Netgate Hardware & VPN Questions
-
@nocling said in Netgate Hardware & VPN Questions:
OpenVPN is slower than IPSec.
Other than speed, isn't OpenVPN considered the better method? Is the speed difference large enough that people generally prefer to use IPSec? Since I'm a VPN newb, would one of those be easier for me to configure?
@stephenw10 said in Netgate Hardware & VPN Questions:
Yes, question 2 needs clarification; do you want to be able to use the full bandwidth over the VPN?
That is a much larger requirement than simply being able to pass 1Gbps through the firewall.
Steve
I guess I'm not sure of the difference. Perhaps a true Gbps connection between CO and UT is unreasonable because of the inherent slowness of crossing the internet. I think I mean I want the Netgate hardware to be fast enough to pass 1 Gbps from WAN to LAN if the outside connection is that fast?
-
The SG-3100 can handle Gigabit Internet.
IPSec between 2 pfSense is easy to configure in my opinion.
-
I have a setup just like this except I'm 7000 miles away from my Utah end. I run both OpenVPN and IPsec VPN connections (one for streaming Netflix and the other for remote network access/cameras/IoT stuff, plus some redundancy doesn't hurt). I don't have gigabit connectivity unfortunately due to 3rd world crap internet and the hop over the big waters, but I get 40+ Mbps. The only thing that keeps me from using it as my general network VPN connection is the 280+ ms ping time. I run two SG-5100 and could not be happier.
EDIT: geek fun story - prior to COVID-19 I was on a TDY and my wife (who was in UT at the time) indicated she couldn't print a file. So I, using an inflight internet connection, was able to OpenVPN into the UT end and print the needed file on our printer there. Can't remember where I was at globally when I did this but 40,000 ft and a few miles of distance and I couldn't help but laugh a bit when she said she had the document in hand.
-
To approach Gigabit over any VPN you would need something quite a bit more powerful than the SG-3100 even with no latency.
With an SG-3100 at both ends I would expect something in the 200-300Mbps range. There are many variables though; it's hard to put any sort of exact number on that.
Since you have pfSense at both ends, setting up either IPSec or OpenVPN should not be hard; the examples in the docs apply.
IPSec is generally used for site-to-site tunnels where both ends have a static IP. OpenVPN is more flexible if you need to do anything unusual.
Steve
-
First, thanks everyone for the great advice so far.
@stephenw10 said in Netgate Hardware & VPN Questions:
IPSec is generally used for site-to-site tunnels where both ends have a static IP. OpenVPN is more flexible if you need to do anything unusual.
Steve
I plan on obtaining a static IP address for both locations. So if IPSec is a little faster than OpenVPN, I guess I will use IPSec. I believe I need to set one location (CO) as the VPN server and the other location (UT) as the client, correct?
One thing I still don't understand is how do you access either end of this VPN remotely? Or is that capability really difficult to add?
Does that require a separate VPN connection using third party software? Do you use port forwarding? Would I need to purchase a commercial VPN account? Does it make a difference whether the site to site VPN is using IPSec vs. OpenVPN? Any details about remote access would be greatly appreciated. :)
-
@xraydoc88 said in Netgate Hardware & VPN Questions:
First, thanks everyone for the great advice so far.
@stephenw10 said in Netgate Hardware & VPN Questions:
IPSec is generally used for site-to-site tunnels where both ends have a static IP. OpenVPN is more flexible if you need to do anything unusual.
Steve
I plan on obtaining a static IP address for both locations. So if IPSec is a little faster than OpenVPN, I guess I will use IPSec. I believe I need to set one location (CO) as the VPN server and the other location (UT) as the client, correct?
One thing I still don't understand is how do you access either end of this VPN remotely? Or is that capability really difficult to add?
Does that require a separate VPN connection using third party software? Do you use port forwarding? Would I need to purchase a commercial VPN account? Does it make a difference whether the site to site VPN is using IPSec vs. OpenVPN? Any details about remote access would be greatly appreciated. :)
You have multiple options: either you use port forwarding or you use any reliable VPN (no need for a commercial VPN service). You need to purchase a dedicated IP from your ISP or VPN provider for both ends.
-
IPSec also works with DDNS names.
I use it this way, no problems.
A side-to-side IPSec is a server-to-server connection.
Regardless of who wants to go to the remote side, when the tunnel is down, it will be established.
Client VPN over IPSec: I use the iOS integrated client, with the profile generated from my Netgate. On Windows 10, you need 3 lines of PowerShell to create the VPN tunnel.
Then you could save username + key and connect with 3 clicks.
-
You would have a remote access VPN server configured to allow you to connect from some remote location back to your network. That could be at one end of the site-to-site tunnel or at both ends in case one end goes down.
The site-to-site would be configured to carry traffic from the remote access server such that when you connect from a laptop somewhere you would have access to both sites.
Again you can use either IPSec or OpenVPN for the remote access server but unless you really need to use the included VPN capabilities of the OS on your laptop I would always choose OpenVPN there. You have to install the client but it's waaay easier and more flexible to set up than mobile IPsec and there are clients for everything. Speed is often not a concern for remote access.
Should probably also mention Wireguard....
Steve
-
@stephenw10 said in Netgate Hardware & VPN Questions:
You would have a remote access VPN server configured to allow you to connect from some remote location back to your network. That could be at one end of the site-to-site tunnel or at both ends in case one end goes down.
The site-to-site would be configured to carry traffic from the remote access server such that when you connect from a laptop somewhere you would have access to both sites.
Again you can use either IPSec or OpenVPN for the remote access server but unless you really need to use the included VPN capabilities of the OS on your laptop I would always choose OpenVPN there. You have to install the client but it's waaay easier and more flexible to set up than mobile IPsec and there are clients for everything. Speed is often not a concern for remote access.
Should probably also mention Wireguard....
Steve
Ok, I'm a little dizzy. :)
So if I understand this correctly, there are several different steps I have to do that could make this happen.
- Create a site to site IPSec VPN between my two pfSense routers because it will be faster.
- Create an additional "remote access" VPN server at one or both routers using OpenVPN for simplicity. I agree I don't need the fastest remote connection. OpenVPN and IPSec can coexist on the same router?
- Install an OpenVPN client on my laptop (Windows 10).
Do I understand correctly? Also, I've heard that Wireguard is actually the fastest, but that it hasn't been fully vetted for security flaws yet. Does pfSense have an option to use Wireguard and could all connections be done that way? Or am I getting in over my head? :)
-
You’re right on. Create an openvpn server for each router and then create user certificates so that you can connect from anywhere outside of your network.
For the site to site, you can do the IPSec OR you can use openvpn OR you could run both! I used to run a shared key openvpn site to site connection but wanted to be able to take advantage of the faster GCM algorithms so that required using a SSL/TLS setup (PKI implementation) instead. There were a few more steps but nothing insane. Netgate documentation is outstanding and, coupled with the forum and google, you can normally find your way out of any configuration hole you fall in. I run a routed IPSec site to site connection as well, not so much out of necessity but because I like to learn new things and try different implementations, and the IPSec connection affords me some redundancy should the openvpn ever have an issue. My network connection speed doesn’t allow me to experience any appreciable difference in speed or performance.
My advice is to take this one step at a time. Set up the road warrior openvpn servers and make sure you can connect to both routers from your cellphone or another person’s network. Then focus on the site to site and you’ll have the remote access connection as a safety should you somehow screw something up and not be able to connect to the opposite router via your local network’s vpn connection.
Also, I highly recommend coming up with a well structured format for your network subnets to make it easier to remember what each network setup is. For example, my local network is a 10.20.x.x/24. My trusted LAN devices are 10.20.2.x with the router being 10.20.2.1 and switches and APs being grouped in ups blocks. My kid’s/guest network is 10.20.20.x. My cameras are 10.20.40.x. My DMZ is 10.20.80.x. I use VLANs so the kid’s VLAN is 20, cameras are 40 and DMZ is 80. For my Utah side, I use a 10.10.x.x/24. LAN is 10.10.1.x. Guest is 10.10.10.x. Cameras 10.10.30.x, IoT is 10.10.50.x... you see a pattern? Utah is my “first” network and my overseas one is 2. And of course I use the same structure for my router (10.10.1.1) etc that I use for my local network. This makes it very easy for me to remember my network configurations and not have to look things up in some spreadsheet all the time.
I’ve learned some of these lessons the hard way over time. You’ll undoubtedly discover things you wish you had done differently later down the road. My biggest advice, especially when you’re long distance from the remote network...DO NOT DO UPGRADES OR SIGNIFICANT CHANGES ON YOUR REMOTE PFSENSE OR OTHER CRITICAL NETWORK INFRASTRUCTURE. Something will eventually break, or fail to come back online, or you’ll misconfigure something and find yourself utterly screwed. Trust me! I’ve had to rely on the MILTS (mother-in-law tech support) a number of times. A 5 minute fix for me ends up being 45 minutes and uncontrollable body shakes working with her, God bless her soul.
Lastly, wireguard is great but not available in pfsense yet. They’re working on it. You’ll be just fine using openvpn or IPSec. Don’t want to run unofficial software in your edge router/firewall and maintaining a separate server for wireguard is more work and something else to configure, maintain, patch, and possibly screw up too. Oh that reminds me, make sure all your must have infrastructure is on a good NAS!
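The subnet scheme in the post above exists mainly so that no two networks on either end of the tunnel overlap, since site-to-site IPsec phase 2 entries and OpenVPN "remote networks" both need disjoint subnets. The script below is an added example (not from the thread or from Netgate): it derives each VLAN's /24 from the site and VLAN numbers the way the post describes and flags any overlap, including with a road-warrior tunnel network. The LAN VLAN ids and the tunnel network 10.8.0.0/24 are constructed assumptions, not values from the post.

```python
# Added example: verify a two-site 10.<site*10>.<vlan>.0/24 address plan is
# overlap-free. Site/VLAN numbers follow the post; LAN VLAN ids and the
# tunnel network are constructed assumptions.
from ipaddress import IPv4Network
from itertools import combinations

SITES = {
    "utah":     {"site": 1, "vlans": {"lan": 1, "guest": 10, "cameras": 30, "iot": 50}},
    "overseas": {"site": 2, "vlans": {"lan": 2, "guest": 20, "cameras": 40, "dmz": 80}},
}
# Assumed OpenVPN road-warrior tunnel network (constructed, not from the post).
TUNNEL_NET = "10.8.0.0/24"


def site_networks(site_no: int, vlans: dict) -> dict:
    """Derive each VLAN's /24 and gateway (.1) from the site and VLAN numbers."""
    nets = {}
    for name, vid in vlans.items():
        if not 0 <= vid <= 255:
            raise ValueError(f"VLAN {vid} for {name} does not fit in the third octet")
        net = IPv4Network(f"10.{site_no * 10}.{vid}.0/24")
        nets[name] = {"vlan": vid, "network": net, "gateway": net.network_address + 1}
    return nets


def plan() -> dict:
    """Return {site: {vlan_name: {vlan, network, gateway}}} for every site in SITES."""
    return {s: site_networks(c["site"], c["vlans"]) for s, c in SITES.items()}


def overlaps(full_plan: dict, tunnel: str = TUNNEL_NET) -> list:
    """List every pair of networks (across sites, plus the VPN tunnel) that overlap.

    An empty list means every route, phase 2 entry and 'remote networks' setting
    can be written unambiguously; any hit must be renumbered before building tunnels.
    """
    labelled = [("vpn", "tunnel", IPv4Network(tunnel))]
    for site, nets in full_plan.items():
        for name, info in nets.items():
            labelled.append((site, name, info["network"]))
    return [
        (f"{a_site}/{a_name}", f"{b_site}/{b_name}")
        for (a_site, a_name, a), (b_site, b_name, b) in combinations(labelled, 2)
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    p = plan()
    for site, nets in p.items():
        for name, info in nets.items():
            print(f"{site:9} {name:8} vlan {info['vlan']:3}  {info['network']}  gw {info['gateway']}")
    print("overlaps:", overlaps(p) or "none")
```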
-
That should have been UPS instead of NAS. I like NAS devices as well of course, especially for remote backups.
-
Yes, OpenVPN and IPSec can both be setup on the same router, and commonly are in fact.
They can't be doing the same job; that would create a conflict. So not both trying to connect the same two sites.
And, yes, absolutely take it one step at a time and you should be fine.
I mention Wireguard only because someone else is bound to do so in a thread like this. It's not in pfSense. Yet.
At some point it very likely will be and you might consider using it for part of your setup then.
It isn't quite the all-powerful VPN overlord it's sometimes made out to be though.
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html
Steve
-
I have found one of the best Tutorials for setting up a site to site OpenVPN for pfsense to be here:
https://mitky.com/pfsense-openvpn-site-to-site-vpn/
You don't have to be a tech wizard to get it working. I find that if I have used this tutorial and it's not working, I missed a step somewhere. I wipe everything out and do it all over again and bingo, it works just like you want it to.
If you don't have carrier grade NAT you don't have to have static IP addresses to get OpenVPN to work. If you really want static IPs and want to pay your ISP more go ahead. I usually just set up DynDNS with an online provider. Even if you don't go with a free DynDNS service it's still gonna be way cheaper than paying for two static IPs from your ISPs. If you do go with a DynDNS service make sure you install the Cron package so it will force an update if the IP happens to change.
Now, if you DO have carrier grade NAT where you want the OpenVPN server, you're gonna need that static IP from that ISP....but not the Satellite office.
If you're really just wanting Remote Desktop to work and that's your primary goal I really don't see the need to take advantage of your GB Internet speeds. With RDP, you ain't gonna notice it. Now, if you plan on transferring huge files, video streaming, etc....well, that's different.
-
I currently have two very large NAS devices in the same home in CO. I use the second NAS to automatically back up the important files (movies, pictures, music, surveillance video, computers) that are stored on the first NAS. I had thought about moving the second NAS to UT so that they were in separate locations and wouldn't both die with a fire, etc. I'm not sure if that will work well, but it would require a fast connection between the two for the automated backups.
-
@xraydoc88 I do this with two Synology NAS devices. There's a cool rsync feature that allows you to choose the folder you want to backup, make a schedule, etc. It then copies the whole folder to the other NAS. I use it to backup camera video so that I have a remote copy of captured events should there be a fire or a break in etc which would result in the remote NAS being destroyed or stolen. Again my overseas bandwidth is humble compared to my lovely Google fiber but it works well. I have mine set to backup whenever there's a change to the remote folder but you can have it set to run on a specific day at a specific time. Lots of flexibility to do what you want.
Also wanted to second what you were told about static and dynamic IPs. I have gone for years using a dynamic DNS service, I use Google Domains now, in order to have a FQDN that I can use for my OpenVPN and IPsec connections. I only recently got put behind CGNAT and had to get a static IP. Part of the fun is the adventure but it also sucks when you try to VPN into your home network with no success only to find out your WAN has been assigned a 100.64.0.0/10. Boo.
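Two failure modes from the last two posts are easy to check before blaming the VPN itself: a WAN address inside the CGNAT range 100.64.0.0/10 (no inbound tunnel will ever reach it) and a dynamic DNS record that has fallen behind the current WAN lease (what the cron-forced update guards against). The following is an added example, not code from the thread or from pfSense; the addresses and the record value are constructed sample data, and the classification is only as good as the address you feed it from the WAN interface.

```python
# Added example: classify a pfSense WAN address and detect a stale DDNS record.
# All addresses below are constructed sample values, not from the thread.
from ipaddress import IPv4Address, IPv4Network

SHARED_CGNAT = IPv4Network("100.64.0.0/10")      # RFC 6598 shared address space
RFC1918 = [IPv4Network("10.0.0.0/8"),
           IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


def classify_wan(addr: str) -> str:
    """Return 'public', 'cgnat', 'private' or 'reserved' for the WAN address."""
    ip = IPv4Address(addr)
    if ip in SHARED_CGNAT:
        return "cgnat"      # ISP NAT in front of you: nothing inbound reaches you
    if any(ip in n for n in RFC1918):
        return "private"    # behind another router: forward the port there instead
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "reserved"   # not an address a peer can send traffic to
    return "public"


def inbound_vpn_possible(addr: str) -> bool:
    """True only when Internet peers can initiate an OpenVPN/IPsec tunnel to addr."""
    return classify_wan(addr) == "public"


def ddns_stale(fqdn_answer: str, wan_addr: str) -> bool:
    """True when the DDNS record (what the FQDN resolves to) no longer matches the WAN.

    This is the condition under which a scheduled forced update is worth running.
    """
    return IPv4Address(fqdn_answer) != IPv4Address(wan_addr)


if __name__ == "__main__":
    # Constructed sample: the lease changed overnight, the record still holds the old one.
    wan, record = "198.51.100.23", "198.51.100.7"
    print(classify_wan(wan), "- inbound tunnel possible:", inbound_vpn_possible(wan))
    print("DDNS update needed:", ddns_stale(record, wan))
    print("CGNAT lease 100.64.12.9 ->", classify_wan("100.64.12.9"))
```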
-
I use this with 2 QNAP NAS, RTRR works so well over WAN.
I only have 50 Mbit upload, but with Codel it can run anytime without any latency problems if you want to play an online game at the same time.
It could send over 400GB/d to the Backup NAS through the IPSec Tunnel.
-
Yes, off-site backup is usually a good idea and incremental backups mean it's unlikely you're actually moving terabytes between them every day.
But you should be able to test the speed before you move the NAS and find out if it will be sufficient easily enough.
Steve
-
@stephenw10 You are right. But if he uses a VPN connection on both sides then he has an option to connect with any protocol like OpenVPN or IPSec. I use PureVPN and NordVPN.
-
Um, not sure I understand. Kinda looks like spam...
-
@gabacho4 said in Netgate Hardware & VPN Questions:
You’re right on. Create an openvpn server for each router and then create user certificates so that you can connect from anywhere outside of your network.
For the site to site, you can do the IPSec OR you can use openvpn OR you could run both! I used to run a shared key openvpn site to site connection but wanted to be able to take advantage of the faster GCM algorithms so that required using a SSL/TLS setup (PKI implementation) instead. There were a few more steps but nothing insane. Netgate documentation is outstanding and, coupled with the forum and google, you can normally find your way out of any configuration hole you fall in. I run a routed IPSec site to site connection as well, not so much out of necessity but because I like to learn new things and try different implementations, and the IPSec connection affords me some redundancy should the openvpn ever have an issue. My network connection speed doesn’t allow me to experience any appreciable difference in speed or performance.
My advice is to take this one step at a time. Set up the road warrior openvpn servers and make sure you can connect to both routers from your cellphone or another person’s network. Then focus on the site to site and you’ll have the remote access connection as a safety should you somehow screw something up and not be able to connect to the opposite router via your local network’s vpn connection.
Also, I highly recommend coming up with a well structured format for your network subnets to make it easier to remember what each network setup is. For example, my local network is a 10.20.x.x/24. My trusted LAN devices are 10.20.2.x with the router being 10.20.2.1 and switches and APs being grouped in ups blocks. My kid’s/guest network is 10.20.20.x. My cameras are 10.20.40.x. My DMZ is 10.20.80.x. I use VLANs so the kid’s VLAN is 20, cameras are 40 and DMZ is 80. For my Utah side, I use a 10.10.x.x/24. LAN is 10.10.1.x. Guest is 10.10.10.x. Cameras 10.10.30.x, IoT is 10.10.50.x... you see a pattern? Utah is my “first” network and my overseas one is 2. And of course I use the same structure for my router (10.10.1.1) etc that I use for my local network. This makes it very easy for me to remember my network configurations and not have to look things up in some spreadsheet all the time.
I’ve learned some of these lessons the hard way over time. You’ll undoubtedly discover things you wish you had done differently later down the road. My biggest advice, especially when you’re long distance from the remote network...DO NOT DO UPGRADES OR SIGNIFICANT CHANGES ON YOUR REMOTE PFSENSE OR OTHER CRITICAL NETWORK INFRASTRUCTURE. Something will eventually break, or fail to come back online, or you’ll misconfigure something and find yourself utterly screwed. Trust me! I’ve had to rely on the MILTS (mother-in-law tech support) a number of times. A 5 minute fix for me ends up being 45 minutes and uncontrollable body shakes working with her, God bless her soul.
Lastly, wireguard is great but not available in pfsense yet. They’re working on it. You’ll be just fine using openvpn or IPSec. Don’t want to run unofficial software in your edge router/firewall and maintaining a separate server for wireguard is more work and something else to configure, maintain, patch, and possibly screw up too. Oh that reminds me, make sure all your must have infrastructure is on a good NAS!
OK, I decided to follow this advice and today I tried to setup a remote OpenVPN server at my CO house. I used the Wizard in pfSense. I left most decisions at default. I think I did it correctly. I then exported the client profile and installed it on my Android phone. I was able to import it into OpenVPN Connect. When I connected, I got a statistics page that showed I was connected with data uploading and downloading. It showed me an assigned "tunnel IP address". So I think this is all good.
What I did not see were the computer shares on my home network. I thought I would see these once I connected with the VPN. How do you actually browse your home network on an Android phone?