Since this is my first post, I’d like to start by thanking @LTS_Tom for all the educational material he has created and for his tireless work to increase our awareness about security.
Thanks to him I decided to take the leap and start using pfSense on my home network and incorporate many best practices he explains in his videos.
Keeping security in mind, I was thinking what would be the “safest” way to access my home network remotely.
So that’s what I have in mind:
Instead of opening a port on pfSense to get access to the LAN via OpenVPN I thought it would be safer to use an external VPS (e.g. Linode, Vultr, etc) as an OpenVPN server (“jump server”) and setup the pfSense as a client.
Remote clients would then connect to the VPS to gain access to my home LAN behind pfSense (e.g. Linux VM’s via ssh, Windows shares, etc).
Another benefit besides keeping all ports closed on pfSense is that the home network WAN IP address is dynamic therefore accessing the VPS with a fix IP could potentially simplify the setup of the remote clients.
I would appreciate your thoughts on this setup and whether it would improve security somehow compared to setting up the OpenVPN server directly on pfSense.
If it makes sense, could you point me to resources on how to implement it?
I’ve googled around but could only find examples of LAN-LAN or remote clients to LAN. I tried to put both together but couldn’t get my head around the possible static routes that the server would need to push to the clients to allow the communication between both ends.