Then you just need to edit the policy routing as needed. So for me I have 1 vpn provider who offers 3 simultaneous connections.
VPN1: P2P/NNTP traffic
VPN2: Guest traffic
VPN3: Geo buster traffic
So in pfsense I have 3 OpenVPN clients setup, one for each of the above. My default gateway on pfsense is to go out the WAN. I then have one policy to send all traffic from my p2p/nntp vm exclusively out VPN1 and if VPN1 isn't available then that vm's internet access is blocked. I have a second policy directing all traffic from my guest wifi vlan to route exclusively thru VPN2 and if VPN2 isn't available then block that vlan's internet access. Finally, I have VPN3 which is usually idle these days. I used to use it for geo busting Netflix so I'd just reconnect VPN3 to USA or Europe or whichever place Netflix would serve me the movie I was trying to watch. I also used it to get around my sports blackouts. Now I just use it to get around sports blackouts really. I have a policy setup to route all my streaming devices thru VPN3 as needed. The rule is usually off, but on the rare night when I need to bust a blackout, I just login to pfsense and enable the rule. All other traffic from all other vlans goes out the WAN directly.
The other nice thing I do is I prioritize all the vpn traffic using the traffic shaper. So VPN1 traffic is the lowest, VPN2 is default priority and VPN3 is highest priority. If a torrent starts downloading while streaming the game or netflix then nothing is affected as all bandwidth goes to my streaming devices before anything using VPN1.
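The layout in this post, written out as an added example (not from the thread, and not rules exported from the poster's box): pfSense generates pf rules from the GUI, and the fragment below is the pf equivalent of three policy-routed OpenVPN clients with a fail-closed block under each, plus a PRIQ shaper on the WAN. Every interface name, address, endpoint, port and bandwidth figure is a placeholder I made up for illustration.

```pf
# Added example, not from the thread: three-tunnel policy routing with
# fail-closed blocks and a PRIQ shaper, as pf rules of the kind pfSense
# generates. All names and addresses are assumed placeholders.

wan         = "em0"
lan         = "em1"          # LAN holding the P2P/NNTP VM
guest_vlan  = "em1.20"       # guest Wi-Fi VLAN
stream_vlan = "em1.30"       # streaming devices
p2p_vm      = "192.168.1.50"
local_nets  = "{ 192.168.1.0/24, 192.168.20.0/24, 192.168.30.0/24 }"
vpn1_gw     = "10.8.0.1"     # peer address of OpenVPN client 1 (ovpnc1)
vpn2_gw     = "10.9.0.1"     # ovpnc2
vpn3_gw     = "10.10.0.1"    # ovpnc3
vpn1_srv    = "203.0.113.10" # provider endpoints each client dials (placeholders)
vpn3_srv    = "203.0.113.30"

# Shaper: one PRIQ scheduler on WAN. A higher priority number is serviced
# first, so VPN3 (streaming) beats default traffic (VPN2 and plain WAN),
# and VPN1 (torrents) only gets what is left over.
altq on $wan priq bandwidth 50Mb queue { qVPN1, qDefault, qVPN3 }
queue qVPN1    priority 1
queue qDefault priority 3 priq(default)
queue qVPN3    priority 7

# Classify the tunnels on WAN by the endpoint each client dials; the inner
# packets are already encrypted when they leave WAN, so this is where the
# shaper can still tell the tunnels apart.
match out on $wan proto udp from ($wan) to $vpn1_srv port 1194 queue (qVPN1)
match out on $wan proto udp from ($wan) to $vpn3_srv port 1194 queue (qVPN3)

# Outbound NAT onto each tunnel so replies come back through the same tunnel.
nat on ovpnc1 inet from $p2p_vm to any -> (ovpnc1)
nat on ovpnc2 inet from ($guest_vlan:network) to any -> (ovpnc2)
nat on ovpnc3 inet from ($stream_vlan:network) to any -> (ovpnc3)

# Policy 1: the P2P/NNTP VM. Local networks first, so route-to does not drag
# LAN-to-LAN traffic into the tunnel; then force everything else out VPN1.
pass in quick on $lan inet from $p2p_vm to $local_nets keep state
pass in quick on $lan route-to (ovpnc1 $vpn1_gw) inet from $p2p_vm to any keep state label "p2p via VPN1"

# Fail closed. With "Skip rules when gateway is down" enabled, pfSense omits
# the route-to rule above while ovpnc1 is down, so the VM's traffic lands
# here instead of falling through to the WAN default gateway.
block in quick on $lan inet from $p2p_vm to any label "p2p leak guard"

# Policy 2: guest VLAN, same pattern (guests also get no local-net access).
pass in quick on $guest_vlan route-to (ovpnc2 $vpn2_gw) inet from ($guest_vlan:network) to any keep state label "guest via VPN2"
block in quick on $guest_vlan inet from ($guest_vlan:network) to any label "guest leak guard"

# Policy 3: streaming devices. Kept disabled (commented out) most of the time;
# with no matching rule they fall through to the WAN default route.
# pass in quick on $stream_vlan route-to (ovpnc3 $vpn3_gw) inet from ($stream_vlan:network) to any keep state label "streaming via VPN3"
```

The two things that make this fail closed rather than fail open are the block rule directly under each route-to rule and the "Skip rules when gateway is down" setting (System > Advanced > Miscellaneous): without that setting pfSense keeps the rule but drops the gateway from it when the tunnel is down, and the traffic quietly takes the WAN. After a tunnel drop, `pfctl -sr` shows whether the route-to rule is still loaded, which is the check worth doing before trusting the leak guard.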
-
@SirJohnEh:
It stays up 24x7 – or at least pfsense tries to keep it up 24x7. If you're using one of the bigger vpn providers then, yeah, it'll stay connected all the time. Then you just need to edit the policy routing as needed. So for me I have 1 vpn provider who offers 3 simultaneous connections.
VPN1: P2P/NNTP traffic
VPN2: Guest traffic
VPN3: Geo buster traffic
So in pfsense I have 3 OpenVPN clients setup, one for each of the above. My default gateway on pfsense is to go out the WAN. I then have one policy to send all traffic from my p2p/nntp vm exclusively out VPN1 and if VPN1 isn't available then that vm's internet access is blocked. I have a second policy directing all traffic from my guest wifi vlan to route exclusively thru VPN2 and if VPN2 isn't available then block that vlan's internet access. Finally, I have VPN3 which is usually idle these days. I used to use it for geo busting Netflix so I'd just reconnect VPN3 to USA or Europe or whichever place Netflix would serve me the movie I was trying to watch. I also used it to get around my sports blackouts. Now I just use it to get around sports blackouts really. I have a policy setup to route all my streaming devices thru VPN3 as needed. The rule is usually off, but on the rare night when I need to bust a blackout, I just login to pfsense and enable the rule. All other traffic from all other vlans goes out the WAN directly.
The other nice thing I do is I prioritize all the vpn traffic using the traffic shaper. So VPN1 traffic is the lowest, VPN2 is default priority and VPN3 is highest priority. If a torrent starts downloading while streaming the game or netflix then nothing is affected as all bandwidth goes to my streaming devices before anything using VPN1.
That's efficient! Sure sounds better than firing up local VPN clients all the time on my local home computers. My VPNs are all OpenVPN based too. I can see where one would need VLAN(s) to group devices for this setup. Thanks for painting the visual of this setup, a bit clearer now.
For the client on pfsense I'll use either TorGuard or PIA.
-
I cannot think of 1 reason to run the vpn on the client if you have pfsense there..
I can. But it's only if the pfSense hardware isn't capable of handling the encryption at full speed. Scenario would be you have a pfSense box capable of handling your ISP connection but doesn't have the CPU grunt to encrypt at full speed. Then the options are upgrading the pfSense CPU or running the client on your desktop, laptop, whatever, that does have the CPU grunt to do the encryption. I faced that choice at one point and chose to upgrade pfSense hardware rather than running the client locally.
-
Another case for running VPN on the hosts would be if end-to-end encryption is a requirement.
-
"end-to-end encryption is a requirement."
That comes up a lot when users are using a vpn service to circumvent geographic restrictions and/or hide their p2p traffic.. Also for sure comes up when you think the black helicopters are circling and they might be sniffing your local network…
Just saying such a use case doesn't apply for this thread..
-
@johnpoz One advantage of having the vpn on the client is when you want to route traffic per app. Say, for instance, you want to run Netflix on ISP and TiviMate on VPN.
Netflix is notorious for not allowing a full experience on a VPN, like 4K HDR.
-
@BxuEyE4 said in Advantages with VPN on pfsense vs individual machines?:
i use several VPN clients on various Windows & Linux machines here at home along with using pfsense as my home firewall.
wondering if there is an advantage to installing VPN like (PIA) on my pfsense firewall versus just making use of the VPN clients?
An equivalent question is whether you should connect to the Internet through pfSense or have each client use its own connection. I can't think of any reason for having a VPN on the client when it's available on the network. Of course, if you're on a network elsewhere, such as a coffee shop, then you'd want a VPN on that device.
BTW, it might help if you described what you're using a VPN for. For example, while I have a VPN between my laptop computer and home network, I don't have any need for those public VPN servers.
-
Another advantage is the ability to use the cryptographic acceleration hardware built into the Netgate firewall appliances, the use of DOC, controlling access with RADIUS, or even setting up local access policies; direct use of syslogs and a granular level of security by way of the multitude of logs available directly on the firewall; and a separate access control list that can be used for OpenVPN. Share a NAS private cloud with your family for photos and large files. Many types of encryption algorithms are also available, and Netgate's open source community can help you with issues. Finally, scheduling: the ability to set up when users can access the VPN, or even lock it out completely on holidays.