I am relatively new to pfSense and networking, and I have a few questions that I would appreciate some input on. Currently, I have set up a Site-to-Site WireGuard VPN between my home and my relatives. I am wondering if it's possible to initially establish a Mullvad VPN to the internet and then establish the Site-to-Site VPN within that connection, as illustrated below.
In the pursuit of enhanced network obscurity, is it also feasible to automatically rotate the Mullvad VPN with a secondary Mullvad VPN tunnel to a different server?
EDIT: Side note: I acknowledge that this setup demands additional resources from the routers. At site A (main site), I am in the process of constructing an i7 system capable of managing this, complemented by my upgraded 1GB fiber internet. Conversely, site B poses no complications, as its internet speed is limited to 30MB down and 10MB up, making the current router sufficient for the task.
You’d need to coordinate endpoint / peer addresses somehow, and then there’s the issue of MTU, inner MTU would be (or should be configured) smaller than outer.
I would suggest using OpenVPN rather than WireGuard as it allows you to specify the interface it uses. It's a bit tricky to force WireGuard to use a specific gateway for its traffic, and I've never been able to get it to work reliably.
It would come at the cost of overhead, right? I'm worried it would be too much for the hardware.
Site A to Site B can only achieve a maximum of 30MB/s due to the bandwidth limitation at the remote site. I aim to utilize as much of this bandwidth as possible, especially considering the data synchronization requirements across the link.
Would OpenVPN give me the option to rotate the VPN connection periodically? It's a nice-to-have, but I'd like to change the Mullvad server used every so often.
I don't know if there's a good way to automate rotating a VPN server in pfSense, but either WireGuard or OpenVPN will let you do it manually. I don't know how significant the difference in performance is between OpenVPN and WireGuard, but WireGuard in pfSense does not allow you to select which interface it uses to connect. If you want to use something other than the default gateway, then I would suggest using OpenVPN over WireGuard. You can try to use floating rules in the firewall to force WireGuard to use a specific gateway, but I've never been able to get that to work reliably.