Author Topic: Post-FTTP Firewall and Network Shenanigans!  (Read 1608 times)

displaced

  • Reg Member
  • ***
  • Posts: 270
Post-FTTP Firewall and Network Shenanigans!
« on: July 19, 2022, 11:49:25 AM »

Since my YouFibre connection stabilised, I've been messing about with my network setup.  Because, why not?

I had one pfSense installation at home, and one on a Ramnode VPS over in New York.  Each was running its own OpenVPN server for out-and-about mobile access, as well as a site-to-site OVPN link so that I could selectively route home LAN devices via the US.

I decided to give OPNsense a try.  Again, because why not?

Setup of OPN at home was a breeze -- just like pfSense.  The VPS install was a little tedious, as Ramnode provided quite an old ISO of OPN for installation, so there were many, many reboots for updates to bring it up to current.

VPN-wise, I no longer needed to host a home VPN server, since being behind CGNAT makes that impossible.  And sadly the world still isn't IPv6 enough that running a v6-based VPN would be worthwhile.

Still, I thought, why not give WireGuard a try?

A fair bit of reading, beard-scratching, and clicking later, and I had a WireGuard peer running at home and in the USA, with routing between the two.  And then I configured the USA side to allow access from my laptop and iPhone when home or away too. 

So technically, I can connect to the US end of my network, and reach back into my home LAN.  Might be handy one day!

Now, I don't know if perhaps I had OpenVPN configured poorly, but I'm finding WireGuard much faster.  On my old 40/12 VDSL, I'd only get about 25Mbit download at home when routed via the VPN.  Right now, over WG to the VPS, I'm seeing 70Mbit, which is an appreciable improvement.

It's also quite easy to tell WG to disable IPv6 on clients, so there's no v6 leakage outside of the VPN should the client happen to be contacting somewhere that's v6-capable.

Some OPNsense vs. pfSense thoughts...  I know there's politics involved, but I'll look at it purely through an end-user's eyes.  OPN has some subjective advantages -- I quite like the UI, although I'm not convinced that spreading logging across the menus instead of having it all in one place is such a good idea. There are a few quality-of-life improvements, but nothing dramatic. 

More frequent updates seem like a good idea on paper, but I'll pass judgement on that after I've been through a few.  Performance-wise, I see no difference vs. pfSense.

So, yeah -- happy with what I've got.  I'm gonna try forcing the Nintendo Switch via the VPS and do whatever fiddling's needed on the VPS side to make it work.  Even on a normal, non-CGNATted connection, the Switch needs a static outbound NAT port to work.  Ah, Ninty, you suck at IP.  I'll see what performance is like, although I don't hold much hope. 

Shame, because I'd basically have to throw £5 at YouFibre just for the privilege of playing some Mario Kart online.  Which, admittedly, I do love.  But still... I knew what I was getting into!
« Last Edit: July 19, 2022, 11:53:03 AM by displaced »
Logged
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.
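The IPv6 leakage point above, as an added example that is not from the original post: two WireGuard client configurations, the first letting native IPv6 bypass the tunnel, the second pulling all IPv6 into it. Keys, tunnel addresses and the endpoint name are placeholders.

```ini
# --- Leaky client: only IPv4 is routed into the tunnel ---
# If the client's LAN hands out a global IPv6 address, traffic to any
# v6-capable site leaves via the local interface, not the VPN.
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vps.example.net:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

# --- Leak-proof client: both address families are captured ---
# ::/0 in AllowedIPs makes the tunnel the client's default IPv6 route, so v6
# traffic either rides the tunnel (the VPS can forward it) or is dropped on the
# wg interface; it never escapes via the underlying uplink.
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.8.0.2/32, fd42:8:0::2/128
DNS = 10.8.0.1

[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vps.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

The server side needs the matching `fd42:8:0::2/128` in its own `AllowedIPs` for that peer; if the VPS has no IPv6 uplink, v6 from the client is simply black-holed, which is the "disable IPv6 on clients" effect rather than a leak.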

Ixel

  • Kitizen
  • ****
  • Posts: 1282
Re: Post-FTTP Firewall and Network Shenanigans!
« Reply #1 on: July 19, 2022, 12:24:52 PM »

Nice.

I'm tempted to try out a Wireguard tunnel instead of using a GRE tunnel for my BGP setup. It could be interesting to see how well my Mikrotik CCR2004-16G-2S+ handles it. Wireguard performs considerably better than OpenVPN generally. My GRE tunnel goes to a virtual server hosted by Misaka.io where I have BGP sessions configured for my IPv4 /24 and IPv6 /48. It uses Datapacket/Datacamp/CDN77's network (AS60068).

Also I imagine you're aware of this but if not then beware that some websites and online services may block IP addresses which appear to be from a proxy, VPN or datacenter/hosting environment. When I was using my OVH server and block of IPv4 addresses from OVH as an 'eyeball network' I had some issues accessing certain websites because the IP address was identified as being from a datacenter or hosting environment. I haven't had this issue with my own IP addresses via BGP though.
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5282
    • Thinkbroadband Quality Monitors
Re: Post-FTTP Firewall and Network Shenanigans!
« Reply #2 on: July 19, 2022, 10:34:24 PM »

I also have a US VPS but running AlmaLinux, also with Wireguard, where I use Privoxy on Firefox to access it for geoblocked US sites.  I used to policy route, but since AFAIK there is no easy way to re-route DNS (due to how many other sites it will pull in that won't be caught by the policy route) it was still problematic.  Privoxy + FoxyProxy means all DNS when on a specific site goes via the US, getting around that.

I've found so far at least, the IONOS IP range my VPS is on is not flagged as a VPN/Proxy so it works perfectly.

I couldn't get Wireguard to work on CentOS 7 so my UK VPS is still OpenVPN.

I also have a Wireguard and an OpenVPN instance, both on AirVPN.  While, when working well, OpenVPN does about 500-600Mbit and Wireguard around 850Mbit, I've found Wireguard less reliable for some reason.  I can only assume it's something on their end, as it's supposed to deal with packet loss better than OpenVPN.

As for OPNsense, what put me off is moving my long list of firewall rules over, plus the fact they use HardenedBSD seems completely unnecessary unless you are running it on shared hosting.  All those mitigations seem to be about preventing rogue software, not something that is an issue on bare metal; it just becomes a waste of CPU cycles.  Plus I'm comfortable with the pfSense UI, so why learn something new for no real benefit?
« Last Edit: July 19, 2022, 10:39:14 PM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors