First Time User Config Guides For VPN on Netgate 2100 Firewall?
-
I am new to firewalls and vpns but have some minimal experience and understanding of how they operate. I got myself a 2100 vpn firewall for my home network and to my knowledge have only the firewall enabled. I have a vpn on my machine but want to learn how to enable the firewall's vpn properly, and learn about what all is involved and how it works. Can someone point me to a guide that can help me set up my vpn? Will it be okay if I had both the vpn on the firewall and the one in my OS running at the same time?
I would like to learn about the details in how safe it is, etc. I appreciate your direction.
-
-
@aveplague
The pfSense documentation, or rather the pfSense book, is a very good tutorial on how to set up and configure pfSense.
However, you should already have some knowledge about basic networking. If you lack this, you should start with networking basics. If you have a concrete question, you may come back and ask it here and provide some more details.
-
@viragomann Yes I have very basic networking skill and knowledge, but there are so many options in the firewall backend. There are 6 options for vpns in the vpn drop down lol. The documentation is above my head as it hardly explains which is the better option; there is no preconfig for basic, secure settings. I get that it's great to have all these options, but it feels like I need a 2 year degree to understand how to get a basic configuration for my setup.
I am re-reading the documentation and have been watching dozens of videos on YouTube, most of which are nowhere near basic setups, and require some advanced setup, skill, and hardware. I don't need anything fancy; it's that there are no BASIC guides for beginners. I am frustrated with this.
I will ask here cause this is the place I am sure.
I am running nextdns to anonymize my dns requests and to help prevent dns leaks. I also have a vpn on my OS, mullvad. I have these two set up so that when not using the vpn, nextdns kicks in and hides my true IP. When the vpn is enabled, nextdns takes a back seat and the vpn hides my ip. I check in both configurations on sites like browserleaktest or dnsleaktest, etc., and I see they work perfectly! I love it!
So I wanted to add an extra layer that resides outside of my actual computer, which is why I got the firewall/vpn combo unit. The firewall works perfectly to my knowledge. I even tested this with pentesting-tools or something, and it came back with no vulnerabilities found! It feels like I have a basic secure system so far.
With the vpn in pfsense, I was hoping to add a layer of anonymity or privacy. Will the pfsense work with the configuration I have listed above? I asked this in the reddit for pfsense as the TAC specialist mentioned, but there is no reply, or I think they just deleted my post because I am not a common redditor and made an account just to ask for help there.
I imagine these layers as circles, and within these circles are other circles . . . I hope that the pfsense will be the largest circle of protection and in that my pc circle.
I don't have advanced knowledge of how multi vpns work. I figure, hardware, check, software, check. Then on top of that I will be using Tor. I'd imagine each acting as a layer of anonymity and encryption.
I just need a basic vpn config. Does this mean I select the vpn server itself thru pfsense? Its location? Who runs the server the pfsense vpn is routing my traffic thru? Maybe I don't want pfsense vpn because they would log, and reside in 14 eyes nation agreements?
Reason I want extra layers of protection is for redundancy. If my OS vpn is compromised, there is a killswitch. If that is compromised then nextdns should be hiding my IP. On top of these inner protections, a hardware based outer protection layer - pfsense.
My understanding is limited, but am I right to assume that pfsense would route and encrypt, thru its vpn, the traffic that has been routed and encrypted thru mullvad? Can it do this? Like encrypting encrypted packets; would this aid in privacy and security? I guess I need to know more. I am learning as we speak, but any help you can provide is GREATLY appreciated!
-
For example, just for manually entering an anonymous dns server, say from nextdns, I add the two IP addresses in the DNS servers fill box. But then the options below, IDK what to do, do I check the box or not?
DNS Server Override
Allow DNS server list to be overridden by DHCP/PPP on WAN If this option is set, Netgate pfSense Plus will use DNS servers assigned by a DHCP/PPP server on WAN for its own purposes (including the DNS Forwarder/DNS Resolver). However, they will not be assigned to DHCP clients.
Do I check this box if I want my DNS to be forced thru the IPs I listed above?
And the other option at the bottom. The documentation simply doesn't describe the choice I should want for a basic/advanced config. -
I ran thru another setup of openvpn
https://www.youtube.com/watch?v=E1S6sG4Dqis @5:29
but when it comes to openvpn clients, I am running linux. There is no option for linux? I assume I could dl the openvpn client thru my distro apt manager or Flatpak?
https://flathub.org/apps/details/com.github.jkotra.eovpn -
@aveplague said in First Time User Config Guides For VPN on Netgate 2100 Firewall?:
There are 6 options for vpns in the vpn drop down lol
I can see only 3 on mine.
With the vpn in pfsense, I was hoping to add a layer of anonymity or privacy. Will the pfsense work with the configuration I have listed above?
I didn't really understand what's your intention from your initial post above and I'm not sure if I got you right now.
So you're running a vpn on your computer and now you've set pfSense in front of it, and you want to set up a vpn on pfSense as well and direct your whole upstream traffic through it, so also the computer vpn?
Basically that is doable, even though there would be no use case for something like this. Just consider that each vpn adds some overhead to the traffic and to each packet. Hence the payload of a single packet gets smaller with each vpn layer.
I just need a basic vpn config. Does this mean I select the vpn server itself thru pfsense? - its location? who runs the server pfsense vpn is routing my traffic thru?
Yes. You find a vpn provider who supports one of the vpn types you find in pfSense and configure a client on the firewall.
Maybe I dont want pfsense vpn because they would log, and reside in 14 eyes nation agreements?
It's up to the vpn provider, not in your hands. Some say they don't log, but do it anyway.
but am I right to assume that pfsense would route and encrypt thru its vpn
Those are the 2 basic aims of vpns. They tunnel the traffic through a connection to a specific endpoint. When your traffic gets out to the internet at this endpoint, the packets get the source IP of this endpoint. The original source is no longer identifiable then; only the vpn provider knows it.
just for manually entering anonymous dns server say from nextdns, I add the two ip addresses in the DNS severs fill box. but then the options below IDK to do, do I check the box or not?
I don't know this service. Consider that if this is a usual unencrypted DNS on port 53, the requests are readable on any node in the internet.
However, with default settings the DNS servers you enter here are only used by pfSense itself, but not to resolve requests from LAN devices behind it.
pfSense has the DNS Resolver activated by default, which queries the root DNS servers itself.
But you can set it to forwarding mode or use the DNS Forwarder instead. Then the DNS servers you stated here are used.
With "DNS Resolution Behavior" you can instruct pfSense to use the resolver or the above-stated servers. The options should be understandable.
With "DNS Server Override" you can allow the stated DNS servers to be overridden by the ISP. This is not what you want, obviously, so don't check it.
This is only applicable with automatic WAN address configuration.
ran thru another setup of openvpn
https://www.youtube.com/watch?v=E1S6sG4Dqis @5:29
but when it comes to openvpn clients, I am running linux. There is no option for linux? I assume I could dl the openvpn client thru my distro apt manager or Flatpak?
That's now a vpn server. So you also want to set up a server to connect to your network from a remote location?
Which export package to use for Linux depends on the client. Presumably you will use NM. This should work with the archive.
Unpack it to a folder in your home and import it with NM. Probably you have to set the paths to ca, cert and private key manually, all to the p12 file. And additionally the TLS key in the TLS settings if you have enabled it in the server settings. -
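As an added illustration of the overhead point in the reply above (example code written for this page, not from the thread, pfSense or any vpn provider), the following computes how much of each packet is left for actual data once a host vpn runs inside a pfSense vpn; the per-tunnel byte counts are assumed typical values for an IPv4 underlay, not measured ones, and the layer stack is constructed to match the setup described in the thread.

```python
# Added example (not from the forum thread or pfSense): what stacking tunnels,
# as viragomann describes (host VPN inside a pfSense VPN), does to packet size.
# Per-layer overheads are ASSUMED typical values over an IPv4 underlay:
#   WireGuard:            20 IP + 8 UDP + 16 header + 16 auth tag          = 60 bytes
#   OpenVPN UDP, AES-GCM: 20 IP + 8 UDP + 24 (opcode, peer-id, pkt-id, tag) = 52 bytes
# Real overheads vary (cipher, IPv6 underlay, compression); adjust the table.
from dataclasses import dataclass
from math import ceil

TUNNEL_OVERHEAD = {"wireguard": 60, "openvpn-udp-gcm": 52}

@dataclass(frozen=True)
class Layer:
    name: str   # free-text label for the report
    kind: str   # key into TUNNEL_OVERHEAD

# Constructed stack, outermost (closest to the physical link) first.
STACK = [
    Layer("openvpn client on pfSense", "openvpn-udp-gcm"),
    Layer("mullvad wireguard on the PC", "wireguard"),
]

def innermost_mtu(link_mtu: int, layers: list[Layer]) -> int:
    """Largest packet the innermost traffic can send without any layer fragmenting."""
    return link_mtu - sum(TUNNEL_OVERHEAD[l.kind] for l in layers)

def mtu_breakdown(link_mtu: int, layers: list[Layer]) -> list[tuple[str, int]]:
    """(layer name, MTU left inside that layer), from outermost to innermost."""
    out, mtu = [], link_mtu
    for l in layers:
        mtu -= TUNNEL_OVERHEAD[l.kind]
        out.append((l.name, mtu))
    return out

def tcp_mss(link_mtu: int, layers: list[Layer], ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """TCP payload bytes per packet; the value MSS clamping on the tunnel would enforce."""
    return innermost_mtu(link_mtu, layers) - ip_hdr - tcp_hdr

def packets_needed(app_bytes: int, link_mtu: int, layers: list[Layer]) -> int:
    """How many packets a TCP send of app_bytes needs through the whole stack."""
    return ceil(app_bytes / tcp_mss(link_mtu, layers))

if __name__ == "__main__":
    for name, mtu in mtu_breakdown(1500, STACK):
        print(f"{name:30s} inner MTU {mtu}")
    print("usable TCP MSS:", tcp_mss(1500, STACK))
    print("packets for one 1460-byte untunneled segment:", packets_needed(1460, 1500, STACK))
```

Removing a layer from STACK (or adding Tor, which runs over TCP rather than as a packet tunnel and so is not modelled here) shows how each tunnel trades payload per packet for the extra encapsulation.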
@viragomann Thanks for the reply and all the answers, I will research and continue to attempt to get it configured correctly. I almost got it, but am taking a break today, maybe tomorrow. There is an app for linux, I do have it installed, I see the open vpn configs, but I need to get the app configured and the firewall configured still, to get it working. I really appreciate the tips and clarification!