My dream home setup

[jds]

I am very new to networking, but decided to jump in anyway.  I bought a minipc with an intel i3 cpu, a 208GB SSD hard drive, 8GB memory, and more NICs than I need. It is now setup close to my ideal, but that will change, of course, since OPNsense keeps getting better, and my hardware is overkill.

My ideal:

1) Route all traffic through my OpenVPN client.  I could use two setups, but PIA is fast enough for all my needs.  If I were doing gaming, maybe have a subnet to avoid the VPN.

2) Have an OpenVPN server, so I can log in from anywhere using my phone, laptop, or tablet and access my whole home network.  This means I can look at my security cams, get anything from my media server, or access home automation.

3) BLOCK ADS!  I use two different piholes on two different raspberry pi zero w cards.  The two cards are so cheap ($5 each) and use so little power, that I have a backup when necessary.  I suppose that I could use aliases or something on opnsense to achieve almost
the same thing, but pihole is just beautiful.   Maybe some day I will run pihole as a container on my firewall/router box, or maybe someone will make a plugin to do that.  That would be phenomenal.

4) What I have not yet got to work: when I VPN in to my home network, say on my phone, I would like all my traffic to go out through
the router.  Then I would have VPN for all my traffic and ad blocking!  Did I mention how much I like ad blocking?

As you can see, my aspirations are modest.   What is your dream setup?

[jjanzz]

That is quite a sweet setup you've dreamed up there!

What I still want to achieve is an FTTx uplink, an internal 10Gbit network, a HA-setup, a UPS unit serving the entire network and a more 'professional' wireless network. I have been eyeballing UniFi for some time, but their privacy policy and terms of service is ugly. Aruba APs might be my best fit.

The major thing holding me back from realizing this dream is that my partner and I are looking to relocate, for bigger space - and FTTx is becoming more essential for us every day. Where we live now, only eurodocsis and vdsl are available.  As soon as we found a new home, I am going to start this project, so I can implement all this sweetness before moving over.

As to your ideal situation, jds:

• Routing all traffic through a single VPN provider - that doesn't add that much to privacy. In my humble opinion, that merely moves the need for trust from provider A to provider B. A more opsec-friendly scenario would be to segment the traffic, only route some traffic through the VPN. In case of compromise, they only have access to a part of your traffic. That said, PIA is battle-tested - but might be more of a target than your native ISP.
• OPNsense allows to easily setup a VPN server, with merely a few clicks. You should try it - the webinterface even has a comprehensive wizard to do all the tech work for you!
• Personally - but I might be a tidbit drastic - I wouldn't run a container-host or an hypervisor on my firewall. In my eyes, a firewall should to what it is meant for: firewalling. Running additional services come with their own attack vector. Fun thing, if you combine FTLDNS (PiHole's fork of the dnsmasq resolver) with Unbound, you can achieve a complete onsite DNS infra. OPNsense ships with Unbound, so rather than running PiHole and Unbound on the same box, you can configure PiHole to use Unbound on your OPNsense machine.
• Your 'adblocking network on the go' is really easy to achieve, see point [2] and use the address of your PiHoles as the DNS servers

[jds]

I like your thinking!

I had some difficulty with a setup that involved both vpn client and vpn server. The official tutorial from opnsense for the vpn server was quite different from what the wizard did, and that caused some confusion. There was no documentation on the client side, but PIA was helpful with the details missing on the pfsense documentation. Maybe the wizard would have eventually worked.

I like your point about unbound + pihole. I will.definitely try to set that up.

You are also right about moving trust from A to B. However, I was certain I could not trust A. Also, some of my machinnes can hop to another tunnel, to mix up the traffic more.

I have also struggled with a good wireless setup. Mine is currently cobbled together from decent commercial routers that have been tweaked to just pass though, a couple with dd-wrt. The radios are good, and most of the processing has been moved to my firewall, so it works, but... I even tried a more expensive mesh setup, but it did not give me the control I needed, and was not much speed improvement anyway, so returned it. I would like to hear of a good, not-too-expensive alternative, so will be interested to hear if you pull the trigger on the Arubas.

We actually have access to fiber but, am waiting on that. It will get cheaper eventually, and it is always nice to have a significant improvement to look forward to.

[jjanzz]

I had some difficulty with a setup that involved both vpn client and vpn server. The official tutorial from opnsense for the vpn server was quite different from what the wizard did, and that caused some confusion. There was no documentation on the client side, but PIA was helpful with the details missing on the pfsense documentation. Maybe the wizard would have eventually worked.

Have to be entirely honest here, I haven't tried the VPN client myself on OPNsense. The only VPN servers I trust are the ones I completely manage - not those of an external party. Not even the ones that seem trustworthy due to a good track record (PIA, AirVPN, Cryptostorm).  I run two VPN servers right now, at home and on the infra in a datacenter. The latter one is merely a fallback - if there are connectivity issues. 4G is a proper fallback, but has a shared IPv4 and isn't static.

I like your point about unbound + pihole. I will.definitely try to set that up.

If you need help with that, feel free to ping me! One additional tip: are you familiar with Wally3K's blocklist collection?

You are also right about moving trust from A to B. However, I was certain I could not trust A. Also, some of my machinnes can hop to another tunnel, to mix up the traffic more.

The best use-case depends on your goals. If anonimity is your goal, mixing it up is a pretty great idea - and perhaps using TOR over a VPN even better. If it is merely that you don't trust your ISP or to circumvent censorship, it doesn't matter that much. On a decent phone, some applications use certificate pinning. Even if there is a MitM attack going on - it won't be effective as this causes a fingerprint mismatch. Quite a while ago, this technique was also developed for websites/webservers (HPKP, HTTP Public Key Pinning) - though it was killed with Chrom{ium,e} dropping support. Too easy to screw it up, rendering websites totally inaccessible. And Let's Encrypt proved to be quite difficult with the validity set at three months.

I have also struggled with a good wireless setup. Mine is currently cobbled together from decent commercial routers that have been tweaked to just pass though, a couple with dd-wrt. The radios are good, and most of the processing has been moved to my firewall, so it works, but... I even tried a more expensive mesh setup, but it did not give me the control I needed, and was not much speed improvement anyway, so returned it. I would like to hear of a good, not-too-expensive alternative, so will be interested to hear if you pull the trigger on the Arubas.

Right now, I have one poor mans AP - as there isn't that much space to cover. Just one TP-Link Archer C7 flashed with OpenWRT in a wireless switch setup. But as soon as I need more APs, this isn't going to cut it.

If you want proper wireless communication with a limited budget, UniFi is the number one brand. There is a massive difference between 'enterprise grade' (yikes, I hate that phrasing) devices and 'consumer grade'. The biggest difference being wireless hand-off. Basically put, that are multiple APs creating one big network - whereas a couple of 'consumer grade' devices with the same SSID and WPA2 passphrase are individual networks.

I have pinged my mate with whom I had the discussion about privacy policies and T&Ds - as long as you use the UniFi APs and run your own controller (meaning, not using the cloud controller -or- USG), your privacy is safe. With the UniFi APs rated at less than 100 bucks - they are ideal.

We actually have access to fiber but, am waiting on that. It will get cheaper eventually, and it is always nice to have a significant improvement to look forward to.

If I may be so free to ask: where do you live? I live in the Netherlands, a 100/100Mbit line costs about 50 euro/month. In the areas where a GBit uplink is available, a subscription can be obtained for ~75 euro's (or less).

[jds]

So, I setup Unbound DNS, which seemed pretty straightforward, since I already had all the machines point to my pihole,
which pointed back to the router for DNS.  It seems to be working, but how can you be sure?  The logs look reasonable. 
I did add the Wally3K block lists---thanks for the tip!

On the other hand, I have not yet been able to get my outside clients that are logged into the opnsense OpenVPN server to
go out through my OpenVPN client, and use the pihole DNS.

I forgot to mention that  I have a CyberPower UPS that my router/firewall, piholes and WiFi are plugged into.  I ran a USB cable from
the UPS to the router/firewall mini-pc, and installed the NUT plugin, then setup the firewall to use minimal power when on battery.  That way, I should have several hours of internet during a power outage.

Re: fiber.  I live in a big city in the US.  Because you asked, I just checked the price again.  They have an introductory price for $60/month. Who knows what you can get after one year, but that is really pretty good.  However, my limit right now is the VPN.
So, it would be worthwhile, only if I set up a zone to split VPN and no VPN.

[jds]

Thanks for the tip about UniFi.  They do look like a good choice---magic 8 ball says that they are in my future.
What do you think about the merits of setting up DNS-over-https, with something like cloudflare on the firewall/router.
I take the philosophy that it is impossible to make my bicycle, house, or internet completely secure, but it is best
to stay at least one standard devlation above the norm in the paranoia distribution.  Since it is not clear where the
norm really is, I aim for two standard deviations, roughly.