PfSense with OpenVPN Client for Chromecast?



  • So currently all my devices (3 Pcs, 3 Androids, 1 chromecast) are connected to my Asus RT-N66U which is directly connected to the cable modem.
    I tried using the OpenVPN Client on the router but its CPU is too weak to handle more than 10-14mbps.

    I've got a miniITX PC with dual-nic. I thought of installing pfsense on a VM (hyper-v or vmware) as I'm using Windows Server 2012 R2 on it at the moment and installing the miniitx between modem and router.

    But on the Wiki I read that the Pfsense VM shouldn't be directly connected to the modem, it should always be behind a router. As the miniITX doesn't have wireless the chromecast wouldn't get routed through the VPN… now I'm wondering what I should do?

    My goal is simply to have all wireless clients (or simply all, if not otherwise possible) run through the vpn running on the miniitx as my router is too weak to handle 100mbits openvpn.

    This might be rubbish, confusing, stupid but I'm rather new to this and apologize already for the mistakes I've made. If there's any information missing I'll of course gladly state it.

    Thank you


  • Rebel Alliance Global Moderator

    "But on the Wiki I read that the Pfsense VM shouldn't be directly connected to the modem, it should always be behind a router"

    Where did you read that???  Clearly you read it wrong or someone edited the wiki with nonsense.. Please point me to the source of clearly FUD!!

    What do you expect to do with chromecast and vpn?? Chromecast is multicast traffic and doubt would work - maybe with tap vs tun??

    What do you want to use vpn for??  So you want to route your local devices through some internet based vpn service?  What service - and what is your internet connection.  You do understand I doubt your wireless are seeing 100mbit to the internet now.. Chromecast for sure isn't, it's 1x, even if your router is 3x3 - I doubt your devices are capable of 100 wifi..  You sure that limit you were seeing was not just your wifi limit and not the vpn?

    Please point me to this wiki that says vm should be behind router??

    edit:  Ok I have looked over every article in virt section
    https://doc.pfsense.org/index.php/Category:Virtualization

    And nowhere does it say such a thing as should be behind a router..  That is just pure utter nonsense..  Where did you read that at??  Some 3rd party website??



  • https://doc.pfsense.org/index.php/Installing_pfSense_in_vmware_under_windows
    It is better not to have pfSense (and its host machine) directly exposed to the Internet if possible - it is better to have it behind a router or a simple firewall (or even just a NATing modem).

    Chromecast works fine if used behind a VPN, as I used it on my current router.
    Of course I tested the speed limit on a wired gbit connection where it hit the limit at 10-14mbps. The VPN Server is capable of far more as I've tested it on my Windows machine and runs with max. possible speed.
    The VPN Server is my own server (250/250mbits) and my home connection is 100/6mbits.


  • Rebel Alliance Global Moderator

    Yeah that is just not right..  Trying to figure out who posted that..  Double nat is NEVER a good choice..

    Your windows machine would never even get an IP from your isp in that configuration anyway.. It shows tcp/ip being unbound from the interface that is your wan connection.

    So you're just wanting to use pfsense as router to connect to some vpn service, and then route traffic to the internet to that…

    Why do you want to connect your own server for vpn??  Makes NO SENSE at all..  Draw out your network please.  And how you think it should be connected.

    I run my pfsense as a VM on a hp n40L without any issues using esxi- directly connected to the internet.  Just use your router as your wireless AP after you get pfsense up and running.  I would not suggest doing it that way..  Use a type 1 hypervisor would be my suggestion.  Then install whatever other oses you need as other vms on your host.


  • Netgate Administrator

    Yeah, odd advice in that wiki page. Is that specifically a Windows as vm host risk?  :-\

    One good reason to do this would be to route the Chromecast traffic via a vpn server in another country to use some geo-limited service.

    Steve



  • @johnpoz:

    Yeah that is just not right..  Trying to figure out who posted that..  Double nat is NEVER a good choice..

    No kidding. Not sure who introduced that, but that whole page is basically useless, outdated, or bad advice. I deleted it.


  • Netgate Administrator

    Ouch! That's unfortunate.
    Mis-information is worse than no information though.

    Steve


  • Rebel Alliance Global Moderator

    dude you deleted the whole page?  ;)

    I was going to edit some of that nonsense out, and even started but then noticed other stuff that would have to be updated as well to get it up to speed - images of the connections under vmware, etc.

    How do you tell who made the page or did most of the edits?  Some put some work into that page. Too bad it was full of nonsense like that..

    I can understand using a vpn to circumvent regional restrictions - but he says he has his own vpn server?  A bit confused on what he wants to do exactly - but sounds like just use a vpn service with pfsense.. Which yeah is pretty click click these days depending on the service wanting to connect to.  But this confuses me?

    "The VPN Server is my own server (250/250mbits) and my home connection is 100/6mbits."

    So maybe he has a vps running openvpn??  If so then yeah that is pretty simple to connect to from your pfsense.  Been working on howto for using openas – but keep getting side tracked..



  • I will have to post a new "authoritative" thread on how to properly double NAT…  (-:



  • @johnpoz:

    dude you deleted the whole page?  ;)

    I was going to edit some of that nonsense out, and even started but then noticed other stuff that would have to be updated as well to get it up to speed - images of the connections under vmware, etc.

    How do you tell who made the page or did most of the edits?  Some put some work into that page. Too bad it was full of nonsense like that..

    I can understand using a vpn to circumvent regional restrictions - but he says he has his own vpn server?  A bit confused on what he wants to do exactly - but sounds like just use a vpn service with pfsense.. Which yeah is pretty click click these days depending on the service wanting to connect to.  But this confuses me?

    "The VPN Server is my own server (250/250mbits) and my home connection is 100/6mbits."

    So maybe he has a vps running openvpn??  If so then yeah that is pretty simple to connect to from your pfsense.  Been working on howto for using openas – but keep getting side tracked..

    Yeah, it's my own dedicated server running openvpn and yeah I'm planning to bypass certain geo-locks as I travel to countries that have limits on youtube etc.

    Could anyone redirect me to a "proper" wiki page/tutorial/yt link to have pfsense set-up on a vmware workstation running on windows with dual ethernet? The vSwitch part confuses me the most as I don't seem to have that in Workstation.



  • Before I attempt to answer your question, can you please tell me, assuming you have a VPN in the USA, how were you planning to use it?

    You mention chromecast?  Where will the VPN server be?  Where will the TV be?  Where will the Chromecast fob be?  Where will the VPN client be running?



  • @kejianshi:

    Before I attempt to answer your question, can you please tell me, assuming you have a VPN in the USA, how were you planning to use it?

    You mention chromecast?  Where will the VPN server be?  Where will the TV be?  Where will the Chromecast fob be?  Where will the VPN client be running?

    The VPN Servers are in the US, France, Netherlands and Japan, "most" of them are dedicated servers in a datacenter with OpenVPN Server installed and already functioning (tested with my Asus-wrt Merlin Router and Windows client).

    The TV, Chromecast and VPN client (pfsense on a vm) would all be run in the same location, my living room.
    So… TV=>Chromecast=>Wifi-Router=>PfSense VM on a Windows host with VMware Workstation (or Hyper-V if needed) with dual nic=>cable modem

    That's how I planned it at least... to run Pfsense between the wifi router and modem with OpenVPN Client connecting to one of the servers mentioned above.



  • OK - So you are not in the USA but your pfsense VPN server is.  (Very well and normal)

    So, simple thing to do is have something like this:

    Modem > router (pfsense or other.  Doesn't matter.)

    Then router > switch

    On the switch, you can put all your laptops, computers etc.  They will get an IP from the local country - not usa.

    Now, you need a second router with VPN client capability.  I suggest pfsense but DDWRT also works.

    Plug the WAN of that router into your switch.

    Now plug a second switch into the LAN of your second router.

    The second router will be a vpn client to the server in the USA.

    The second router and the second switch and everything plugged into it will function as if it's in the USA.

    So make sure that the TV with the chromecast and any device associated with the TV or the Chromecast is all on that second switch or a wireless AP connected to that second switch.

    Like this you will have a full time local network and a full time usa network.

    On the local network computers, you can always use a software client to attach to your pfsense if you need to also.  Make sure each device has its own separate certificate/common name.

    I know this works fine since I've done it here.  (I don't have a chromecast but I do have other things that always sit on a USA IP this way)


  • Netgate Administrator

    Hmm, well I suppose that makes things logically simple but why not just use a single pfSense router with two internal interfaces?

    Or just one internal interface and policy routing?

    Or just route everything over the VPN as I think the OP wants.  ;)

    Also do it in a VM!  ;D

    @Shadoom: Your requirement to use Windows as the VM host, is that absolute?

    Steve



  • Because he like me is apparently in possession of DDWRT routers.

    But yes - you can do it with one pfsense router with one vlan switch and a configured openvpn interface.

    I have VMS here that are clients to a pfsense set up like that (minus the vlan)

    It requires less hardware to set up but more know-how.

    This way has advantages over using ddwrt in that ddwrt isn't well patched.

    pfsense would be more secure.



  • @stephenw10:

    Hmm, well I suppose that makes things logically simple but why not just use a single pfSense router with two internal interfaces?

    Or just one internal interface and policy routing?

    Or just route everything over the VPN as I think the OP wants.  ;)

    Also do it in a VM!  ;D

    @Shadoom: Your requirement to use Windows as the VM host, is that absolute?

    Steve

    The method Kejianshi posted seems rather advanced and "overkill" for my needs. Although I thank you deeply for your time and help. I thought about a simpler, smaller solution.
    I've seen in this video https://www.youtube.com/watch?v=9E77ZWzN1P4 that he had an internal vSwitch and an external vSwitch on hyper-v. But I'm too inexperienced with pfsense/networking to know if that's the right thing to do with dual nics.

    Which host would you recommend? Windows is not absolute but I do use the machine for the occasional retro gaming session.



  • My way is the dummy way…  haha.

    The other way has a smaller hardware footprint and is better if you can configure it correctly.


  • Netgate Administrator

    If you're going to use windows you just need to be sure the host OS doesn't have a public IP at all. All traffic from the host OS must go via the pfSense VM which means setting up a virtual interface that exists both for the host and the pfSense VM and disabling the Windows networking protocols on the real NIC which is being passed through to the pfSense VM WAN.

    What you're suggesting is certainly do-able in any supported hypervisor. Since they're all slightly different I would go with whatever you're happiest using.

    I wouldn't follow that youtube clip though. You should never add scripts in locations like he does there.

    Steve
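
The host isolation described in the post above, sketched for the Hyper-V option mentioned in the thread. This is an added example, not part of any forum post or of the pfSense documentation; the adapter names, the switch names and the VM name `pfSense` are assumptions, and the VM is assumed to exist already and be powered off.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# All names below are assumptions; list your adapters with Get-NetAdapter.
$WanNic = 'Ethernet 2'   # assumed: physical NIC cabled to the cable modem
$LanNic = 'Ethernet'     # assumed: physical NIC cabled to the Wi-Fi router/AP
$VmName = 'pfSense'      # assumed: name of the existing, powered-off pfSense VM

# WAN switch: -AllowManagementOS $false gives Windows no virtual adapter on it,
# so the host OS can never take an address from the ISP.
New-VMSwitch -Name 'pfSense-WAN' -NetAdapterName $WanNic -AllowManagementOS $false

# LAN switch: the host keeps a virtual adapter here and reaches the Internet
# only through the pfSense VM, like any other LAN client.
New-VMSwitch -Name 'pfSense-LAN' -NetAdapterName $LanNic -AllowManagementOS $true

# Give the VM one adapter on each switch (WAN and LAN).
Add-VMNetworkAdapter -VMName $VmName -SwitchName 'pfSense-WAN'
Add-VMNetworkAdapter -VMName $VmName -SwitchName 'pfSense-LAN'

# Check the WAN NIC: only the Hyper-V switch protocol (vms_pp) may stay bound.
# Anything else (IPv4/IPv6, file sharing, ...) is unbound from that NIC.
Get-NetAdapterBinding -Name $WanNic |
    Where-Object { $_.Enabled -and $_.ComponentID -ne 'vms_pp' } |
    ForEach-Object {
        Write-Warning "Unbinding $($_.DisplayName) from $WanNic"
        Disable-NetAdapterBinding -Name $WanNic -ComponentID $_.ComponentID
    }

# Fail loudly if the host still holds any IP address on the WAN NIC.
$hostIps = Get-NetIPAddress -InterfaceAlias $WanNic -ErrorAction SilentlyContinue
if ($hostIps) {
    throw "Host still has $($hostIps.IPAddress -join ', ') on $WanNic"
}
Write-Output "Host OS has no IP on $WanNic; WAN traffic terminates in $VmName."
```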



  • Chromecast is picky.  It's not going to like NATing between subnets.  You need to keep it and everything associated with it on one subnet.


  • Netgate Administrator

    Yep that's true you have to have the Chromecast and whatever device you're controlling it from in the same subnet. That would probably mean both those devices having all their traffic routed over the VPN but I don't think that's a problem for you.

    Really the difficult part of what you're suggesting is trying to achieve it in a VM. And that isn't really that difficult if you're familiar with the hypervisor.

    Steve



  • I wouldn't use either workstation or player.  I'd use ESXI.  But that's a dedicated box, so a small hardware appliance is probably better.


  • Netgate Administrator

    Yep I'd use ESXi too but that does limit the retro gaming potential.  ;) Maybe very very retro games?  ;D

    Steve


  • Rebel Alliance Global Moderator

    I don't get it.. Either put pfsense on a type 1 vm host, or run pfsense direct on it.  Or get some hardware for pfsense to run on, etc.  It's not like any of these options bust the bank.. An OLD pc will run pfsense just great!!

    Not like this poster doesn't have spendable cash with multiple servers all over the globe for it seems to circumvent regional restrictions.  If not mistaken netflix and stuff just needs dns redirection to bypass most of those - not full blown vpn.



  • I agree that esxi is probably the best solution for it.
    But I had hoped for an all in one solution as I'd like to keep devices used and physical space consumed to a minimum. I'll try the method stephen has explained tomorrow when I've found some docs on it. Thank you for that :)