VPN on 1 LAN in pfSense

Hi all,

Here is a topic about using a VPN at the router level for a specific use case, to see if this approach makes sense (in pfSense).

SG-3100, 2 WANs in failover, no VPN on WAN. Goal: have the VPN on LAN2 only and behind it a switch.

Rationale: most of my work requires me to go through normal ISP connection, but for various needs I need to geoconnect to a different country. I’d like to do away with the software VPN on the clients and keep it isolated on 1 switch so that when I need to connect to the second country I just plug in the ethernet cable, this without disturbing the other local country connections.
If that’s feasible, I think it is a desirable approach, here’s one of the reasons why.
There exists an app that allows you to connect to all public TV channels of the second country. To get it to work while not physically there, a VPN is required, of course. Since the folks building the app have added a new business plan, they now somehow detect the VPN connection and sell a “package” where they ignore the VPN when detected. Upon changing to a third country in the VPN app and restarting the computer once or twice, I manage to get past the app's VPN filter. I tested the same app with its Linux version and got the same behaviour.
This raises security issues. This app must be listening to some cache or be getting its information from somewhere, which I don’t like, especially since this is not a web browser. The main concern is that if they do this, others must be doing it too.
For those who know it, the app is Molotov TV (Europe).

So without having to subject my whole network to VPN routing, I’d like to have just one LAN routing through VPN (currently PIA) to see if this makes a difference. This would be a good test for leaks.

Does it make sense? Is it feasible in pfSense on the SG-3100?

It’s easier to configure a VPN on its own VLAN with a killswitch. Just connect to the VLAN when you want access to the VPN and the other VLAN for your ISP.

Sure, thanks. But I have mission critical hardware that needs to be accessed 24/7 and can’t afford disconnection while changing VPN status…
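
The layout suggested in the thread (one segment forced through the VPN with a killswitch, the other left on the ISP path), sketched as raw pf rules. This is an added example, not from either poster; pfSense is configured through its GUI, so this only shows the rule logic. Interface names, addresses, the tag name and the single-WAN simplification are assumptions.

```pf
# Constructed names and addresses, not taken from the thread.
wan_if   = "em0"              # ISP uplink (single WAN for brevity)
lan1_if  = "em1"              # everyday LAN, stays on the ISP path
lan2_if  = "em2"              # port feeding the VPN-only switch
vpn_if   = "ovpnc1"           # VPN client tunnel interface
vpn_gw   = "10.8.0.1"         # far end of the tunnel
lan1_net = "192.168.10.0/24"
lan2_net = "192.168.20.0/24"

# Translation: each LAN is NATed only on the path it is allowed to use.
nat on $wan_if inet from $lan1_net to any -> ($wan_if)
nat on $vpn_if inet from $lan2_net to any -> ($vpn_if)

# Default deny; everything below is an explicit exception.
block log all

# LAN2: force every new connection into the tunnel and tag it.
pass in quick on $lan2_if route-to ($vpn_if $vpn_gw) inet \
    from $lan2_net to any tag VPN_ONLY keep state

# Kill switch: a tagged packet must never leave through the ISP uplink,
# whatever the routing table says while the tunnel is down.
block out log quick on $wan_if tagged VPN_ONLY

# LAN1: no dependency on the tunnel, follows the default route.
pass in quick on $lan1_if inet from $lan1_net to any keep state

# Outbound side of the two permitted paths.
pass out quick on $vpn_if inet from any to any keep state
pass out quick on $wan_if inet from any to any keep state
```

For a leak test, LAN2 clients also need a DNS resolver that is itself reached through the tunnel; otherwise name lookups still travel over the ISP path.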