I’m sure this is a silly question, but if I use pfsense as my home router (I do) but don’t host any web servers in my local network or open up any ports on my router for gaming, et al., then is adding a cert (like Let’s Encrypt) helpful in any way? From the videos I’ve seen on this, including Tom’s, usually the first step requires you to have a registered domain. But as a home user, I don’t have one or need one. And registering a domain name would require having some DNS records point back to my public IP (which sounds like a bad idea if I am not hosting any web services). So I’m kinda wondering, is getting a TLS/SSL cert for my router (I suppose the same question can be made for my Synology NAS too) recommended in this use case?
I’m also planning to set up a site-to-site VPN to a family member’s house in the near future to remotely replicate our NAS devices. Does this use case change your answer to the above at all? I know the traffic would be end-to-end encrypted between our two sites via public/private keys with IPSEC or OpenVPN in that case.
Thanks in advance for any guidance here. I’m always trying to ensure I’m keeping my network as secure as possible and also enjoy learning a lot as I go along.
Given the set of circumstances you describe, I don’t think you do need an LE certificate. The only real value in your situation is that every time you log in to the interface you likely have to bypass the “Your connection is not secure” warning.
When you set up the OpenVPN site-to-site VPN, you will create local certificate pairs, so you wouldn’t be using the LE cert(s) for that purpose.
In my case I use them primarily for all of the pfSense firewalls I administer remotely. I have DNS A records for each along with LE certs for their respective domains, and access to the U/I through non-standard ports available only to trusted IPs, but I really only do that to save me the step of bypassing the not-trusted dialog. As often as I access these devices, that really does save me at least an hour every month. Your use case is drastically different from mine.
FYI, you don’t necessarily need to have the DNS A records pointing at your external IP. They can point anywhere. You just need for LE to be able to prove that you control the domain, not that they can actually connect to it. This is one of the reasons I use Cloudflare. Their API allows you to just let the local LE agent interact with Cloudflare and prove that the domain is actually under my control.
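As an added illustration of the point above (not code from the thread or from pfSense), this shows why the A record can point anywhere: under ACME's DNS-01 challenge (RFC 8555) the CA only checks a `_acme-challenge` TXT record derived from the challenge token and the account key, which is exactly what a client publishes through the Cloudflare API. The account key and token below are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed EC account key (public part only), not a real Let's Encrypt
# account key. Values are taken from the RFC 7517 example EC key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members,
    lexicographically sorted, serialised with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value the client must publish at _acme-challenge.<domain> TXT:
    base64url(SHA-256(token + "." + thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def validate_dns01(token: str, jwk: dict, published_txt_records: list) -> bool:
    """What the CA does after the client says 'ready': query the TXT records
    (from the authoritative nameservers, e.g. Cloudflare) and look for the
    expected value. The domain's A record is never contacted."""
    expected = dns01_txt_value(token, jwk)
    return any(record == expected for record in published_txt_records)
```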
Thanks, Jonathan. That’s how I was looking at it, too. Was hoping I wasn’t missing something.