Is there any VPN Server option in pfsense that's compatible with the built-in VPN Client default options in Windows 10?

If you were to setup L2TP with IPSec, yes.

I'm sure I already know the answer to this but which is better, OpenVPN or L2TP with IPsec? Prob OpenVPN

Yes it’s possible and is documented at https://docs.netgate.com/pfsense/en/latest/book/ipsec/mobile-ipsec-client-windows.html#.

But before you do that, I would suggest using the OpenVPN Connect client. It’s really nice and clean. I’ve been using it since beta with no issues and would definitely recommend it over the Windows client https://openvpn.net/client-connect-vpn-for-windows/

AFAIK L2TP/IPSec and IKEv2.

Can it work with username and password only without certs etc?

OpenVPN, for one simple reason- routing.

Let’s say your LAN is 192.168.120.x. Your VPN subnet might be 192.168.121.x. VPN clients with 192.168.121.x IPs need to know that they can/should send 192.168.120.x destined traffic over the VPN.

With L2TP, there are two ways to do this: 1. let the VPN be the default gateway, so the client sends ALL their Internet traffic over the VPN, or 2. on the client manually open an Administrator-level CMD or powershell prompt and use a ‘route add’ command like ‘route add 192.168.120.0/24 192.168.121.1’ (which must then be done each time you connect).

OpenVPN on the other hand can push routes to the client. So in the OpenVPN server setup, there’s an option for ‘local subnets’ and you can put in a list of CIDR subnets (i.e. 192.168.120.0/24,192.168.123.0/24). It will then push a route to the clients so they route all traffic for those subnets down the VPN.
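The routing point made above, as an added example that is not from the thread, from pfSense or from OpenVPN: a longest-prefix-match lookup over a constructed Windows client routing table shows where a packet for the office LAN goes with nothing pushed (out the home router, never reaching the VPN) and after the server's ‘local subnets’ list has been turned into OpenVPN `push "route …"` lines and installed via the tunnel. The home LAN 192.168.1.0/24, the client address and the interface labels are assumptions; the office LANs and tunnel subnet are the thread's own. Only the standard library is used.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination prefix, label of the interface/gateway it leaves by).
Route = Tuple[ipaddress.IPv4Network, str]


def lookup(routes: List[Route], dst: str) -> str:
    """Longest-prefix match, as any host routing table does: the most specific
    matching prefix wins and 0.0.0.0/0 is the fallback (default gateway)."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def client_routes_before_push() -> List[Route]:
    """Constructed: a home PC's table once the tunnel is up but nothing has been
    pushed (what L2TP/IKEv2 leaves you with when 'use default gateway' is off)."""
    return [
        (ipaddress.IPv4Network("0.0.0.0/0"), "home-router"),        # ISP default gateway
        (ipaddress.IPv4Network("192.168.1.0/24"), "home-lan"),      # the PC's own LAN (assumed)
        (ipaddress.IPv4Network("192.168.121.0/24"), "vpn-tunnel"),  # tunnel subnet, on-link
    ]


def push_route_directives(local_networks: str, tunnel_network: str) -> List[str]:
    """Turn the comma-separated CIDR list from the server's 'local subnets' box
    into OpenVPN 'push "route <network> <netmask>"' lines (OpenVPN wants a
    dotted netmask, not a prefix length).

    Refuses a local network that overlaps the tunnel network: such a route
    would claim the tunnel's own addresses and break the client's path to
    the VPN gateway itself."""
    tunnel = ipaddress.IPv4Network(tunnel_network)
    directives = []
    for cidr in (c.strip() for c in local_networks.split(",") if c.strip()):
        net = ipaddress.IPv4Network(cidr)  # strict: host bits must be zero
        if net.overlaps(tunnel):
            raise ValueError(f"{net} overlaps the tunnel network {tunnel}")
        directives.append(f'push "route {net.network_address} {net.netmask}"')
    return directives


def install_pushed_routes(routes: List[Route], directives: List[str]) -> List[Route]:
    """Client side: every pushed route is added with the tunnel as next hop."""
    installed = list(routes)
    for line in directives:
        keyword, network, netmask = line[len('push "'):-1].split()
        if keyword != "route":
            raise ValueError(f"unsupported push directive: {line}")
        installed.append((ipaddress.IPv4Network(f"{network}/{netmask}"), "vpn-tunnel"))
    return installed


def compare(dst: str) -> Tuple[str, str]:
    """Where a packet to dst leaves the client before and after the server
    pushes routes for the thread's LANs (192.168.120.0/24 and 192.168.123.0/24)."""
    before = client_routes_before_push()
    pushed = push_route_directives("192.168.120.0/24,192.168.123.0/24", "192.168.121.0/24")
    after = install_pushed_routes(before, pushed)
    return lookup(before, dst), lookup(after, dst)


if __name__ == "__main__":
    for dst in ("192.168.120.50", "192.168.123.7", "8.8.8.8"):
        print(dst, "->", compare(dst))
```

Traffic for 8.8.8.8 still leaves via the home router in both cases, which is the split-tunnel behaviour the post describes; only the listed office subnets move onto the tunnel. The overlap check is the one the server's ‘local subnets’ box does not do for you.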

No certs needed?
Explain how, please…

You can even get it working with certs! Using IKEv2 IPsec works just fine if you edit the parameters using PowerShell, which you should be doing anyway since the default client for Windows is borderline useless.

This works for any combination of security and password/cert you want. I’ve gotten it working with both MSCHAPv2 and EAP-TLS (password vs cert) and stronger crypto like AES-256, SHA384, and ECP384.

I’m really terribly sorry if this is an inappropriate or stupid question, but how would I learn about all the stuff? When I try to set up my own home network I get confused, especially with VPNs and VLANs, etc.

You can even get it working with certs!

I think the issue is that we don’t want certificates.

  • it requires you to generate certificates
  • it requires the user to install the certificates in their certificate store

This is what I did so I have both and it's great, but it was a slight pain to config if you want higher ciphers. My dumb brain figured it out, so you likely can too.

learn by doing. learn by playing. learn by trying, fucking it up, googling for ages to find a way to unfuck it, then unfucking it, and then fucking it all up again with the next thing you try.

This is not inappropriate or stupid. There is no such thing as a stupid question- only a person too stupid to ask the question, who will instead persist in a state of ignorance.

As others have suggested, the best way is to learn by doing. A spare old PC running pfSense and a managed switch (something cheap like a Netgear GS108T or GS110TP) are good choices.

To give you a few base concepts:

  • A subnet is a defined range of IP addresses that are local to a network. To send data to a local IP the data can simply be sent over the network. Outside the local subnet it has to go through a router (the default gateway). So you see in Windows IP settings it says like IP address 192.168.1.123 subnet mask 255.255.255.0- that means the subnet is only the first 3 octets of the IP address (192.168.1.0 - 192.168.1.255). The same thing can be expressed in CIDR notation, as 192.168.1.0/24. Google CIDR notation for more info on that.

  • A VLAN lets you have multiple virtual networks with one physical network. VLAN tech is an Ethernet tech- NOT an IP tech. It lets you have multiple networks completely separate from one another without having duplicate infrastructure. Common use is a VoIP network- company wants to keep VoIP and Internet traffic separated, so they have one VLAN for voice data and one for Internet data.
    VLANs work by tagging. A packet going across an Ethernet wire can have a VLAN tag that says which VLAN it’s part of. Dumb switches will ignore this, but smart / managed switches can use it and break ports out as tagged or untagged.
    Take the earlier example of a corporation. A single switch might feed a user’s computer and their VoIP phone. Let’s say at this company data is VLAN 10 and VoIP is VLAN 50.
    The computer port is ‘untagged’ and assigned to VLAN 10, that is the switch expects data without VLAN tags (and it puts that data on VLAN 10), and any traffic from other ports on VLAN 10 it will strip off the tags and feed it to the computer.
    The phone port is ‘untagged’ on VLAN 50, that is the switch gets untagged packets from the phone which it puts on VLAN 50, and any data it gets on VLAN 50 has its VLAN tag stripped off and sent to the phone port.
    Then the switch would have a ‘trunk’ port- on that port traffic on both VLAN 10 and VLAN 50 is sent and received, but it all has VLAN tags.

In pfSense the main LAN interface is untagged. But you can add tagged interfaces: in Interfaces > Assign, then the VLAN tab, create a VLAN assigned to an interface (i.e. igb0 VLAN 10), then in Interfaces > Assign you can make it an actual interface like OPT2 and give it an IP address.

The exercise I’d have you do- get an instance of pfSense running on an old PC and a powered switch. Create a VLAN interface and give it an IP address and DHCP server. Then configure the switch so it has a trunk port with both VLANs, and two other ports, each untagged on one vlan and the other…
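The tagging behaviour described in the post above (untagged access ports on VLAN 10 and VLAN 50, and a trunk that carries both with tags), as an added example that is not from the thread or from any switch vendor: a small 802.1Q frame parser/builder plus a flooding switch model. The MAC addresses, port names and payloads are constructed; the VLAN numbers are the post's. The one detail the model adds is that an access port ignores a tag the attached host chose itself, which is what stops a PC from putting its own frames onto the voice VLAN.

```python
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value announcing that a VLAN tag follows


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]  # None means the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """dst(6) src(6) [0x8100 + TCI(2)] ethertype(2) payload; the TCI's low
    12 bits are the VLAN ID."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vlan, offset = None, 14
    if etype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return Frame(dst, src, vlan, etype, raw[offset:])


def build_frame(f: Frame) -> bytes:
    """Serialise a Frame, inserting a tag (priority/DEI bits zero) when vlan is set."""
    out = f.dst + f.src
    if f.vlan is not None:
        if not 1 <= f.vlan <= 4094:
            raise ValueError("VLAN ID out of range")
        out += struct.pack("!HH", TPID_8021Q, f.vlan)
    return out + struct.pack("!H", f.ethertype) + f.payload


@dataclass
class Port:
    mode: str                              # "access" (untagged member of one VLAN) or "trunk"
    vlan: int = 0                          # access ports: the VLAN untagged frames land in
    allowed: FrozenSet[int] = frozenset()  # trunk ports: the tagged VLANs carried


def ingress(port: Port, raw: bytes) -> Optional[Tuple[int, Frame]]:
    """Decide which VLAN an incoming frame belongs to; None means drop it."""
    f = parse_frame(raw)
    if port.mode == "access":
        # Never honour a tag the host supplied on an access port, or the PC
        # could hop into VLAN 50 just by tagging its own frames.
        return None if f.vlan is not None else (port.vlan, f)
    if f.vlan is None or f.vlan not in port.allowed:
        return None  # this trunk carries tagged frames only, as in the post
    return f.vlan, f


def egress(port: Port, vlan: int, f: Frame) -> Optional[bytes]:
    """Re-serialise for the outgoing port: access ports strip the tag, trunks
    keep it; None if the port is not a member of that VLAN."""
    if port.mode == "access":
        if vlan != port.vlan:
            return None
        return build_frame(Frame(f.dst, f.src, None, f.ethertype, f.payload))
    if vlan not in port.allowed:
        return None
    return build_frame(Frame(f.dst, f.src, vlan, f.ethertype, f.payload))


def forward(ports: Dict[str, Port], in_port: str, raw: bytes) -> Dict[str, bytes]:
    """Flood a frame to every other port that is a member of its VLAN (a real
    switch also learns MACs; flooding is enough to show the tag handling)."""
    classified = ingress(ports[in_port], raw)
    if classified is None:
        return {}
    vlan, f = classified
    out = {}
    for name, port in ports.items():
        if name != in_port:
            frame = egress(port, vlan, f)
            if frame is not None:
                out[name] = frame
    return out


# Constructed switch: PC untagged on VLAN 10, phone untagged on VLAN 50,
# trunk to pfSense carrying both VLANs tagged.
SWITCH = {
    "pc": Port("access", vlan=10),
    "phone": Port("access", vlan=50),
    "trunk": Port("trunk", allowed=frozenset({10, 50})),
}
BROADCAST = b"\xff" * 6
PC_MAC = bytes.fromhex("020000000010")       # constructed, locally administered
PFSENSE_MAC = bytes.fromhex("0200000000fe")  # constructed


def demo() -> Tuple[Dict[str, bytes], Dict[str, bytes], Dict[str, bytes]]:
    """PC's untagged frame, pfSense's tagged voice frame, and a PC frame that
    tries to tag itself into the voice VLAN."""
    from_pc = build_frame(Frame(BROADCAST, PC_MAC, None, 0x0800, b"ip-from-pc"))
    voice_from_trunk = build_frame(Frame(BROADCAST, PFSENSE_MAC, 50, 0x0800, b"ip-to-phone"))
    forged = build_frame(Frame(BROADCAST, PC_MAC, 50, 0x0800, b"pc-pretending-to-be-voice"))
    return forward(SWITCH, "pc", from_pc), forward(SWITCH, "trunk", voice_from_trunk), forward(SWITCH, "pc", forged)


if __name__ == "__main__":
    for name, result in zip(("pc untagged", "trunk tagged 50", "pc forged tag"), demo()):
        print(name, {port: parse_frame(raw).vlan for port, raw in result.items()})
```

Running it shows the PC's frame leaving the trunk with tag 10 and never reaching the phone, pfSense's VLAN 50 frame reaching the phone with the tag stripped and never reaching the PC, and the forged frame going nowhere.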

While correct, generating certificates can be automated and should be considered over passwords if only a single factor is available.

Plus, if this is an automated environment, certificates can be deployed using GPO or, in non-windows environments, puppet or ansible.

Taking the easy way out shouldn’t be the right way.

I guess I gotta figure out how to separate myself from my family’s network first and foremost…

This is fantastic! Thank you very much.

I will update once I have my Unraid server running pfsense, which adds an extra layer of complexity. lol

Plus, if this is an automated environment, certificates can be deployed using GPO or, in non-windows environments, puppet or ansible.

People using VPN are doing it from their home PCs:

  • not joined to any domain
  • not subject to a group policy

And, entirely possibly, not have administrator access.

chainsaw usually works. you can apply it directly to the router, or if necessary - directly to the family.

People using VPN are doing it from their home PCs:

Not at any respectable company I’ve heard of. As an employee, you should still be provided a company-owned laptop (or desktop if desired) and work should not be allowed to be conducted on personal devices. These can come pre-shipped with the certs, or pull them on first-connect to the domain, which they should be preconfigured with.

If this is for a home PC to another personal network, then generating certificates is really not that bad since they only need to be done once a year or so, for a select few number of devices.