Which VPN on Netgate/PFsense can do this? (and it is relatively simple to configure on clients)

I have a NAS device in my office LAN that I would like to make available to colleagues who are working from home.

Between the NAS and Internet there is a Netgate 4100 box, with PFSense. As far as I saw, PFsense supports IPsec, OpenVPN, WireGuard and L2TP, and each of those, I believe, has some advantages and disadvantages.

My colleagues working from home are mostly using Windows laptops and Android phones, with just a few exceptions (Mac/iPhone). None of them is a power user in terms of computer knowledge, so VPN client configuration must be as much simple (and/or automated) as possible.

My biggest “fear” is that they will connect to the office VPN in order to reach the NAS, keep that VPN connection active all the time, and start using our office Internet link also to surf the Internet, watch YouTube videos etc. And that is something I would like to avoid.

Basically, I do not mind if they are 24/7 connected to the office VPN and accessing the NAS or being idle, but I would mind if they start, for example, watching YouTube etc. through the VPN.

Any thoughts on which VPN would be most suitable for this scenario?

OpenVPN with a split tunnel.

Do you have a routable public ip address on your WAN interface?

On a client behind your pfsense go to https://www.whatsmyip.org/ then log into the pfsense and check the WAN IP address. Do they match or no?


Read these two links from top to bottom:

Whatever VPN you create, just make sure you have a firewall rule that only allows access to the NAS and nothing else.

Make sure you also setup a split tunnel solution so only the traffic to the internal network is utilizing the VPN


Personally, I am a fan of wireguard. To me it's the easiest solution to set up.

Mobile IPsec is too complicated for you; OpenVPN may be.

Wireguard with split tunnel settings (allowed IP range only).

  • Windows client is always on so there’s literally no interaction from the client’s side.
  • Android client is one switch away from getting connected

Not sure about the Mac client but something tells me it’s not too different

OpenVPN as a split-tunnel with the client export package. Basically a one-click install and setup for the end users, and they just have to sign in with username and password (which can sync to on-prem AD if you have NPAS installed).

Split tunnel will also mean only traffic directed to your NAS (and other LAN resources) will go over the VPN. Everything else goes out clients’ home default gateways.

This is what i do with customers. I use Synology and no-ip, so things just work.

Like the above recipient said, in the plain English config, set their dns to not be forced across vpn (“split”, or “split brain” in google). The split is simply that traffic bound for your central LAN will go across the VPN, but other traffic will go via your default gateway, whatever that is, whether it is a laptop at Starbucks, or a home PC.

It sounds like you don’t have that many clients, so you should be able to just create one client in the OpenVPN wizard, and the VPN they will target will be a /24.

I use for authentication passwords as well as certificates in the client export part of pfSense. Some people prefer to give out individual keys. I do mine because it’s just easier and it’s not government work so it works great. It also gives my customer one client to download from a local server, and then I get to manage their usernames and passwords usually via a domain which is set up on the Synology as well. This way, their passwords do expire, and they have one user password combination to manage across not just the VPN but also the shares on the NAS.

I must have 20 or so customers set up this way using OpenVPN, including some whose offices needed to be connected, so those are set up as site to site, and they just work like a dream. You set them up, and you never have to touch them again.

There’s plenty of stuff out there on the internet to show you how to do everything, but I don’t know which Nas you are using. As long as it supports/creates Windows domains, like Synology does, tying your firewall to a VPN is a dream compared to trying to manage separate lists of users and passwords.

Here is a link to how easy it is to set domain authentication up on a Synology, which to PFsense is identical to a Windows server:

This isn’t the only place where how to do this is documented. Lots of videos out there walk you through the process. I noticed with PF that menu options come and go depending on the version you are on, and whether you are using the plus version. But don’t get hung up, just use common sense, as in the origin of the firewall's name, and it will work like a dream.

As always, back up your configurations. Don’t want to have to figure this out again. :)

Thanks for the suggestion, I will check this option.

Yes, I have a routable fixed public IP address on our WAN interface.

Sure, I can make firewall rules on the “server” (Netgate box) side to reject all traffic that is not designated to, let’s say, 10.55.55.55 (IP address of the NAS box) - but I presume that remote clients will then receive an error message when they want to reach Gmail, YouTube etc. Right?

I want, on client PCs/phones, only traffic designated to 10.55.55.0/24 (for example) routed through the VPN and everything else not to go through the VPN.

And to be easy to configure on client devices as much as possible.

Can you do something similar to “split tunnel” in Wireguard?

Yes, you are right, I do not have many remote workers - approx. 20-25 of them.

My NAS is QNAP.

We do not have any Windows server in our premises. QNAP can “integrate” into MS AD, as much as I know.

That is exactly what the split tunnel setup will do

Yes

On each of the wireguard clients you would do

AllowedIPs = 10.55.55.0/24

A wireguard full tunnel would be

AllowedIPs = 0.0.0.0/0
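As an added example (not code from any post in this thread), here is a constructed WireGuard client config of the split-tunnel shape described above, together with a small checker that applies the same AllowedIPs rule WireGuard uses, so you can verify before handing configs to colleagues that only 10.55.55.0/24 is tunnelled and the default route is not. The keys, the vpn.example.com endpoint and the 10.66.66.2 tunnel address are placeholders.

```python
"""Split-tunnel check for a WireGuard client config (added example)."""
import ipaddress

# Constructed sample client config, the shape pfSense/Netgate hands to a remote worker.
# Keys, endpoint and the tunnel address are placeholders, not real values.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.66.66.2/32
# No DNS line: the laptop keeps resolving names through its home resolver

[Peer]
PublicKey = <PFSENSE_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 25
"""

# Same config with a default route: everything, YouTube included, would go via the office.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.55.55.0/24", "AllowedIPs = 0.0.0.0/0, ::/0")


def allowed_networks(conf_text):
    """Collect every network listed under AllowedIPs in all [Peer] sections."""
    nets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets


def is_full_tunnel(conf_text):
    """True if any AllowedIPs entry is a default route (0.0.0.0/0 or ::/0)."""
    return any(net.prefixlen == 0 for net in allowed_networks(conf_text))


def goes_over_vpn(conf_text, dest_ip):
    """Would traffic to dest_ip enter the tunnel? WireGuard's cryptokey routing
    sends only destinations inside AllowedIPs to the peer; the rest stays local."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in allowed_networks(conf_text))
```

Run `is_full_tunnel()` over every config you export; a config that reports True will push the client's whole Internet traffic through the office link, which is exactly the situation the thread wants to avoid.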

Thank you! I will check wireguard first then, as it has a reputation for being simple. Which is important, as the colleagues who will need to configure it are not so computer literate. So I will have to make a “step by step” guide, with screenshots etc.

Yes, that is my impression so far, after reading the Netgate documentation and watching a couple of pfsense videos on YouTube.