FreeNAS could run OpenVPN in a jail.
(There are a few tutorials on this forum).
I prefer to run it on my router (but not all will support that).
You can run your own OpenVPN server and then connect to that when you're outside of your home.
You can also use OpenVPN as a client to connect to many paid VPN services.
> • Are you running openVPN or something different on your router?
> • Are you running a VPN client on your router or a VPN server?

I'm running OpenVPN server on my router.
> • If I run openVPN (as you are) from my router, does that mean that all connections through that router MUST go through the VPN (guaranteeing slowdown for roommates' connections)?

That is possible, you could run the client on your router and connect to a remote VPN server somewhere to hide your data from your ISP. I'm running the server on my router so I can connect to my home network when I'm away.
> • Is it possible to send some connections through the router via VPN and for others to bypass the VPN completely in the cases of:
> - router installed with client VPN
> - router installed with server VPN
> - freeNAS installed with server VPN
> (I have roommates who don't care about a VPN and won't want the slowdown.)

That's absolutely possible, though I'm not doing it and I don't have any experience with it. You would need to run something like pfSense so you could direct traffic to different paths. Another option is to run the client closer to the data that you want to protect. Say on your laptop so that traffic is routed over the VPN, but your roommates' data is not.
> What about when you're inside of your home?

For me, I'm already on my home network so I don't use the VPN. I'm not currently running any VPN clients on my home network.
> • If 2 devices are connected on a local network and are each also connected to the same VPN (via client installations at the device level), will they bypass the VPN connection in favor of the faster/more open local connection?
> I assume two LAN connected devices communicate freely with each other via LAN, even if they are both connected to the same VPN, and even if one of the two is acting as the VPN server.

That's going to be all about what paths you have set up and whether the devices are reachable. If those two devices are reachable you could absolutely set up a rule that forces the two to communicate via the VPN. Usually you would allow LAN traffic to stick within the LAN. I think my router server is set up to force all client device traffic over the VPN and also tells clients how to reach the LAN devices so I can use it to access my home network and also protect my traffic when I'm away.
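The "force all client traffic over the VPN and tell clients how to reach the LAN" setup described in that answer, written out as an OpenVPN server config. This is an added example, not config from the thread or from any poster; the home LAN (192.168.1.0/24), tunnel subnet (10.8.0.0/24), port, and file paths are assumptions.

```conf
# Added example, not from the thread. Assumed values: home LAN 192.168.1.0/24,
# VPN tunnel 10.8.0.0/24, UDP 1194, PKI files under /usr/local/etc/openvpn
# (FreeBSD / FreeNAS jail layout). Only UDP/1194 needs to be forwarded from
# the router; SMB, SSH and the web GUI stay reachable only from the LAN or
# from the tunnel, so they are never exposed to the internet directly.
port 1194
proto udp
dev tun
topology subnet

# Server certificate and keys (generate with easy-rsa; paths are assumptions).
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key  /usr/local/etc/openvpn/server.key
dh   /usr/local/etc/openvpn/dh.pem
# Extra HMAC on the control channel: packets without the right key are
# dropped before any TLS handshake, so port scans of 1194 see nothing.
tls-auth /usr/local/etc/openvpn/ta.key 0
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

# Address pool handed to remote clients.
server 10.8.0.0 255.255.255.0

# "Tells clients how to reach the LAN devices": a remote laptop gets a route
# for the home LAN, so it can mount the FreeNAS share or open the web GUI.
# Note: when the server runs in a jail rather than on the router, LAN hosts
# need a return route for 10.8.0.0/24 pointing at the jail (a static route on
# the router), otherwise replies from LAN devices never come back.
push "route 192.168.1.0 255.255.255.0"

# "Force all client device traffic over the VPN": the client's default route
# goes through the tunnel while connected. Comment out the next two lines for
# split tunnelling, where only 192.168.1.0/24 traffic uses the VPN and the
# client's other traffic (and its local LAN) is untouched.
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"

# client-to-client is deliberately omitted: remote clients reach the LAN,
# not each other. Devices already on the LAN never touch this server at all.

# Drop root privileges once the tunnel interface and keys are set up.
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
verb 3
```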
> • If 2 devices are connected on a local network and are each also connected to the same VPN (via a client or server installation at the router level), will they bypass the VPN connection in favor of the faster/more open local connection?
> I assume two LAN connected devices communicate freely with each other via LAN, even if they are both connected to the same router which is connected to or hosting a VPN.

If I'm reading you correctly, the LAN traffic would most likely not even know about the VPN. They'd communicate directly. Even if you forced all traffic to hit the router I can't think of a network configuration that would force the traffic out to the VPN and back in.
> • If I understand correctly:
> openVPN (freeNAS is self-server): free.
> openVPN (freeNAS is client to paid server): anonymous from ISP as well.
> Are there any other pros or cons to be aware of?

Sounds like you've got it. The only cons I can think of are the speed hit that you might encounter and the effort required to set it up. Some routers will handle this for you.
> • Does running openVPN as a self-service VPN server on a freeNAS server intended for home use (thus minimal simultaneous users) tend to be processing intensive?
> [Would processing increase significantly with additional simultaneous users?]

I wouldn't expect there to be any issues. Certainly additional traffic needs to be encrypted, decrypted, routed, etc. but I wouldn't anticipate a noticeable impact.
> • Somewhat unrelated: Does "tor" effectively function by amassing many home servers into one big crowdsourced vpn?

There are some similarities, where both can be used to hide traffic content, but Tor is more about hiding traffic, where a VPN is more about accessing networks. Paid VPNs get closer to hiding traffic by routing multiple users through the same hardware.
> > If those two devices are reachable you could absolutely set up a rule that forces the two to communicate via the VPN.
>
> Is setting up such a rule handled by openVPN, pfSense, or something else entirely?

It'd depend on your network (possibly handled by OpenVPN itself), but I can't see why you'd ever want this when the two could just talk directly over the LAN.

> > I wouldn't expect there to be any issues. Certainly additional traffic needs to be encrypted, decrypted, routed, etc. but I wouldn't anticipate a noticeable impact.
>
> Are encryption and decryption handled automatically by openVPN, or do I need an additional tool in the process to handle this? (I assume the routing is handled by pfSense for you, or in my case, what I believe to be IPFW.)

I'm not actually using pfSense. Just the router, whatever it uses for a firewall, and OpenVPN.

> > There are some similarities, where both can be used to hide traffic content, but Tor is more about hiding traffic, where a VPN is more about accessing networks. Paid VPNs get closer to hiding traffic by routing multiple users through the same hardware.
>
> If I understand correctly:
> ....
> So, increased security comes with slowdown and perhaps financial fees; thus:
> • Never use an insecure connection.
> • Beyond this, keep security to the minimum necessary level.

Seems reasonable. Security involves tradeoffs.
> Based on the general answers which you are providing, I believe I am more able to narrow down
> ...
> the general setup I should use is as follows:
> • I must avoid installing openVPN on my router; therefore, I should install openVPN on my freeNAS server (in a jail) as follows:
> - If just protecting personal files (assuming that they are intrinsically worthless), I should install openVPN as a server and thus host my own VPN for free.
> - If using a peer to peer plugin (such as Transmission), I should install openVPN as a client and link it to a paid VPN service (such as PIA).

Sounds good.
> • Since I am precluded from installing pfSense on my router, in areas where you mentioned the use of pfSense, I should look into installing freeNAS/freeBSD's IPFW as an alternative to pfSense to control the flow of connections to and from the server.

I don't think you'll need it. In the case of Transmission there are tutorials on how to install OpenVPN inside the jail to cover all traffic from that jail.
> • I should also install openVPN onto any clients which will interface with freeNAS outside of the local network (laptop accessing files, backup replication server, etcetera).

Yep, there are plenty of GUI OpenVPN clients that make PC usage simple enough.
> In the case of Plex, is a VPN needed when choosing to use remote use, or does Plex pass data through its own VPN, simplifying the process for the user? I ask because I can't imagine it would be convenient to install client openVPN on a Roku such that it could talk to the Plex media server.
> Still, if installing openVPN (for a self or a paid VPN) on a freeNAS server which is also a Plex media server enabled for remote use, would IPFW be necessary to configure the local network streams versus the remote Plex streams versus the VPN streams?

Plex can be set to only use encrypted connections.
You probably don't want anything with Google's name on it on your network.
A Google [...] router can only be configured by someone with a Google account. This means that Google not only knows who you are, but also where you are (based on both the public IP address of the router and nearby Wi-Fi networks). For the most privacy, create a new Google account that is used solely for administering the router and nothing else. Still, you have to assume that Google can get into the router at any time, so these devices are not for anyone who cares about their privacy.
As you would expect, the routers default to using Google's DNS servers which gives them an audit trail of every visited website. You can, however, change the DNS servers and I suggest doing so on the theory that Google knows enough about us already.
• 1.1.1.1 and secondary 1.0.0.1
• 208.67.222.222 and secondary 208.67.222.220
A number of us like pfSense for a router, as you've no doubt already seen.
You can run the controller software to run the whole network in a jail on your FreeNAS box.
> Do you recommend any specific alternative DNS servers?

Cloudflare is said to be pretty good. My preference (and practice) is to run my own DNS resolver on my pfSense router (or before that, on my Koozali SME server which served as my router). That way, I'm resolving to the authoritative nameservers directly rather than relying on someone else's cache, and there's no other single point that could tell a curious party what names I've tried to resolve.
> In such a case, if the server goes down, does this fail all internet?

No, the Unifi gear will run just fine without the controller in most cases. You need the controller running to set up new gear (WAPs/switches/router/etc.), but once it's configured you can take down the controller.
> > Plex can be set to only use encrypted connections.
>
> I assume that Plex encrypts connections automatically (without added effort needed from the user); so, why isn't [Encryption: Required] the default setting?

Because encryption was added not too long ago and some users might have a mix of servers or devices that do or do not support encryption.
> • Create a jail and install the openVPN server on it.
> • Install openVPN client on all plugin jails and connect them to that server.
> • Install openVPN client on any PCs which will remotely access the server.

I don't see why you'd need the client in your jails if they're connecting to a server that is on the same network.
> What about remote file access? If I want to access files remotely, is the correct method to create a jail and then, for all directories I'd want to access, mount the associated top-level directory to the jail?

Nope, you'd connect to the VPN and then mount the same share that you'd connect to when on your network locally.
> Sounds fairly straightforward actually - but what about when true root access is desired, for remote server management? Is this a security concern and thus not recommended?

You'd connect to the VPN and then SSH. This is the preferred method. Here you're only exposing the VPN to the outside world. Otherwise you'd need to expose SMB, SSH, etc. each with their own vulnerabilities.
> What about connecting to the freeNAS GUI itself remotely?

You connect to the VPN and then open the FreeNAS web page.
> I believe when I tried installing the openVPN client files to freeNAS main (and not a jail) via the command shell, freeNAS blocked installation of openVPN. (I believe this was by design.) What is the correct method?