Pfsense as a vpn server?
-
Use NAT on the pfSense box, so that all the traffic passing through it would be seen from the network's perspective as it was generated by the pfSense box. That would be perfectly transparent and no need to modify routing config on the edge router.
-
Yeah that's what most do though I prefer not to NAT where possible. The main disadvantage is you can't open connections the other way if required for any reason. But you also lose the source address in logs etc.
Steve
-
Try pfSense 2.4.0 BETA.
It has OpenVPN 2.4 which will allow you to create a VPN server using AES-128-GCM; more secure and faster.
Also has LZ4v2 which will take some load off the CPU to compress/decompress for almost the same compression ratio.
-
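The settings recommended in the post above (OpenVPN 2.4 with AES-128-GCM and LZ4v2), written out as a plain OpenVPN 2.4 server config for a pfSense box sitting behind an edge router, with split tunneling so only the home LAN goes through the tunnel. This is an added illustration, not a file from this thread or from pfSense itself (pfSense generates its own config from the GUI); the subnets, port, and certificate paths are assumed placeholders.

```conf
# Assumed: pfSense LAN is 192.168.1.0/24, tunnel subnet is 10.8.0.0/24,
# and the edge router forwards UDP 1194 to the pfSense WAN address.
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0

# OpenVPN 2.4: AEAD cipher (faster and integrity-checked, no separate HMAC
# on the data channel); ncp-ciphers lets 2.4 clients negotiate GCM.
cipher AES-128-GCM
ncp-ciphers AES-128-GCM:AES-256-GCM
auth SHA256
tls-version-min 1.2

# OpenVPN 2.4 LZ4v2 compression, as mentioned in the post above.
compress lz4-v2

# Certificates/keys and a tls-crypt key to hide the control channel
# from port scanners (paths are placeholders).
ca /path/to/ca.crt
cert /path/to/server.crt
key /path/to/server.key
dh /path/to/dh2048.pem
tls-crypt /path/to/tls-crypt.key

# Split tunneling: push only the home LAN route, no redirect-gateway,
# so the client's ordinary internet traffic stays local to the client.
push "route 192.168.1.0 255.255.255.0"

# Return traffic: hosts on 192.168.1.0/24 must be able to reach 10.8.0.0/24.
# Either add a static route for 10.8.0.0/24 on the edge router pointing at
# the pfSense box, or (the NAT approach discussed earlier in this thread)
# add an outbound NAT rule on pfSense for the tunnel subnet; NAT needs no
# router change but hides the client's tunnel address in LAN-side logs.

keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
```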
hmm, interesting. i may just do that.
i was going to check out the hardware forum, but what i would look for is something in a small form factor to build out. something that can just sit on my desk.
-
Well obviously our own hardware works well. ;)
What sort of bandwidth do you need over the VPN?
Steve
-
I am open to buying a premade one as well, as long as i can fit it into my budget. Space is limited in my office so i am open to options. :)
Primary use for this is for me to VPN back into my home network while on the road. I have a few internal servers (2 ESXi, 1 FreeNAS box) that i run a bunch of stuff on. Mostly VM's, some scripting/coding API type calls really is the need. I would be accessing it all through my Mac.
Bandwidth wise, not sure to be honest. Most of the traffic I would be connecting through the VPN tunnel would be web based, ssh and RDP. Split tunneling is another thing i am exploring as well.
Does that help?
Much appreciated.
-
What bandwidth is your home connection? No point speccing a monster server if the WAN the VPN is running on is not that large.
Steve
-
Not too bad.
think its 80down/15 or 20 up.
hoping they upgrade soon. 8)
-
Something >= n3150 will get you ~100Mbps OpenVPN AES-128-CBC throughput. GCM will have better performance if you choose to go with 2.4
These boxes are an example:
https://www.amazon.com/ZOTAC-Quad-Core-Graphics-Barebones-ZBOX-CI323NANO-U/dp/B01IPVOKNS?th=1
If you have spare parts around that you can use to make the box though, you can probably throw something together for a lot cheaper. I often recommend the J3355B SoC's because they cost $55, but even that is overkill for your needs.
For 100Mbps as a VPN server only you could probably even use the onboard Realtek NIC with VLANs for your WAN and LAN.
I've never done this but I've seen others talk about it for low end connections. Just search the forum for "single NIC". Otherwise, a used dual port i340 (or really whatever you have lying around for that connection speed) will get you going.
-
Looking at this again,
how would something like this work based on my requirements and current pipe:
https://www.netgate.com/products/sg-1000.html
Small form factor, runs pfsense, gets support and i get to support pfsense. Fits in my budget.
This would sit like i said, behind my router and act as a VPN server.
Thoughts?
Thx
-
The SG-1000 will not push 80Mbps of encrypted traffic unfortunately. Not yet at least, it does have hardware crypto for which a driver has not yet been developed. No figures for that yet though.
You would be looking at the SG-2220 to do that on our hardware.
Thanks,
Steve