Which VPN to use?

Started by defaultuserfoo, June 03, 2022, 10:04:40 AM

Quote from: Demusman on June 06, 2022, 01:26:04 AM
Quote from: defaultuserfoo on June 05, 2022, 10:18:51 PM
What is a "mobile app"?  Don't they have a cli built in or at least a WEB GUI?

Even if they do, I don't want to configure more than 3--5 APs individually.  More than 2 is already bad enough ...

Android or iOS apps.
Actually not sure if they have an iOS app, but I use the Android app and it's very simple to set up APs.

You want to use a phone to configure access points?  Seriously?  Do they deliver a phone when you buy an AP so you can try to configure it on a tiny screen where you can't see anything?

June 06, 2022, 10:54:02 AM #31 Last Edit: June 06, 2022, 11:26:25 AM by Vilhonator
Quote from: Demusman on June 06, 2022, 01:31:47 AM
Quote from: Vilhonator on June 05, 2022, 09:07:41 PM
VLANs are generally used by schools and corporations to separate networks (one example would be one VLAN to manage your network, including SSH and web GUI access to the switch and firewall, a second which has access only to the internet, and a third which has access to intranet stuff like IP phones and the internet).

You certainly can set up a VLAN for VPN, but unless you have a specific requirement (for example you would have to allow internet and/or intranet access, but block web and SSH access to the firewall etc.), it's pretty pointless.

If you are trying to achieve something on home network and instructions won't make any sense to you, then just leave it there, read more documents about things in question, so that you have general knowledge of things and try again.

VPN doesn't require much knowledge, but VLANs require a NIC that supports 802.1Q tagging (IEEE 802.1Q) and switches with VLAN tag support, and quite a bit of knowledge to get them up and running well.

I don't think you understand VLANs very well. You do realize they are just Virtual LANs, right??
If you have a switch on any network, you're using a VLAN. Not just schools and corporations, any network with a switch. Now you can segment a switch with multiple VLANs, and this is the equivalent of adding another switch: it becomes 2 broadcast domains instead of 1. Doesn't really take a lot of knowledge compared to VPNs.

No. Switches don't add domains and you would need one anyway to properly setup a VLAN.

The way VLANs work is that you use some form of detection (802.1Q tagging being the most common). OPNsense only supports tagged VLANs, meaning you can assign multiple VLANs on a single physical interface port.

A proper switch supports both tagged and untagged VLANs (untagged means you can assign one VLAN per physical port).

Let's say you have to set up 3 VLANs for school classrooms (1 each) which have 10 computers each, and have a gateway with just 2 ports, of which 1 is connected to a firewall like OPNsense. You will need at least three 16-port switches to accomplish this. The way I would do this is assign VLANs to the gateway and set up DHCP for each, then put ports 0-2 on the switches in trunk mode for the VLANs and assign ports 3-14 to the respective VLANs, set up ports 13-15 for spanning tree protocol, configure ports 0-2 and 13-15 to accept only specific MAC addresses, and configure QoS, blacklists and the rest on OPNsense.

That way all VLANs have internet access and receive their IPs from gateway and each switch handles internal network stuff and so on.

I have my work computer, PS4, TrueNAS and Personal computer all connected to different VLANs.

I use 2 Cisco SG-300-16 switches, and the only way I can access my TrueNAS, switches or OPNsense via SSH or web GUI is by physically connecting my computer to OPNsense.

TrueNAS shares work on all VLANs except the one my work computer is connected to, but none of the VLANs have access to each other or to the firewall, TrueNAS and switch remote management, which is how it should be done if security is your concern.

You don't need a VPN for anything other than connecting to a network which is restricted (for example connecting to your work network from home, or watching movies on Netflix which aren't available in your country).

There are 3 modes VLANs have, and 1 is available mostly on switches.

1. Trunk mode, which is used to connect a switch to another switch or gateway port with tagged VLANs; traffic for each VLAN goes through that, and the switch will route it to the correct VLAN.

2. Tagged mode means your computer's NIC must support VLAN tagging, otherwise it won't connect to any network.

3. Untagged mode. Any computer, AP, router or gateway can be connected to this; it is used to connect devices which don't have VLAN tag support to a specific VLAN, which is why you can assign only a single VLAN as untagged on that port.

Switches might add your domain name to different VLANs, because that happens to any device you connect to a network with certain domains. You might get confused because of it, due to the fact that most consumer routers and modems don't have DNS nor even let you assign a domain to them, but that's pretty common for enterprise-level network devices.
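The trunk/tagged/untagged distinction in the post above comes down to what a switch port does with the 802.1Q tag on each Ethernet frame. The following Python model is an added example, not code from the thread or from any switch vendor: it builds and parses 802.1Q-tagged frames (TPID 0x8100 followed by PCP, DEI and the 12-bit VID) and simulates how an access ("untagged") port assigns its single VLAN to incoming frames and strips the tag on the way out, while a trunk port keeps the tag and only carries the VLANs it is allowed. It goes slightly beyond the post by also showing the isolation property: a frame that entered in VLAN 10 is never delivered out of an access port in VLAN 20. The MAC addresses, port definitions and payloads are constructed for the demonstration; a real switch would additionally handle a native VLAN on trunks, which is left out here.

```python
"""Model of 802.1Q tagging and access/trunk port behaviour (constructed example)."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet II frame; when vid is given, insert an 802.1Q tag."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        tci = (pcp << 13) | (dei << 12) | vid  # Tag Control Information
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Describe a frame; 'vid', 'pcp' and 'dei' are None when it is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": None, "pcp": None, "dei": None}
    (etype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = etype
    info["payload"] = frame[offset:]
    return info


def strip_tag(frame):
    """Remove the 4-byte tag (what an access port does on egress)."""
    return frame[:12] + frame[16:] if parse_frame(frame)["vid"] is not None else frame


def add_tag(frame, vid):
    """Insert a tag with PCP/DEI 0 into an untagged frame (trunk egress)."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def classify_ingress(frame, port):
    """Return the VLAN a frame belongs to on entering a port, or None to drop it."""
    vid = parse_frame(frame)["vid"]
    if port["mode"] == "access":
        # An access port accepts untagged frames only and assigns its own VLAN.
        return port["vid"] if vid is None else None
    # A trunk accepts tagged frames for allowed VLANs; untagged frames are
    # dropped here because native-VLAN handling is deliberately left out.
    return vid if vid in port["allowed"] else None


def forward(frame, in_port, out_port):
    """Return the frame as it leaves out_port, or None if VLAN isolation drops it."""
    vlan = classify_ingress(frame, in_port)
    if vlan is None:
        return None
    untagged = strip_tag(frame)
    if out_port["mode"] == "access":
        return untagged if out_port["vid"] == vlan else None
    return add_tag(untagged, vlan) if vlan in out_port["allowed"] else None


# Constructed port definitions and frames (hypothetical, for the demo only).
ACCESS10 = {"mode": "access", "vid": 10}
ACCESS20 = {"mode": "access", "vid": 20}
TRUNK = {"mode": "trunk", "allowed": {10, 20}}
PC_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:0a", 0x0800, b"hello")
TAGGED20 = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:14", 0x0800, b"hi", vid=20)


def demo():
    """Exercise the three cases the thread discusses; returns (vid, dropped, vid)."""
    to_trunk = forward(PC_FRAME, ACCESS10, TRUNK)        # tagged with VID 10 on the trunk
    to_other_vlan = forward(PC_FRAME, ACCESS10, ACCESS20)  # dropped: VLAN 10 != VLAN 20
    to_access20 = forward(TAGGED20, TRUNK, ACCESS20)      # tag stripped for the end device
    return (parse_frame(to_trunk)["vid"], to_other_vlan, parse_frame(to_access20)["vid"])


if __name__ == "__main__":
    print(demo())
```

The point for a defender is the last case in `demo()`: the frame from VLAN 10 is dropped rather than delivered to the VLAN 20 access port, and any inter-VLAN traffic has to pass through the router/firewall (OPNsense in this thread), which is where the filtering rules belong.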

Quote from: defaultuserfoo on June 05, 2022, 06:42:57 PM
Quote from: meyergru on June 05, 2022, 05:51:34 PM
What do you mean by having to register the Unifi devices mandatorily? I used those devices for years and never had to do anything like that.

I have been reading that you cannot deploy their so-called dream machine without creating an account with them and registering it with them.  Apparently you can turn off the connection to that account later on, but should you ever want to sell your hardware, the next buyer won't be able to use it because of that account.

And how else would you configure their access points?

The dream machine is, like their edgemax line, another point. As Tom Lawrence pointed out in his videos, the former really have a vendor lock-in and limited capabilities in trade for usability, the latter are an abandoned product line. Their access points, however, can be configured with a Unifi controller, which is available per Dream Machine, as an appliance and also as free self-hosted software implementations for Linux, Windows, Android, iOS, virtual machines, docker images, and also as hosted solutions like Hostify.
 
As to the other point: There are good reasons to segment a network into different broadcast domains. A VPN almost always serves a need to protect traffic that intermediately passes over the internet. I would not expect it to provide more than routing. More often than not, you will also want to limit traffic to certain machines and/or services between the coupled networks, for example when you VPN to a friend's network. This is even more true for businesses, where you segment departments via VPN even when they are in the same location with no need for a VPN.

P.S.: Reading manuals often helps. I found the relevant section in the HP manual by just googling.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: defaultuserfoo on June 06, 2022, 02:27:55 AM
You want to use a phone to configure access points?  Seriously?  Do they deliver a phone when you buy an AP so you can try to configure it on a tiny screen where you can't see anything?

Why would they deliver a phone when you buy an AP???
You already have a phone, don't you?

It's very easy to configure them with the app. As far as seeing your phone screen... really?

Quote from: Vilhonator on June 05, 2022, 09:07:41 PM
No. Switches don't add domains and you would need one anyway to properly setup a VLAN.

Yes, a switch absolutely is a broadcast domain. You really need to do more research on all of this. Basic networking.


Quote from: meyergru on June 06, 2022, 11:27:39 AM
Quote from: defaultuserfoo on June 05, 2022, 06:42:57 PM
Quote from: meyergru on June 05, 2022, 05:51:34 PM
What do you mean by having to register the Unifi devices mandatorily? I used those devices for years and never had to do anything like that.

I have been reading that you cannot deploy their so-called dream machine without creating an account with them and registering it with them.  Apparently you can turn off the connection to that account later on, but should you ever want to sell your hardware, the next buyer won't be able to use it because of that account.

And how else would you configure their access points?

The dream machine is, like their edgemax line, another point. As Tom Lawrence pointed out in his videos, the former really have a vendor lock-in and limited capabilities in trade for usability, the latter are an abandoned product line. Their access points, however, can be configured with a Unifi controller, which is available per Dream Machine, as an appliance and also as free self-hosted software implementations for Linux, Windows, Android, iOS, virtual machines, docker images, and also as hosted solutions like Hostify.
 
As to the other point: There are good reasons to segment a network into different broadcast domains. A VPN almost always serves a need to protect traffic that intermediately passes over the internet. I would not expect it to provide more than routing. More often than not, you will also want to limit traffic to certain machines and/or services between the coupled networks, for example when you VPN to a friend's network. This is even more true for businesses, where you segment departments via VPN even when they are in the same location with no need for a VPN.

P.S.: Reading manuals often helps. I found the relevant section in the HP manual by just googling.

Well, when it comes to security, all a VPN does is use the same SSL encryption as HTTPS does; it won't protect you against malware, viruses, snooping or anything really (just check GitHub, there are some scripts available which even decrypt some VPN connections).

A VPN won't protect your data any more than HTTPS does; the difference is that it also encrypts HTTP connections (and nowadays 90% of the internet is encrypted, heck, you might not even be able to connect to any HTTP website without your browser warning about it).

If you want truly secure connections, create a proxy network; the only downside of proxies that I can think of is having to add things like Windows Update, game and website servers to a whitelist, which is a lot of work.

June 06, 2022, 12:14:50 PM #37 Last Edit: June 06, 2022, 12:17:53 PM by defaultuserfoo
Quote from: Demusman on June 06, 2022, 11:32:04 AM
Quote from: defaultuserfoo on June 06, 2022, 02:27:55 AM
You want to use a phone to configure access points?  Seriously?  Do they deliver a phone when you buy an AP so you can try to configure it on a tiny screen where you can't see anything?

Why would they deliver a phone when you buy an AP???
You already have a phone, don't you?

I have a Polycom 1500D on my desk.  I much doubt their software works on that --- and even if it did, why would I compromise my phone?  It has a tiny screen, barely large enough to be somewhat useful even, but I have it not for the screen but because I like the design, and the only reason I bought it is that Polycom phones have excellent voice quality.

Quote
It's very easy to configure them with the app. As far as seeing your phone screen... really?

Yes, really.  Have you ever seen the screens phones have?  They are ridiculously tiny and you can't see anything on them.

Quote from: defaultuserfoo on June 06, 2022, 12:14:50 PM
Quote from: Demusman on June 06, 2022, 11:32:04 AM
Quote from: defaultuserfoo on June 06, 2022, 02:27:55 AM
You want to use a phone to configure access points?  Seriously?  Do they deliver a phone when you buy an AP so you can try to configure it on a tiny screen where you can't see anything?

Why would they deliver a phone when you buy an AP???
You already have a phone, don't you?


I have a Polycom 1500D on my desk.  I much doubt their software works on that --- and even if it did, why would I compromise my phone?  It has a tiny screen, barely large enough to be somewhat useful even, but I have it not for the screen but because I like the design.

Quote
It's very easy to configure them with the app. As far as seeing your phone screen... really?

Yes, really.  Have you ever seen the screens phones have?  They are ridiculously tiny and you can't see anything on them.


And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

Quote
And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

Ah, just saw what phone is in question. You can still purchase a cheap tablet to use the app.
Also, you might be able to run the app on Windows 11:

https://www.androidauthority.com/android-apps-on-windows-11-3048569/

Quote from: Vilhonator on June 06, 2022, 12:22:16 PM
And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

It does have a USB port, but monitors don't connect to USB ports.  Even if you could find a monitor that does, you wouldn't get an image.

June 06, 2022, 04:14:01 PM #41 Last Edit: June 06, 2022, 04:15:41 PM by defaultuserfoo
Quote from: Vilhonator on June 06, 2022, 12:42:45 PM
Quote
And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

Ah, just saw what phone is in question. You can still purchase a cheap tablet to use the app.
Also, you might be able to run the app on Windows 11:

https://www.androidauthority.com/android-apps-on-windows-11-3048569/

Cheap tablets suck, and their screens are also tiny and tend to be of bad quality.  On top of that, they are all about Google here and Google there and don't really work without it.  But I have no business with Google and sure don't need them to spy on me, to steal my data and to control me.  Apple isn't any better.  99.999% of all software for Android or iOS doesn't work anyway.  It's funny because it's like what we had like 30 years ago.  People really do like bad soft- and hardware, and I'll never understand why anyone puts up with that.  Now it's even worse because you can't even connect a decent keyboard and a trackball to your device, and the GUI is horrible.

I don't have Windoze, either.  Why would I?  It has always been a security risk, and now it's spying and trying to control you with no way out of that.

Anyway, it doesn't matter.  Ubiquiti has made reasonably priced hardware, and their customers had to pay for that with bad support and their documentation being a bad joke at best.  They probably still do that (or at least want to), but they have taken a path that has taken them out of consideration.

June 06, 2022, 04:56:56 PM #42 Last Edit: June 06, 2022, 05:35:41 PM by Vilhonator
Quote from: defaultuserfoo on June 06, 2022, 04:14:01 PM
Quote from: Vilhonator on June 06, 2022, 12:42:45 PM
Quote
And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

Ah, just saw what phone is in question. You can still purchase a cheap tablet to use the app.
Also, you might be able to run the app on Windows 11:

https://www.androidauthority.com/android-apps-on-windows-11-3048569/

Cheap tablets suck, and their screens are also tiny and tend to be of bad quality.  On top of that, they are all about Google here and Google there and don't really work without it.  But I have no business with Google and sure don't need them to spy on me, to steal my data and to control me.  Apple isn't any better.  99.999% of all software for Android or iOS doesn't work anyway.  It's funny because it's like what we had like 30 years ago.  People really do like bad soft- and hardware, and I'll never understand why anyone puts up with that.  Now it's even worse because you can't even connect a decent keyboard and a trackball to your device, and the GUI is horrible.

I don't have Windoze, either.  Why would I?  It has always been a security risk, and now it's spying and trying to control you with no way out of that.

Anyway, it doesn't matter.  Ubiquiti has made reasonably priced hardware, and their customers had to pay for that with bad support and their documentation being a bad joke at best.  They probably still do that (or at least want to), but they have taken a path that has taken them out of consideration.

Well, all I can recommend for Ubiquiti is running the controller on some machine lying in the corner. Another option is to use a plain wireless router in AP mode, like the Asus RT-AC1900U, and use repeaters to extend the signal if needed.

To my knowledge, an AP is just a device which allows wireless access to a network, and you need to connect it to a wireless network which already is password protected, uses RADIUS or vouchers (https://docs.opnsense.org/manual/captiveportal.html), or use an app of some sort to secure it with a password. Otherwise it's just a plain wireless repeater without password protection.

But I do have to agree about Ubiquiti (used their devices at one of my jobs): without building your network purely using their products and installing the controller on an off-site server, their products are just fancy-looking toys.

Cisco is usually my choice when it comes to APs and switches pretty much for that reason (though Meraki series is just plain madness).

My personal favourite, though, are Buffalo wireless routers <3 LOVED them, but sadly they aren't available in my country, if the company still even makes routers.

June 06, 2022, 06:36:25 PM #44 Last Edit: June 06, 2022, 06:40:58 PM by Vilhonator
Quote from: defaultuserfoo on June 06, 2022, 03:37:25 PM
Quote from: Vilhonator on June 06, 2022, 12:22:16 PM
And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

It does have a USB port, but monitors don't connect to USB ports.  Even if you could find a monitor that does, you wouldn't get an image.

I know that.

To display your phone screen on your PC, you would have to use a docking station and a phone which supports displaying its screen via USB (also, the docking station has to have a DisplayPort, HDMI port or VGA/DVI port).
Now you might not be able to use your keyboard and mouse, but you can display your phone screen that way. This is the same way laptop docking stations work (except instead of USB, they connect to the Thunderbolt port on the laptop).

A 2nd way you might be able to display the phone screen is using Bluetooth and the right software.

A 3rd way to share your phone display to a PC is using the software that came with it and connecting the phone to a USB port on the PC (mine does that, though I do have a smartphone and don't know what the case is with IP phones or desk phones).