Since my YouFibre connection stabilised, I've been messing about with my network setup. Because, why not?
I had one pfSense installation at home, and one on a Ramnode VPS over in New York. Each was running its own OpenVPN server for out-and-about mobile access, as well as a site-to-site OVPN link so that I could selectively route home LAN devices via the US.
I decided to give OPNsense a try. Again, because why not?
Setup of OPN at home was a breeze -- just like pfSense. The VPS install was a little tedious, as Ramnode provided quite an old ISO of OPN for installation, so there were many, many reboots for updates to bring it up to current.
VPN-wise, I no longer needed to host a home VPN server, since being behind CGNAT makes that impossible. And sadly the world still isn't IPv6 enough that running a v6-based VPN would be worthwhile.
Still, I thought, why not give WireGuard a try?
A fair bit of reading, beard-scratching, and clicking later, and I had a WireGuard peer running at home and in the USA, with routing between the two. And then I configured the USA side to allow access from my laptop and iPhone when home or away too.
So technically, I can connect to the US end of my network, and reach back into my home LAN. Might be handy one day!
Now, I don't know if perhaps I had OpenVPN configured poorly, but I'm finding WireGuard much faster. On my old 40/12 VDSL, I'd only get about 25Mbit download at home when routed via the VPN. Right now, over WG to the VPS, I'm seeing 70Mbit, which is an appreciable improvement.
It's also quite easy to tell WG to disable IPv6 on clients, so there's no v6 leakage outside of the VPN should the client happen to be contacting somewhere that's v6-capable.
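The topology described above (home OPNsense behind CGNAT, VPS with a public address acting as the hub, laptop/iPhone reaching the home LAN through the VPS) plus the no-v6-leak point, written out as an added example in wg-quick syntax rather than as OPNsense UI screenshots; this is not the post's own config, and the addresses, subnets, port and key placeholders are all made up.

```ini
# --- VPS peer (public IP, the hub) ---
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>

# Home OPNsense, behind CGNAT: it can only dial out, so no Endpoint here.
# AllowedIPs is the cryptokey routing table: only these sources are accepted
# from this key, and only these destinations are sent to it.
[Peer]
PublicKey = <HOME_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.100.0.2/32, 192.168.1.0/24   # tunnel address + home LAN

# Laptop / iPhone: only its own tunnel address may arrive from this key
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.100.0.10/32

# --- Home OPNsense peer (behind CGNAT) ---
[Interface]
Address = 10.100.0.2/24
PrivateKey = <HOME_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = 203.0.113.10:51820
# The tunnel range, so mobile clients sitting behind the VPS can reach home;
# widen to 0.0.0.0/0 if home LAN devices are to be policy-routed out via the US
AllowedIPs = 10.100.0.0/24
# CGNAT drops idle mappings; keep the outbound flow alive so the VPS can reach us
PersistentKeepalive = 25

# --- Laptop / iPhone client ---
[Interface]
Address = 10.100.0.10/32
PrivateKey = <LAPTOP_PRIVATE_KEY_PLACEHOLDER>
DNS = 10.100.0.1

[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = 203.0.113.10:51820
# Full tunnel for v4 AND v6. Listing ::/0 here is what stops v6 leaking around
# the tunnel on a v6-capable network: with no v6 address inside the tunnel,
# the client's v6 traffic is swallowed instead of going out natively.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

This only covers WireGuard's own routing; on OPNsense the VPS end still needs firewall rules on the WireGuard interface and an outbound NAT rule for the tunnel and home LAN ranges before anything reaches the internet through it.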
Some OPNsense vs. pfSense thoughts... I know there's politics involved, but I'll look at it purely through an end-user's eyes. OPN has some subjective advantages -- I quite like the UI, although I'm not convinced that spreading logging across the menus instead of having it all in one place is such a good idea. There are a few quality-of-life improvements, but nothing dramatic.
More frequent updates seem like a good idea on paper, but I'll pass judgement on that after I've been through a few. Performance-wise, I see no difference vs. pfSense.
So, yeah -- happy with what I've got. I'm gonna try forcing the Nintendo Switch via the VPS and do whatever fiddling's needed on the VPS side to make it work. Even on a normal, non-CGNATted connection, the Switch needs a static outbound NAT port to work. Ah, Ninty, you suck at IP. I'll see what performance is like, although I don't hold much hope.
Shame, because I'd basically have to throw £5 at YouFibre just for the privilege of playing some Mario Kart online. Which, admittedly, I do love. But still... I knew what I was getting into!