Remote Administration - What's easiest safest route? No pun intended

Hi Folks!

I’m looking into remotely administering my pfSense router off-site as well as a free, safe way to VPN into my network to access resources such as RDP into a Windows box.

What configuration is the safest way to go?

Thanks for your time!

Any VPN technology built into pfSense will do. OpenVPN, IPsec, or WireGuard are all great options depending on your needs. OpenVPN is probably the easiest to set up right off the bat for the inexperienced.

Our documentation site at docs.netgate.com is a great resource for configuration examples.

OpenVPN server on your pfSense router with firewall rules to access your network.

I set up a WireGuard remote access VPN. Once set up, it’s secure and you have access to all resources.

I use the WireGuard VPN feature to remotely configure my pfSense and connect to other things that would normally be port forwarded.

I use Tailscale, both at the office and at home.

Take today for example. We had an employee who gave their two week notice, worked it out, and completed their shift last night at 0000. The ex-employee no longer needs door and network access, so I connected to work through Tailscale using RDP and deleted her door and network access. While I was in the corporate network, I connected to my workstation to update the spreadsheet, instead of running a door access report.

Tailscale works for me!

I just set up pfSense at my brother’s home and tested a few remote options like Tailscale and WireGuard. Then settled on a WireGuard site-to-site setup.

It’s also useful to have a PiKVM set up and connected to your pfSense as a backup in case you need to reinstall pfSense or something went wrong and your WireGuard/Tailscale won’t work.

If you go the OpenVPN route, you’ll probably want this package to make it simple to export a client configuration for whatever machine you are connecting from: OpenVPN Client Export Package | pfSense Documentation

On top of using OpenVPN or WireGuard, I’d also recommend using pfBlockerNG GEOIP to limit WAN access to the country you live in.

Of course, if you go on vacation outside of your default geographical area, you’ll need to temporarily open up access from the place you’ll be if you want access while you’re gone.

We use pfmonitor for basic management. Little clunky but for 3 bucks a month managing about 40 pfsense is reasonably cheap.

Another option besides OpenVPN is WireGuard. If you have a spare box or VM you can spin up inside the network, you can run WireGuard (PiVPN) and use that for remotely logging in.

From one device you can set up a dynamic DNS hostname and allow that hostname.

Maybe use a zero trust solution like Tailscale or Twingate. Both are free for personal use and you don’t need to open any ports on your router.

I use a Cloudflare Zero Trust tunnel installed on a server in my LAN and route my pfSense IP internally and have an HTTPS cert by Cloudflare. And always use a robust user and password.

I use WireGuard, it works really great!

Is OpenVPN free?

If I’m reading their website correctly, it says there’s a free tier that limits to 2 connections?

This is the way. Also zero visibility you have a port open for access as it’s over UDP and doesn’t respond unless you have all the keys and setup correct.

Also to gain the benefits of pfBlockerNG when you’re on it. Ads? What ads?

Oh that’s interesting! I’ve not heard of Tailscale but will be looking into it.

I assume it’s free as well?

Almost sounds like a TeamViewer where you can connect to devices in an easy way.

Trusting a third party keyserver to do things any VPN solution ever can do… Blows my mind.