PfSense Newbie looking for pointers

Hi there. Been following the YT channel for some time and enjoy the videos.

I’ve had a PfSense router for some time. I chose it for the simplicity of having a HW device that holds my network stuff and in the worst case I can physically unplug and secure my network without a concern something is still connected.

I am an old-style networking guy, I know the basics from my system management time in the 1900s and went into non technical management then. I still play and set up containers and VMs but networking is my Achilles heel. I’ve not sacrificed enough small furry animals to dark gods.

I purchased a NordVPN account and set the router up so everything was routed through the firewall. Nord gives instructions but I needed to call the HelpDesk to get it working. Fast forward a few years.

I upgraded the system and everything went to hell because I was stupid. Too many things at once and not reading the docs. So I rebuilt the firewall and all the little niggles started. YT knows it is a VPN and makes me login for example.

So what I want to know is how do I set up Nord as an Interface and choose how to route via that for only the apps I want? How can I route some domains through it while others go out normally? Are there some YT videos or web pages where I can learn about this? ATM I’m using two laptops, my normal one and one for watching YouTubes.

Any pointers or advice would be appreciated. Happy to learn. Large order of small furry animals on order. :wink:

1 Like

The first question is what exactly is it you think NordVPN is doing for you?

All it does is put your privacy in the hands of another entity, potentially off shore, who may be subject to subpoenas just like any other service provider. What it really does is slow down your connection because of the additional encryption overhead and subject you to possible throttling by NordVPN.

I simply ignore all the internet and YouTube shills who promote so called “privacy” VPNs in exchange for a paid kickback.

1 Like

I think it is hiding my data from my ISP which Plod can access with a simple phone call. At least with a foreign third party they have to fill out all the forms where they have to justify their prodnosing.

Although that is irrelevant for my question. I have a need for this and am looking for pointers on where to start looking. I must confess I thought there would be some articles out there on how to do it. When I worked in IT our networking guys seemed to think this sort of stuff was easy for them. Not for me though.

Any thoughts on how to make the changes?

If you want to route based on the client application, you would do this either by using a VPN container and then making selected apps go through the network of this container, or you create a virtual router that connects to the VPN and put selected apps in VMs behind this virtual router. A third option and by far the easiest to implement would be using these selected apps on a separate physical machine that is running QubesOS or TAILS. In QubesOS you can set up a variety of egress network VMs/virtual routers and attach them to different VMs running apps. This way you can run different apps over different VPNs or TOR and even nest several VPNs / TOR.

If you want to route based on the target service IP, you could maybe have a default gateway that sends stuff out in plain and a VPN gateway to which you route traffic destined to selected services based on CIDR. I haven’t done this, so I cannot really help with the implementation and I am not 100% sure if it can be done in pfSense. I’d think this solution is also quite error-prone and not what you want to use if you take opsec seriously.

The easiest way is to set up VLANs, have the gateway for one of the VLANs exit via the VPN. Anything on that VLAN goes out the VPN, activate the kill switch and if the VPN goes down then the traffic will stop.
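As an added illustration (not from anyone in this thread), a small Python model of the two ideas in the posts above: the VLAN-plus-kill-switch approach and the earlier CIDR-based policy routing. The rule sets, gateway names and addresses are constructed; the one real pfSense behaviour it models is the "Skip rules when gateway is down" option (System > Advanced > Miscellaneous), without which a policy-routing rule whose gateway is down is loaded without the gateway and the traffic follows the default route in plain.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    src: str                       # source prefix (the client VLAN)
    dst: str                       # destination prefix
    action: str                    # "pass" or "block"
    gateway: Optional[str] = None  # policy-routing gateway, None = default route

def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(rules, src, dst, gateways_up, skip_when_down):
    """First-match rule evaluation, as on a pfSense LAN-side interface.
    Returns ('pass', <gateway>), ('pass', 'DEFAULT') or ('block', None).
    skip_when_down=False: a rule whose gateway is down is loaded without its
    gateway, so the packet passes via the default route (the leak).
    skip_when_down=True: that rule is omitted and later rules decide."""
    for r in rules:
        if not (_in(src, r.src) and _in(dst, r.dst)):
            continue
        if r.action == "block":
            return ("block", None)
        if r.gateway is None:
            return ("pass", "DEFAULT")
        if gateways_up.get(r.gateway, False):
            return ("pass", r.gateway)
        if skip_when_down:
            continue
        return ("pass", "DEFAULT")
    return ("block", None)  # implicit default deny at the end of the list

# Constructed sample: VLAN 192.168.50.0/24 must only ever exit via the VPN.
VPN_VLAN_RULES = [
    Rule("192.168.50.0/24", "0.0.0.0/0", "pass", gateway="VPN_GW"),
    Rule("192.168.50.0/24", "0.0.0.0/0", "block"),  # kill switch
]
# Constructed sample: normal LAN, only one service range goes via the VPN.
CIDR_RULES = [
    Rule("192.168.1.0/24", "203.0.113.0/24", "pass", gateway="VPN_GW"),
    Rule("192.168.1.0/24", "0.0.0.0/0", "pass"),
]

def demo():
    up, down = {"VPN_GW": True}, {"VPN_GW": False}
    return {
        "vlan_up": evaluate(VPN_VLAN_RULES, "192.168.50.10", "192.0.2.1", up, True),
        "vlan_down_skip": evaluate(VPN_VLAN_RULES, "192.168.50.10", "192.0.2.1", down, True),
        "vlan_down_noskip": evaluate(VPN_VLAN_RULES, "192.168.50.10", "192.0.2.1", down, False),
        "cidr_hit": evaluate(CIDR_RULES, "192.168.1.20", "203.0.113.7", up, True),
        "cidr_miss": evaluate(CIDR_RULES, "192.168.1.20", "192.0.2.1", up, True),
    }
```

The `vlan_down_noskip` case is the one the kill switch exists to prevent: with the option off, a dead VPN gateway silently turns the VLAN's pass rule into a plain default-route pass.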

@neogrid I tried that. Setting up the VLAN was easy but I couldn’t get the routing to work. Also a Kill Switch. I like the sound of that. Any documentation/YT vids you can point me to so I can set that up?

That would also be the solution to routing visitors phones/tablets/computers. At the moment I just lock them out of the servers by IP. A VLAN makes that a lot easier.