Multi-topic question: NAT, VPN, possibly IPSEC
-
I am using a Netgate firewall with pfSense and it’s been working fine through several ISP changes. I now have Starlink as an ISP, and that uses CGNAT. Fortunately, changing from the cellular broadband ISP, which was a more “normal” connection (randomly assigned ISP addresses), to Starlink’s CGNAT was either transparent or so simple I don’t even remember having to make changes.
The one thing I can’t do with CGNAT is incoming NAT and port forwarding. I need to be able to access 3 different systems on my LAN from outside the internet. I’ve looked at various VPN services and the ones that offer port forwarding lack other services, like split tunneling on my Mac workstation. I’m looking into alternatives and I’ve found I can get a VPS for a rather low fee and run Debian or Ubuntu on it, so I could use that to set up a tunnel from the VPS to my pfSense firewall.
I probably should point out that I have to use the Starlink modem with my system, so the signal comes in through the dish, goes to Starlink’s modem/router, and uses the 192.168.xxx.xxx address space. From there, it connects to the WAN interface on pfSense and, on the LAN pfSense interface is my LAN in the 10.x.x.x. address space.
I want to be able to use a Linux package on a VPS that will work with a tunnel connecting to my pfSense firewall and be able to use port forwarding, so if I connect to myvps.com:1234, it would connect to port 1234 (or another I pick in the VPS configuration) and, from there, I can use NAT on pfSense to forward it to the appropriate system on my LAN.
While I have a general understanding of what I’m doing, I’m not sure which packages or systems can do this. I don’t mind doing the research for something like this, but I’m finding so many options I’d like to at least know what I’m looking into will work, rather than spending hours reading before realizing I’m on a non-useable path.
I’ve looked into a few possibilities. Part of the issue is that, at this point, I don’t fully understand them and what they can do, and if something is overkill or won’t let me do what I want.
I’ve started looking at:
- OpenVPN: seems incredibly complex and probably overkill for one purpose (only inward bound port forwarding). Also, to be honest, it feels like even a lot of the beginning documentation for this is written for people who already understand the system at some level.
- Algo: Simple to set up and those that like it really like it, but I’m not sure it can do what I want. I’m also not sure if it works well with pfSense.
- WireGuard: Looks like it’s simple to set up. Apparently works with pfSense, but will it do what I want without me having to spend hours configuring it and pfSense?
- IPSEC: I’m still trying to get a feel for IPSEC. Will it do what I want and be easy to set up?
I’m open to suggestions and ideas for which of those systems, or any others, that I should probably look into and explore to handle just incoming port forwarding requests.
If a system allows some kind of security feature, I’d love to hear about it. For instance, if it uses port knocking (is that still a thing?) or a feature where I can connect to a port with a known device like my cell phone as a signal that it’s about to get a legit forwarding request, that’d be great. (I don’t know if such a thing is even possible.)
I’m already using a VPN that handles my outbound needs from my LAN, so all I need is a way to do incoming port forwarding through Starlink’s CGNAT.
-
@tangooversway
You can do this with OpenVPN at least. As far as I know, it should also be possible with Wireguard and IPSec VTI, but I have never set it up.
Algo - never heard, and it's obviously not supported on pfSense.
You have to run a VPN server on the VPS and your local pfSense has to connect to it.
Maybe you can find a VPS where you can run a pfSense on. So you can get support here for the whole setup.
I’m already using a VPN that handles my outbound needs from my LAN
Which one?
-
@tangooversway said in Multi-topic question: NAT, VPN, possibly IPSEC:
I’ve looked at various VPN services and the ones that offer port forwarding lack other services, like split tunneling on my Mac workstation. I’m looking into alternatives and I’ve found I can get a VPS for a rather low fee and run Debian or Ubuntu on it, so I could use that to set up a tunnel from the VPS to my pfSense firewall.
ProtonVPN could do that, but a VPS is a far more flexible approach.
@tangooversway said in Multi-topic question: NAT, VPN, possibly IPSEC:
While I have a general understanding of what I’m doing, I’m not sure which packages or systems can do this. I don’t mind doing the research for something like this, but I’m finding so many options I’d like to at least know what I’m looking into will work, rather than spending hours reading before realizing I’m on a non-useable path.
So far I'd say you don't want to go anywhere near IPsec and totally want either Wireguard, OpenVPN or Tailscale.
OpenVPN
I don't know where the complexity comes from, as configuring OpenVPN is normally quite straightforward. But YMMV of course. As a Client-Server-specific VPN it can do what you are planning quite nicely.
Algo
Literally never heard of it. Also doesn't have a package to support it with pfSense or other boxes AFAIK.
IPsec
you don't want that! Really!
Wireguard
It LOOKS easy, but actually the setup is far from easily done, as the config may be small but one can really get confused, as they are using various names multiple times with other meanings, which I myself find quite stupid, but hey, it is what it is.
But it can do what you want, too, you just would have to set up one side without a "remote" side (as Wireguard is similar to IPsec in that aspect that any of the two nodes may initiate the connection if the other side is configured correctly).
I'd suggest looking into Tailscale as well if you don't have a problem with OAuth logins based on MS, Google or GitHub (the latter actually quite nicely done).
Other than that, IMHO an easy setup would be to set up an OpenVPN or Wireguard server on the VPS, the client side on your pfSense, and let it connect to the VPS (as incoming won't work via Starlink). Once the connection is established (and gets reestablished in case of a connection loss) you can then set up your VPN to forward all traffic or only traffic on specific ports to your pfSense and internal devices as needed.
Cheers
-
@tangooversway said in Multi-topic question: NAT, VPN, possibly IPSEC:
I need to be able to access 3 different systems on my LAN from outside the internet.
You should almost certainly be using a VPN for that and not port forwards anyway. Unless you need to allow public access.
OpenVPN will be the easiest way to do that by some way.
Run an OpenVPN server in a VPS. Connect to that from both pfSense behind Starlink and your own remote client. OpenVPN will route the traffic between them with the correct CSOs in place.
Steve
-
@viragomann said in Multi-topic question: NAT, VPN, possibly IPSEC:
You have to run a VPN server on the VPS and your local pfSense has to connect to it.
That's what I figured I'd have to do. I need something out past the CGNAT connection that can have a tunnel to my firewall.
@viragomann said in Multi-topic question: NAT, VPN, possibly IPSEC:
I’m already using a VPN that handles my outbound needs from my LAN
Which one?
PIA. I like that it has split tunneling, which many don't have on macOS (and some have it on earlier versions, but not on the M1 Macs). It seems like if they have split tunneling they don't have port forwarding or vice versa. PIA does allow one port, but from what I've read, it looks like it forwards through their app on my phone or tablet. And only one port, and I need 2, possibly 3.
@jegr said in Multi-topic question: NAT, VPN, possibly IPSEC:
ProtonVPN could do that, but a VPS is a far more flexible approach.
Do you mean ProtonVPN could do that even without a VPS?
@jegr said in Multi-topic question: NAT, VPN, possibly IPSEC:
I don't know where the complexity comes from as configuring OpenVPN is normally quite straighforward.
Not knowing just what OpenVPN was, I downloaded the client - but didn't have anything to connect to and it was hard to find a page that explained how it worked and that I'd need an OpenVPN server to connect to. I also searched for OpenVPN servers - but I'm just not finding them. Maybe I'm using the wrong terms or something like that. But two of you are saying it's a good idea to try it, so I'll look into setting it up on a low end VPS provider, like Racknerd or Vultr.
@jegr said in Multi-topic question: NAT, VPN, possibly IPSEC:
Algo
Literally never heard of it. Also don't has a package to support it with pfSense or other boxes AFAIK
Okay, so neither of the two people answering here have heard of it. I'm also finding limited documentation on it and nothing on setting it up with pfSense, so it's out. (And now I find someone else has responded since I started writing this - so I'll get to them, as well!)
As for Wireguard, I looked and saw that the packages for it have been removed from pfSense and relegated to experiment, so I'll probably skip that one - also, you indicate it can be a pain to configure.
@jegr said in Multi-topic question: NAT, VPN, possibly IPSEC:
I'd suggest looking into tailscale as well if you don't have a problem with OAUTH logins based on MS, Google or GitHub (the latter actually quite nicely done).
I can do that. No problem.
@jegr said in Multi-topic question: NAT, VPN, possibly IPSEC:
Other then that IMHO an easy setup would be to set up an OpenVPN or wireguard server on the VPS, the client side on your pfSense and let it connect to the VPS (as incoming won't work via Starlink). Once the connection is established (and gets reestablished in case of a connection loss) you can then set up your VPN to forward all traffic or only traffic on specific ports to your pfSense and internal devices as needed.
I'm a bit unclear on this. I know how both tunneling and port forwarding work. I know my inside client (inside being on my side of Starlink's CGNAT) needs to connect to an exterior VPS VPN and that means a tunnel is set up between the two. So once I have the tunnel, all traffic on that VPN goes through the tunnel. Isn't that tunnel on specific ports? So if I connect to myprivatevps.com:1234, doesn't the VPN then send that through a tunnel to pfSense? And does pfSense receive it on whatever port the tunnel is using, or will pfSense see that it's on port 1234?
@stephenw10 said in Multi-topic question: NAT, VPN, possibly IPSEC:
You should almost certainly be using a VPN for that and not port forwards anyway. Unless you need to allow public access.
OpenVPN will be the easiest way to do that by some way.
I'm not clear. I get that if I'm using OpenVPN, that it's setting up a VPN between my VPS and my pfSense firewall, but when I connect to my VPS from an outside computer, doesn't that still amount to port forwarding, just through a VPN?
Or does this mean setting up OpenVPN on my cell and tablet and any computer I expect to use to connect to my LAN? And if that's what you mean, then what if I'm at, say, my wife's office, and want to use her computer to connect? Can I do that by using my phone as a hotspot and using wifi on her computer to connect through that?
From the rest of your reply, I think that's what you're saying. You also mention CSOs. What are they?
-
@tangooversway said in Multi-topic question: NAT, VPN, possibly IPSEC:
but when I connect to my VPS from an outside computer, doesn't that still amount to port forwarding, just through a VPN?
No it would be routed in the VPN, no NATing required.
Yes, that would mean having a VPN client installed on anything you are using to access it remotely. Doing that is far safer than forwarding traffic to something inside your LAN.
You could potentially use a different VPN for that leg of the connection.
CSO is a Client Specific Override. It's used in this case to define the subnets that are behind a VPN client so the OpenVPN server knows which client to route traffic to.
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-overrides.html
Steve
-
@stephenw10 said in Multi-topic question: NAT, VPN, possibly IPSEC:
No it would be routed in the VPN, no NATing required.
Okay, I was thinking getting to that point would be rather complex, but apparently it's not. So when I set that up, and have OpenVPN on my iPad, then the OpenVPN client on pfSense will be a bit like a router, so I can actually enter the IP address for a system on my LAN and it'll connect right to it?
Would my iPad, then, be using the DNS on the LAN? For instance, I have a system named menegroth on my LAN. The domain is arda.ea. pfSense is my DNS and, on the LAN, I just have to type "menegroth/prusa" to pull up the control page for my Prusa 3D printer on that particular Raspberry Pi. Will I be able to do something like that in this setup? (Is that part of a CSO?) Or do I have to specify IP address?
Also, what about the method of using my phone or tablet as a hotspot for another computer if I want to use that other computer to connect to inside my LAN?
-
@tangooversway said in Multi-topic question: NAT, VPN, possibly IPSEC:
so I can actually enter the IP address for a system on my LAN and it'll connect right to it?
Yup. Or if you have DNS servers passed to the OpenVPN client just use local hostnames. But I suggest one step at a time.
Forwarding traffic across a VPN via a hotspot might be possible. It would be up to the phone. That would require a CSO mod so the server knew about the hotspot subnet.
You could still open port forwards from the VPS across the VPN to your LAN if you need to. I just wouldn't leave them open.
-
@stephenw10 said in Multi-topic question: NAT, VPN, possibly IPSEC:
But I suggest one step at a time.
I was thinking about that. I had physical work to do this afternoon, so I had time to think over a lot of this and found I was overwhelmed. My goal is to reach systems inside my LAN from outside. I don't have a problem with doing more, but I realized I need to focus on setting up an OVPN server on a VPS with clients on my iPad (or phone) and on pfSense first. Get it doing what I need. Then add the bells and whistles.
Also, not to sound spoiled or lazy, but I'm using this as a tool. Great that I'm learning (or, in some cases, relearning stuff I've forgotten years ago), but this is a means to an end. I love learning more about computers and open source software, but first I have to get this up and running so I can monitor 3D prints and a few other things and I can't spend but so much time on it.
@stephenw10 said in Multi-topic question: NAT, VPN, possibly IPSEC:
Or if you have DNS servers passed to the OpenVPN client just use local hostnames.
That would be nice. I don't always remember numbers, so being able to just type "menegroth/prusa" or "doriath" (I'm sure Tolkien fans will notice a theme here...) to pull up the web page on the Pi that controls my CNC makes life notably easier than having to use IP addresses.
@stephenw10 said in Multi-topic question: NAT, VPN, possibly IPSEC:
Forwarding traffic across a VPN via a hotspot might be possible.
That would be the last thing I'd tackle. It would make things easier, but there are other things I'd want to get working first.
From what I understand, then, I'll have an OpenVPN server on a VPS. My mobile devices would be clients and so would my firewall running pfSense. I take it the VPN uses a specific address space, so, from my phone, trying to reach certain addresses in the VPN will go through OpenVPN and all others will go out onto the internet (basically split tunneling)? And on my LAN end, can I still use PIA for a proxy without problems? Or will I have to keep track of what I'm trying to access and make changes on a computer on the LAN depending on whether I'm trying to reach another system on my LAN, the "outside" internet, or a mobile device that's also a client on the VPN? All those questions about what I can reach from where seem like a lot. I'm sure to those who are experienced with this, they're no big deal, but after trying one VPN/proxy and finding it didn't have split-tunneling so I could no longer reach systems on my LAN with it on, it's a concern to me now.
-
It could be either but I would set it up as 'split tunneling'. So OpenVPN on pfSense on your LAN will only route traffic to the OpenVPN tunnel subnet or other remote subnets. The server sends the subnets to route to the clients when it connects.
So, yes, you can keep a PIA client separately and route traffic across that without causing a conflict.
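As an added illustration of the setup the replies describe (not configuration posted by anyone in the thread), here is what the OpenVPN server side on the VPS looks like: a dedicated tunnel subnet, a client-config-dir entry with an iroute (the plain-OpenVPN equivalent of a pfSense Client Specific Override) telling the server which client owns the home LAN, pushed routes limited to the tunnel and home subnets so the iPad and pfSense clients get split tunneling rather than a default route, and pushed DNS so a hostname in arda.ea resolves from the iPad. The LAN subnet 10.0.10.0/24, the tunnel subnet 10.8.0.0/24, the pfSense client certificate name pfsense-home, the DNS server address 10.0.10.1 and the file paths are all assumptions chosen for the example; substitute your own.

```conf
# /etc/openvpn/server/server.conf on the VPS (assumed path; example, not from the thread)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none                       # ECDH key exchange; no static DH parameters needed
tls-crypt ta.key              # encrypt and authenticate the TLS control channel
cipher AES-256-GCM
topology subnet
server 10.8.0.0 255.255.255.0 # assumed tunnel subnet; clients get 10.8.0.x addresses
keepalive 10 60
persist-key
persist-tun

# Kernel route: the home LAN (assumed 10.0.10.0/24) is reachable through the tun interface.
route 10.0.10.0 255.255.255.0

# Per-client overrides live here; one file per client certificate Common Name.
client-config-dir /etc/openvpn/server/ccd

# Allow clients to talk to each other inside the tunnel (iPad -> pfSense -> home LAN).
client-to-client

# Split tunneling: push only the home LAN, never a default route (redirect-gateway).
push "route 10.0.10.0 255.255.255.0"
# Hand out pfSense (assumed 10.0.10.1) as resolver so "menegroth.arda.ea" works remotely.
push "dhcp-option DNS 10.0.10.1"
push "dhcp-option DOMAIN arda.ea"
verb 3

# ---------------------------------------------------------------------------
# /etc/openvpn/server/ccd/pfsense-home   (file name == pfSense client cert CN, assumed)
# This is the "CSO" for the pfSense client: the server's internal routing table
# learns that 10.0.10.0/24 sits behind this particular client.
# ---------------------------------------------------------------------------
# iroute 10.0.10.0 255.255.255.0
# ifconfig-push 10.8.0.10 255.255.255.0   # fixed tunnel address for pfSense (optional)
```

The `route` line and the `iroute` line are both required: the first tells the VPS kernel to send the subnet into the tunnel, the second tells OpenVPN which connected client to hand it to. The pushed route for 10.0.10.0/24 also reaches the pfSense client; its own directly connected LAN route takes precedence, or you can tick "Don't pull routes" on the pfSense OpenVPN client. On pfSense you still need a firewall rule on the OpenVPN interface tab permitting traffic from 10.8.0.0/24 to the LAN, and the VPS firewall only needs UDP 1194 open. No port forwards are involved, which is the point of the replies above: the remote device is a VPN client and is routed to the LAN, while the PIA client on the LAN keeps handling outbound traffic unaffected.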