SG5100 + Protonvpn + NIDS/DPI

  • Hi, sorry for a basic question, I have been out of recent network protection for a while.
    My goal is to protect my home office traffic and increase privacy.
    The idea was to use ProtonVPN (OpenVPN); also, it sadly caps at 100 Mbps, whereas my broadband is 1 Gbps.
    Does it make sense to add NIDS/DPI like Snort? I am not sure how it will be able to look inside the IPsec traffic.
    Are those things mutually exclusive?
    I would be interested to hear how others are using the SG5100 / protecting their home networks.

    They are not exclusive; you can run Snort (or Suricata) in combination with a VPN WAN.
    If it's IPsec you can't run it on the tunnel directly, but for home/SOHO use you would probably want to run it on the LAN interface anyway. That gives much better visibility, as you can see internal private IPs.


  • Thank you for the prompt response!
    I am a bit reluctant regarding sending the traffic via VPN due to the performance downgrade, only 100 Mbps. Setting up my own proxy seems to be overkill for a home office setup; maybe a cloud proxy.
    How is the community utilizing Netgate products in the consumer space?

    I assume you mean the VPN provider is capped at 100 Mbps? The SG-5100 should be capable of far more than that.


  • It is the VPN capping for sure; I wonder how to overcome this limitation without losing privacy and security.

    Use a different VPN provider?

    Use multiple VPN connections and load-balance them? That would require routed IPsec or OpenVPN.

  • @paulch7780 said in SG5100 + Protonvpn + NIDS/DPI:

    It is the VPN capping for sure; I wonder how to overcome this limitation without losing privacy and security.

    Which plan do you have? Are you connecting to the Secure Core servers? When I used them, the Secure Core servers were extremely limiting.

  • I tried the Plus package for a week. 100 Mbps seems to be the average, also if you compare to other providers like NordVPN, etc. I think I'll need to give up the idea of using the VPN for all traffic and maybe just use a reliable and privacy-aware DNS service for a start. What is the recommendation there - is anyone using instead of the ISP's DNS settings?

  • I'm suggesting using the standard servers instead of Secure Core. Nord? Yuck, stick with Proton.

    I've used alternate DNS servers for over a decade.

