Looking on some advice on how to set up home network through a VPN.
-
https://store.netgate.com/pfSense/SG-1100.aspx
$160 USD
https://store.netgate.com/SG-3100.aspx
$350 USD
You can find cheap PCs quite easily, but they will use a lot more power than a small appliance and they usually have craptacular Realtek NICs.
-
Thanks KOM. The SG-1100 sounds interesting.
What is the OPT port?
I assume with this kind of firewall device, which says it has VPN support, that it can be configured to route traffic through a service like NordVPN?
I guess my network topology would look something like this?
-
OPT1, OPT2 etc are additional interfaces, that's all. They are usually extra LANs but you could make one another WAN if you had multiple links. You can rename them to suit the network they represent. I have an OPT1 interface configured as a DMZ and I named it accordingly.
Your diagram is fine except for the voip. Why not put it behind pfSense? If you have it in front then your call quality will be poor if someone is pounding your link. If it's inside, you could configure traffic shaping to prioritize the voip over all else.
Also, there is a fundamental thing you're not getting here. By connecting an interface to your VPN provider, you don't have to force ALL traffic through the tunnel. You can use firewall rules to control which gateway traffic goes out of. This is called policy routing. So you would craft a rule so that the voip phone goes out WAN and all other traffic goes out OpenVPN.
-
@KOM said in Looking on some advice on how to set up home network through a VPN.:
Your diagram is fine except for the voip. Why not put it behind pfSense? If you have it in front then your call quality will be poor if someone is pounding your link. If it's inside, you could configure traffic shaping to prioritize the voip over all else.
Also, there is a fundamental thing you're not getting here. By connecting an interface to your VPN provider, you don't have to force ALL traffic through the tunnel. You can use firewall rules to control which gateway traffic goes out of. This is called policy routing. So you would craft a rule so that the voip phone goes out WAN and all other traffic goes out OpenVPN.
Hi KOM, thanks for explaining stuff to the noob!
I put the VOIP phone outside the firewall as I figured I did not need to obfuscate that data. But as you note, it sounds like I could put it behind the firewall and then configure it to not be obfuscated. Seems easier to just plug it in ahead of the firewall?
I understand that I can control which traffic goes through the VPN and which does not, but one of my goals here is to route all traffic through the VPN so that Google cannot see how we are using the connection and monetize it.
Although now that I think about it, really I only care about web browsing and P2P being snooped by the ISP. I suppose online games could be ignored, but this would have to be configured for all games currently played and updated every time a new game is played?
It just seemed easier to me to put the entire home network through the VPN rather than try to configure and maintain exceptions. Maybe the performance hit will make it worthwhile to do it.
You say "OpenVPN" - I already signed up for 3 years of NordVPN - will the device work with that?
Thanks again,
-
@maillemaker said in Looking on some advice on how to set up home network through a VPN.:
Seems easier to just plug it in ahead of the firewall?
Easier is not always better. Like I said, if voip is outside then your call quality will suffer if someone is maxing out your link via P2P. Having a Gb interface is nice, but it can still be saturated. Call quality can be affected by other traffic even if the link isn't fully saturated, as voip traffic is time-sensitive.
Yes, it can be a nightmare trying to segment different traffic types via policy routing, depending on what you want to do. You probably don't want your games going through the VPN due to added latency. Much better would be to tunnel all your traffic except the voip, and that's easy to do. Then you would have a single rule that directs traffic from your game rig to the WAN that you can easily toggle on or off as needed.
OpenVPN is the protocol used by all these VPN providers. They typically all support OpenVPN. Some support IPSec, which is more often used as a point-to-point tunnel for connecting branch offices, for example, and is more complicated to set up than OpenVPN. The new kid on the block is Wireguard, and only a handful of providers support it. pfSense supports OpenVPN and IPSec, but not Wireguard. Nordvpn is just the company name of your provider, not to be confused with the OpenVPN protocol they support.
-
Warning tip for newbie VPN users! Be aware that it is likely many streaming services such as Netflix, Hulu and Amazon Prime will either just not work at all, or else give you many headaches, due to the use of a VPN source IP. The streaming providers for the most part actively block known VPN address space because so many folks use that in an attempt to bypass geo-restrictions on where content is made available.
While your VPN provider may initially promise the streaming services work, it is usually just a matter of time before the streaming providers find the VPN provider's exit node IP address space and block it. Then it becomes a game of whack-a-mole.
So putting your entire LAN behind a VPN will probably cause you a lot of trouble. Instead, do what @KOM suggested and use pfSense firewall rules with policy routing to control which devices go out over the VPN. For policy routing to work, make sure you ignore any step in the VPN setup instructions from your provider that says to click the "Pull Routes" checkbox. You want that box unchecked for policy routing to work.
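As an added illustration (not from this thread, Netgate or any VPN provider), this is what the policy-routing layout KOM describes and the "Pull Routes" advice above look like as a minimal pf ruleset in the style pfSense generates: VoIP phone and an optional game-rig rule go straight out the WAN gateway, everything else on the LAN is routed into the OpenVPN client. Interface names, gateway addresses and the host IPs are assumed placeholders.

```pf
# Constructed example ruleset (pf syntax as pfSense emits it); all names
# and addresses below are placeholders, not values from the thread.
wan_if  = "mvneta0"       # assumed WAN NIC
lan_if  = "mvneta1"       # assumed LAN NIC
vpn_if  = "ovpnc1"        # OpenVPN client interface pfSense creates
wan_gw  = "203.0.113.1"   # constructed ISP gateway (TEST-NET-3)
vpn_gw  = "10.8.0.1"      # constructed tunnel-side VPN gateway
voip    = "192.168.1.20"  # constructed VoIP phone address
gamerig = "192.168.1.30"  # constructed game rig address

# 1. Time-sensitive VoIP traffic is policy-routed directly out the WAN,
#    so it never competes with the tunnel or adds VPN latency.
pass in quick on $lan_if inet from $voip to any \
    route-to ($wan_if $wan_gw) keep state label "VoIP out WAN"

# 2. The single "toggle" rule for the game rig: disable it (comment it out
#    in this file, or uncheck it in the GUI) and the rig falls through to
#    rule 3 and goes via the VPN instead.
pass in quick on $lan_if inet from $gamerig to any \
    route-to ($wan_if $wan_gw) keep state label "Games out WAN"

# 3. Everything else on the LAN goes through the OpenVPN client gateway.
#    Rules 1-2 are "quick", so order matters: specific hosts first.
pass in quick on $lan_if inet from $lan_if:network to any \
    route-to ($vpn_if $vpn_gw) keep state label "LAN via VPN"

# Note: the assigned VPN interface still needs an outbound NAT rule for
# the LAN network, otherwise replies never come back through the tunnel.
```

The "Pull Routes" checkbox left unchecked corresponds to `route-nopull` in the generated OpenVPN client config, which is what keeps the provider from replacing the default route and silently overriding these rules.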
-
I can't even login to Minecraft if I'm running through the VPN, so it's not just the streaming services that will give you grief.
-
Well, it sounds like using this old router is going to be poor performance, and I'd be looking at $300+ for an appliance to do the job well. On top of that, it sounds like there are lots of reasons not to run the whole network through the VPN anyway.
So for now, I'll just use the VPN client when I'm putting up the periscope for P2P work.