Seeking better home network security, best option

I’ve been running pfSense for several years now and have found the forums and information available to be extremely helpful in setup and troubleshooting.

I’m currently running pfSense 2.7.2 on a crypto enabled machine, and would like to add another layer to my home network defensive strategy.

The biggest hesitation I have with going full steam ahead with an OpenVPN approach is I sometimes will have a work computer connected (ethernet) to my network. Would it be best to create 2 VLANs on pfSense, one for “work” and the other for “home” network routing through OpenVPN (surfshark as I have the service)?

Besides preventing DNS leakage are there any other main benefits that help offset the decrease in throughput/ download speeds?

Does your work computer connect to the office over its own VPN?

Your surfshark provider doesn’t provide any security.

Though in your situation, I would have a vlan for work with a gateway via your ISP, just comply with whatever your company says to do; segregating that work vlan from your network is probably best.


@neogrid

I thought I replied, my apologies!

I ended up creating vlans for Work, IoT devices (smart lights, smart plugs, the like), and a final “Home” one for my Computer/phone.

I was mostly looking at the VPN for privacy over security (handled by my pfsense machine). Doing more digging, it looks like a VPN on the firewall was more hassle than just having the VPN on a device by device basis. It looks like using a more private/secure DNS provider, enabling DoT and DoH, provided more data encryption/privacy with less throughput impact.

Appreciate the response!

DoT/DoH does not provide more privacy than a VPN, it is the other way around.

@xerxes

Appreciate that clarification. If I understand then the VPN provides the most privacy, DoT, then DoH? With the latter more providing encryption of the data going through the DNS, whereas the VPN is encapsulating all data being transmitted?

Is it better to enable the VPN on say specific devices (phone, computer, laptop), or if those devices are on a VLAN, enabling the VPN for all those devices, with the understanding throughput will be less, with the tradeoff of more privacy?

yup.

I wouldn’t say that there is a difference regarding privacy between DoT or DoH. Just different ways to implement encrypted DNS.

Having VPN on each device is more effort and not worth it if they are stationary. For a mobile device you want the VPN on device.
For your home network you can have 2 different VLANs, one that goes out unencrypted to the Internet and uses encrypted DNS, and one that goes out via VPN.

You can then place the devices appropriately in the network with or without VPN.


@xerxes

I appreciate the clarifications again! Always learning, and trying to better my network while having fun learning at the same time.

That makes sense to have stationary devices behind a VPN, whereas more mobile (cell/laptop) have a client based VPN.

Thank you!

For what it’s worth, I’ve set up my paid-for VPNs in a gateway group, that is, it can be configured so that the connection uses the fastest server, or for redundancy. You might want to adopt a similar setup, speeds are variable as you have no control on how many connections there are on their end.

Though what I’ve found is that quite a few services “detect” I’m on a VPN and won’t let me log in, such as banking, some payment systems and gmail pop servers, so you’ll probably find that you need at least one route out via the ISP.

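The split described in the thread (one VLAN policy-routed through a VPN gateway group, another left on the ISP default route, local traffic untouched) is easy to get wrong when a pass rule is added without its gateway, which silently sends that VLAN out via the ISP. The following is an added example, not code from the thread or from pfSense: it audits a constructed fragment shaped like the `<filter>` section of pfSense's config.xml (the element layout is an assumption) against an intended per-VLAN egress policy, and reports Internet-bound rules whose gateway does not match.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <filter> section of pfSense's config.xml
# (an assumption about the layout; this is not a real export).
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>opt1</interface><gateway>VPN_GROUP</gateway>
    <source><network>opt1</network></source><destination><any/></destination>
    <descr>HOME VLAN to Internet via VPN gateway group</descr></rule>
  <rule><type>pass</type><interface>opt1</interface>
    <source><network>opt1</network></source>
    <destination><network>lan</network></destination>
    <descr>HOME VLAN to LAN (local, no gateway is correct)</descr></rule>
  <rule><type>pass</type><interface>opt2</interface>
    <source><network>opt2</network></source><destination><any/></destination>
    <descr>WORK VLAN to Internet via ISP default route</descr></rule>
  <rule><type>pass</type><interface>opt3</interface>
    <source><network>opt3</network></source><destination><any/></destination>
    <descr>IoT VLAN to Internet (gateway forgotten)</descr></rule>
</filter></pfsense>"""

# Intended egress per VLAN interface; None means the ISP default route.
POLICY = {"opt1": "VPN_GROUP", "opt2": None, "opt3": "VPN_GROUP"}

def audit_egress(config_xml, policy):
    """List (interface, descr, problem) for Internet-bound pass rules whose
    gateway differs from the intended egress for that VLAN. Only rules with
    destination <any/> are policy-routed; local-destination rules are skipped."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind("./filter/rule"):
        iface = rule.findtext("interface")
        if rule.findtext("type") != "pass" or iface not in policy:
            continue
        if rule.find("destination/any") is None:
            continue  # local traffic: must not carry a gateway anyway
        gw = rule.findtext("gateway")   # None when no gateway is set
        want = policy[iface]
        if gw != want:
            findings.append((iface, rule.findtext("descr"),
                             f"gateway={gw!r}, expected {want!r}"))
    return findings

if __name__ == "__main__":
    for iface, descr, problem in audit_egress(SAMPLE_CONFIG, POLICY):
        print(f"{iface}: {descr}: {problem}")
```

Only the IoT rule is reported: its destination is any but it carries no gateway, so that VLAN would leave via the ISP rather than the VPN group.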