Best Privacy VPN Solution

I’m still fairly new to this, having run pfSense for only about a year or so. I know very little about networking and I’m incredibly stupid. Having said that, you’ll perhaps understand why I can’t seem to get anything to work. My initial installation with out-of-the-box settings worked great. But when I go to set up other stuff like VPN solutions or HAProxy, I inevitably get stuck at some point because I don’t see what the tutorials tell me I should see. And I’m very careful going step-by-step. For example, I tried setting up NordVPN (it’s what I have for now) for privacy, but (a) it routed all traffic through the VPN and (b) it shut down my access to the Internet. So a rollback was required.

But I ramble; I’m a little frustrated. The question I have is: what’s the best way to set up a privacy VPN? Secondary requirements are that it be dead simple (for this simpleton) to set up and allow me to choose what applications/servers are routed through it. I’ve looked through older posts, but most of them talk about access VPNs rather than privacy VPNs. I’ve wanted to switch from using Nord to setting up Tailscale with Mullvad, because it offers privacy with access, but I couldn’t get it to work. Any help would be appreciated. Thanks.

Why do you think you need a “privacy” VPN and what are you actually trying to achieve?

If you are planning to blindly shove all of your traffic up a VPN, do yourself a favour and don’t. All you are doing is reducing throughput and increasing latency - you are just moving who can snoop your traffic from your ISP to some (potentially shady) VPN operator.

VPNs have their place, but not for blindly shoving all traffic over.

Well.

I am a bit tired, so in short:
I would set up two different networks on two VLANs. One protected via VPN, the other not protected and directly connected to the internet, without tunneling.

Then set up two SSIDs on your AP and connect your devices to the one you want to use.

I did it in a bigger setup. I have my own Windows 11 VM for downloading via JDownloader, Usenet etc. that is ALWAYS connected via VPN.

Separate routing for each application in pfSense is, I would say, impossible for you to do. There is so much shitty data in the background for cookies, services from other providers, APIs etc. that it would turn into an endless story getting it working properly. And from time to time websites block your VPN IP. For me, for example, Amazon, Netflix etc.

So, either set it up like I said, use the NordVPN app, for example, and make the rules there for what uses the VPN or not, or forget about it. I don’t think you will be able to decide for every single application and website how to route.
Device-based routing: YES. Application/URL-based routing via VPN / not via VPN: forget about it.

I guess let’s set a few expectations first.

What’s your definition of privacy? What are your goals? Are you wanting to travel to Korea, hang in a coffee shop and do your online banking? Or are you looking to hide illicit activities? They’re two very different goals solved in two very different ways (hypothetically).

Let’s talk encryption.

VPNs came about when http was used everywhere, including your bank, so it was really easy to grab packets that are not encrypted with SSL and get login information.

Google a very long time ago made the push for https to be used as a standard not an exception and SSL encrypts your traffic preventing creds from being stolen unless the attacker has the needed certs.

SSL was pushed to make needing a VPN unnecessary, so what would a VPN do for you then? It allows access to restricted resources and that’s about it; it doesn’t make your presence on the internet more secure in 2024. In fact WebRTC does not care if you use a VPN and can ID and track you no problem.

A proxy would actually give you privacy since the proxy is making the request for you so your traffic will always come from the proxy regardless of the tricks people use to look at your packets.

Your connection to your proxy can be over SSL or you can use a VPN to be able to reach your proxy and that is what I use a VPN for, reaching my proxy.

I use PIA vpn service, it has split tunnelling like it sounds you need, and a lot of other config ability. Quite affordable, and performs great for my bandwidth needs.

For secure remote access into my home network while away from home I’ve been using Twingate for over a year now. It’s free for a couple of access accounts and devices. Perfect for my needs. The performance is also just fine, but I’m only getting 70 Mbps down / 10 Mbps up with my wireless ISP, and Twingate maxes that bandwidth out both ways when connected from away.

The NordVPN support is your place to go.

I’m still fairly new to this

With that in mind, do you have system resources to run a VPN? Specifically, what is your Internet connection speed and what kind of processor does your router have?

VPNs work by encrypting all outgoing traffic and decrypting all incoming traffic, so you need a beefy processor if you want a decent speed on your VPN connection. As a reference point, a dual-core Atom or Celeron typical for entry-level commercial-grade routers typically tops out in the 300-500 Mbps range…

The question I have is: what’s the best way to set up a privacy VPN

That depends on hardware (see above). In the extreme case, (high Internet connection speed, low-spec processor), the answer is none; VPN would bog the processor down.

Secondary requirements are that it be dead simple

Sorry, that just ain’t gonna happen. VPNs are complicated by design. If you want simple, you have to get someone else to work out the complexities for you. As in, you get off pfSense and buy something where VPN setup is built into the stock firmware (Firewalla, Flint 2, etc.) or preconfigured for you (FlashRouters.com).

Excepting external access, what is the place for a VPN? Should I just ditch my VPN subscription altogether? My experience with providers tells me no.

Yeah, that thought occurred to me last night, but that’s part of the reason for the question – I don’t know how to do it otherwise (frankly, with my experience trying to install it twice, I don’t know how to do it in any case). While I agree with your point about trust, I don’t think my VPN will send me a threatening email if I trip across the wrong site.

I wanted to go the Tailscale route, because I thought I could get it working (I do have it on one device and it works like a charm for access) and that I’d be able to choose what to route through it.

Yes, a separate VLAN for VPN traffic! When you set the gateway on the VPN VLAN to use the VPN gateway to your service, also exclude the subnet address from the NAT table. That way, if your VPN craps out, the devices on the subnet won’t be able to get to the internet. Sometimes pfSense will try to get the traffic to the internet even with a down gateway. Also disable IPv6 on your VPN subnet.

Thanks. I will definitely be setting up a VLAN.

How about both? I could see a time when I’d want to protect myself in the wild. For the other, I wouldn’t exactly call it illicit. I once got a threatening nastygram from my provider because, without downloading or looking at anything illegal, I’d visited a site that was on its list of verboten sites. Since then, I’ve been very sensitive to the provider knowing where I go on the Net. Also, I just don’t like being tracked in general because I hate being profiled and having my history sold to make someone else money.

Wait, you’re not saying use a proxy to replace a VPN, right? And are you talking like HAproxy on pfsense or an external proxy like Cloudflare? What are you using to do this?

That was my first stop.

I have a 2 Gbps connection. My router is a Protectli with an Intel(R) Pentium(R) CPU J3710 @ 1.60GHz and 8 GB RAM. It comes with 2.5 Gbps ports.

That’s a good point.

Yeah, I’ve figured that out, much to my chagrin. I think I’ll stick with my current router, though sometimes I think I might be better off with something simpler.

Got ya.

So for the coffee shop solution I mentioned above, I’d set up WireGuard on your pfSense box. Run it when you’re traveling or in areas you’re concerned about. This will effectively make your connection egress from your home, no matter where you are.

As for the second, you have to assume no real privacy, but you can sign up for a WireGuard supported vpn service, and then do some creative configurations around how it gets enabled. You could setup a specific ssid that’s always on the WG, or just manually connect it.

Option B for that would be to run your own WG node from a hosted VPS that you manage yourself, say in Europe.

Obviously like others mentioned, don’t route 100% of your traffic, all the time. It’ll suck.

Also note that you should consider DNS leaks as well when you’re running traffic in these configurations.
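The three posts above (VPN VLAN with the NAT/IPv6 caveat, "don't route 100% of your traffic", and the DNS-leak warning) all come down to the same question: for a given packet, does it leave via the tunnel or via WAN in the clear? The checker below is an added example, not code from the thread, pfSense or WireGuard. It models what the kernel does with a WireGuard peer's AllowedIPs: every AllowedIPs prefix becomes a route into the tunnel, and each packet takes the longest matching prefix (ties go to the tunnel, as wg-quick's policy rule does). Anything not covered by AllowedIPs follows the ordinary WAN default route. Feeding it the host's routes and resolver list flags resolvers that bypass the tunnel (a DNS leak) and the IPv6-default-route case the VLAN post warns about. Interface names (wg0, igb0, igb1), the routing table and every address are constructed sample data using documentation ranges.

```python
"""Split-tunnel and DNS-leak audit for a WireGuard-style configuration.

Added example (not from the thread, pfSense or WireGuard). Models the
kernel's longest-prefix-match decision over the host's routes plus the
routes a WireGuard peer's AllowedIPs would install.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

TUNNEL = "wg0"             # assumed tunnel interface name
WAN, LAN = "igb0", "igb1"  # assumed pfSense-style NIC names


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    iface: str
    metric: int = 100      # tunnel routes get 0 so they win ties at equal prefix length


def parse_routes(text: str) -> list[Route]:
    """Parse constructed 'prefix iface' lines; '#' starts a comment."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, iface = line.split()
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), iface))
    return routes


def tunnel_routes(allowed_ips: list[str]) -> list[Route]:
    """Each AllowedIPs prefix becomes a route into the tunnel (metric 0)."""
    return [Route(ipaddress.ip_network(p), TUNNEL, 0) for p in allowed_ips]


def egress_iface(dst: str, routes: list[Route]) -> str | None:
    """Longest-prefix match; lowest metric breaks ties; None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if r.prefix.version != addr.version or addr not in r.prefix:
            continue
        if best is None or (r.prefix.prefixlen, -r.metric) > (best.prefix.prefixlen, -best.metric):
            best = r
    return best.iface if best else None


def dns_leaks(resolvers: list[str], routes: list[Route]) -> list[str]:
    """Resolvers whose queries would leave via anything other than the tunnel."""
    return [r for r in resolvers if egress_iface(r, routes) != TUNNEL]


def ipv6_leak(routes: list[Route]) -> bool:
    """True if IPv6 internet traffic is routable but bypasses the tunnel."""
    via = egress_iface("2001:db8::1", routes)  # documentation address used as a probe
    return via is not None and via != TUNNEL


def audit(allowed_ips: list[str], resolvers: list[str], host_routes: str,
          destinations: list[str]) -> dict:
    """Combine host routes with the tunnel's AllowedIPs and report leaks."""
    routes = parse_routes(host_routes) + tunnel_routes(allowed_ips)
    return {
        "egress": {d: egress_iface(d, routes) for d in destinations},
        "dns_leaks": dns_leaks(resolvers, routes),
        "ipv6_leak": ipv6_leak(routes),
    }


# Constructed host routing table: WAN default for v4 and v6, one LAN.
HOST_ROUTES = """
0.0.0.0/0      igb0   # WAN default
192.168.1.0/24 igb1   # LAN
::/0           igb0   # ISP hands out IPv6 as well
"""
PROBES = ["203.0.113.7", "198.51.100.5", "192.168.1.1"]

if __name__ == "__main__":
    # Full tunnel, resolver inside the tunnel: clean.
    print(audit(["0.0.0.0/0", "::/0"], ["10.64.0.1"], HOST_ROUTES, PROBES))
    # Full tunnel but v4 only: IPv6 still leaves via WAN.
    print(audit(["0.0.0.0/0"], ["10.64.0.1"], HOST_ROUTES, PROBES))
    # Split tunnel for one destination block, LAN/public resolvers: DNS leaks.
    print(audit(["203.0.113.0/24"], ["192.168.1.1", "9.9.9.9"], HOST_ROUTES, PROBES))
```

The second scenario is the "disable IPv6 on the VPN subnet" advice in code form: with only `0.0.0.0/0` in AllowedIPs, the host's `::/0` default still points at WAN, so any dual-stack site is reached in the clear. The third shows why a split tunnel needs its own resolver: the LAN and public resolvers both egress outside wg0, which is exactly the leak the nastygram story describes. On a real box, replace the constructed table with the output of `netstat -rn` (pfSense) or `ip route` (Linux).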

Squid proxy built on a BSD server, and yes if you want true privacy you would use a proxy. I used to have several around the world I could use depending on the activity.

We used them big time with IRC back in the day because you could lose your SN if you logged out, so you would have servers like ZNC set up, which was an IRC proxy that stayed logged in for you. You would also use them because IRC was dangerous with direct connections, so to protect yourself and your privacy you used a proxy. I can’t think of a better example of how good a proxy is; IRC was the Wild West back in the day and just connecting to a server could be dangerous.

For an affordable, high-quality proxy, this is unbeatable.

Thanks. I’ll look into WG. I don’t think Nord supports it directly, but I know there’s some docs out there about it.

And, yes, DNS leaks are a concern. The nastygram I got came when I was using a VPN and thought I was protected. Do you have any idea how to detect or protect against DNS leaks?

Why Wireguard instead of OpenVPN, which is free?