How do I protect my data from my ISP

Unless you’re married to pfSense for some reason, you could use a Debian system as a router/firewall… or OpenWRT… or VyOS… there’s no inherent reason one would be any safer than the other, or easier.


With wireguard, if you want to be able to receive internet traffic through an interface you need to set allowed IPs 0/0 in there. Similarly, on your proxy host (wireguard host that touches the world) you should probably set Allowed IPs to include your whole LAN at home, unless you want to NAT at home before passing packets to wireguard, … and then NAT again on Linode.

1 Like

Now that I think about it (not sure how relevant it still is to this topic), here’s PLL’s wireguard setup on Linux and on OPNsense.

2 Likes

It's got easier setup information and back story on the crypto. It's a good guide, but I've never updated it much for various other configs as I have no way of debugging them.

1 Like

So, I did some experimentation and discovered that my server's Wireguard configuration works perfectly. I am currently at a restaurant where I just completed said experiment using my ThinkPad T480 and my phone's mobile hotspot, which uses the Verizon network. (Verizon throttles my hotspot to lovely 2G speeds, but continues to run that against my high speed data, so this was fun because SSH was super laggy, though this may be more the latency than anything else.) I think my next step is to see if I can still connect to my server behind my home's Xfinity-powered network. This way I can truly figure out if it is a problem with my ISP or if it is just me doing something wrong with PFSense.

Okay, I am not entirely sure yet, because I did have some filtering initially and I can’t seem to connect both my desktop and laptop peers to the server peer at the same time, but sending an ICMP request to 10.0.0.1 from my desktop worked. I am thinking that it is indeed my PFSense configuration that is incorrect.

Look what I found in my recommendations today @ThatGuyB

1 Like

Yeah, I've watched that 4 years ago, I can see my comment in the comment section. Back then I was asking for a tutorial on how to host your own VPN, as opposed to doing a whole-network VPN to a VPN Service Provider.

Also, unashamed self-promotion:

I should probably work on this, I haven’t yet added new rules in Ubuntu and haven’t updated it for Alpine.

I still haven’t figured out how to get my router to connect to my server over a VPN tunnel. Honestly, I kinda want to use wireguard because of how simple it is to configure and everything. Plus it’s supposed to be faster than OpenVPN - which matters to me tbh. I’ve successfully gotten it to connect to two clients - my laptop and my desktop. Though I haven’t managed to get simultaneous connections and I haven’t figured out how to actually route my internet traffic through the VPN tunnel.

I’ve put that on temporary hold in favor of classwork and my Devember project though.

1 Like

When you want to continue the VPN project, give me an @ here. PLL and oO.o are also likely to help if they have time.

If you put wireguard on your router, it should be as easy as adding routes in “AllowedIPs=” in the wg conf. If you did a separate VPN, you’d have to either set that as the default gateway for your devices, or create special routing rules to it for devices on the network.

However, VSPs don’t provide the same wireguard configuration, they have some custom settings and you need to use their clients, which are likely to not be available on Linux or *BSDs. So if you want a VPN to a VSP, OpenVPN like in the video Wendell did 4 years ago is an option. If you are using your own VPS for VPN, either wireguard or OpenVPN will work fine.

In my experience, wireguard was indeed faster than ovpn when it came to connection and reconnecting time, but if your server is far away, it doesn't really make a difference in speed and latency (both my wg and ovpn servers are over the pond, but now that I think about it, I think I'm more limited by the wifi n speed rather than anything else).
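
As an added illustration of the "AllowedIPs= on both ends" point made in this thread (example configs written for this reply, not from any poster here), a minimal wg-quick pair for a home Linux router and a VPS. It assumes a LAN of 192.168.1.0/24 behind the router, a LAN bridge named br-lan, eth0 as the VPS uplink, vps.example.net as the VPS hostname, and placeholder keys; the desktop and laptop peers show why simultaneous peers each need their own key and non-overlapping AllowedIPs.

```ini
# --- /etc/wireguard/wg0.conf on the HOME ROUTER (Debian/OpenWrt, wg-quick) ---
[Interface]
Address = 10.0.0.2/24
PrivateKey = ROUTER_PRIVATE_KEY_PLACEHOLDER
PostUp = sysctl -w net.ipv4.ip_forward=1
# let LAN clients be forwarded into the tunnel and replies come back
PostUp = iptables -A FORWARD -i br-lan -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i br-lan -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

[Peer]
PublicKey = VPS_PUBLIC_KEY_PLACEHOLDER
Endpoint = vps.example.net:51820
# 0/0 here = "send everything through the tunnel". wg-quick installs the
# default route plus fwmark policy rules so the encrypted UDP to the VPS
# itself still leaves via the ISP uplink instead of looping into wg0.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

# --- /etc/wireguard/wg0.conf on the VPS (Linode etc.) ---
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = VPS_PRIVATE_KEY_PLACEHOLDER
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NAT once, on the VPS, for both the tunnel subnet and the home LAN
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

[Peer]
# home router: its tunnel address PLUS the LAN behind it, otherwise
# cryptokey routing silently drops replies addressed to 192.168.1.x
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24

[Peer]
# laptop and desktop: separate keys, distinct /32s. Two peers sharing a
# key or an overlapping AllowedIPs range can never be up at the same time.
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = DESKTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.4/32
```

After `wg-quick up wg0` on both ends, `wg show` on the VPS lists a recent handshake per peer, and `curl ifconfig.me` from a LAN client should return the VPS address rather than the ISP-assigned one.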

If you have to pay, I personally suggest you buy a VPS, but buy from a trusted & reliable place. In my opinion, Hostnoc is best because it provides 24/7 support.

1 Like

A VPS is a great option, as you can wireguard straight to it, but VPS hosts have even fewer promises not to log than VPN companies. But it does protect the traffic from the ISP.

2 Likes

This isn't really an issue for me anymore. Google Fiber is now my ISP, and oddly enough I trust them more than Comcast. That isn't to say that I trust them, because I don't, but I trust them more than 98% of the VPN companies in existence.