Netgate Hardware & VPN Questions
-
IPSec also works with DDNS names.
I use it this way, no problems.
A side-to-side IPSec is a server-to-server connection.
Regardless of who wants to go to the remote side, when the tunnel is down, it will be established.Client VPN over IPSec, i use the iOS integrated Client, with the Profile generated from my Netgate. On Windows 10, you need 3 Lines of Powershell to creat the VPN Tunnel.
Then you could save Username + Key and connect with 3 clicks. -
You would have a remote access VPN server configured to allow you to connect from some remote location back to your network. That could be at one end of the site-to-site tunnel or at both ends in case one end goes down.
The site-to-site would be configured to carry traffic from the remote access server such that when you connect from a laptop some where you would have access to both sites.Again you can use either IPSec or OpenVPN for the remote access server but unless you really need to use the included VPN capabilities of the OS on your laptop I would always choose OpenVPN there. You have to install the client but it's waaay easier and more flexible to setup than mobile ipsec and there are clients for everything. Speed is often not a concern for remote access.
Should probably also mention Wireguard....
Steve
-
@stephenw10 said in Netgate Hardware & VPN Questions:
You would have a remote access VPN server configured to allow you to connect from some remote location back to your network. That could be at one end of the site-to-site tunnel or at both ends in case one end goes down.
The site-to-site would be configured to carry traffic from the remote access server such that when you connect from a laptop some where you would have access to both sites.Again you can use either IPSec or OpenVPN for the remote access server but unless you really need to use the included VPN capabilities of the OS on your laptop I would always choose OpenVPN there. You have to install the client but it's waaay easier and more flexible to setup than mobile ipsec and there are clients for everything. Speed is often not a concern for remote access.
Should probably also mention Wireguard....
Steve
Ok, I'm a little dizzy. :)
So if I understand this correctly, there are several different steps I have to do that could make this happen.
- Create a site to site IPSec VPN between my two pfSense routers because it will be faster.
- Create an additional "remote access" VPN server at one or both routers using OpenVPN for simplicity. I agree I don't need the fastest remote connection. OpenVPN and IPSec can coexist on the same router?
- Install an OpenVPN client on my laptop (Windows 10).
Do I understand correctly? Also, I've heard that Wireguard is actually the fastest, but that it hasn't been fully vetted for security flaws yet. Does pfSense have an option to use Wireguard and could all connections be done that way? Or am I getting in over my head? :)
-
Youâre right on. Create an openvpn server for each router and then create user certificates so that you can connect from anywhere outside of your network.
For the site to site, you can do the IPSec OR you can use openvpn OR you could run both! I used to run a shared key openvpn site to site connection but wanted to be able to take advantage of the faster GCM algorithms so that required using a SSL/TLS setup (PKI implementation) instead. There were a few more steps but nothing insane. Netgate documentation is outstanding and, coupled with the forum and google, you can normally find your way out of any configuration hole you fall in. I run a routed IPSec site to site connections well, not so much out of necessity but because I like to learn new things and try different implementations, and the IPSec connection affords me some redundancy should the openvpn ever have an issue. My network connection speed doesnât allow me to experience any appreciable difference in speed or performance.
My advice is to take this one step at a time. Set up the road warrior openvpn servers and make sure you can connect to both routers from your cellphone or another personâs network. Then focus on the site to site and youâll have the remote access connection as a safety should you somehow screw something up and not be able to connect to the opposite router via your local networkâs vpn connection.
Also, I highly recommend coming up with a well structured format for your network subsets to make it easier to remember what each network setup is. For example, my local network is a 10.20.x.x/24. My trusted LAN devices are 10.20.2.x with the router being 10.20.2.1 and switches and aps being grouped in ups blocks. My kidâs/guest network is 10.20.20.x. My cameras are 10.20.40.x. My DMZ is 10.20.80.x. I use VLANs so the kidâs VLAN is 20, cameras are 40 and DMZ is 80. For my Utah side, I use a 10.10.x.x/24. LAN is 10.10.1.x. Guest is 10.10.10.x. Cameras 10.10.30.x, IOT is 10.10.50.x... you see a pattern? Utah is my âfirstâ network and my overseas one is 2. And of course I use the same structure for my router (10.10.1.1) etc that I use for my local network. This makes it very easy for me to remember my network configurations and not have to look things up in some spreadsheet all the time.
Iâve learned some of these lessons the hard way over time. Youâll undoubtedly discover things you wish you had done differently later down the road. My biggest advice, especially when youâre long distance from the remote network...DO NOT DO UPGRADES OR SIGNIFICANT CHANGES ON YOUR REMOTE PFSENSE OR OTHER CRITICAL NETWORK INFRASTRUCTURE. Something will eventually break, or fail to come back online, or youâll misconfigure something and find yourself utterly screwed. Trust me! Iâve had to rely in the MILTS (mother-in-law tech support) a number of times. A 5 minute fix for me ends up being 45 minutes and uncontrollable body shakes working with her, God bless her soul.
Lastly, wireguard is great but not available in pfsense yet. Theyâre working on it. Youâll be just fine using openvpn or IPSec. Donât want to run unofficial software in your edge router/firewall and maintaining a separate server for wireguard is more work and something else to configure, maintain, patch, and possible screw up too. Oh that reminds me, make sure all your must have infrastructure is on a good NAS!
-
That should have been UPS instead of NAS. I like NAS devices as well of course, especially for remote backups.
-
Yes, OpenVPN and IPSec can both be setup on the same router, and commonly are in fact.
They can't be doing the same job that would create a conflict. So not both trying to connect the same two sites.
And, yes, absolutely take it one step at a time and you should be fine.
I mention Wireguard only because someone else is bound to do so in a thread like this. It's not in pfSense. Yet.
At some point it very likely will be and you might consider using it for part of your setup then.
It isn't quite all-powerful VPN overlord it's sometimes made out to be though.https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.htmlSteve
-
I have found one of the best Tutorials for setting up a site to site OpenVPN for pfsense to be here:
https://mitky.com/pfsense-openvpn-site-to-site-vpn/
You don't have to be a tech wizard to get it working. I find that if I have used this tutorial and it's not working, I missed a step somewhere. I wipe everything out and do it all over again and bingo, it works just like you want it to.
If you don't have carrier grade NAT you don't have to have static IP addresses to get OpenVPN to work. If you really want static IPs and want to pay your ISP more go ahead. I usually just setup DynDNS with an online provider. Even if you don't go with a free DynDNS service it's still gonna be way cheaper than paying for two Static IP's from your ISPs. If you do go with a DynDNS service make sure you install the Cron package so it will force an update if the IP happens to change.
Now, if you DO have carrier grade NAT where you want the OpenVPN server, you're gonna need that static IP from that ISP....but not the Satellite office.
If you're really just wanting Remote Desktop to work and that's your primary goal I really don't see the need to take advantage of your GB Internet speeds. With RDP, you ain't gonna notice it. Now, if you plan on transferring huge files, video streaming, etc....well, that's different.
-
I currently have two very large NAS devices in the same home in CO. I use the second NAS to automatically back up the important files (movies, pictures, music, surveillance video, computers) that are stored on the first NAS. I had thought about moving the second NAS to UT so that they were in separate locations and wouldn't both die with a fire, etc. I'm not sure if that will work well, but it would require a fast connection between the two for the automated backups.
-
@xraydoc88 i do this with two Synology NAS devices. There's a cool rsync feature that allows you to choose the folder you want to backup, make a schedule, etc. It them copies the whole folder to the other NAS. I use it to backup camera video so that I have a remote copy of captured events should there be a fire or a break in etc which would result in the the remote NAS being destroyed or stolen. Again my overseas bandwidth is humble compared to my lovely Google fiber but it works well. I have mine set to backup whenever there's a change to the remote folder but you can have it set to run one a specific day at a specific time. Lots of flexibility to do what you want.
Also wanted to second what you were told about static and dynamic ips. I have gone for years using a dynamic dns service, I use google domains now, in order to have a FDQN that I can use for my openvpn and ipsec connections. I only recently got put behind CGNAT and had to get a static ip. Part of the fun is the adventure but it also sucks when you try to vpn into your home network with no success only to find out your WAN has been assigned a 100.64.0.0/10. Boo.
-
I use this with 2 QNAP NAS, RTRR works so well over WAN.
I only have 50 Mbit upload, but with Codel it can run anytime without any latency problems if you want to play an online game at the same time.It could send over 400GB/d to the Backup NAS through the IPSec Tunnel.
-
Yes, off-site backup is usually a good idea and incremental backups mean it's unlikely you're actually moving terabytes between them every day.
But you should be able to test the speed before you move the NAS and find out if it will be sufficient easily enough.Steve
-
@stephenw10 You are right. But if he use VPN connection on both side then he has an option to connect with any protocol like OpenVPN or IPSec. I use PureVPN and NordVPN.
-
Um, not sure I understand. Kinda looks like spam...
-
@gabacho4 said in Netgate Hardware & VPN Questions:
Youâre right on. Create an openvpn server for each router and then create user certificates so that you can connect from anywhere outside of your network.
For the site to site, you can do the IPSec OR you can use openvpn OR you could run both! I used to run a shared key openvpn site to site connection but wanted to be able to take advantage of the faster GCM algorithms so that required using a SSL/TLS setup (PKI implementation) instead. There were a few more steps but nothing insane. Netgate documentation is outstanding and, coupled with the forum and google, you can normally find your way out of any configuration hole you fall in. I run a routed IPSec site to site connections well, not so much out of necessity but because I like to learn new things and try different implementations, and the IPSec connection affords me some redundancy should the openvpn ever have an issue. My network connection speed doesnât allow me to experience any appreciable difference in speed or performance.
My advice is to take this one step at a time. Set up the road warrior openvpn servers and make sure you can connect to both routers from your cellphone or another personâs network. Then focus on the site to site and youâll have the remote access connection as a safety should you somehow screw something up and not be able to connect to the opposite router via your local networkâs vpn connection.
Also, I highly recommend coming up with a well structured format for your network subsets to make it easier to remember what each network setup is. For example, my local network is a 10.20.x.x/24. My trusted LAN devices are 10.20.2.x with the router being 10.20.2.1 and switches and aps being grouped in ups blocks. My kidâs/guest network is 10.20.20.x. My cameras are 10.20.40.x. My DMZ is 10.20.80.x. I use VLANs so the kidâs VLAN is 20, cameras are 40 and DMZ is 80. For my Utah side, I use a 10.10.x.x/24. LAN is 10.10.1.x. Guest is 10.10.10.x. Cameras 10.10.30.x, IOT is 10.10.50.x... you see a pattern? Utah is my âfirstâ network and my overseas one is 2. And of course I use the same structure for my router (10.10.1.1) etc that I use for my local network. This makes it very easy for me to remember my network configurations and not have to look things up in some spreadsheet all the time.
Iâve learned some of these lessons the hard way over time. Youâll undoubtedly discover things you wish you had done differently later down the road. My biggest advice, especially when youâre long distance from the remote network...DO NOT DO UPGRADES OR SIGNIFICANT CHANGES ON YOUR REMOTE PFSENSE OR OTHER CRITICAL NETWORK INFRASTRUCTURE. Something will eventually break, or fail to come back online, or youâll misconfigure something and find yourself utterly screwed. Trust me! Iâve had to rely in the MILTS (mother-in-law tech support) a number of times. A 5 minute fix for me ends up being 45 minutes and uncontrollable body shakes working with her, God bless her soul.
Lastly, wireguard is great but not available in pfsense yet. Theyâre working on it. Youâll be just fine using openvpn or IPSec. Donât want to run unofficial software in your edge router/firewall and maintaining a separate server for wireguard is more work and something else to configure, maintain, patch, and possible screw up too. Oh that reminds me, make sure all your must have infrastructure is on a good NAS!
OK, I decided to follow this advice and today I tried to setup a remote OpenVPN server at my CO house. I used the Wizard in pfSense. I left most decisions at default. I think I did it correctly. I then exported the client profile and installed it on my Android phone. I was able to import it into OpenVPN Connect. When I connected, I got a statistics page that showed I was connected with data uploading and downloading. It showed me an assigned "tunnel IP address". So I think this is all good.
What I did not see were the computer shares on my home network. I thought I would see these once I connected with the VPN. How do you actually browse your home network on an Android phone?
-
@xraydoc88 I do most of everything by IP address. If I want my router I go to 192.168.1.1. My NAS? 192.168.30.21. Etc. You should be able to map any shares you have set up but I don't know if your local computer/phone would see remote shares on its own. I've never tried personally. That'd be something interesting to read up on and experiment with. My setup works for what I've needed so I haven't spent a lot of time messing with other things. Will be curious to see what others might tell you.
-
What are you using to 'browse' with?
If you have configured the server to redirect all traffic over the VPN from the client and you have an allow all rule on the OpenVPN interface then the phone will be able to reach hosts on your LAN remotely. However those hosts may not respond to traffic from the VPN tunnel subnet. Or the phone may be attempting to 'discover' resources on it's own subnet only by broadcasting for them which won't find anything when that's the VPN tunnel.
Steve
-
@stephenw10 said in Netgate Hardware & VPN Questions:
What are you using to 'browse' with?
If you have configured the server to redirect all traffic over the VPN from the client and you have an allow all rule on the OpenVPN interface then the phone will be able to reach hosts on your LAN remotely. However those hosts may not respond to traffic from the VPN tunnel subnet. Or the phone may be attempting to 'discover' resources on it's own subnet only by broadcasting for them which won't find anything when that's the VPN tunnel.
Steve
Well, I didn't really know what you were supposed to do, other than use OpenVPN Connect. When I setup the remote server, I had to choose a tunnel IP range, (192.168.10.0/24), which I made sure was different from my home network. I also had to enter my home network IP range, (192.168.0.0/24). I let the pfSense OpenVPN wizard create two necessary firewall rules. When I use OpenVPN Connect on my phone, it looks connected, and it shows "my private IP" address as 192.168.10.2. That IP wouldn't normally be able to see my network. That's the tunnel IP. But doesn't the VPN somehow convert your tunnel IP to your local IP? Otherwise, how do you ever interact with the home network?
Once I launched OpenVPN Connect on my phone and activated the VPN, I did try to just enter a static private IP address of one of my shared computers (192.168.0.25) into the Chrome browser. That did not work though.
-
What web services are on that host at 192.168.0.25? What do you expect to see there?
Can you ping that IP?
Steve
-
@stephenw10
There are no webservices that I know of. I was just hoping to see my shared folders on that computer. And when connecting with a laptop, I'd like to be able to use remote desktop to control that computer.I don't know how to attempt a ping with an Android phone.
P.S. As I mentioned, I used the wizard to create everything. I also used the export client package to put the profile on my phone. When I look at the OpenVPN "clients" tab in pfSense, it is empty. Do I need to also add my phone there instead of just using the export package? Also, once connected, should the phone appear in that client list automatically? When I thought I was connected, it was not listed.
-
Ok, well Chrome is not an SMB client. It can't look at folders.
Chrome remote desktop might work but you'd need to enable it on host you're connecting to.
In Android you can just open a terminal client and ping from there but there are numerous ping apps you could use.
What would you use to test if you were on wifi at home in the same network?
Steve
