VPN Question
  • Hi,

    New to Netgate and pfSense. Learning more and more every day. I know VPNs can be pretty complicated, so I'm trying to simplify them. Currently I have a subscription to VyprVPN, where I log in with a username and password on an individual PC to make a VPN connection. Can the username and password be put into my Netgate somewhere in the VPN section and have my whole LAN be on the VPN? If so, where would I start to accomplish this?

    Thanks much!


  • Thanks for the article. Thinking about this more: if I go the VPN route, will all the ports I opened to get to devices inside my LAN still work, considering the IP to access my network will need to be the variably assigned VPN address?



  • You will still be able to access your WAN while the VPN is up.
    pfSense handles the VPN as an additional WAN connection, but it is only used for upstream traffic. Response packets to requests coming in on the WAN interface are sent back to the WAN gateway (controlled by reply-to), though.
    Ensure that the incoming traffic is not matched by floating rules.



  • @viragomann OK, that's good to know. Thanks! Since I'm new, would you mind explaining the floating rules, where they are in pfSense, and the implications if they are matched?



  • That traffic must not be matched by floating rules.

    Firewall > Rules
    Here you see tabs for each logical interface. At the left side is the Floating tab. Floating rules can be assigned to multiple interfaces, or to outbound traffic as well (seen from pfSense, going out of an interface). Rules on an interface tab are only applied to inbound traffic.
    So you have to put your rules on the WAN tab.



  • @viragomann So then, when this is completed, all my internet traffic in and out of the pfSense will go through the VPN connection unless I turn off the VPN. And will the logging into the VPN that would have been done manually if it was on an individual PC be done automatically with the certificate that I will work on with the supplied instructions (first comment)?

    This will be my weekend project :) Thanks for your help.



  • To distinguish inbound and outbound connections: outbound connections are initiated by an internal device (on LAN or another internal network), like the web browser on your PC.
    Inbound connections are initiated from a device outside your network and can only happen if you have firewall rules set on your WAN interface which allow it. Inbound is also possible on a VPN connection, but I doubt your VPN provider forwards anything to you.

    So if you have no inbound traffic allowed and run the VPN client, all your traffic will pass through the VPN. If the VPN is down, your traffic goes out to the WAN.

    pfSense starts the VPN connection automatically and keeps it up.
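    The two replies above (WAN-tab rules carrying reply-to versus floating rules, and inbound versus outbound) as an added check that is not from this thread or from pfSense itself: a script that reads `pfctl -sr` output and flags inbound pass rules on the WAN interface that lack reply-to, plus floating rules that could match inbound WAN traffic. The sample rules, the interface names igb0/igb1 and the addresses are constructed, and the rule-to-tab mapping is an assumption stated in the code.

```python
import re
# Head of a pf rule as `pfctl -sr` prints pfSense-generated rules.
RULE_RE = re.compile(r'^pass (?P<dir>in|out)(?: quick)?'
                     r'(?: on (?P<iface>\{[^}]*\}|\S+))?(?P<replyto> reply-to \([^)]*\))?')
LABEL_RE = re.compile(r'label "([^"]*)"')

def parse_rule(line):
    # Returns the fields of one 'pass' rule, or None for any other line.
    m = RULE_RE.match(line)
    if not m:
        return None
    raw = m.group("iface")
    if raw is None:
        ifaces = []                         # no 'on': rule applies everywhere
    elif raw.startswith("{"):
        ifaces = raw.strip("{} ").split()   # 'on { igb0 igb1 }'
    else:
        ifaces = [raw]
    label = LABEL_RE.search(line)
    return {
        "dir": m.group("dir"),
        "ifaces": ifaces,
        "reply_to": m.group("replyto") is not None,
        # Assumption: exactly one interface => interface-tab rule, else Floating tab.
        "floating": len(ifaces) != 1,
        "label": label.group(1) if label else line.strip(),
    }

def audit_inbound_wan(rules_text, wan_if):
    # Flags inbound pass rules whose replies could be routed out via the VPN.
    findings = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None or r["dir"] != "in":
            continue
        if r["floating"]:
            if r["ifaces"] and wan_if not in r["ifaces"]:
                continue
            findings.append((r["label"], "floating rule can match inbound WAN traffic"))
        elif r["ifaces"] == [wan_if] and not r["reply_to"]:
            findings.append((r["label"], "WAN rule lacks reply-to"))
    return findings

# Constructed sample in the shape of `pfctl -sr` output; igb0 is WAN, igb1 is LAN.
SAMPLE_RULES = """\
pass in quick on igb0 reply-to (igb0 203.0.113.1) inet proto tcp from any to 192.168.1.10 port = 443 flags S/SA keep state label "USER_RULE: HTTPS to NAS"
pass in quick on igb0 inet proto tcp from any to 192.168.1.10 port = 22 flags S/SA keep state label "USER_RULE: SSH, reply-to disabled"
pass in inet proto tcp from any to 192.168.1.10 port = 8443 flags S/SA keep state label "USER_RULE: floating, no interface"
pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
"""
```

    pfSense adds reply-to to WAN-tab rules on its own unless it has been disabled globally (System > Advanced > Firewall & NAT) or in the rule's advanced options, so a finding here usually points at one of those settings or at a rule on the Floating tab.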



  • @viragomann Thanks for your quick replies. I think this does it until I get started, and hopefully it will go smoothly. Thanks again for your help.



  • @viragomann OK, armed with all this information I couldn't wait until the weekend and got it done today. It works, but it really slows down the internet to about 30-40 MPS from my 150 MPS. I guess I'll use the VPN service when I need it by turning it off under the Services section. I did turn on the cryptographic engine in the settings since my 3100 has it, but I didn't see much of a speed change. BTW, for those reading the VyprVPN customer link at the beginning of this, ignore pasting in the items listed in the advanced section. When this was in place I could not connect to the VPN provider. When I removed it I could make the connection.



  • @ILIKENETGATE said in VPN Question:

    @viragomann OK, armed with all this information I couldn't wait until the weekend and got it done today. It works, but it really slows down the internet to about 30-40 MPS from my 150 MPS. I guess I'll use the VPN service when I need it by turning it off under the Services section. I did turn on the cryptographic engine in the settings since my 3100 has it, but I didn't see much of a speed change. BTW, for those reading the VyprVPN customer link at the beginning of this, ignore pasting in the items listed in the advanced section. When this was in place I could not connect to the VPN provider. When I removed it I could make the connection.

    Right. I have to remove several options as well.

    Check your send and receive buffers. I usually use 256k.