{"id":6,"date":"2021-04-13T16:22:00","date_gmt":"2021-04-13T15:22:00","guid":{"rendered":""},"modified":"2021-06-08T18:50:58","modified_gmt":"2021-06-08T17:50:58","slug":"pfsense-and-vpn-tunnels","status":"publish","type":"post","link":"https:\/\/blog.hslracing.com\/myhome\/2021\/04\/pfsense-and-vpn-tunnels.html","title":{"rendered":"pfSense and VPN Tunnels"},"content":{"rendered":"<p>I have used <a href=\"https:\/\/www.privateinternetaccess.com\/\">Private Internet Access<\/a> (PIA) Virtual Private Network (VPN) tunnels for a number of years now and was keen to find out what else I could do with them.<\/p>\n<div style=\"clear: both;text-align: center\"><a href=\"https:\/\/blog.hslracing.com\/wp-content\/uploads\/sites\/6\/2021\/04\/pia-mascot.png\" style=\"margin-left: 1em;margin-right: 1em\"><img decoding=\"async\" border=\"0\" data-original-height=\"1024\" data-original-width=\"914\" height=\"320\" src=\"https:\/\/blog.hslracing.com\/wp-content\/uploads\/sites\/6\/2021\/04\/pia-mascot-268x300.png\" \/><\/a><\/div>\n<\/p>\n<p>I set up a couple of VPN tunnels using <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> on my <a href=\"https:\/\/www.pfsense.org\/\">pfSense<\/a> firewall, one to <a href=\"https:\/\/www.privateinternetaccess.com\/\">PIA<\/a>&#8217;s London gateway and one to their Southampton gateway.<\/p>\n<p>The setup was performed partly by following <a href=\"https:\/\/twitter.com\/tomlawrencetech?lang=en\">Tom Lawrence<\/a>&#8217;s <a href=\"https:\/\/www.youtube.com\/watch?v=TglViu6ctWE\">YouTube<\/a> video, partly by reading the PIA <a href=\"https:\/\/www.privateinternetaccess.com\/helpdesk\/guides\/routers\/pfsense-2-4-5-openvpn-setup\">documentation<\/a> and partly guesswork and investigation.<\/p>\n<p>The reason I could not follow any of the guides directly is because they are based on <a href=\"https:\/\/www.pfsense.org\/\">pfSense<\/a> 2.4.5 and I am running 2.5, which seems to be significantly different in many ways, to the point that 
people who had working <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> tunnels under 2.4.5 had broken <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> tunnels after upgrading to 2.5!<\/p>\n<p>After finally persuading the <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> tunnels to start and adding the firewall rules, I discovered my first issue &#8211; despite having a rule that supposedly only places one device behind the firewall (my desktop), all devices are making use of the <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> tunnel and appearing to have the same IP as far as the tunnel is concerned.<\/p>\n<p>Previously I was using the  <a href=\"https:\/\/www.privateinternetaccess.com\/\">PIA<\/a> app on my iMac or iPad to provide a VPN tunnel and so the tunnel was private to that device.<\/p>\n<p>Now because I have set up the VPN tunnel on the <a href=\"https:\/\/www.pfsense.org\/\">pfSense<\/a> device, I now seem to have a &#8216;whole house&#8217; VPN since this is a gateway device, it does not seem to differentiate between different devices.<\/p>\n<p>An additional drawback I discovered was the bandwidth penalty from using the <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> tunnel on the firewall.<\/p>\n<p>I am used to losing a small amount of bandwidth to the VPN, but these figures were just unacceptable.<\/p>\n<table cellspacing=\"8\">\n<tbody>\n<tr>\n<th>Test Case<\/th>\n<th>Down<\/th>\n<th>Up<\/th>\n<\/tr>\n<tr>\n<td>iMac No VPN<\/td>\n<td>386<\/td>\n<td align=\"right\">20.8<\/td>\n<\/tr>\n<tr>\n<td>iMac pfSense <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> to London<\/td>\n<td>152<\/td>\n<td align=\"right\">19.8<\/td>\n<\/tr>\n<tr>\n<td>iMac pfSense <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> to Southampton<\/td>\n<td>205<\/td>\n<td align=\"right\">19.4<\/td>\n<\/tr>\n<tr>\n<td>iMac PIA app <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> to London<\/td>\n<td>303<\/td>\n<td align=\"right\">19.5<\/td>\n<\/tr>\n<tr>\n<td>iMac PIA app <a 
href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> to Southampton<\/td>\n<td>293<\/td>\n<td align=\"right\">19.6<\/td>\n<\/tr>\n<tr>\n<td>iMac No VPN (CLI)<\/td>\n<td>317<\/td>\n<td align=\"right\">21.2<\/td>\n<\/tr>\n<tr>\n<td>iMac PIA app <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> to London (CLI)<\/td>\n<td>234<\/td>\n<td align=\"right\">19.5<\/td>\n<\/tr>\n<tr>\n<td>Media Server No VPN (CLI)<\/td>\n<td>322<\/td>\n<td align=\"right\">21.0<\/td>\n<\/tr>\n<tr>\n<td>Media Server PIA <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> to London (CLI)<\/td>\n<td>317<\/td>\n<td align=\"right\">19.6<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The first 5 tests listed above were all performed on my iMac desktop using the <a href=\"https:\/\/www.speedtest.net\/\">Ookla<\/a> Speedtest desktop app for macOS. <\/p>\n<p>All the Command Line (CLI) tests were performed using a Python script that can be obtained from the following <a href=\"https:\/\/raw.githubusercontent.com\/sivel\/speedtest-cli\/master\/speedtest.py\">location<\/a>.<\/p>\n<p>The <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> <a href=\"https:\/\/www.privateinternetaccess.com\/\">PIA<\/a> connection on the media server was set up using the scripts available from the <a href=\"https:\/\/www.privateinternetaccess.com\/\">PIA<\/a> <a href=\"https:\/\/github.com\/pia-foss\/manual-connections\">GitHub<\/a> repository and are presented for comparison. 
<\/p>\n<p>The current <a href=\"https:\/\/www.privateinternetaccess.com\/\">PIA<\/a> apps make use of <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> rather than <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a>, although until recently they also used <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> and even with that option, I rarely lost more than 50-60 Mb\/s.<\/p>\n<p>I tried to set up a <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> connection from my <a href=\"https:\/\/www.pfsense.org\/\">pfSense<\/a> firewall using the settings obtained from setting up the media server, however the VPN tunnel would not establish.<\/p>\n<p>Looks like for now at least I will continue to use the local <a href=\"https:\/\/www.privateinternetaccess.com\/\">PIA<\/a> VPN apps for both speed and ease of segregation.<\/p>\n<p>I did also set up a RADIUS-based VPN tunnel using <a href=\"https:\/\/openvpn.net\/\">OpenVPN<\/a> for remote access to my servers by following another one of <a href=\"https:\/\/twitter.com\/tomlawrencetech?lang=en\">Tom Lawrence<\/a>&#8217;s <a href=\"https:\/\/www.youtube.com\/watch?v=PgielyUFGeQ\">YouTube<\/a> videos.<\/p>\n<p>This one works as expected and I can remotely connect to my servers from my iPad, iPhone or MacBook.<\/p>\n<p>Throughput bandwidth is not really a concern for this connection, although I may also see if I can work out how to set it up with <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a>, although all my attempts so far have failed to connect.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have used Private Internet Access (PIA) Virtual Private Network (VPN) tunnels for a number of years now and was keen to find out what else I could do with them. 
I set up a couple of VPN tunnels using OpenVPN on my pfSense firewall, one to PIA&#8217;s London gateway and one to their Southampton gateway.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":91,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[5,3],"class_list":["post-6","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised","tag-homelab","tag-networking"],"_links":{"self":[{"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/posts\/6","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/comments?post=6"}],"version-history":[{"count":2,"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/posts\/6\/revisions"}],"predecessor-version":[{"id":261,"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/posts\/6\/revisions\/261"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/media\/91"}],"wp:attachment":[{"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/media?parent=6"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/categories?post=6"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.hslracing.com\/myhome\/wp-json\/wp\/v2\/tags?post=6"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}