Forgive me if this is posted in other places. I have an HP mini PC (10700F) that I want to re-purpose into a home firewall and also host a VPN on it.
Do y’all have suggestions for the better/easier software configs? I currently have both Windows 11 and Ubuntu installed on it so I’m agnostic for the OS. I want to put it between my home network and the Comcast gateway.
Do take note that pfSense will complain if you are not using an Intel LAN (That means you, Realtek), so you may want (need?) to buy a separate Intel PCIe card for it to run smoother.
For VPN: if you want simple, I can recommend just deploying tailscale and calling it a day.
If you don't mind putting in some work, I can heavily recommend wireguard (which is what tailscale is built off of). I didn't find it very hard to set up, but I'm not 100% sure where you sit on a technical level.
OpenWRT + either wireguard or tailscale / headscale, depending on your level of knowledge.
Normally I’d say FreeBSD or OpenBSD, but you said “easier,” so…
(not that freebsd or openbsd are difficult, they have extensive documentation for routers and firewall setups, but the question is how comfortable you are with the command-line)
I do however find it easier to look at pf.conf rather than having a GUI around it.
I would also favour FreeBSD, but as you said, cmd line. pf/opnsense < OpenWrt by far, especially if you want the easiest route. In that regard I would say OpenWrt is actually the hardest one, as you need to work around all its limitations (since it mainly targets embedded systems with very limited storage and processing power) if you want to accomplish anything except the very basic functionality.
These are fantastic replies, thanks! I'm technical enough to feel comfy but will probably break some things along the way. I grew up with DOS so command lines aren't too scary.
I should clarify that I was wanting the VPN to disguise traffic leaving my house. Has anyone had any conflicts with, say, OPNsense and PIA?
I can assure you that because of FreeBSD's more open nature, you can run some realtek hardware way easier than you can with OPNsense / pfSense. Proof: my odroid h3+ has 2x RTL8125B (2.5G realtek NICs), which did not work under the default freebsd installation. After using a USB gigabit NIC to download updates and a realtek kernel module driver, and setting it up in /boot/loader.conf, the realtek NICs worked perfectly.
Try doing that under opnsense / pfsense! And it doesn’t come down to just this, you have way more freedom to control the system that you own in freebsd compared to the restricted nature of opnsense and pfsense.
Running openbsd or freebsd as a router is just so much better.
Any router OS can be set to block traffic coming in from one interface and going out another. All of them will have openvpn and wireguard clients. You can set up a VPN Service Provider’s (VPS) certificates and configuration in your VPN client on the router, block traffic from LAN going to WAN and only allow traffic from LAN going to the VPN interface (wg0 or tun0 or however else it’s going to be named).
You can do this easily with a Unifi router. Just configure the VPN client and assign to the networks or clients you want to use the VPN as their WAN connection.
While you can certainly roll your own router with pfSense or similar that mini PC is overkill and would be more useful as a media server IMO.
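The LAN-to-VPN-only policy described above, written out as a pf.conf ruleset for a plain FreeBSD router with a WireGuard client. This is an added example, not from any post in this thread or from any of the named projects; the interface names (em0 WAN, em1 LAN, wg0 tunnel), the LAN subnet and the provider endpoint are assumed placeholders.

```pf
# Added example: pf "kill switch" so LAN hosts can only reach the internet via wg0.
# Assumed names: em0 = WAN (Comcast gateway side), em1 = LAN, wg0 = WireGuard client.
ext_if       = "em0"
lan_if       = "em1"
vpn_if       = "wg0"
lan_net      = "192.168.1.0/24"
vpn_endpoint = "203.0.113.10"   # placeholder: the VPN provider's WireGuard server
vpn_port     = "51820"          # placeholder: the provider's WireGuard port

set skip on lo0

# Masquerade LAN traffic as it leaves the tunnel, never as it leaves the WAN.
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# Default deny, both directions, every interface; log what gets dropped.
block log all

# The router itself may use the WAN only for the tunnel handshake and its DHCP lease.
pass out quick on $ext_if proto udp from ($ext_if) to $vpn_endpoint port $vpn_port keep state
pass out quick on $ext_if proto udp from ($ext_if) port 68 to any port 67 keep state

# The router may reach the internet through the tunnel (updates, package fetches).
pass out quick on $vpn_if from ($vpn_if) to any keep state

# LAN clients: accept their traffic on the LAN side, forward it out only via wg0.
pass in  quick on $lan_if  from $lan_net to any keep state
pass out quick on $vpn_if  from $lan_net to any keep state

# Belt and braces: if wg0 is down, LAN-sourced packets must never leave on the WAN.
block out log quick on $ext_if from $lan_net to any
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`; with the tunnel deliberately brought down, `tcpdump -ni em0` should show no LAN-sourced packets leaving, only the logged blocks on `pflog0`.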
That doesn't prove anything. OPNsense is an appliance software on top of FreeBSD that gives you root access, and presumably pfSense does the same. So in no way would you be handicapped to do the same there.
And while it's great that those drivers work perfectly for you, they don't appear to work perfectly for everyone; otherwise you wouldn't hear frequent warnings about issues with Realtek NICs.
Root access means nothing when your settings get overwritten by the system or other software you’re running.
I specified the realtek NIC model for a reason. And even more, because people were complaining on freebsd forums, there was a fix for it in freebsd. Obviously not all realtek NICs will work, you’d have to look up what does and what does not. Even I generally recommend Intel NICs.
Did you even read (or comprehend) my previous response? Or are you half-asleep reading? Do I really have to quote myself?
The whole point of the comment was to point out that freebsd is better than opnsense and pfsense because of its more open nature. Here are some more examples of opnsense and pfsense shenanigans.
Both opnsense and pfsense will override changes to loader.conf, because you don’t control your own system.
Look at the freebsd forum for the same thing.
On freebsd, your /boot/loader.conf won't be overwritten after an update. Hopefully, if opnsense and pfsense work remotely like freebsd (you can never assume they do, because they make a lot of changes to the base OS), then at least maybe you could do what I did on freebsd on one of these using loader.conf.local, which I didn't know about.
I hope everyone here is convinced why I hold my position that freebsd is superior to pfsense and opnsense. The latter two's hand-holding has burned me more than once. All I'm hoping is to reduce people's suffering in the long run.