Comments

  • @LAWRENCESYSTEMS 1 year ago +11

    Tutorial: Using Tailscale VPN with the Self Hosted Headscale Controller
    czcams.com/video/-9gXP6aaayw/video.html
    How to Setup The Tailscale VPN and Routing on pfsense
    czcams.com/video/P-q-8R67OPY/video.html
    Tutorial: pfsense Wireguard For Remote Access
    czcams.com/video/8jQ5UE_7xds/video.html
    Basic Site-to-Site VPN Using WireGuard and pfSense
    czcams.com/video/2oe7rTMFmqc/video.html
    ⏱ Timestamps ⏱
    00:00 ▶ Which VPN for pfsense
    01:21 ▶ Tailscale Device VPN
    03:16 ▶ Tailscale Site to Site VPN
    04:09 ▶ Wireguard Device VPN
    05:24 ▶ Wireguard site to site VPN
    06:26 ▶ pfsense OpenVPN
    08:07 ▶ OpenVPN Shared Key Deprecation
    08:28 ▶ IPSEC VPN

    • @TwstedTV 1 year ago

      Reports on the internet say people should stay away from IPSec and 4 others I can't remember, because the NSA and other federal agencies have cracked these to the bone,
      and they have direct access keys into anyone's data going through IPSec.

    • @LAWRENCESYSTEMS 1 year ago

      @@TwstedTV Don't know "what reports on the internet" you are reading but they are not true. IPSec is safe.

    • @jamescampolo7824 1 year ago

      Customer went a different route, dual ISPs separate networks for POS and surveillance.

    • @mikescott4008 10 months ago

      With OpenVPN do you use DCO much? I am using hardware that supports QAT and will explore WireGuard too later. I had IPsec working to an untangle for a while. From an iPhone you’d say wireguard is the fastest?

  • @Ingeanous 1 year ago +6

    Great vid. Many different options will work as long as you're up to some config tinkering. I use the OpenVPN option with PIA client configs. Technically, my pfSense (PROXMOX VM) clients are double NATed because they sit behind an additional Ubiquiti edge router. Multiple PIA VPN tunnels to different endpoints stay up 24/7 with little problem other than the occasional service restart. Traffic is routed to the VPN tunnels using pfSense firewall rules to send specific VLAN traffic to virtual gateways (VPN interfaces). Return traffic is routed from the edge router via static routes for the VLAN IP ranges back to the pfSense WAN interface. Good luck tinkering if you are reading this and go down the rabbit hole.

  • @J-D248 1 year ago +5

    Yes! I just setup Tailscale. Perfect timing. Thank you, your videos are great!

  • @h4X0r99221 1 year ago +9

    Literally thought about replacing OpenVPN with Wireguard for my S2S VPN between my pfSense boxes this exact morning! Once again, the perfect timing :D

  • @ctid107 1 year ago +7

    Love the little homage to "The IT Crowd" !

  • @Ecker00 1 year ago

    Perfect, thank you for explaining these side by side!

  • @michaellerch 1 year ago +2

    Great to see you around GrrCon! Thanks for doing another great video!

  • @STS 1 year ago +1

    I had some trouble with configuring / starting out with WG in pfsense recently, I'm quite interested in testing it out though. I'll have to take another look - great video

  • @PowerUsr1 1 year ago

    Good stuff here Tom. Thanks for the video !

  • @NeilHyndman 1 year ago +1

    LOVED this video! Thank you for this video!

  • @RustyBrakes 1 year ago +3

    Not quite perfect timing for me, I've just spent yesterday setting up Tailscale. However, I have to say it is SO IMPRESSIVE. No open ports, and close to zero config needed.

  • @Nixxx2000 1 year ago +1

    Just installed openvpn in pfsense proxmox vm. I really like that I could export profile to PC and mobile. Configuration is very easy and everything works as intended

  • @amarkhadka8777 1 year ago

    BROTHER, YOU ARE THE BEST!!! You oooh really helped me!! THANK YOU VERY MUCH!

  • @philippe_demartin 1 year ago

    For Wireguard without public IP, I've set up wireguard server on Digital Ocean cheap droplet, works like a charm

  • @leaderbot_x400 1 year ago +1

    Personally, I use openvpn and tailscale at the same time, and I have to say I love mesh VPNs and the fact that I don't have to open any ports for it to work

  • @ramrod2k 1 year ago

    very helpful explanation, thanks for the video

  • @privacypendulum3435 1 year ago

    Thanks for the information on these solutions. I am going to go with OPENVPN btw!

  • @cp-tu8tb 1 year ago +1

    I use Tailscale to create a secure connection from family members to my Unifi Controller, I don't have to open up ports that way, and I only need 1 controller. I also have a dedicated VLAN for the Unifi / network hardware.

  • @ronsflightsimlab9512 4 months ago

    Incredibly helpful. Thank you!

  • @connclissmann6514 1 year ago

    Thanks for the run through. I am so old, I am still using IPSEC so I must look into the others you discussed.

    • @MR-vj8dn 1 year ago

      I’d love to learn more about IPSEC. It’s my preferred VPN.

    • @Darkk6969 1 year ago

      I still use IPSec for site to site VPN and it's a very solid platform long as it's being updated with new ciphers.

    • @connclissmann6514 1 year ago

      @@MR-vj8dn The main things to know about IPSEC setup are that it is set up using two "phases" and that the settings for a site-to-site tunnel *must* be identical at each end. As different manufacturers use different phraseology this can be tedious but there are great resources on the web. Once set up, it is very solid. Start with pre-shared key (PSK some call it) and move on to more ambitious encryption once you have that working, if you feel you need to. Having a fixed IP or DDNS is also a great security addition and adds to the ease of the setup.

    • @ricknroll963 1 year ago

      @@connclissmann6514 yup, my journey was to set up 10 Sonicwall and 42 pfSenses as a fresh network tech 7 years ago. I had to do a lot of speed up learning without any help but forums and CZcams. I initially set up everything as a hub-and-spoke which was a nightmare to understand and troubleshoot at first. Once I got more experience and learned about OSPF I reconfigured it and it was so easy compared to my first setup. Just wish I had someone by my side in the beginning.

  • @zparihar 1 year ago +2

    I've been using OpenVPN on pfSense with users authenticating FreeIPA (which is based on OpenLDAP) for the past 6 years

  • @zenja42 1 year ago

    I have to deal with a lot of enterprise stuff... IPSEC and older with monsters of static routing tables. Right now I try to replace them with 3 Servers (in different Datacenters with different ISPs and Upstreams) where every Network (connects to all) and client (to one random) server. Networks speak BGP over every of the 3 connections. The 3 Servers each have sessions to another and the client pool is just nat'ed so I don't have to take care about routing for them.
    The servers are arch, wg, systemd-networkd, with rsynced client config.

  • @MichalSedilek 1 year ago

    I tried and it is installed thank u very much anda

  • @KennethQvarfordt 1 year ago +3

    I kind of like using L2TP for user VPN. The nice thing with it, it embeds the user's credential for SMB. So if a user connects to a remote site and tries to use SMB to access one of the remote servers it tries to authenticate using the VPN L2TP credentials first. OpenVPN doesn't do that. OpenVPN always works though. Windows has a tendency to always break L2TP every so often and it can be very much a pain to figure out how to fix it.

    • @Jerryhze0129 1 year ago

      L2TP support is starting to get dropped by clients, so we moved to IPsec IKEv2 with user authentication to AD and it works great with built-in client support. Don't want to deal with extra apps.

  • @UntouchedWagons 1 year ago +6

    I hope there's a wireguard client config generator added to pfsense. It didn't take me that long to make the configs for my phone and laptop but I had to use the wireguard program on my desktop to generate the public/private keys which was a bit of a faff.

    • @Darkk6969 1 year ago

      I found a script on github that lets you do that. Still have to manually copy and paste the keys into pfsense which is fine. Hopefully the author of pfsense's Wireguard add-on will add this feature.

  • @mennod5193 1 year ago

    Do you have a best practice to configure multiple VPN-servers (WireGuard protocol) in your PfSense+ setup? So for example when VPN-server 1 (US) is down you can (automatically) switch to VPN-server 2 (UK)? Do you add multiple peers to the tunnel?

  • @techsx 1 year ago +1

    If site 2 site open VPN shared key goes deprecated, what would be the alternative open VPN mode? Authorize with certificate?

  • @timothyreed7709 1 year ago

    Hey! Can you cover some options for lan-wide ad blocking? I really want to get rid of youtube ads and trackers but I can't download adblock to my Apple TV

  • @jeevis2 1 year ago +2

    Very sad that you didn't bring up Zerotier as a VPN as well.
    I love this information though, and it brings up some very good points and issues with hosting a home VPN.

    • @LAWRENCESYSTEMS 1 year ago +6

      I have a few videos on Zerotier but it is not officially supported in pfsense so it's not in this video.

    • @jeevis2 1 year ago +4

      @@LAWRENCESYSTEMS My mistake. I use Opnsense and forgot they don't have the same packages.

  • @DarrolKHarris 1 year ago

    great job

  • @SB-qm5wg 1 year ago

    I've been using openconnect and anyconnect (Cisco) for ages now.

  • @raul230285 1 year ago +1

    Your videos are the best, I would like to know if you could try or talk a little about the VPN that is also worked by Wireguard called Netmaker. Greetings from Peru.

    • @LAWRENCESYSTEMS 1 year ago

      I am aware of it but have not had any time or reason to test it.

  • @radupopa6642 1 year ago

    A regular tailscale node can be configured to use another exit node, if that other node was approved to act as an exit node for the tailscale network.
    Is there a way to configure the pfSense tailscale node to use an existing exit node? I could not figure this out...

  • @z400racer37 1 year ago +1

    Badass shirt 😎👍🏼

  • @rollinthedice7355 1 year ago

    I just won't use packages in pfSense so I only use OpenVPN at the moment.

  • @ernestyeap3053 3 months ago

    VPNs should also prevent screen recording, screen shots, have camera control, location control, and blocking the microphone. I've yet to see any VPNs doing this.

  • @StateOfCharge 1 year ago

    Can you do a video and share your thoughts on Twingate? It’s been a great option for me and I am curious your thoughts. Thanks!

    • @LAWRENCESYSTEMS 1 year ago

      Nope, I don't use or plan to use Twingate, don't see anything compelling they offer.

  • @maxpuissant2 1 year ago

    Does someone know a good industrial router that supports pfsense with 24v input power supply?

  • @LandOfAbundance 9 months ago

    I love Wireguard

  • @BradBazooka 1 year ago

    Where can we get the shirt?

  • @elcolin_ 1 year ago

    Just finished a CompTIA Net+, Sec+, and CCNA courses through the VA at an IT school for Veterans. Have applied to over 115 jobs in the past 2 months. Can't get a job anywhere. Everyone wants you to have a PHD for an entry level IT job. It's depressing and discouraging out here! So desperate for someone in IT somewhere to give me a chance to get started. Can't get a job without experience, can't get experience without a job. Yay.

    • @Monarchias 1 year ago +1

      I guess I know a solution for you. If you have any spare pc or laptop which have a cpu with virtualization support, and have minimum 2 cores and 4 threads, for that 8 GB Ram, 1-2 HDD and 1-2 SSD, a Gpu with 1 GB vRam, 2 network cards, you are good to go for a Proxmox server. 1-2 old pc with these specs or scaled up with the degree of 1 cpu and 2GB ram ways, you can make your own experience for a start. In proxmox you can make VMs, be it a pfsense or win or linux or anything. The minimum 2 network port is for reaching advanced level quickly, by adding more to your network and subnets as well. By the months you will find yourself gaining experience because you might break it and learn from it. An old pc, an old router or switch, few net cables and the above mentioned details and you'll be fine and will find work. Until, it will make you busy learning from your builds. Good luck, have fun.

  • @FaithMediaChannel 1 year ago

    Same here

  • @stownplayer 1 year ago

    Wireguard is the way. I used openvpn for years but it's just clunky and has a large overhead. Plus I really don't need user tracking. Wireguard was also easy to tunnel only certain network traffic rather than forcing all traffic through the vpn. Very impressed currently and once I figured out my config files for clients it's easy to deploy.

    • @Casper76 10 months ago

      I am new to pfSense and am now trying to direct certain traffic to bypass the VPN. I've added some hosts to an Alias, and put firewall rules for all interfaces to pass all traffic to Destination: Alias through the WAN gateway, but the traffic is still over the VPN.
      What I'm trying to do seems to be the inverse of what you find easy, I'd imagine the steps are very similar? I'd love some ideas, you seem knowledgeable :)

  • @nully.emptier 1 year ago

    for privacy... own VPN on own VPS with own CA, no log, all devices connected, access to home nas from internet

  • @Str8ChillinOfficial 1 year ago

    I need to set up a Hub-and-spoke WAN topology for myself and two other parties - what do you think would be easiest for this? I also don't want one of the spoke sites to be able to reach back to me, but I assume that requires some firewall configuration?

    • @ricknroll963 1 year ago

      Yes, I used to have it due to limitations of VPNs (20) on Sonicwall TZ 400. It was my first dive into networking and was quite a nightmare and crazy uphill learning experience. It took me a while to understand everything and make it work but once it worked it never broke.

    • @ricknroll963 1 year ago

      I had 10 Sonicwalls and 42 pfSenses, so you can imagine. I found a guy who created me a management in the cloud for pfSenses. You could do a port scan from it, bulk reboot, bulk upgrade and it would upload config for each pfsense box anytime you make a change on it. There was telemetry as well and few other things.

  • @jamescampolo7824 1 year ago

    Does the 1100 support IDS/IPS? I plan to use one of these devices in a very low bandwidth scenario. Probably less than one megabyte/sec.

  • @faxmodem2397 1 year ago

    I want to use an in-house software for the use of employees, do you think it meets my needs?
    Employees can connect from outside the company and use the software installed on the company's server

  • @Anavllama 1 year ago

    Comes down to using third party or not, be it a third party VPN provider or (tailscale servers). Being a MT user, it's do I use zerotier or wireguard. I wonder which you prefer tailscale or zerotier?

    • @LAWRENCESYSTEMS 1 year ago

      tailscale has really nice integration with pfsense which is why I mentioned it in the video, but Zerotier is great as well.

  • @dwaynelarose278 1 year ago +2

    Hamachi burned before so will stick to building my own thing with WireGuard

    • @spoonydx 1 year ago +2

      Wireguard has filled the Hamachi shaped hole in my heart. Still stings though, even after all these years.

  • @AceBoy2099 1 year ago

    Possibly an oddball question, wireguard on unraid vs on pfsense/opnsense? Which would be the preferred way to run it? Any "gotchas" to look out for one way or the other?

    • @LAWRENCESYSTEMS 1 year ago +1

      I prefer the VPN to run on the firewall.

    • @Dezjam1 1 year ago

      I know this is a bit long in the tooth now but one thought I have had as I use both pfSense and Unraid is if you’re running it via Docker and you isolated your additional docker servers to their own network then your client peers should tunnel in and be isolated to the docker network on the Unraid host vs your Unraid host via router and firewall rules. I’m thinking friends accessing gaming servers etc. in this case mostly. I have not tried it at the docker level on Unraid, so might be missing something. Just a minimal exposure thought mostly.

  • @elksalmon84 1 year ago +1

    OpenVPN isn't even just password. Don't know about pfSense, but with OPNsense you can make 3-factor authentication - password, one-time password (TOTP) (adding static-challenge "OTP" 1 into config will separate password and code) and personal certificate with strict matching.

    • @LAWRENCESYSTEMS 1 year ago +2

      Yes, you can have multiple auth mechanisms with OpenVPN

  • @splinters_pinter 1 year ago

    I love Tailscale but they have some serious issues. I have iOS and the client eats data for no good reason. It’s been reported quite a bit on their own forums. It ate 3GB of my cell plan for no good reason.

  • @alphakamp 1 year ago

    In my experience tailscale and openvpn are significantly slower than wireguard or ipsec.

  • @samimkaddem7437 1 year ago

    I recently tried site-to-site ipsec on two pc Intel i3 with 8gb of ram each. The performance was horrible and I had to drop encryption to the most basic to get it just to work. Any idea???
    Is it possible to do a tutorial on setting up site-to-site ipsec on physical machines?

  • @maxhax4243 1 year ago

    I'm currently labbing in Azure, configuring S2S VPN (ipsec). And then this video just appeared - lol.

  • @dougle03 1 year ago

    No mention of Zerotier? I use it widely for secure linking. Never got its site 2 site working though, so there is that...

    • @LAWRENCESYSTEMS 1 year ago +2

      The video was about VPNs in pfsense and it's not built in.

    • @dougle03 1 year ago

      @@LAWRENCESYSTEMS Ahh, yes fair enough. Good video.

  • @protextheptxperts2204 11 months ago

    Do you have a video on how to implement OpenVPN with LDAP? If we have 50+ users on our AD, do I have to create user accounts on pfsense, or will users be pulled from AD once LDAP is configured?

    • @timalbrecht5120 9 months ago +1

      Users will be pulled from AD after LDAP is configured.

  • @kyopan23 1 year ago

    Would wireguard for site to site and OpenVPN for client auth in one of the sites work?

  • @musicindus1 11 months ago

    Can we use restricted region video using mesh VPN, such as tailscale, twingate?

    • @LAWRENCESYSTEMS 11 months ago

      Tailscale lets you choose devices to be an exit node.

  • @Prime_BDE 1 year ago +3

    Hey Lawrence, I'm having an issue with Wireguard on PfSense compared to using the VPN apps in Windows. The speed is considerably slower ( tested 2 different connections). Difference of 120/150 compared to almost full 500 down using the app. I'm using a Celeron N3160 with Realtek NICS (yeah I know whatever). Any ideas?

    • @WereCatf 1 year ago +3

      You're not providing even remotely enough information for anyone to tell you anything useful, like e.g. are those VPN-apps connecting to the same VPN-server as your pfSense-box? Or are you using the pfSense-box itself as a VPN-server? You'd be comparing apples to oranges. Also, you'd have to explain your routing setup, because you might have messed it up.
      I don't think CZcams's comments-section is the right place for troubleshooting something like that.

  • @janlee4997 1 year ago

    Hi, do you have video how to setup openVPN in Pfsense with Google LDAP authentication? Thanks! Great content and very informative. Thank you

  • @mormegil231 1 year ago +2

    So Tailscale kinda similar to Zerotier?

  • @bikes-hikes-travels8814

    WG and Tailscale FTW!

  • @shanent5793 1 year ago

    Why can my Android devices still talk to my smart TV on the local network, even though all the traffic is supposedly configured to go through the VPN?

    • @stan464 1 year ago

      Sounds like you haven't forced the Route to be through VPN.

    • @shanent5793 1 year ago

      @@stan464 I have turned on every setting that says it will do just that

  • @RD4888 1 year ago

    How do I use IPVanish with pfsense

  • @RocketLR 1 year ago

    imo, wireguard has had the highest performance on every setup I've made.

  • @muhammedtunkara303 1 year ago

    Why? Pfsense hotspot in each order

  • @silverbackag9790 1 year ago +1

    Jesus. Have a question about Pfsense and/or Netgate and you've answered it. Lol.

  • @sambashton4966 1 year ago

    "Tailscale is reasonably fast even though it's written in Go"
    I've got to assume you meant to say *because* it's written in Go.

    • @LAWRENCESYSTEMS 1 year ago +3

      No, Go version is slower not because of the language but because the Go implementation of Wireguard is using user space not kernel space.

  • @heimanalwadi1518 1 year ago

    Hi, can you look at Fortigate? And have speed tests done to see which vpn is faster in accessing home server

    • @LAWRENCESYSTEMS 1 year ago +4

      Not likely, I don't really have any interest in Fortigate

  • @softwareengineer9435 1 year ago

    wireguard is not production ready as it is under "active development". Why someone would recommend makes no sense to me.

    • @LAWRENCESYSTEMS 1 year ago

      Works great in lots of platforms and is very stable.

    • @softwareengineer9435 1 year ago

      @@LAWRENCESYSTEMS The problem is not an issue of stability or compatibility. It has been removed from the base system for security reasons and it's still under active development. The package you're installing and using is experimental, not intended for production use.

  • @TechySpeaking 1 year ago +1

    first

  • @CasualtyGaming 1 year ago +2

    openvpn, it's free

  • @MrAntropex 1 year ago +1

    ....erm, zerotier !?

  • @cucumberinass477 11 months ago

    Just use an iphone no vpn needed

  • @bsem68 1 year ago +4

    Regarding OpenVPN Site to Site: While it is true that its shared key mode is being deprecated (on pfSense is called Peer to Peer (Shared Key)), you don't mention that you can configure OpenVPN site to site using certificates Peer to Peer (SSL/TLS). There is actually a warning right in the pfSense webpage that tells you this for a long time now: WARNING: OpenVPN has deprecated shared key mode as it does not meet current security standards. Shared key mode will be removed from future versions. Convert any existing shared key VPNs to TLS and do not configure any new shared key OpenVPN instances. Why don't you mention this? Instead you just recommend, "switch to one of the other ones... wireguard..."?!?
    While it takes literally seconds (well maybe minutes) to create an OpenVPN server using shared key mode, it does take quite a bit more thought and planning to use TLS because you instead have to create a CA, along with the certs and export/import the CA and certs on the clients. With OpenVPN it is also easy to configure site to multi-site, which works very well because OpenVPN adds all the routes for you - which would be much more challenging to setup in WG. You can also have remote site/networks that are each behind NAT/CGNAT able to talk to each other through the OpenVPN Server which has a static IP. Just have to make sure you are aware of client overrides for different sites and use correct certs and sub-nets, which all can be a bit confusing at first. Access control can also be done using pfSense firewall rules of course. The only issue I can think of is expiring certs, so just make the CA and site client certs 10 years which is a very long time... and if you still want to make a server cert using the recommended "no more than 398 days" (currently not enforced on pfsense client but who knows if it will be in future), then just remember to log in to the server and click the renew icon every year or so. If you have a site to site running longer than 10 years on same hardware, it is probably an excuse to upgrade! WG is faster than OpenVPN, I will give it that. I am concerned of the implementation in WG moving forward with announcement of new FreeBSD coming eventually, and if the configuration is going to change?...seems like a WIP and hesitant to deploy in production right now - would not want to do a software update in a year or two and have remote site break because the way WG is implemented changes in pfSense... same reason I would not use Tailscale. Of course same thing could happen with OpenVPN but it does seem more mature and stable.
    Tailscale site to site is easy to setup, but you need to purchase a paid tailscale because of limitation of the free account only having one subnet router. You need at least two for a true bi-directional site to site VPN to be "equivalent" of OpenVPN, WG, IPSec S2S. Sure you could maybe get away with two and they won't care because they don't hard lock... but wouldn't use this for a client if they decide to disable it. If you want a pfSense client to just access a remote pfSense server one direction then a free account will work, but for more sites and/or both directions it will cost $ and you do not point this out. Also, trying to figure out ACL tags in attempt to restrict access (pfsense firewall is useless with tailscale) negates the ease of setup. In my opinion, if there is no other way to connect two sites that are behind NAT, then this is a solution but in a multi-site if at least one site is a static then OpenVPN or WG could be a possibility. If you have at least one site that has static IP use OpenVPN or WG!

    • @bahadirm 1 year ago +1

      I ain't reading all that.
      I'm happy for you though
      or sorry that happened.

  • @dahoudkourdi4936 1 year ago

    NETMAKER

    • @LAWRENCESYSTEMS 1 year ago

      That is a very different solution and not one built into pfsense.

  • @SchulteMK 1 year ago

    hi