Accessing Pfsense through a cloud VPN service like NordVPN



  • Hello,

    For security reasons and to ease the connections of remote mobile devices, I have subscribed to a VPN service provider (here NordVPN). I am desperately looking for some guidance on how to set up remote access to my network through the VPN provider, but I can't seem to find any, and I don't think this is so special that no one has done it.
    Ex: Mobile devices (Android) -> NordVPN -> PfSense -> LAN

    This secures who can VPN into pfSense by allowing remote access from only one IP address (from NordVPN), and it greatly simplifies the setup on the mobile devices (certificates etc.).
    I am not sure what to google to find a "how to" guide for this type of setup. Can anyone refer me to some good sites?
    I believe this would be a reverse VPN or a VPN gateway through a VPN service provider, but those terms don't seem to give good results.

    Thanks
    XabiX



  • A VPN Provider is not going to improve your security and it's certainly not going to make the connecting of remote devices easier.



  • That's another debate. At least for me, using NordVPN clients on Android/Apple is much simpler than having to export certificates and open my firewall to any IP in the EU and US.
    Otherwise, how can I avoid having to expose a port on the pfSense WAN?



  • @xabix said in Accessing Pfsense through a cloud VPN service like NordVPN:

    Ex: Mobile devices (Android) -> NordVPN -> PfSense -> LAN

    Site-to-site and remote access VPNs have been in use for many years in firewalls, long before this explosion of VPN providers started, which has now also made average non-technical users aware of VPNs. Different kinds of VPNs have different objectives though, and different kinds of VPN services shouldn't be confused.

    As far as I know, the main objective of most VPN-services offered is to protect the privacy of outgoing traffic. A remote access VPN that's intended to protect incoming traffic is a different thing. I think that you should ask your VPN-provider if they offer remote access VPN also and if they do, how to set that up with pfSense. If they do offer it, I would imagine that you at the very least need a private ip address at the exit-point of the VPN-provider. That may be the opposite of what you want for your outgoing traffic, as it's probably better for your privacy if your outgoing traffic is mixed up with traffic from other users at the exit point.

    The question is though if you would gain anything from offering remote access through a VPN-provider? I can't see any real advantage except for a more complicated configuration and probably a higher cost.

    When offering a remote access VPN you still need to have open ports for the incoming VPN-connection, either in the firewall or (if it's offered) with the VPN-provider.

    The way a remote access VPN is normally set up:
    Mobile clients (any OS) -> PfSense (running a VPN-server) -> LAN

    You don't need to pay for a VPN-service from someone to offer remote access VPN.



  • Hi P3R,

    Many thanks for the detailed information. I actually needed the VPN provider for another reason (so I have it for 3 years and am underusing it), which is why I was thinking of also using it to simplify the configuration on the mobile devices side. This adds some complexity, as I would need to have a one-off site-to-site VPN between the VPN provider and my pfSense, but then all the end users would be configured easily through their app with a login/pwd and a selection of the server.

    Today I am doing what you mentioned directly with Android OpenVPN and an export of the certificate as well as a user/pwd. I may then keep doing this, but I didn't find it easy to set up the clients.

    Sounds like I will keep doing what I was doing, and obviously my pfSense VPN port is open to a big geo list.

    Thanks
    XabiX



  • I Need Cloud VPN Guidance.