Tutorial: Using Tailscale VPN with the Self Hosted Headscale Controller kzfaq.info/get/bejne/Y5-Xi7NnxsfFqas.html How to Setup The Tailscale VPN and Routing on pfsense kzfaq.info/get/bejne/hpOhYJuDm52zgI0.html Tutorial: pfsense Wireguard For Remote Access kzfaq.info/get/bejne/btCBaLh2xJ3clKc.html Basic Site-to-Site VPN Using WireGuard and pfSense kzfaq.info/get/bejne/aNWVatWFsqzRoZc.html ⏱ Timestamps ⏱ 00:00 ▶ Which VPN for pfsense 01:21 ▶ Tailscale Device VPN 03:16 ▶ Tailscale Site to Site VPN 04:09 ▶ Wireguard Device VPN 05:24 ▶ Wireguard site to site VPN 06:26 ▶ pfsense OpenVPN 08:07 ▶ OpenVPN Shared Key Deprecation 08:28 ▶ IPSEC VPN

Great vid. Many different options will work as long as your up to some config tinkering. I use the OpenVPN option with PIA client configs. Technically, my pfSense (PROXMOX VM) clients are double NATed becuase they sit behind an additional Ubiquiti edge router. Multiple PIA VPN tunnels to different endpoints stay up 24/7 with little problem other than the ocassional service restart. Traffic is routed to the VPN tunnels using pfSense firewall rules to send specific VLAN traffic to virtual gateways (VPN interfaces). Return traffic is routed from the edge router via static routes for the VLAN IP ranges back to the pfSense WAN interface. Good luck tinkering if you are reading this and go down the rabbit hole.

Great to see you around GrrCon! Thanks for doing another great video!

Yes! I just setup Tailscale. Perfect timing. Thank you, your videos are great!

Literally thought about replacing OpenVPN with Wireguard for my S2S VPN between my pfSense boxes this exact morning! Once again, the perfect timing :D

I had some trouble with configuring / starting out with WG in pfsense recently, I'm quite interested in testing it out though. I'll have to take another look - great video

Perfect, thank you for explaining these side by side!

Good stuff here Tom. Thanks for the video !

LOVED this video! Thank you for this video!

Love the little homage to "The IT Crowd" !

just installed openvpn in pfsense proxmox vm I really like I could export profile to PC and mobile. Configuration is very easy and everything works as intended

BROTHER, YOU ARE THE BEST!!! You oooh really helped me!! THANK YOU VERY MUCH!

very helpful explanation, thanks for the video

For Wireguard without public Ip, I've set up wirguard server on Digital Ocean cheap droplet, work like a charm

Not quite perfect timing for me, I've just spent yesterday setting up Tailscale. However, I have to say it is SO IMPRESSIVE. No open ports, and close to zero config needed.

Thanks for the information on these solutions. I am going to go with OPENVPN btw!

incredibly helpfull. Thank you!

Do you have a best practice to configure multiple VPN-servers (WireGuard protocol) in your PfSense+ setup? So for example when VPN-server 1 (US) is down you can (automatically) switch to VPN-server 2 (UK)? Do you add multiple peers to the tunnel?

I tried and it is installed thank u very much anda

Personally, I use openvpn and tailscale at the same time, and I have to say I love mesh VPNs and the fact that I don't have to open any ports for it to work

I have to deal with a lot of enterprise stuff... IPSEC and older with monsters of static routing tabels. Right now I try to replace them with a 3 Servers (in different Datacenters with different ISPs and Upstreams) where every Network (connects to all) and client (to one random) server. Networks speak BGP over every of the 3 connections. The 3 Servers each have sessions to another and the client pool is just nat'ed so I don't have to take care about routing for them. The servers are arch, wg, systemd-networkd, with rsynced client config.

If site 2 site open VPN shared key goes depreciated, what would be the alternative open VPN mode? Authorize with certificate?

Hey! Can you cover some options for lan-wide ad blocking? I really want to get rid of youtube ads and trackers but i cant download adblock to my Apple TV

Thanks for the run through. I am so old, I am still using IPSEC so I must look into the others you discussed.

A regular tailscale node can be configured to use another exit node, if that other node was approved to act as an exit node for the tailscale network. Is there a way to configure the pfSense tailscale node to use an existing exit node? I could not figure this out...

I use Tailscale to create a secure connection from family members to my Unifi Controller, I don't have to open up ports that way , and I only need 1 controller. I also have a dedicated VLAN for the Unifi / network hardware.

great job

I kind of like using L2TP for user VPN. The nice thing with it, it embeds the users credential for SMB. So if a user connects to a remote site and tries to use SMB to access one of the remote server is tries to authenticate using the VPN L2TP credentials first. OpenVPN doesn't do that. OpenVPN always work though. Windows has a tendency to always break L2TP every so often and it can be very much a pain to figure out how to fix it.

I've been using OpenVPN on pfSense with users authenticating FreeIPA (which is based on OpenLDAP) for the past 6 years

I hope there's a wireguard client config generator added to pfsense. It didn't take me that long to make the configs for my phone and laptop but I had to use the wireguard program on my desktop to generate the public/private keys which was a bit of a faff.

Does someone know a good industrial router that support pfsense with 24v input power supply ?

Your videos are the best, I would like to know if you could try or talk a little about the VPN that is also worked by Wireguard called Netmaker. Greetings from Peru.

Badass shirt 😎👍🏼

Comes down to using third party or not, be it a third party VPN provider or (tailscale servers). Being a MT user, its do I use zerotier or wireguard. I wonder which you prefer tailscale or zerotier?

I want to use an in-house software for the use of employees, do you think it meets my needs? Employees can connect from outside the company and use the software installed on the company's server

Can you do a video and share your thoughts on Twingate? It’s been a great option for me and I am curious your thoughts. Thanks!

I need to set up a Hub-and-spoke WAN topology for myself and two other parties - what do you think would be easiest for this? I also don't want one of the spoke sites to be able to reach back to me, but I assume that requires some firewall configuration?

Possibly an oddball question, wireguard on unraid vs on pfsense/opnsense? Which woukd be the preferred way to run it? Any "gotchas" to look out for one way or the other?

I just won't use packages in pfSense so I only use OpenVPN at the moment.

Does the 1100 support IDS/IPS? I plan to use one of these devices in a very low bandwidth scenario. Probably less than one megabyte/sec.

Very sad that you didn't bring up Zerotier as a VPN as well. I love this information though, and it brings up some very good points and issues with hosting a home VPN.

Where can we get the shirt?

I've been using openconnect and anyconnect (Cisco) for ages now.

Would wireguard for site to site and OpenVPN for client auth in one of the sites work?

I recently tried site-to-site ipsec on two pc Intel i3 with 8gb of ram each. The performance was horrible and I had to drop encryption to the most basic to get it just to work. Any idea??? Is it possible to do a tutorial on setting up site-to -site ipsec on physical machines?

I love Tailscale but they have some serious issues. I have iOS and the client eats data for now good reason. It’s been reported quite a bit on their own forums. It ate 3GB of my cell plan for no good reason.

Do you have a video on how to implement OpenVPN with LDAP? If we have 50+ users on our AD, do I have to create user accounts on pfsense, or will users be pulled from AD once LDAP is configured?

I love Wireguard

can we use restricted region video using mesh vpan, such as tailscale twingate?

Hey Lawrence, I'm having an issue with Wireguard on PfSense compared to using the VPN apps in Windows. The speed is considerably slower ( tested 2 different connections). Difference of 120/150 compared to almost full 500 down using the app. I'm using a Celeron N3160 with Realtek NICS (yeah I know whatever). Any ideas?

No mention of Zerotier? I use it widely for secure linking. Never got it's site 2 site working though, so there is that...

So Talescale kinda similar to Zerotier?

Hi, do you have video how to setup openVPN in Pfsense with Google LDAP authentication? thanks! greate content and very informative. thank you

Same here

How do I use IPVanish with pfsense

In my experience tailscale and openvpn is significantly slower than wireguard or ipsec.

OpenVPN isn't even just password. Don't know about pfSense, but with OPNsense you can make 3-factor authentication - password, one-time password (TOTP) (adding static-challenge "OTP" 1 into config will separate password and code) and personal certificate with strict matching.

Why can my Android devices still talk to my smart TV on the local network, even though all the traffic is supposedly configured to go through the VPN?

Why? Pfsense hotspot in each order

Hamachi burned before so will stick to building my own thing with WireGuard

for privacy... own VPN on own VPS with own CA, no log, all devices connected, access to home nas from internet

I'm currently labbing in Azure, confguring S2S VPN (ipsec). And then this video just appeared - lol.

Just finished a CompTIA Net+, Sec+, and CCNA courses through the VA at an IT school for Veterans. Have applied to over 115 jobs in the past 2 months. Can't get a job anywhere. Everyone wants you to have a PHD for an entry level IT job. It's depressing and discouraging out here! So desperate for someone in IT somewhere to give me a chance to get started. Can't get a job without experience, can't get experience without a job. Yay.

VPNs should also prevent screen recording, screen shots, have camera control, location control, and blocking the microphone. I've yet to see any VPNs doing this.

WG and Talscale FTW!

Wireguard is the way. I used openvpn for years but it just clunky and has a large overhead. Plus I really don't need user tracking. Wireguard was also easy to tunnel only certain network traffic rather than forcing all traffic through the vpn. Very impressed currently and once I figured out my config files for clients It's easy to deploy.

Hi can you look at Fortigate?and have speed tests done to see which vpn is faster in accessing home server

Jesus. Have a question about Pfsense and/or Netgate and you've answered it. Lol.

imo, wireguard has had the highest performance on every setup ive made.

"Tailscale is reasonably fast even though it's written in Go" I've got to assume you meant to say *because* it's written in Go.

wireguard is not production ready as it is under "active development". Why someone would recommend makes no sense to me.

Regarding OpenVPN Site to Site: While it is true that its shared key mode is being deprecated (on pfSense is called Peer to Peer (Shared Key)), you don't mention that you can configure OpenVPN site to site using certificates Peer to Peer (SSL/TLS). There is actually a warning right in the pfSense webpage that tells you this for a long time now: WARNING: OpenVPN has deprecated shared key mode as it does not meet current security standards. Shared key mode will be removed from future versions. Convert any existing shared key VPNs to TLS and do not configure any new shared key OpenVPN instances. Why don't you mention this? Instead you just recommend, "switch to one of the other ones... wireguard..."?!? While it takes literally seconds (well maybe minutes) to create an OpenVPN server using shared key mode, it does take quite a bit more thought and planning to use TLS because you instead have to create a CA, along with the certs and export/import the CA and certs on the clients. With OpenVPN it is also easy to configure site to multi-site, which works very well because OpenVPN adds all the routes for you - this which would be much more challenging to setup in WG. You can also have remote site/networks that are each behind NAT/CGNAT able to talk to each other through the OpenVPN Server which has a static IP. Just have to make sure you are aware of client overrides for different sites and use correct certs and sub-nets, which all can be a bit confusing at first. Access control can also be done using pfSense firewall rules of course. The only issue I can think of is expiring certs, so just make the CA and site client certs are 10 years which is a very long time... and if you still want to make a server cert using the recommended "no more than 398 days" (currently not enforced on pfsense client but who knows if it will be in future), then just remember to login the server and click the renew icon every year or so. If you have a site to site running longer than 10 years on same hardware, it is probably an excuse to upgrade! WG is faster than OpenVPN, I will give it that. I am concerned of the implementation in WG moving forward with announcement of new FreeBSD coming eventually, and if the configuration is going to change?...seems like a WIP and hesitant to deploy in production right now - would not want to do a software update in a year or two and have remote site break because of way WG is implemented changes in pfSense... same reason I would not use Tailscale. Of course same thing could happen with OpenVPN but it does seem more mature and stable. Tailscale site to site is easy to setup, but you need to purchase a paid tailscale because of limitation of the free account only having one subnet router. You need at least two for a true bi-directional site to site VPN to be "equivalent" of OpenVPN, WG, IPSec S2S. Sure you could maybe get a way with two and they won't care because they don't hard lock... but wouldn't use this for a client if they decide to disable it. If you want a pfSense client to just access a remote pfSense server one direction then a free account will work, but for more sites and/or both directions it will cost $ and you do not point this out. Also, trying to figure out ACL tags in attempt to restrict access (pfsense firewall is useless with tailscale) negates the ease of setup. In my opinion, if there is no other way to connect two sites that are behing NAT, then this is a solution but in a multi-site if at least one site is a static then OpenVPN or WG could be a possibility. If you have at least one site that has static IP use OpenVPN or WG!

openvpn its free

....erm, zerotier !?

first

Just use a iphone no vpn needed

NETMAKER

hi