Which VPN To Use In pfsense?

Captions
Tom here from Lawrence Systems, and a question I get a lot is: which VPN should I use in pfSense? Because pfSense offers multiple VPNs, there are multiple answers to the question, and each one does have a use case. Now, these use cases may overlap a little, but what I wanted to explain today is what the use case is and where we use them. There may be other use cases you have, but I'll give the explainer here so you can kind of narrow down your choices of VPNs when you're setting it up, and understand why you would or would not use one of these other technologies, and what the advantages and disadvantages are of each of them.

Before we dive into this video, let's first: are you an individual or company looking for support on a network engineering, storage, or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration, or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways to support this channel, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now, back to our content.

Now, the first one on our list here is Tailscale, and I've got videos linked down below on all these different ones for actually setting them up; we're just going to talk about which one to use. I am excited that they put Tailscale in pfSense, because it solves so many people's problems when they don't have a public IP address. That's why I have the note right there above me that says no public IP needed on any device. The Tailscale coordination server solves that by figuring out where these devices are, because they beacon out to the Tailscale server, and then from there it coordinates getting them all connected, even when they're behind double and triple NAT. It can do some really clever things, including getting me around CGNAT, but that requires all the devices to talk to the Tailscale coordination server. Maybe you don't want to use that server; that is a private server, it is a company and a service that they offer. The alternative to that is using Headscale, which I have a video on. You have to build a Headscale server in the cloud, but it can act as a coordination server that you talk to with all your devices, and then it can coordinate where these devices are. So it still works the same; it's still Tailscale, because the Tailscale client is completely open source, and so is the Headscale system. It's kind of an alternative way to do it, but it requires a little bit more technical expertise, so just using the Tailscale server for a lot of users is easy enough.

Now, there is no username or management: you authorize the devices to be on there, you don't authenticate the users. So the coordination server is going to decide which ones are allowed to be on the network when you set them up, but the authentication model is not at the device level, because essentially it's an always-on VPN. I mean, you can turn it off, but you can just leave it on, and whenever a route call goes across the network and matches any of the routes published in the Tailscale system, it will then redirect those packets over there. Now, Tailscale is reasonably fast even though it's written in Go, and it does use WireGuard on the back end. The advantage over just using WireGuard, which we'll get to, is going to be that coordination server, and it punches through the NAT firewalls and CGNAT firewalls really well.

Tailscale can also be used as a site-to-site device. This is a really cool feature, and even if both of these pfSenses don't have public IPs, it can still coordinate getting them talking to each other. By having it as a site-to-site, with your devices on either side, you can set up bi-directional communication between all of them and not have to worry about public IPs or your IP changing. So if your IP rolls or changes, the coordination server sees that change and updates everything to keep the connections going, and it will scale rather well for more complicated networks when you have multiple pfSenses with multiple routes with multiple subnets that you want published across here. You even have the ability to select an exit node, where maybe you want all this traffic to tunnel out and go out of one device. This is really some clever networking that Tailscale uses. I've always recommended people read through their documentation, because they outline very, very well how NAT and how all the things work; they've done a great job on their site for that.

Now, next we have WireGuard. WireGuard is awesome. It is a kernel-level implementation of WireGuard here in pfSense, but you are going to need a publicly accessible IP address. It is best, though not impossible to do if it's not static, but best if it's static. I say that because you can use things like dynamic DNS and deal with an updating pfSense public IP, but some of the other devices may try to hold on for a little while to that other IP you had, or the other entry, before they do a DNS lookup again. This can cause some disruption in service. But that being said, it's fast, it's effective, it works rather well. You can connect phones and devices; they'll cut through different firewalls and cut through a NAT as long as your pfSense is accessible and has that static IP. Now, once again, there's no username or password; you're dealing with key authentication. So you're going to generate keys for these devices and place them in there for WireGuard, and it works great, but those devices are always going to be on. So you have to have a contingency plan: if one of these devices goes rogue, you have to make sure you understand, and you'll have to delete them out of the pfSense. But you're not authenticating them as a user; you're authorizing that device with a key. It's a good system overall, and there's broad support for all the different platforms on it.

Alternatively, you can use this also as a site-to-site VPN, and I really feel WireGuard is replacing IPsec, which we'll talk about later, but it works great as a site-to-site VPN. It's relatively easy to set up. The ease of setup in WireGuard comes from the fact that it does not have a lot of different protocol support; it has a narrower, limited cipher support, but it's been well vetted, it's based on good cryptography, and it's a kernel implementation. You can build this, but you have to build all of this: this is all done with all these pfSenses talking to each other and building all the route information in there. It does work rather well, and still, even with multiple on here, only one pfSense really needs to have a static IP. You can have your other pfSenses that you're doing site-to-site with completely independent, so some might be behind CGNAT, some are just behind whatever dynamic one, as long as when you're setting it up you leave the site-to-site to be dynamic and the pfSense with that one static IP, or multiple static IPs, knows to have those connections coming in. So that can work perfectly fine.

OpenVPN. Now, this one is pretty much a go-to for user authentication, and you really should have a pfSense with a public IP. Dynamic DNS should work, but it works quite well. Now, there are some complexities to OpenVPN. I have tutorials on it; it's a good VPN, but those complexities are because, well, there are so many different ciphers supported and a lot of options in there. The tutorials I have do cover which ones are good choices; I'll make some new ones coming up soon. But OpenVPN does use username and password, so you can track, log, and control everyone from a username-and-password perspective that is logging in. The real advantage, and where we use this a lot in businesses, is not just having the usernames and passwords in pfSense, but you can hand it off to things like a RADIUS server or Active Directory, so you can do different tie-ins that way. You can just set the same VPN tool up on many different devices and you'll know when that user logged in, because you can log and track it too. If you have to revoke a user's username and password, you can simply go and do that; whether the back end is AD or RADIUS or just the built-in pfSense, you can go delete that user, lock out that user, and they can't log in anymore without you having to get to the device to de-authorize it. So there are different ways you control it there, but OpenVPN works rather well. Now, OpenVPN does not have a problem with NAT devices, so if the other devices are behind NAT, that generally doesn't present a problem for OpenVPN. The protocol works getting through different firewalls, getting through different networks, whether the phones are on whatever 4G, 5G, LTE networks, or there are devices behind different CGNAT; as long as they can get to that pfSense on the public IP, OpenVPN cuts through that quite well.

OpenVPN shared key deprecation: this is Todo #12981 on pfSense. This is a notice that they are getting rid of this as an authentication model, so OpenVPN is really not ideal site-to-site with this; this is going to be deprecated over time, so switch to one of the other ones. WireGuard would be a good suggestion on that.

IPsec. This has been around forever, and when would you use this? You can still use this in pfSense. IPsec is good, it's fast, it's well documented, it's been around for a long time, but it has a real problem when everything doesn't have public IPs. Now, someone's going to leave a comment, "there's an easy way to get through that," and leave a list of commands. Yes, there are ways to get to that, but occasionally it doesn't go through NAT, because there are just different problems you may run into and different scenarios, because the firewall may be behind another firewall that, well, just doesn't do the proper port translation to get the NAT through, or just disrupts the IPsec connection. So IPsec is good but can have some issues when it comes to dealing with NAT, but if everything has public IPs, yeah, it'll work. Now, of note, this is the most common use case we have for IPsec when we're setting up site-to-sites for clients, and that's going to be when some other firewall is involved, because IPsec, as I said, is an old standard; therefore it's going to be pretty interoperable with a lot of different firewalls. So we have a lot of times and a lot of clients that have access to certain medical companies; these little doctor's offices have to set up IPsec tunnels. They have a pfSense, and we'll have to set up IPsec tunnels to whatever on-prem equipment there is for the other client, and we've got this working with many different firewalls, many different brands. There are sometimes some nuances, because you have to figure out if they're using different nomenclature to do it, but it's something that can be done when you want interoperability. So IPsec is mostly, from my perspective, used when I have another firewall that's not pfSense.

So I hope this video left you with a better understanding of the VPN options currently available in October of 2022 with pfSense. Leave your thoughts and comments down below about which VPN you think you should use, or what other VPNs maybe you'd like to see in pfSense. If you have some comments or questions about this video, head over to my forums at forums.lawrencesystems.com for a more in-depth discussion on this topic, where you'll find this video linked there. Also check out the tutorials I have on things like Tailscale and Headscale, just in general and also specifically for pfSense. I've covered a lot of these topics over time, and it's always just really fascinating diving into all these different VPN options. It's so much different than when I started in this business 25 years ago. But hey, nonetheless, leave your thoughts down below, see you next time, and thanks.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the Subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
Info
Channel: Lawrence Systems
Views: 79,979
Keywords: LawrenceSystems, Which VPN To Use In pfsense?, vpn pfsense, vpn pfsense openvpn, vpn pfsense setup, vpn pfsense site to site, vpn pfsense ipsec, pfsense vpn client, pfsense vpn site to site ipsec, pfsense vpn killswitch, pfsense vpn lawrence, tailsacle pfsense, tailscale pfsense, tailscale pfsense dns, tailscale pfsense routes, wireguard pfsense, wireguard pfsense site to site, wireguard pfsense remote access, wireguard pfsense 2.6
Id: GDC9aKtebAU
Length: 11min 42sec (702 seconds)
Published: Mon Oct 17 2022