
Which VPN To Use In pfsense? 

Lawrence Systems

Tutorial: Using Tailscale VPN with the Self Hosted Headscale Controller
How to Setup The Tailscale VPN and Routing on pfsense
Tutorial: pfsense Wireguard For Remote Access
Basic Site-to-Site VPN Using WireGuard and pfSense
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 10% off your order at
🛒 lawrence.video/techsupplydirect
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect you privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
⏱️ Timestamps ⏱️
00:00 Which VPN for pfsense
01:21 Tailscale Device VPN
03:16 Tailscale Site to Site VPN
04:09 Wireguard Device VPN
05:24 Wireguard site to site VPN
06:26 pfsense OpenVPN
08:07 OpenVPN Shared Key Deprecation
08:28 IPSEC VPN
#pfsense #VPN #firewalls

Science

Published: 23 Jul 2024

Comments: 123
@LAWRENCESYSTEMS 1 year ago
Tutorial: Using Tailscale VPN with the Self Hosted Headscale Controller ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--9gXP6aaayw.html
How to Setup The Tailscale VPN and Routing on pfsense ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-P-q-8R67OPY.html
Tutorial: pfsense Wireguard For Remote Access ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-8jQ5UE_7xds.html
Basic Site-to-Site VPN Using WireGuard and pfSense ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-2oe7rTMFmqc.html
⏱ Timestamps ⏱
00:00 ▶ Which VPN for pfsense
01:21 ▶ Tailscale Device VPN
03:16 ▶ Tailscale Site to Site VPN
04:09 ▶ Wireguard Device VPN
05:24 ▶ Wireguard site to site VPN
06:26 ▶ pfsense OpenVPN
08:07 ▶ OpenVPN Shared Key Deprecation
08:28 ▶ IPSEC VPN
@TwstedTV 1 year ago
Reports on the internet say people should stay away from IPSec and 4 others I can't remember, because the NSA and other federal agencies have cracked these to the bone, and they have direct access keys into anyone's data going through IPSec.
@LAWRENCESYSTEMS 1 year ago
@TwstedTV Don't know "what reports on the internet" you are reading but they are not true. IPSec is safe.
@jamescampolo7824 1 year ago
Customer went a different route: dual ISPs with separate networks for POS and surveillance.
@mikescott4008 10 months ago
With OpenVPN do you use DCO much? I am using hardware that supports QAT and will explore WireGuard too later. I had IPsec working to an untangle for a while. From an iPhone you’d say wireguard is the fastest?
@J-D248 1 year ago
Yes! I just setup Tailscale. Perfect timing. Thank you, your videos are great!
@Ingeanous 1 year ago
Great vid. Many different options will work as long as you're up to some config tinkering. I use the OpenVPN option with PIA client configs. Technically, my pfSense (Proxmox VM) clients are double NATed because they sit behind an additional Ubiquiti edge router. Multiple PIA VPN tunnels to different endpoints stay up 24/7 with little problem other than the occasional service restart. Traffic is routed to the VPN tunnels using pfSense firewall rules to send specific VLAN traffic to virtual gateways (VPN interfaces). Return traffic is routed from the edge router via static routes for the VLAN IP ranges back to the pfSense WAN interface. Good luck tinkering if you are reading this and go down the rabbit hole.
@Ecker00 1 year ago
Perfect, thank you for explaining these side by side!
@h4X0r99221 1 year ago
Literally thought about replacing OpenVPN with Wireguard for my S2S VPN between my pfSense boxes this exact morning! Once again, the perfect timing :D
@NeilHyndman 1 year ago
LOVED this video! Thank you for this video!
@michaellerch 1 year ago
Great to see you around GrrCon! Thanks for doing another great video!
@STS 1 year ago
I had some trouble with configuring / starting out with WG in pfsense recently, I'm quite interested in testing it out though. I'll have to take another look - great video
@PowerUsr1 1 year ago
Good stuff here Tom. Thanks for the video !
@amarkhadka8777 1 year ago
BROTHER, YOU ARE THE BEST!!! You oooh really helped me!! THANK YOU VERY MUCH!
@ctid107 1 year ago
Love the little homage to "The IT Crowd" !
@Nixxx2000 1 year ago
Just installed OpenVPN in a pfSense Proxmox VM. I really like that I could export the profile to PC and mobile. Configuration is very easy and everything works as intended.
@ramrod2k 1 year ago
very helpful explanation, thanks for the video
@RustyBrakes 1 year ago
Not quite perfect timing for me, I've just spent yesterday setting up Tailscale. However, I have to say it is SO IMPRESSIVE. No open ports, and close to zero config needed.
@privacypendulum3435 1 year ago
Thanks for the information on these solutions. I am going to go with OPENVPN btw!
@philippe_demartin 1 year ago
For WireGuard without a public IP, I've set up a WireGuard server on a cheap Digital Ocean droplet; works like a charm.
@ronsflightsimlab9512 4 months ago
Incredibly helpful. Thank you!
@leaderbot_x400 1 year ago
Personally, I use openvpn and tailscale at the same time, and I have to say I love mesh VPNs and the fact that I don't have to open any ports for it to work
@connclissmann6514 1 year ago
Thanks for the run through. I am so old, I am still using IPSEC so I must look into the others you discussed.
@MR-vj8dn 1 year ago
I’d love to learn more about IPSEC. It’s my preferred VPN.
@Darkk6969 1 year ago
I still use IPSec for site to site VPN and it's a very solid platform as long as it's being updated with new ciphers.
@connclissmann6514 1 year ago
@MR-vj8dn The main things to know about IPSEC setup are that it is set up using two "phases" and that the settings for a site-to-site tunnel *must* be identical at each end. As different manufacturers use different phraseology this can be tedious, but there are great resources on the web. Once set up, it is very solid. Start with a pre-shared key (PSK, some call it) and move on to more ambitious encryption once you have that working, if you feel you need to. Having a fixed IP or DDNS is also a great security addition and adds to the ease of the setup.
@ricknroll963 1 year ago
@connclissmann6514 Yup, my journey was to set up 10 SonicWalls and 42 pfSenses as a fresh network tech 7 years ago. I had to do a lot of sped-up learning without any help but forums and RU-vid. I initially set up everything as hub-and-spoke, which was a nightmare to understand and troubleshoot at first. Once I got more experience and learned about OSPF I reconfigured it and it was so easy compared to my first setup. Just wish I had someone by my side in the beginning.
@MichalSedilek 1 year ago
I tried and it is installed, thank you very much anda
@mennod5193 1 year ago
Do you have a best practice for configuring multiple VPN servers (WireGuard protocol) in your pfSense+ setup? So for example when VPN server 1 (US) is down you can (automatically) switch to VPN server 2 (UK)? Do you add multiple peers to the tunnel?
@zenja42 1 year ago
I have to deal with a lot of enterprise stuff... IPSEC and older, with monsters of static routing tables. Right now I'm trying to replace them with 3 servers (in different datacenters with different ISPs and upstreams) where every network connects to all servers and each client to one random server. Networks speak BGP over every one of the 3 connections. The 3 servers each have sessions to one another and the client pool is just NATed so I don't have to take care of routing for them. The servers are Arch, wg, systemd-networkd, with rsynced client config.
@techsx 1 year ago
If site-to-site OpenVPN shared key gets deprecated, what would be the alternative OpenVPN mode? Authorize with a certificate?
@cp-tu8tb 1 year ago
I use Tailscale to create a secure connection from family members to my UniFi Controller. I don't have to open up ports that way, and I only need 1 controller. I also have a dedicated VLAN for the UniFi / network hardware.
@timothyreed7709 1 year ago
Hey! Can you cover some options for LAN-wide ad blocking? I really want to get rid of YouTube ads and trackers but I can't download adblock to my Apple TV.
@KennethQvarfordt 1 year ago
I kind of like using L2TP for user VPN. The nice thing with it is that it embeds the user's credentials for SMB. So if a user connects to a remote site and tries to use SMB to access one of the remote servers, it tries to authenticate using the L2TP VPN credentials first. OpenVPN doesn't do that. OpenVPN always works though. Windows has a tendency to break L2TP every so often and it can be very much a pain to figure out how to fix it.
@Jerryhze0129 1 year ago
L2TP support is starting to get dropped by clients, so we moved to IPsec IKEv2 with user authentication to AD and it works great with built-in client support. Don't want to deal with extra apps.
@radupopa6642 1 year ago
A regular tailscale node can be configured to use another exit node, if that other node was approved to act as an exit node for the tailscale network. Is there a way to configure the pfSense tailscale node to use an existing exit node? I could not figure this out...
@DarrolKHarris 1 year ago
great job
@zparihar 1 year ago
I've been using OpenVPN on pfSense with users authenticating FreeIPA (which is based on OpenLDAP) for the past 6 years
@UntouchedWagons 1 year ago
I hope there's a wireguard client config generator added to pfsense. It didn't take me that long to make the configs for my phone and laptop but I had to use the wireguard program on my desktop to generate the public/private keys which was a bit of a faff.
@Darkk6969 1 year ago
I found a script on github that lets you do that. Still have to manually copy and paste the keys into pfsense which is fine. Hopefully the author of pfsense's Wireguard add-on will add this feature.
@z400racer37 1 year ago
Badass shirt 😎👍🏼
@raul230285 1 year ago
Your videos are the best. I would like to know if you could try or talk a little about the VPN that is also powered by WireGuard, called Netmaker. Greetings from Peru.
@LAWRENCESYSTEMS 1 year ago
I am aware of it but have not had any time or reason to test it.
@BradBazooka 1 year ago
Where can we get the shirt?
@StateOfCharge 1 year ago
Can you do a video and share your thoughts on Twingate? It’s been a great option for me and I am curious your thoughts. Thanks!
@LAWRENCESYSTEMS 1 year ago
Nope, I don't use or plan to use Twingate; I don't see anything compelling they offer.
@jamescampolo7824 1 year ago
Does the 1100 support IDS/IPS? I plan to use one of these devices in a very low bandwidth scenario. Probably less than one megabyte/sec.
@LAWRENCESYSTEMS 1 year ago
I would not use IDS/IPS on the 1100.
@maxpuissant2 1 year ago
Does someone know a good industrial router that supports pfSense with a 24V input power supply?
@jeevis2 1 year ago
Very sad that you didn't bring up Zerotier as a VPN as well. I love this information though, and it brings up some very good points and issues with hosting a home VPN.
@LAWRENCESYSTEMS 1 year ago
I have a few videos on Zerotier but it is not officially supported in pfsense so it's not in this video.
@jeevis2 1 year ago
@LAWRENCESYSTEMS My mistake. I use OPNsense and forgot they don't have the same packages.
@SB-qm5wg 1 year ago
I've been using openconnect and anyconnect (Cisco) for ages now.
@Anavllama 1 year ago
Comes down to using a third party or not, be it a third party VPN provider or (Tailscale servers). Being a MT user, it's do I use ZeroTier or WireGuard. I wonder which you prefer, Tailscale or ZeroTier?
@LAWRENCESYSTEMS 1 year ago
Tailscale has really nice integration with pfSense, which is why I mentioned it in the video, but ZeroTier is great as well.
@kyopan23 1 year ago
Would wireguard for site to site and OpenVPN for client auth in one of the sites work?
@LAWRENCESYSTEMS 1 year ago
You can use both
@faxmodem2397 1 year ago
I want to use in-house software for the use of employees; do you think it meets my needs? Employees can connect from outside the company and use the software installed on the company's server.
@LAWRENCESYSTEMS 1 year ago
I don't understand your question.
@Str8ChillinOfficial 1 year ago
I need to set up a Hub-and-spoke WAN topology for myself and two other parties - what do you think would be easiest for this? I also don't want one of the spoke sites to be able to reach back to me, but I assume that requires some firewall configuration?
@ricknroll963 1 year ago
Yes, I used to have it due to limitations of VPNs (20) on Sonicwall TZ 400. It was my first dive into networking and was quite a nightmare and crazy uphill learning experience. It took me a while to understand everything and make it work but once it worked it never broke.
@ricknroll963 1 year ago
I had 10 SonicWalls and 42 pfSenses, so you can imagine. I found a guy who created a cloud management system for me for the pfSenses. You could do a port scan from it, bulk reboot, bulk upgrade, and it would upload the config for each pfSense box any time you made a change on it. There was telemetry as well and a few other things.
@rollinthedice7355 1 year ago
I just won't use packages in pfSense so I only use OpenVPN at the moment.
@musicindus1 11 months ago
Can we watch region-restricted video using a mesh VPN, such as Tailscale or Twingate?
@LAWRENCESYSTEMS 11 months ago
Tailscale lets you choose devices to be an exit node.
@AceBoy2099 1 year ago
Possibly an oddball question: WireGuard on Unraid vs on pfSense/OPNsense? Which would be the preferred way to run it? Any "gotchas" to look out for one way or the other?
@LAWRENCESYSTEMS 1 year ago
I prefer the VPN to run on the firewall.
@Dezjam1 1 year ago
I know this is a bit long in the tooth now but one thought I have had as I use both pfSense and Unraid is if you’re running it via Docker and you isolated your additional docker servers to their own network then your client peers should tunnel in and be isolated to the docker network on the Unraid host vs your Unraid host via router and firewall rules. I’m thinking friends accessing gaming servers etc. in this case mostly. I have not tried it at the docker level on Unraid, so might be missing something. Just a minimal exposure thought mostly.
@samimkaddem7437 1 year ago
I recently tried site-to-site IPsec on two Intel i3 PCs with 8 GB of RAM each. The performance was horrible and I had to drop encryption to the most basic to get it just to work. Any idea??? Is it possible to do a tutorial on setting up site-to-site IPsec on physical machines?
@LAWRENCESYSTEMS 1 year ago
As I said in the video, I prefer to use Wireguard
@LandOfAbundance 9 months ago
I love Wireguard
@protextheptxperts2204 1 year ago
Do you have a video on how to implement OpenVPN with LDAP? If we have 50+ users on our AD, do I have to create user accounts on pfsense, or will users be pulled from AD once LDAP is configured?
@timalbrecht5120 9 months ago
Users will be pulled from AD after LDAP is configured.
@dougle03 1 year ago
No mention of ZeroTier? I use it widely for secure linking. Never got its site-to-site working though, so there is that...
@LAWRENCESYSTEMS 1 year ago
The video was about VPNs in pfSense and it's not built in.
@dougle03 1 year ago
@LAWRENCESYSTEMS Ahh, yes, fair enough. Good video.
@splinters_pinter 1 year ago
I love Tailscale but they have some serious issues. I have iOS and the client eats data for no good reason. It's been reported quite a bit on their own forums. It ate 3GB of my cell plan for no good reason.
@Prime_BDE 1 year ago
Hey Lawrence, I'm having an issue with WireGuard on pfSense compared to using the VPN apps in Windows. The speed is considerably slower (tested 2 different connections). Difference of 120/150 compared to almost full 500 down using the app. I'm using a Celeron N3160 with Realtek NICs (yeah I know, whatever). Any ideas?
@WereCatf 1 year ago
You're not providing even remotely enough information for anyone to tell you anything useful, like e.g. are those VPN-apps connecting to the same VPN-server as your pfSense-box? Or are you using the pfSense-box itself as a VPN-server? You'd be comparing apples to oranges. Also, you'd have to explain your routing setup, because you might have messed it up. I don't think RU-vid's comments-section is the right place for troubleshooting something like that.
@janlee4997 1 year ago
Hi, do you have a video on how to set up OpenVPN in pfSense with Google LDAP authentication? Thanks! Great content and very informative. Thank you.
@LAWRENCESYSTEMS 1 year ago
I don't have a write up on that
@mormegil231 1 year ago
So Tailscale is kinda similar to ZeroTier?
@LAWRENCESYSTEMS 1 year ago
Yes
@FaithMediaChannel 1 year ago
Same here
@dwaynelarose278 1 year ago
Hamachi burned before so will stick to building my own thing with WireGuard
@spoonydx 1 year ago
Wireguard has filled the Hamachi shaped hole in my heart. Still stings though, even after all these years.
@RD4888 1 year ago
How do I use IPVanish with pfsense
@maxhax4243 1 year ago
I'm currently labbing in Azure, configuring S2S VPN (IPsec). And then this video just appeared, lol.
@bikes-hikes-travels8814 1 year ago
WG and Tailscale FTW!
@shanent5793 1 year ago
Why can my Android devices still talk to my smart TV on the local network, even though all the traffic is supposedly configured to go through the VPN?
@stan464 1 year ago
Sounds like you haven't forced the Route to be through VPN.
@shanent5793 1 year ago
@stan464 I have turned on every setting that says it will do just that.
@elcolin_ 1 year ago
Just finished a CompTIA Net+, Sec+, and CCNA courses through the VA at an IT school for Veterans. Have applied to over 115 jobs in the past 2 months. Can't get a job anywhere. Everyone wants you to have a PHD for an entry level IT job. It's depressing and discouraging out here! So desperate for someone in IT somewhere to give me a chance to get started. Can't get a job without experience, can't get experience without a job. Yay.
@Monarchias 1 year ago
I guess I know a solution for you. If you have any spare PC or laptop which has a CPU with virtualization support, a minimum of 2 cores and 4 threads, 8 GB RAM, 1-2 HDDs and 1-2 SSDs, a GPU with 1 GB VRAM and 2 network cards, you are good to go for a Proxmox server. 1-2 old PCs with these specs, or scaled up in steps of 1 CPU and 2 GB RAM, and you can make your own experience for a start. In Proxmox you can make VMs, be it pfSense or Windows or Linux or anything. The minimum of 2 network ports is for reaching an advanced level quickly, by adding more to your network and subnets as well. Over the months you will find yourself gaining experience because you might break it and learn from it. An old PC, an old router or switch, a few network cables and the above mentioned details and you'll be fine and will find work. Until then, it will keep you busy learning from your builds. Good luck, have fun.
@nully.emptier 1 year ago
for privacy... own VPN on own VPS with own CA, no log, all devices connected, access to home nas from internet
@elksalmon84 1 year ago
OpenVPN isn't even just password. Don't know about pfSense, but with OPNsense you can make 3-factor authentication - password, one-time password (TOTP) (adding static-challenge "OTP" 1 into config will separate password and code) and personal certificate with strict matching.
@LAWRENCESYSTEMS 1 year ago
Yes, you can have multiple auth mechanisms with OpenVPN.
@muhammedtunkara303 1 year ago
Why? Pfsense hotspot in each order
@alphakamp 1 year ago
In my experience Tailscale and OpenVPN are significantly slower than WireGuard or IPsec.
@ernestyeap3053 3 months ago
VPNs should also prevent screen recording, screen shots, have camera control, location control, and blocking the microphone. I've yet to see any VPNs doing this.
@silverbackag9790 1 year ago
Jesus. Have a question about Pfsense and/or Netgate and you've answered it. Lol.
@heimanalwadi1518 1 year ago
Hi, can you look at Fortigate and have speed tests done to see which VPN is faster in accessing a home server?
@LAWRENCESYSTEMS 1 year ago
Not likely, I don't really have any interest in Fortigate.
@RocketLR 1 year ago
IMO, WireGuard has had the highest performance on every setup I've made.
@sambashton4966 1 year ago
"Tailscale is reasonably fast even though it's written in Go" I've got to assume you meant to say *because* it's written in Go.
@LAWRENCESYSTEMS 1 year ago
No, the Go version is slower not because of the language but because the Go implementation of WireGuard is using user space, not kernel space.
@stownplayer 1 year ago
WireGuard is the way. I used OpenVPN for years but it's just clunky and has a large overhead. Plus I really don't need user tracking. WireGuard was also easy to tunnel only certain network traffic rather than forcing all traffic through the VPN. Very impressed currently, and once I figured out my config files for clients it's easy to deploy.
@Casper76 10 months ago
I am new to pfSense and am now trying to direct certain traffic to bypass the VPN. I've added some hosts to an Alias, and put firewall rules for all interfaces to pass all traffic to Destination: Alias through the WAN gateway, but the traffic is still over the VPN. What I'm trying to do seems to be the inverse of what you find easy; I'd imagine the steps are very similar? I'd love some ideas, you seem knowledgeable :)
@softwareengineer9435 1 year ago
WireGuard is not production ready as it is under "active development". Why someone would recommend it makes no sense to me.
@LAWRENCESYSTEMS 1 year ago
Works great on lots of platforms and is very stable.
@softwareengineer9435 1 year ago
@LAWRENCESYSTEMS The problem is not an issue of stability or compatibility. It has been removed from the base system for security reasons and it's still under active development. The package you're installing and using is experimental, not intended for production use.
@TechySpeaking 1 year ago
first
@MrAntropex 1 year ago
....erm, zerotier !?
@williamp6800 1 year ago
Not currently available in pfSense.
@CasualtyGaming 1 year ago
OpenVPN, it's free.
@bsem68 1 year ago
Regarding OpenVPN Site to Site: While it is true that its shared key mode is being deprecated (on pfSense it is called Peer to Peer (Shared Key)), you don't mention that you can configure OpenVPN site to site using certificates: Peer to Peer (SSL/TLS). There has actually been a warning right on the pfSense web page that tells you this for a long time now: "WARNING: OpenVPN has deprecated shared key mode as it does not meet current security standards. Shared key mode will be removed from future versions. Convert any existing shared key VPNs to TLS and do not configure any new shared key OpenVPN instances." Why don't you mention this? Instead you just recommend, "switch to one of the other ones... wireguard..."?!?

While it takes literally seconds (well, maybe minutes) to create an OpenVPN server using shared key mode, it does take quite a bit more thought and planning to use TLS because you instead have to create a CA, along with the certs, and export/import the CA and certs on the clients. With OpenVPN it is also easy to configure site to multi-site, which works very well because OpenVPN adds all the routes for you; this would be much more challenging to set up in WG. You can also have remote sites/networks that are each behind NAT/CGNAT able to talk to each other through the OpenVPN server which has a static IP. Just have to make sure you are aware of client overrides for different sites and use the correct certs and subnets, which all can be a bit confusing at first. Access control can also be done using pfSense firewall rules of course. The only issue I can think of is expiring certs, so just make the CA and site client certs 10 years, which is a very long time... and if you still want to make a server cert using the recommended "no more than 398 days" (currently not enforced on the pfSense client but who knows if it will be in future), then just remember to log in to the server and click the renew icon every year or so.

If you have a site to site running longer than 10 years on the same hardware, it is probably an excuse to upgrade! WG is faster than OpenVPN, I will give it that. I am concerned about the implementation in WG moving forward with the announcement of new FreeBSD coming eventually, and if the configuration is going to change?... seems like a WIP and I'm hesitant to deploy in production right now; would not want to do a software update in a year or two and have a remote site break because the way WG is implemented in pfSense changes... same reason I would not use Tailscale. Of course the same thing could happen with OpenVPN but it does seem more mature and stable.

Tailscale site to site is easy to set up, but you need to purchase a paid Tailscale plan because of the limitation of the free account only having one subnet router. You need at least two for a true bi-directional site to site VPN to be "equivalent" to OpenVPN, WG, IPSec S2S. Sure, you could maybe get away with two and they won't care because they don't hard lock... but I wouldn't use this for a client if they decide to disable it. If you want a pfSense client to just access a remote pfSense server in one direction then a free account will work, but for more sites and/or both directions it will cost $ and you do not point this out. Also, trying to figure out ACL tags in an attempt to restrict access (the pfSense firewall is useless with Tailscale) negates the ease of setup. In my opinion, if there is no other way to connect two sites that are behind NAT, then this is a solution, but in a multi-site setup if at least one site is static then OpenVPN or WG could be a possibility. If you have at least one site that has a static IP, use OpenVPN or WG!
@bahadirm 1 year ago
I ain't reading all that. I'm happy for you though or sorry that happened.
@cucumberinass477 11 months ago
Just use an iPhone, no VPN needed.
@dahoudkourdi4936 1 year ago
NETMAKER
@LAWRENCESYSTEMS 1 year ago
That is a very different solution and not one built into pfSense.
@SchulteMK 1 year ago
hi