Looking for some advice on how to set up a home network through a VPN.



  • Hi all. New VPN user here.

    I have subscribed to the NordVPN service. Currently, I have the VPN client software installed on one of my home computers on my home network. This provides VPN protection for that computer only, of course.

    I have recently signed up for Google Fiber. I know that one of Google's objectives is to monetize not only how people use their web services, but as an ISP to monetize how people use the internet entirely. So, my objective is to put my entire home network on a VPN so that all devices on my home network go through the VPN, except my MagicJack VOIP phone which I see no need to route through a VPN.

    I also have a second router set up as a wireless access point with a unique password. This is for the kids, as I can shut the router on and off with a smart timer socket (routers have poor parental time controls, I find).

    Here is what I thought my network topology would need to look like:

    (network topology diagram)

    Essentially, I believe my Netgear R6400 would function as a switch.

    I had intended to install DD-WRT on the R6400 router, and so have the VPN apply to almost everything on my network. But I am given to understand that the R6400 would be very slow and a big performance bottleneck.

    I was told that instead perhaps I should run a PC with pfsense on it to get gigabit speeds.

    I see that Netgate sells pre-configured boxes to do this. Can you recommend one?

    Or, is it cheaper to build a PC and do the install yourself?

    Thanks for any suggestions.



  • https://store.netgate.com/pfSense/SG-1100.aspx
    $160 USD

    https://store.netgate.com/SG-3100.aspx
    $350 USD

    You can find cheap PCs quite easily, but they will use a lot more power than a small appliance and they usually have craptacular Realtek NICs.



  • Thanks KOM. The SG-1100 sounds interesting.

    What is the OPT port?

    I assume with this kind of firewall device, which says it has VPN support, that it can be configured to route traffic through a service like NordVPN?

    I guess my network topology would look something like this?

    (network topology diagram)



  • OPT1, OPT2 etc are additional interfaces, that's all. They are usually extra LANs but you could make one another WAN if you had multiple links. You can rename them to suit the network they represent. I have an OPT1 interface configured as a DMZ and I named it accordingly.

    Your diagram is fine except for the voip. Why not put it behind pfSense? If you have it in front then your call quality will be poor if someone is pounding your link. If it's inside, you could configure traffic shaping to prioritize the voip over all else.

    Also, there is a fundamental thing you're not getting here. By connecting an interface to your VPN provider, you don't have to force ALL traffic through the tunnel. You can use firewall rules to control which gateway traffic goes out of. This is called policy routing. So you would craft a rule so that the voip phone goes out WAN and all other traffic goes out OpenVPN.



  • @KOM said in Looking for some advice on how to set up a home network through a VPN.:

    Your diagram is fine except for the voip. Why not put it behind pfSense? If you have it in front then your call quality will be poor if someone is pounding your link. If it's inside, you could configure traffic shaping to prioritize the voip over all else.
    Also, there is a fundamental thing you're not getting here. By connecting an interface to your VPN provider, you don't have to force ALL traffic through the tunnel. You can use firewall rules to control which gateway traffic goes out of. This is called policy routing. So you would craft a rule so that the voip phone goes out WAN and all other traffic goes out OpenVPN.

    Hi KOM, thanks for explaining stuff to the noob!

    I put the VOIP phone outside the firewall as I figured I did not need to obfuscate that data. But as you note, it sounds like I could put it behind the firewall and then configure it to not be obfuscated. Seems easier to just plug it in ahead of the firewall?

    I understand that I can control which traffic goes through the VPN and which does not, but one of my goals here is to route all traffic through the VPN so that Google cannot see how we are using the connection and monetize it.

    Although now that I think about it, really I only care about web browsing and P2P being snooped by the ISP. I suppose online games could be ignored, but this would have to be configured for all games currently played and updated every time a new game is played?

    It just seemed easier to me to put the entire home network through the VPN rather than try to configure and maintain exceptions. Maybe the performance hit will make it worthwhile to do it.

    You say "OpenVPN" - I already signed up for 3 years of NordVPN - will the device work with that?

    Thanks again,



  • @maillemaker said in Looking for some advice on how to set up a home network through a VPN.:

    Seems easier to just plug it in ahead of the firewall?

    Easier is not always better. Like I said, if voip is outside then your call quality will suffer if someone is maxing out your link via P2P. Having a Gb interface is nice, but it can still be saturated. Call quality can be affected by other traffic even if the link isn't fully saturated, as voip traffic is time-sensitive.

    Yes, it can be a nightmare trying to segment different traffic types via policy routing, depending on what you want to do. You probably don't want your games going through the VPN due to added latency. Much better would be to tunnel all your traffic except the voip, and that's easy to do. Then you would have a single rule that directs traffic from your game rig to the WAN that you can easily toggle on or off as needed.

    OpenVPN is the protocol used by all these VPN providers. They typically all support OpenVPN. Some support IPSec, which is more often used as a point-to-point tunnel for connecting branch offices, for example, and is more complicated to set up than OpenVPN. The new kid on the block is Wireguard, and only a handful of providers support it. pfSense supports OpenVPN and IPSec, but not Wireguard. Nordvpn is just the company name of your provider, not to be confused with the OpenVPN protocol they support.






  • Warning tip for newbie VPN users! Be aware that it is likely many streaming services such as Netflix, Hulu and Amazon Prime will either just not work at all, or else give you many headaches, due to the use of a VPN source IP. The streaming providers for the most part actively block known VPN address space because so many folks use that in an attempt to bypass geo-restrictions on where content is made available.

    While your VPN provider may initially promise the streaming services work, it is usually just a matter of time before the streaming providers find the VPN provider's exit node IP address space and block it. Then it becomes a game of whack-a-mole.

    So putting your entire LAN behind a VPN will probably cause you a lot of trouble. Instead, do what @KOM suggested and use pfSense firewall rules with policy routing to control which devices go out over the VPN. For policy routing to work, make sure you ignore any step in the VPN setup instructions from your provider that say to click the "Pull Routes" checkbox. You want that box unchecked for policy routing to work.
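    The policy-routing idea from KOM's earlier reply (specific rules for the VoIP phone and the game rig above a catch-all rule that sends the rest of the LAN into the tunnel) and the "Pull Routes" caveat above can be checked against a small model. The script below is an added example written for this thread, not pfSense code: it evaluates an ordered list of LAN rules with first-match semantics, where a rule with a gateway set sends the flow out that gateway and a rule left at "default" defers to the routing table. Pulling routes from the provider is modelled as the routing table's default gateway changing from WAN to the VPN. Host addresses, gateway names and rule contents are constructed placeholders.

```python
# Added example for this thread (not pfSense code): a simplified model of
# pfSense-style policy routing on the LAN interface. Rules are evaluated top
# to bottom and the first match wins; a rule with a gateway set sends the flow
# out that gateway, a rule with no gateway defers to the routing table's
# default. Gateway names and addresses below are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_GW = "WAN_GW"        # the ISP uplink
OVPN_GW = "OVPN_GW"      # the OpenVPN client interface to the VPN provider

# Constructed LAN hosts
LAN_NET = "192.168.1.0/24"
VOIP_PHONE = "192.168.1.20"
GAME_RIG = "192.168.1.30"
LAPTOP = "192.168.1.40"


@dataclass
class Rule:
    """One LAN pass rule: match on source network (and optional destination
    port), then route via `gateway`; None means 'default' (routing table)."""
    src: str
    gateway: Optional[str]
    dst_port: Optional[int] = None
    comment: str = ""

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_src = ip_address(src_ip) in ip_network(self.src)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return in_src and port_ok


def select_gateway(rules, default_gw: str, src_ip: str, dst_port: int) -> str:
    """Return the gateway a flow leaves through under first-match semantics."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.gateway or default_gw
    return default_gw  # no rule matched: the routing table decides


# Correct ordering: specific exceptions above the catch-all tunnel rule.
GOOD_RULES = [
    Rule(f"{VOIP_PHONE}/32", WAN_GW, comment="VoIP phone stays on WAN"),
    Rule(f"{GAME_RIG}/32", WAN_GW, comment="game rig on WAN (toggle as needed)"),
    Rule(LAN_NET, OVPN_GW, comment="everything else through the VPN"),
]

# Common mistake: catch-all first, so the exception rules below never fire.
BAD_ORDER = [GOOD_RULES[2], GOOD_RULES[0], GOOD_RULES[1]]

# Another common mistake: exception rule left on the 'default' gateway,
# assuming default always means WAN.
DEFAULT_GW_RULES = [
    Rule(f"{VOIP_PHONE}/32", None, comment="VoIP, gateway left at default"),
    Rule(LAN_NET, OVPN_GW, comment="everything else through the VPN"),
]


def route_all(rules, default_gw: str) -> dict:
    """Map each sample host to the gateway it would use for a web flow."""
    hosts = {"voip": VOIP_PHONE, "game_rig": GAME_RIG, "laptop": LAPTOP}
    return {name: select_gateway(rules, default_gw, ip, 443)
            for name, ip in hosts.items()}


if __name__ == "__main__":
    # 'Pull Routes' unchecked: the system default route stays on WAN.
    print("good order, pull routes off:", route_all(GOOD_RULES, WAN_GW))
    print("bad order,  pull routes off:", route_all(BAD_ORDER, WAN_GW))
    # 'Pull Routes' checked: the provider pushes a default route into the
    # tunnel, so any flow relying on 'default' now goes through the VPN too.
    print("default-gw rule, pull routes off:", route_all(DEFAULT_GW_RULES, WAN_GW))
    print("default-gw rule, pull routes on: ", route_all(DEFAULT_GW_RULES, OVPN_GW))
```

    Running it shows the two failure modes the thread warns about: with the catch-all rule on top, the VoIP phone ends up in the tunnel regardless of the exception below it, and with routes pulled from the provider, a rule that relies on the default gateway silently follows the tunnel instead of the WAN.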



  • I can't even login to Minecraft if I'm running through the VPN, so it's not just the streaming services that will give you grief.



  • Well, it sounds like using this old router is going to give poor performance, and I'd be looking at $300+ for an appliance to do the job well. On top of that, it sounds like there are lots of reasons not to run the whole network through the VPN anyway.

    So for now, I'll just use the VPN client when I'm putting up the periscope for P2P work.

