What are the benefits privacy wise of having your VPN in the router compared to VPN on the device itself?

I hear a lot of talk in the pfSense community about running a VPN from the pfSense instance, including whether to invest in hardware more suited for that as opposed to just any old SBC or basic computer (namely, whether the processor has hardware encryption). Does it actually provide that much more protection for your devices to connect to the VPN at the router level as opposed to the device level to make it worth the extra hardware requirements? What benefits does it give privacy wise, and how do you juggle switching from on-device VPN when you’re not connected to your main network and using the router’s VPN when you are?

I’m assuming you mean configuring a VPN client like Nord or PIA to run off your pfSense box, not using OpenVPN or WireGuard to VPN to your network.

I’d say there are basically no benefits privacy-wise, unless you count a mobile device with a local VPN client being able to use the VPN outside your house.

Edit: I guess another note for privacy would be being able to easily switch what server you’re connected to with a local client.

For me it’s a mixture of peace of mind and performance. Any big VPN provider will have a kill switch in case your connection drops so data isn’t leaked, but can you trust that? Who knows what buggy client they have, whereas configuring a subnet to be forced out to the VPN connection through pfSense I feel I can trust more. I know with my firewall rules that things are going where they should; I don’t have to trust something else.

This might be a niche case, but I’ve found Nord seems to perform better on pfSense than on most other PCs when a local client is installed, and my pfSense is a 10 year old Dell.

Another consideration when talking performance would be low powered PCs. An older NUC I have struggled to work well with the VPN client always on, but offloading that to pfSense has it performing much better.

Operationally, you can use your workstation’s cycles for doing work and offload the VPN crypto to your network appliance. If you have multiple workstation machines on your network, it’s more efficient just having one network appliance doing crypto than every machine doing crypto for VPN. Also, if your workstation is older or resource limited, this is even more beneficial.

In terms of connecting to VPN while mobile, VPN desktop applications often have a “do not connect while on x-network” setting. You would set this to your home network if you had VPN in operation on your network appliance.

I don’t think VPNs offer any protection or privacy. It’s either you trust your ISP or the VPN provider. For me, I don’t torrent, so I trust the ISP more than the VPN.

From a security perspective, perks of dedicated hardware:

  • a VPN software RCE exploit won’t give the attacker free access to your firewall
  • compromise of VPN doesn’t mean compromise of other credentials on the firewall (for those who use the CA functionality etc)
  • FreeBSD cannot create a port mirror of the type of VPN tunnel Android devices support. So if you have Android clients and you want to watch their internet traffic (that went over the VPN) with an IDS that is standalone, you need a standalone VPN appliance too (I don’t know if Suricata within pfSense can monitor a VPN line’s internet egress)
  • firewall rules are marginally easier to reason about, IMHO, resulting in lower risk of misconfiguration
  • slightly more freedom with features and controls, it’s easier to write custom scripts and monitoring around the VPN on a standalone Linux box
  • I don’t know how up to date the VPN packages are kept on pfSense, on your own machine it’s easier to ensure you always have the absolute latest patches installed

From a crypto perspective, there’s zero difference unless the top crypto is too much overhead for your pfSense device (unlikely unless you have many clients). You’ll notice all the above “perks” (except #1) are operational related/situational. If you don’t have an IDS, don’t have any sensitive data on the firewall, don’t need anything fancy, then just host it on the fw and call it a day.

Realistically a VPN alone, with no other mitigations, will not offer you very much with regard to privacy. Modern websites are mostly agnostic with regard to your IP address, and instead do various forms of device-based tracking, i.e., cookies, device fingerprinting, canvas data, etc.

The idea is that your browser ends up getting profiled, and so when you visit sites you’re already identifiable, i.e., the same trackers either exist across websites, or your profile data is shared, or both. Suddenly obtaining a new IP address will not really do much (or really anything) to prevent tracking.

In the use case for many people, just turning on a VPN and using the same browser will actually do nothing to enhance your privacy in most cases.

Depends on the application.

If you’re using a VPN to geoblock/hide from torrents, etc, then you’re probably best off using VPN on device.

If you’re setting VPNs up to connect different networks (two offices together) then firewall VPN is the way to go.

Far harder to bypass or disable accidentally.

Network wide VPN coverage on any device.

I think the answer to this question varies on use-case.

For example, a business with 2 physical offices that wanted a VPN between the two. You would have a pfSense router at each site and create a Site-to-Site VPN between them.

In a home setting, there are lots of devices that will never get VPN capability built into the device, like Smart TVs etc. You might want to connect to a VPN Service online and route all traffic from specific devices in your home over the VPN Service only.

You only need to “worry” about the hardware pfSense is running on if you’re pushing a fair amount of traffic over VPN. For a home use case I wouldn’t expect you to need anything more than a standard pfSense capable x86 router. However in a business with a 1GB Symmetrical WAN Connection, this would be vastly different.

So I don’t think this is to do with privacy, rather more the use-case.
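Two of the replies above describe the same firewall-level setup: forcing a subnet or a handful of devices (a smart TV, a workstation) out through the VPN tunnel only, with the firewall rules themselves acting as the kill switch so nothing falls back to the WAN if the tunnel drops. The ruleset below is an added example in raw pf syntax (pfSense is built on FreeBSD's pf), not configuration taken from the thread or shipped by pfSense. Interface names (`em0`, `em1`, `ovpnc1`), the tunnel gateway address, the provider endpoint and the device addresses are all assumed placeholders; the OpenVPN port is assumed to be UDP/1194.

```pf
# Constructed example: pf.conf for a pfSense-style FreeBSD firewall.
# Hosts in <vpn_only> may reach the internet only through the VPN tunnel;
# if the tunnel is down their traffic is dropped rather than leaked via WAN.
# All names and addresses below are assumptions, not values from the thread.

wan_if  = "em0"
lan_if  = "em1"
vpn_if  = "ovpnc1"      # OpenVPN client interface (assumed name)
vpn_gw  = "10.8.0.1"    # tunnel-side gateway pushed by the provider (assumed)
lan_net = "192.168.1.0/24"

# Devices that must never reach the internet except via the VPN (sample addresses).
table <vpn_only> { 192.168.1.50, 192.168.1.51 }
# VPN provider endpoint(s) the firewall itself must reach on the WAN (sample).
table <vpn_servers> { 203.0.113.10 }

set skip on lo0
set block-policy drop

# NAT: VPN-only hosts are masqueraded on the tunnel only. The "no nat" line
# matters: if their traffic ever reached the WAN it would keep its private
# source address, so the kill-switch block rule below can still match it.
nat on $vpn_if from <vpn_only> to any -> ($vpn_if)
no nat on $wan_if from <vpn_only> to any
nat on $wan_if from $lan_net to any -> ($wan_if)

block log all

# Firewall itself: allow the tunnel to be built to the provider.
pass out quick on $wan_if proto udp from ($wan_if) to <vpn_servers> port 1194 keep state

# Kill switch: anything from a VPN-only host heading out the WAN is dropped
# and logged, regardless of whether the tunnel is up.
block out quick log on $wan_if from <vpn_only>

# Policy routing: VPN-only hosts are sent to the tunnel gateway no matter what
# the firewall's default route is. Traffic to the local subnet stays on the LAN.
pass in quick on $lan_if from <vpn_only> to $lan_net keep state
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from <vpn_only> to any keep state

# Ordinary LAN clients go out the WAN as usual.
pass in on $lan_if from $lan_net to any keep state
pass out on $wan_if keep state
pass out on $vpn_if keep state
```

In the pfSense web GUI the equivalent is a LAN rule for those hosts with the VPN gateway selected under Advanced, an explicit block rule for the same hosts on the WAN-routed path, and outbound NAT on the VPN interface; what matters is the same either way: the block rule is unconditional, so a dropped tunnel produces logged drops instead of a silent fall-back to the ISP path, which is exactly the property a client-side kill switch asks you to take on trust.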

VPN client on Windows for instance comes with a lot of bloatware, never mind the fact that the Windows OS will bypass any VPN you have to reveal your real IP address! Having it set up on your firewall gives you much more flexibility and security if done correctly.

> However in a business with a 1GB Symmetrical WAN Connection, this would be vastly different.

To be fair, 1 or more gbps direct fiber home connections are becoming increasingly common.