VPN on a separate LAN?
I'm a home user. I have a zotac ci321 running pfsense as a router. The zotac has two nic's, one which I use for my lan and one that I use for wan/connecting to my isp. My lan is on 192.168.1.0/24 and my wan has a static ip my isp provides.
Everything is running just fine.
Around april I'm going back to study for a while and I plan buying a new laptop for that purpose. The school runs a wide open wifi network, no security what so ever, just a bunch of posters on the walls informing you of what wifi network to add. Personally I don't really get why they run it like that, but that's their pain.
Personally I don't feel like using unencrypted wifi, sharing my packets with whomever feels like sniffing stuff with wireshark. Last time I went to the school I brought my work laptop and connected to the work vpn before doing anything substantial on the net, but my work laptop is old and slow and heavy and bugs me in a lot of ways, so this april I'll be sporting a nice new laptop of my own - however my new laptop won't be allowed on the company vpn, so I need to figure out something else.
There are plenty of guides teeling me how to set up a vpn service on pfsense, letting my new laptop connect to my home lan and surfing the net through my home internet connection. However I don't really feel like opening up my home lan to a vpn from the outside, I just want a way to surf the net in a more secure fashion than through an unencrypted wifi at school.
Here's what I'm thinking, let me know if it's possible.
I add a virtual nic/loopback address in pfsense, if possible?
I create a 192.168.2.0/24 lan on the virtual nic.
That leaves me with:
1 physical nic connected to my wan.
1 physical nic connected to my 192.168.1.0/24 lan.
1 virtual nic connected to a virtual 192.168.2.0/24 lan.
I set up a vpn service on the 192.168.2.0 network, so when I connect my laptop through vpn from the outside, it get's a connection to my otherwise empty 192.168.2.0 network.
I set up routing so that the 192.168.2.0 is allowed to use my wan connection, but not connect to my 192.168.1.0 network.
I make sure that pfsense configuration can only be done from the 192.168.1.0 network.
I have no need or wish for my laptop (or anyone else) to be able to connect to my 192.168.1.0 lan from the outside.
My thinking behind it all is, that in the unlucky event that someone manages to hack my vpn password, all they will find is an empty 192.168.2.0 network and the ability to use my internet connection. They won't be able to get to my 192.168.1.0 lan or make a mess of my pfsense.
Meanwhile I'll be able to use the open wifi at school to make a vpn connection and use my home internet connection, forcing whomever runs wireshark to have to crack my vpn security in order to sniff anything useful from my data packets.
Is the above a viable solution or is there a better way to do it?
That should work just fine. You set up an OpenVPN server on pfSense, assign it to the interface you created, and create firewall rules on the new interface to allow traffic back out the WAN. Nothing will touch your home LAN unless you explicitly allow it and your traffic on the school network will be ignored in favor of lower hanging fruit.
After a bit of struggle I got it working.
It's been a crash course in certificates and stuff like that, I just couldn't get everything to line up properly. Most guides shows how easy it is to export vpn settings to a windows client, but I run linux and had to struggle some more.
At one point I even swapped out the drive in my laptop to an old harddrive installed with windows - just to see it work - which it didn't..
Then I discovered that even though I've told my ISP supplied router/modem to fork over the entire connection and external ip to my pfsense box, believing that would make the router/modem function as a pure modem, for some peculiar reason the firewall in the router/modem were still active. I disabled that, leaving the firewall duties to pfsense and suddenly everything worked.
I flopped the linux drive back into the laptop and whadda'ya'know the linux vpn client worked just fine too..
Finally I modified the firewall rule for openvpn to block access to my local lan, so now I can connect to the virtual lan and use my internet connection to surf the web, while my home lan remains off limits fomr the outside.
All in all I'm a happy camper!