I would like to use opnsense as a proxy for mobile connections (done)

[senser]

Hello, I would like to connect to my home router (opnsense with internet connection) from my mobile device (LTE) so that the home router acts like a proxy for accessing the internet (dns and other requests from the mobile device should be done by opnsense). Is that possible? If so, what would be the basic setup? Thank you!

tldr; from my mobile I want to connect to the internet via opnsense (mobiles only „direct connection“ is a secure tunnel to opnsense). DNS requests from the mobile divice must be handled by opnsense (where unbound is running).

[Patrick M. Hausen]

That would be a VPN. You can use e.g. OpenVPN server on your OPNsense and the OpenVPN client on your mobile device.

[CJ]

Keep in mind that depending on how you configure the VPN you'll have varying experiences.

If you split tunnel then all the VPN will do is give you access to what's behind the OPNSense, ie your home network.

If you full tunnel, then all traffic will be directed through the VPN.  Which means that your speeds will be limited both by the processing overhead of the VPN and the bandwidth limits of your home internet connection.  Your latency will also see some increase.

[senser]

Alright, I was unsure if it will work. But with your confirmation I went ahead and installed os-wireguard, used the guide here https://docs.opnsense.org/manual/how-tos/wireguard-client.html to set it up and installed the wireguard app for iOS. The VPN will enable on-demand only for mobile networks. It works like a charm. All traffic is routed through the tunnel.

@CJRoss: I wanted to feel a little more secure on the go. Eg I wanted to benefit from my dns setup running in opnsense (unbound blackhole adblocker functionality and secure dns). My phone is fast enough to handle the processing overhead. I wonder if it will have a noticeable effect on battery life…or data usage. It should save a lot of unnecessary ad/tracker connections. Time will tell.

Now the world can connect to my wireguard port though. Are there ASN for ISP peer address ranges ? If so, I could at least limit access to peers of my mobile service provider…or should I use any of the more fancy filter options for that wireguard firewall rule on wan?

[CJ]

Alright, I was unsure if it will work. But with your confirmation I went ahead and installed os-wireguard, used the guide here https://docs.opnsense.org/manual/how-tos/wireguard-client.html to set it up and installed the wireguard app for iOS. The VPN will enable on-demand only for mobile networks. It works like a charm. All traffic is routed through the tunnel.

Glad it's working for you.

@CJRoss: I wanted to feel a little more secure on the go. Eg I wanted to benefit from my dns setup running in opnsense (unbound blackhole adblocker functionality and secure dns). My phone is fast enough to handle the processing overhead. I wonder if it will have a noticeable effect on battery life…or data usage. It should save a lot of unnecessary ad/tracker connections. Time will tell.

Even with a fast phone you'll see a difference.  I get different results when testing on my wifi with and without the VPN enabled.  I haven't noticed a huge battery hit on mine.

In regards to data usage, remember that while your phone usage will be the same or possibly slightly less, your home connection usage will increase by double your phone's data usage.

Now the world can connect to my wireguard port though. Are there ASN for ISP peer address ranges ? If so, I could at least limit access to peers of my mobile service provider…or should I use any of the more fancy filter options for that wireguard firewall rule on wan?

WG is pretty secure, so I'm not sure I would bother with trying to figure out ISP ranges and attempting to block them.  If you're concerned, you can limit what the WG client has access to in order to reduce what could happen.  Just give it DNS and outbound only, for example.

[senser]

I have read the wireguard technical whitepaper now (after installing it). I am no longer worried about having that listening on my wan. Pretty good read!
So far i didn’t notice any lag or issues. Everything just works as if I am at home connected to my wifi. I am limited to my upload bandwidth at home (10mbit) for download’s, but that’s more than enough. I have also disabled 5G on my phone. Who needs 5G anyway?

[Jardewylks]

Using OPNsense as a proxy for mobile connections could be a great move. It’s a solid tool for managing and securing your network traffic. However, setting it up for mobile connections might be tricky if you're unfamiliar. I’d suggest considering rotating mobile proxies as a backup or alternative. They’re specifically designed for mobile connections and can offer much flexibility. With rotating mobile proxies, you get the added benefit of constantly changing IP addresses, which can be helpful depending on your goal.