VPN on Windows Server or use Unifi

Where do you set your VPN to connect into for your homelab and why?

Bonus points if you can give suggestions for good site-to-site VPN setups that can sync up two file servers (both Windows).

Depends.

But best is IMO if the VPN is terminated on the default gateways of the networks. That way you don’t need any manual static routing on clients.

It is doable with Windows Server (to be the default gateway & VPN terminator), but it’s not pretty*. Probably pfSense on some random (AES-NI) hardware would be the easiest & cheapest approach - at least that’s what I’ve found, but it depends on network speeds as well.

*But it would be possible to run pfSense under Hyper-V with them - still not pretty, but better than the native Windows RAS server. Proxmox/ESXi would be even neater - if you must run pfSense and WSRV on the same machine.

I also prefer IPsec nowadays over OpenVPN for speed (I’m talking about 200-300+ Mbit/s).

It is doable with Unifi, but why waste the money (and perhaps run into annoying bugs & the lack of OpenVPN (yet))?

As for the file sync… Well, if it’s a backup kind of approach, let’s say run daily, then Windows scheduler & robocopy is hard to beat. If you’d like real-time sync, well, I don’t know a reliable software for that (doesn’t mean it doesn’t exist). But something like NextCloud or similar might be the thing you’re looking for - in which case you don’t even need Windows - you can use it as a Docker container or an ESXi VM appliance out of the box.

So the best value for the money IMO, and let’s say with an internet bandwidth of at least 200/200 Mbit/s, today is 2 x Dell R210 IIs (E3-13xx v1/v2) running pfSense on both sites as the default gateway (main router basically) and running an IPsec site-to-site tunnel VPN also on them. There is a pretty good guide on the pfSense page on how to configure it (with the proper & fastest ciphers and stuff (AES-128-GCM)). Heck, I’m running IPsec site-to-site VPN on an i3-4130 pfSense on top of an ESXi at one place, and that can push 800 Mbit/s. It’s a Fujitsu desktop “converted” into a server.

Also, you could buy like 3-4 R210 IIs for the price of a UDM-Pro. That said, the Dells pull a bit more power (~30-40 watts).
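The daily "Windows scheduler & robocopy" approach suggested in the reply above, written out as an added example that is not part of the original thread: a scheduled task that copies a local share to the second file server across the site-to-site VPN. The share paths, the host name `site2-fs.lab.local`, the log location and the `LAB\svc-filesync$` group managed service account are assumptions.

```powershell
# Added example (not from the thread): nightly robocopy of a local share to the
# remote Windows file server reached over the site-to-site VPN, as a scheduled task.

$Source      = 'D:\Shares\Data'                     # assumed local share root
$Destination = '\\site2-fs.lab.local\Backups\Data'  # assumed remote server behind the VPN
$LogDir      = 'C:\Logs\robocopy'                   # assumed log location
$TaskName    = 'Nightly-FileServer-Sync'

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Robocopy switches used:
#   /E          copy subdirectories, including empty ones, without deleting anything at
#               the destination. /MIR would also replicate deletions, which means a mass
#               delete or ransomware run on the source is mirrored onto the backup copy.
#   /COPY:DATS  data, attributes, timestamps and NTFS ACLs
#   /FFT        2-second timestamp tolerance, avoids needless re-copies across file systems
#   /Z          restartable mode, so a short tunnel drop does not restart large files
#   /R:3 /W:30  three retries, 30 seconds apart, instead of the one-million-retry default
#   /NP /LOG+:  no per-file progress output, append to a persistent log file
# Exit codes 0-7 mean success (with or without copies); 8 or higher means failures,
# which shows up as the task's "Last Run Result" in Task Scheduler.
$LogFile  = Join-Path $LogDir 'sync.log'
$RoboArgs = "`"$Source`" `"$Destination`" /E /COPY:DATS /FFT /Z /R:3 /W:30 /NP /LOG+:`"$LogFile`""

# Run under a dedicated group managed service account (gMSA, hence the trailing $):
# no password is stored with the task, and the account only needs read on the source
# and modify on the destination folder, rather than domain admin rights.
$Action    = New-ScheduledTaskAction -Execute 'robocopy.exe' -Argument $RoboArgs
$Trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$Principal = New-ScheduledTaskPrincipal -UserId 'LAB\svc-filesync$' -LogonType Password
$Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                 -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null
```

Run it once interactively before relying on the schedule, and check that the gMSA has been installed on the host with Install-ADServiceAccount, otherwise the task will fail to log on.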

Sounds like you have a Unifi gateway - USG I assume? That’s where I’d set it up. I run a number of VPN services in my lab including an OpenVPN site-to-site tunnel to a few cloud-hosted VPSes. They all terminate at my gateway (OPNsense).

My reasoning for this is that I like using my firewall to control routing/traffic across the VPN tunnels, so I can easily apply firewall rules/IDS/IPS…etc. to it. It also allows any devices I choose on my home network to be able to communicate with the cloud servers and vice versa, and requires no further configuration on any of the actual servers. Syncing Windows file servers can certainly be accomplished this way.

I have my VPN server running on my pfSense router. In the past I’ve used a VM. I have OpenVPN running on my router because it feels like an appropriate place for it. My router is unlikely to go offline for some reason compared to my hypervisor. Getting OpenVPN set up on pfSense is a bit of a faff, however.

How much better are you getting for IPsec vs OpenVPN?

Interesting, I definitely see the benefits of using existing hardware. How do you deal with dynamic IP updates, especially for site-to-site VPN? Usually if it goes down for me I just need to reboot both routers multiple times until it reconnects; I feel there must be a better way than doing that!

I have a 1/1 Gbit/s connection on site1, and a 1/0.3 Gbit/s on site2. With IPsec I’m seeing 800 Mbit/s from site1 to site2 (and 300 from site2 to site1).

With OpenVPN it was about 200-250ish Mbit/s in both directions.

That’s with the same encryption algorithms.

site1 being the i3-4130, and site2 being an E5-2695 v2 (which, despite being expensive af, is slower by the way than the i3 in this task, and is the limiting factor I believe). I’m thinking of going back to the R210 II with the E3-1270 v1 for my router on site2 because of this (which I would have liked to avoid when I thought the R720 would do all the jobs in one machine).

It is why I say that it is upload bandwidth dependent, because if I had let’s say “only” 150 Mbit/s uplink, then it wouldn’t matter which one I’ve used. The IPsec configuration part of the web UI is maybe a touch easier to understand/set up in pfSense, compared to OpenVPN, but I guess it’s just a matter of taste.

Good question. In my case, I have a static public IP on my cloud-hosted firewall, so I use that as the OpenVPN server for the tunnel, and my home firewall is the client which connects to it directly by IP.

Side note: My only reason for doing it this way is because I had the same concern as you do about IPs changing (I do not have a static IP at home). For purposes of traffic routing through the tunnel though, it’s irrelevant which is the client/server.

If none of your sites have a static IP, then you could probably use dynamic DNS, and use the public DNS name of the VPN server to connect to it, instead of direct with an IP.