Understanding VPNs in OPNsense

Started by Inxsible, March 24, 2021, 07:57:25 AM

March 24, 2021, 07:57:25 AM Last Edit: March 24, 2021, 08:02:15 AM by Inxsible
Having moved over to OPNsense, I am now providing OPNsense boxes to my family halfway across the world. There would be a total of 3 sites --

  • Mine
  • my parents' house
  • my sister's house

I was thinking of setting up VPN access such that it would allow them to connect to a bunch of my servers like Nextcloud, Bitwarden etc. and they can use these services that I host on my local network. It would also allow me to remotely log in to their networks in case I need to "fix" something on their networks.


  • I already have a Road-warrior VPN server set up for when I want to access my network from the road. I could create user names for my family members to be able to log into my VPN server. Similarly I could set up a VPN server on their OPNsense and do the same. Would that work, or would a Site-to-Site VPN be better than the Road-warrior style solution for this?

  • Secondly, because these are all home networks, there's no question of static IPs. How would this work with dynamic IPs? Would all 3 sites need to have separate DynDNS accounts so that any changes in the WAN IP wouldn't require someone to manually go in and change the IP addresses in the VPN server and client settings?

  • Thirdly, I have a 100 down / 5 up cable connection. Once they connect to my VPN server -- whether Road-Warrior style or Site-To-Site -- would they be using my bandwidth for anything that they do on their end -- even internet browsing? If so, would a Site-to-Site VPN be an "always-on" solution, or can it be connected/disconnected by clicking a button (family is not into IT at all)?

  • Finally, for the given use case, would it be better to use OpenVPN or IPSec for Site-to-Site VPN setup?

I know these questions are basic but I can't find definitive answers or maybe my google-fu is weak today.

Thanks for your time.

Quote from: Inxsible on March 24, 2021, 07:57:25 AM
I already have a Road-warrior VPN server set up for when I want to access my network from the road. I could create user names for my family members to be able to log into my VPN server. Similarly I could set up a VPN server on their OPNsense and do the same. Would that work, or would a Site-to-Site VPN be better than the Road-warrior style solution for this?
Site-to-site is easier if you have a lot of clients (i.e. devices) that are fixed to the site. E.g. if your family mainly connect from fixed desktop PC's. If everybody uses phones, laptops, tablets, etc. to connect, then a road warrior VPN gives them freedom to roam.

Quote from: Inxsible on March 24, 2021, 07:57:25 AM
Secondly, because these are all home networks, there's no question of static IPs. How would this work with dynamic IPs? Would all 3 sites need to have separate DynDNS accounts so that any changes in the WAN IP wouldn't require someone to manually go in and change the IP addresses in the VPN server and client settings?
You only need to set one location with dynamic DNS (yours most obviously) as the VPN hub. All other endpoints can be VPN clients. If you only have one public IP address, you need to set different port numbers for the OpenVPN servers.

Quote from: Inxsible on March 24, 2021, 07:57:25 AM
Thirdly, I have a 100 down / 5 up cable connection. Once they connect to my VPN Server -- whether Road-Warrior style or Site-To-Site -- would they be using my bandwidth for anything that they do on their end -- even internet browsing?
You don't need to redirect their default gateway to the VPN tunnel. You can push out a route to your subnet(s) to the VPN client and they will only send traffic for those subnets over the VPN.

Quote from: Inxsible on March 24, 2021, 07:57:25 AM
If so, would a Site-to-Site VPN be an "always-on" solution, or can it be connected/disconnected by clicking a button (family is not into IT at all)?
Road warrior OpenVPN allows for single click connections with the Android and Windows clients. iOS and most Linux need integration with their VPN clients. Mac has a good, free client in Tunnelblick. Unless you want to send devices by post back and forth, expect to spend a fair bit of time on video calls to configure the clients.

Site-to-site is easier, provided you have access to the remote OPNsense interface. More video calls ;)

Quote from: Inxsible on March 24, 2021, 07:57:25 AM
  • Finally, for the given use case, would it be better to use OpenVPN or IPSec for Site-to-Site VPN setup?
OpenVPN is much easier to set up, whereas IPSec benefits from being included in many OS as standard. YMMV

Take a good look at the LAN subnet ranges. This may prove impossible if everybody has 192.168.0.0/24 set on their routers ???

Bart...
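As an added illustration of the two practical points in Bart's reply (push only the hub's subnet instead of redirecting the default gateway, and make sure no two sites share a LAN range), here is a small Python script. It is not code from this thread or from OPNsense; the three site subnets are constructed examples, and it assumes an OpenVPN hub where each site's client-config-dir (ccd) entry is keyed by that site's certificate name, which is roughly what OPNsense's server settings and Client Specific Overrides produce.

```python
import ipaddress

# Constructed example: three home sites with non-overlapping LANs.
# The subnets are hypothetical, chosen to stay clear of the 192.168.0.0/24
# and 192.168.1.0/24 defaults that ISP routers commonly ship with.
SITES = {
    "home":    {"lan": "192.168.10.0/24", "role": "hub"},
    "parents": {"lan": "192.168.20.0/24", "role": "client"},
    "sister":  {"lan": "192.168.30.0/24", "role": "client"},
}


def overlapping_subnets(sites):
    """Return sorted pairs of site names whose LAN ranges overlap.

    Any overlap breaks routing over the tunnel: a packet for 192.168.0.5
    cannot be sent to the far site when the local LAN is also 192.168.0.0/24.
    """
    nets = {name: ipaddress.ip_network(cfg["lan"], strict=True)
            for name, cfg in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def _ovpn_route(cidr):
    """Render a CIDR as the 'network netmask' pair OpenVPN directives expect."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def hub_server_directives(sites, hub):
    """Server-side OpenVPN lines for a split-tunnel hub.

    The hub pushes a route for its own LAN only, so each site sends just that
    traffic through the tunnel and keeps ordinary browsing on its own ISP.
    Each client site's LAN gets a 'route' so the hub's kernel knows it lives
    behind the tunnel. There is deliberately no 'push "redirect-gateway def1"'.
    """
    lines = [f'push "route {_ovpn_route(sites[hub]["lan"])}"']
    for name in sorted(sites):
        if name != hub:
            lines.append(f"route {_ovpn_route(sites[name]['lan'])}")
    return lines


def client_config_dir(sites, hub):
    """Per-client ccd entries: 'iroute' tells OpenVPN which client owns which LAN.

    Assumes the ccd file name matches the client certificate's common name.
    """
    return {name: [f"iroute {_ovpn_route(cfg['lan'])}"]
            for name, cfg in sorted(sites.items()) if name != hub}


if __name__ == "__main__":
    clashes = overlapping_subnets(SITES)
    if clashes:
        raise SystemExit(f"overlapping LANs, renumber before building the VPN: {clashes}")
    print("# server.conf additions")
    print("\n".join(hub_server_directives(SITES, "home")))
    for client, lines in client_config_dir(SITES, "home").items():
        print(f"# ccd/{client}")
        print("\n".join(lines))
```

The overlap check is worth running before anything else: the pushed route and the `iroute` are both useless if a site's own LAN already covers the destination, which is exactly the 192.168.0.0/24 trap Bart warns about.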

Thanks Bart for the detailed response.

Quote from: bartjsmit on March 24, 2021, 10:01:57 AM
Site-to-site is easier if you have a lot of clients (i.e. devices) that are fixed to the site. E.g. if your family mainly connect from fixed desktop PC's. If everybody uses phones, laptops, tablets, etc. to connect, then a road warrior VPN gives them freedom to roam.
That's great. One more aim is to set up a backup TrueNAS server at either or both houses with replication. I guess Site-to-Site would be better the more I read and understand it.

Quote from: bartjsmit on March 24, 2021, 10:01:57 AM
You only need to set one location with dynamic DNS (yours most obviously) as the VPN hub. All other endpoints can be VPN clients. If you only have one public IP address, you need to set different port numbers for the OpenVPN servers.
Great. I will use different ports for each site to connect via.

Quote from: bartjsmit on March 24, 2021, 10:01:57 AM
You don't need to redirect their default gateway to the VPN tunnel. You can push out a route to your subnet(s) to the VPN client and they will only send traffic for those subnets over the VPN.
Of course... I should have thought about that. It was late at night when I posted, so my brain wasn't fully functional.

Quote from: bartjsmit on March 24, 2021, 10:01:57 AM
Quote from: Inxsible on March 24, 2021, 07:57:25 AM
If so, would a Site-to-Site VPN be an "always-on" solution, or can it be connected/disconnected by clicking a button (family is not into IT at all)?

Site-to-site is easier, provided you have access to the remote OPNsense interface. More video calls ;)
Not quite clear on this. If the VPN is not connected, I wouldn't have access to my family's opnsense interface. So they would have to initiate the VPN connection. Are you suggesting that I just do an "always-on" Site-to-Site such that they can access my services whenever they want without intervention? Does it even make sense to use the connect/disconnect model, given that they would be using their bandwidth for all other stuff except when they are using the services that I host?

Quote from: bartjsmit on March 24, 2021, 10:01:57 AM
Quote from: Inxsible on March 24, 2021, 07:57:25 AM
  • Finally, for the given use case, would it be better to use OpenVPN or IPSec for Site-to-Site VPN setup?
OpenVPN is much easier to set up, whereas IPSec benefits from being included in many OS as standard. YMMV

Take a good look at the LAN subnet ranges. This may prove impossible if everybody has 192.168.0.0/24 set on their routers ???

Bart...
Inclusion in the OS is not a huge criterion, because I want them to be able to access my network only when they are on their local network -- not when they are on the road (too technical for them to comprehend). So if the routes are pushed through such that their OPNsense instance can communicate with mine, then all the devices behind that instance should be able to connect too.

As for the LAN subnet ranges, I will be replacing their ISP-provided routers with OPNsense -- so I can control what IP ranges they will be on after deployment. I have already set up their OPNsense with a different subnet... the last piece of the puzzle is this VPN setup before deployment.


Thanks again.

Quote from: Inxsible on March 24, 2021, 03:37:49 PM
Not quite clear on this. If the VPN is not connected, I wouldn't have access to my family's opnsense interface. So they would have to initiate the VPN connection. Are you suggesting that I just do an "always-on" Site-to-Site such that they can access my services whenever they want without intervention? Does it even make sense to use the connect/disconnect model, given that they would be using their bandwidth for all other stuff except when they are using the services that I host?
Site-to-site VPN is typically always on if there is no running charge for idle use. A bit like the difference between ISDN connections and leased lines that preceded them (sorry for showing my age).

If you can configure the VPN before you send your family their OPNsense devices, then it will go live once they connect them to their ISP.

If the VPN is to be retrofitted or if there is a connection issue, your best bet is to go on a Zoom call (other platforms are available) and get them to share their screen and grant you control. YouTube is your friend: https://www.youtube.com/results?search_query=zoom+share+screen+give+control Once you have control, open a browser and connect to OPNsense from the LAN side and set up/debug the VPN through the web interface.

Bart...

March 24, 2021, 09:42:45 PM #4 Last Edit: March 24, 2021, 10:09:24 PM by Inxsible
Right, the devices are with me and I will configure them before I deploy.

Just confirmed that my parents' ISP uses CGNAT for IPv4 -- so that's a roadblock for Site-to-Site VPN. Will have to see what can be done about it.


  • Change ISP -- but usually the choice is very limited
  • Ask ISP for a public IPv6 address (apparently free as per online forums) -- problem would then be translation from my IPv4 as I use IPv4 exclusively
  • VPS maybe and then have the 3 sites connect to the VPS as the VPN server possibly

Need to read up and understand a lot more, I guess.



Quote from: bartjsmit on March 24, 2021, 10:47:18 PM
Not sure clients behind CGNAT is a showstopper: https://itectec.com/superuser/site-to-site-vpn-with-cgnat/

I read that same thing over on StackExchange. I am just trying to see what options are available to me so that I can choose one which is the least hassle.

Would ZeroTier work for me in this case?  Maybe even forego VPN completely and just use ZeroTier networks to connect the 3 sites together? I see that a plugin for zerotier is available in Opnsense as well...

How is ZeroTier different from a VPN -- does all the traffic go via ZeroTier servers if I were to sign up for a free account? More importantly, is this traffic encrypted and does it follow Zero Trust?

I am learning so much new stuff about different types of networking terminology and technologies that my head is swimming. Seems like I go into the rabbit hole of reading up on a million things but am still nowhere closer to the actual goal of "being able to access the LAN networks of the 3 sites seamlessly".

I haven't looked into ZeroTier, mostly because I'm wary of outsourcing security. OpenVPN has its own CA, so it gives control over who gets to connect.

It's a matter of where you draw the line between inside and outside your network, I guess.

Bart...

Quote from: bartjsmit on March 25, 2021, 08:41:13 AM
I haven't looked into ZeroTier, mostly because I'm wary of outsourcing security. OpenVPN has its own CA, so it gives control over who gets to connect.

It's a matter of where you draw the line between inside and outside your network, I guess.

Bart...
That was one of the first things I thought about as well. The data goes through the ZeroTier relays which seems like a possible point of insecurity.

I am currently following up with my parents to figure out if changing ISP is a possibility (unlikely), or I will try to contact their ISP and find out if they can provide a static IPv6 address. I will then have to look into IPv4 <--> IPv6 translation and how that would be possible. Failing that, I might have to consider moving to IPv6, as my ISP provides me with an IPv4 and an IPv6 WAN address.

I run both IPv4 and IPv6 through my OpenVPN tunnels but I've only ever used IPv4 for the 'outside' IP addresses. The wiki says you can tunnel over IPv6: https://community.openvpn.net/openvpn/wiki/IPv6

I would have a go with CGNAT first. Maybe set up a phone or a Raspberry Pi with your Road Warrior VPN and their WiFi details pre-configured and pop it in the post?

Bart...