But what about a single computer or user? Like I want to give access to my home lab and compute power to a buddy of mine, but he doesn't want to, and doesn't need, like a whole site-to-site VPN.
How do I set up like single users who want to just connect via a MacBook Pro, for example, and toggle the connection?
I'm thinking the same kind of thing would work for something like an iPhone, which I would also like to use for myself.
I tried to do some searching and saw some things for like WireGuard, but can I use that with IPsec, like two side-by-side configs, or do I just use one VPN solution?
Again, please be kind as I get the gist of things and got that first setup working in a few hours, but this is a bit new to me.
You can use OpenVPN and/or WireGuard besides IPsec.
There are two types of VPN solutions:
LAN to LAN (or Site to Site)
Dial-in
LAN to LAN allows you to connect two sites (e.g. two offices).
Dial-in VPN allows individual devices to connect to a network. The purpose is to securely access the LAN via the internet.
Another purpose of dial-in VPN can be to route all the traffic via the internet connection. I use this on my Android phone on guest Wi-Fi networks. I don’t trust guest Wi-Fi networks, and that’s why I connect to my WireGuard VPN server at home. This allows me to use a guest Wi-Fi network securely.
Did you set up a LAN to LAN VPN connection between your EdgeRouter and pfSense firewall? You can add multiple internet connections to a pfSense firewall directly, and remove the EdgeRouter if you like. You can segment your network with VLANs, and route whatever LAN via fiber or coax. I did configure this for a client that has a campsite. The campsite guests use the coaxial internet connection (from the Guest LAN). When the coaxial internet connection stops working, the campsite guests will fail over to the fiber internet connection, and when the fiber internet connection stops working the office LAN will fail over to coax.
Anyway: yes, you can use the VPN solutions side by side. OpenVPN has a feature where you can assign static IP addresses to the clients. This allows you to make a set of firewall rules per client. It’s called Client Specific Overrides.
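As an added illustration of the dial-in case the original poster asked about (not part of this reply), here is what a WireGuard setup for two personal devices looks like. Every name and address in it is assumed: the home WAN hostname, the tunnel network 10.99.0.0/24, the lab subnet 192.168.50.0/24, and the key strings are placeholders to be replaced by the output of `wg genkey` / `wg pubkey`. WireGuard listens on its own UDP port, so it can run alongside an existing IPsec site-to-site tunnel on the same firewall.

```conf
# ---- Server side (pfSense WireGuard tunnel, or any wg-quick host) ----
# Constructed example: one interface, one [Peer] block per device.
[Interface]
Address    = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>          # placeholder, from: wg genkey

# Buddy's MacBook Pro. AllowedIPs here is a /32: the server will only
# accept packets from this key if they carry this source address, so
# firewall rules written against 10.99.0.10 really do pin to his device.
[Peer]
PublicKey  = <buddy-macbook-public-key>    # placeholder, from: wg pubkey
AllowedIPs = 10.99.0.10/32

# Own iPhone, same idea with its own key and its own fixed address.
[Peer]
PublicKey  = <my-iphone-public-key>        # placeholder
AllowedIPs = 10.99.0.20/32

# ---- Client side: buddy's MacBook Pro (import into the WireGuard app) ----
# Split tunnel: only the lab subnet and the tunnel itself go through the VPN,
# his normal internet traffic stays local.
[Interface]
Address    = 10.99.0.10/32
PrivateKey = <buddy-macbook-private-key>   # placeholder, stays on his laptop
DNS        = 192.168.50.1                  # assumed lab resolver, optional

[Peer]
PublicKey           = <server-public-key>  # placeholder
Endpoint            = vpn.example.home:51820   # placeholder WAN name/DDNS
AllowedIPs          = 10.99.0.0/24, 192.168.50.0/24
PersistentKeepalive = 25                   # keeps NAT mappings alive

# ---- Client side: own iPhone ----
# Full tunnel for untrusted guest Wi-Fi: 0.0.0.0/0 and ::/0 send everything
# through home, so the hotspot only ever sees encrypted UDP to one endpoint.
[Interface]
Address    = 10.99.0.20/32
PrivateKey = <my-iphone-private-key>       # placeholder
DNS        = 192.168.50.1                  # assumed, so DNS is not leaked either

[Peer]
PublicKey           = <server-public-key>  # placeholder
Endpoint            = vpn.example.home:51820
AllowedIPs          = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

The toggle the original poster wants is just the on/off switch in the macOS or iOS WireGuard app; nothing needs to be torn down on the server. Because the server only learns a peer's address from the `[Peer]` block and not from anything the client sends, the fixed /32 per device is what makes per-user firewall rules (allow 10.99.0.10 to the lab subnet only, allow 10.99.0.20 anywhere) trustworthy. Generate one key pair per device and never reuse a private key across devices, otherwise the address pinning no longer identifies a single machine.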
You assign the VPN connection to a subnet on your local network. Shouldn’t it be easy to create a new VLAN exclusively for that limited VPN connection and then write whatever firewall rules you want to limit access to the rest of the network? This would mean you would create a unique VPN connection for this one user. You would need another VPN connection (pointing to another VLAN) to handle all “full access” traffic.
I ask as a non-IT person…
EDIT - an even easier solution might be the “Client Specific Overrides” option that u/boukej shared in another post. That way you don’t have to create a unique VPN/VLAN for this user, but can still use firewall rules to limit access.
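An added example (not from either poster) of what the “Client Specific Overrides” approach looks like underneath: pfSense’s overrides are a GUI on top of OpenVPN’s `client-config-dir`, where a file named after the client certificate’s common name pushes a fixed tunnel address, and the firewall rules on the OpenVPN interface then refer to that address. The tunnel network 10.8.0.0/24, the Proxmox subnet 192.168.50.0/24, the certificate name `buddy-macbook` and the interface name `ovpns1` are all assumed placeholders.

```conf
# ---- OpenVPN server config (relevant lines only; constructed example) ----
server 10.8.0.0 255.255.255.0
topology subnet
# Directory of per-client override files, keyed by certificate common name.
client-config-dir /var/etc/openvpn/server1/ccd
# Do NOT enable duplicate-cn here: if several clients shared one certificate
# they would all be handed the same static address and the rules below
# would no longer identify one person.

# ---- /var/etc/openvpn/server1/ccd/buddy-macbook ----
# Pinned address for the client whose cert CN is "buddy-macbook".
# The client cannot pick its own address; the server assigns it.
ifconfig-push 10.8.0.10 255.255.255.0
# Only route the lab subnet to this client (split tunnel); other clients
# can still receive a broader push from the main server config.
push "route 192.168.50.0 255.255.255.0"

# ---- Firewall rules on the OpenVPN interface (pf syntax, evaluated top-down
#      like the pfSense GUI list; pfSense GUI rules are "quick" by default) ----
# Guest client: Proxmox web UI (8006) and SSH (22) on the cluster subnet only.
pass  in quick on ovpns1 proto tcp from 10.8.0.10 to 192.168.50.0/24 port { 22, 8006 }
# Everything else from the guest address is dropped and logged.
block in quick log on ovpns1 from 10.8.0.10 to any
# Remaining tunnel clients (your own devices) keep full access.
pass  in quick on ovpns1 from 10.8.0.0/24 to any
```

Order matters: the guest’s `pass` and `block` lines must sit above the general `pass` for 10.8.0.0/24, or the broad rule matches first. The `log` on the block rule is worth keeping, since a guest address repeatedly hitting other subnets is the signal that either the laptop is misconfigured or something on it is probing the network.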
Score, super easy for single-use type devices, which is perfect for myself and my buddies who need quick access to my Proxmox cluster for some lab testing.
Wouldn’t it just be easier to create a unique VPN connection for this limited user? You don’t have to create a user auth and provisioning system if you create a unique VPN for this situation (with appropriate firewall rules to limit access) and create a separate VPN connection for anyone that needs full access.
I realize at some point it makes more sense to create a user auth and provisioning system if you need to handle different levels of access for a lot of users. But for one user, it seems like there are easier solutions.