I’m looking into setting up a VPN server for my home lab so I can access it securely from outside for RDP and other private workloads, and I wonder if I should look into pfSense, OpenVPN, or Windows Server-based VPN solutions.
OPNsense - WireGuard
I run WireGuard on a UniFi UDM-Pro and then have a GL.iNet travel router with a client profile on it that auto-connects when I’m traveling. It works great.
What you choose will depend on your current environment, your skills, etc. What do you have already? Are you able to connect to your ISP using their public IP, or do they shove you behind their own NAT’d gateway? How much “labbing” (babysitting) do you want to do?
pfSense, OPNsense, UniFi Dream Machine Pro if you want something plug-and-play with low maintenance.
Or just install Tailscale on both ends and be done with it. All the glorified responses are ridiculous overkill if you just want a secure, yet easy, way to dip into your home network.
Don’t like a cloud service? Run ZeroTier. Same thing (-ish), but now you have to open a port for it because it’s self-hosted.
Don’t love any of that? WireGuard hosted at home. Modern, secure AF, fast AF.
Best is what works for you…
That said, my home firewall is pfSense Community Edition. I configured both IPsec and OpenVPN VPN servers on pfSense. I’m currently running IPsec because macOS and iOS both have native IPsec clients. Windows does as well, I believe.
Other benefits of pfSense include the native Certificate Manager and the available acme package for acquiring and automatically renewing Let’s Encrypt certs along with Dynamic DNS that supports a long list of public DNS services and domain registrars. Cloudflare is my registrar and public DNS provider. Setting up DDNS with Cloudflare was simple.
There also is the openvpn-client-export package available for automatically creating and exporting OpenVPN client configurations for the OpenVPN server.
EDIT: It also is easy to enable/disable firewall rules for the VPN servers. I only enable mine when traveling.
I use TNSR with WireGuard on an Atom C3558 system. I can push over 2Gb/s of VPN traffic w/ QAT acceleration. It’s easy to set up and use if you’re handy with a CLI and familiar with VPNs, but TNSR isn’t very forgiving for newbies.
pfSense just killed their home/lab option for pfSense+, so you can’t get crypto acceleration on supported platforms, but OpenVPN or IPsec work fine on most links < 1Gb if you’re okay with ~200 Mb/s of VPN throughput on typical hardware. I would expect OPNsense performs about the same, but I haven’t tested it.
I like Firewalla, super simple to set up and operate.
Firewalla. Very easy.
Cloudflared tunnels with Zero Trust Guacamole
If it’s just to access your home network, cloudflared tunnels work really well.
For a firewall, I’m super happy with my Firewalla.
Just stay away from NordVPN.
crap, crap, crap.
I have a Cisco router that has the OpenVPN service built in. The OpenVPN client is easy to set up and an easy-to-use client for phones.
I lean towards FortiGates with SAML and 2FA, but I’m getting into PA to see what their NGFW and GP are about.
Licenses are cheap, but if you don’t need the extra features, then I recommend just getting the FortiCare Essentials or Premium support.
No fuss but pay: TeamViewer and similar.
No fuss, no pay, and basic networking: ZeroTier.
Minimal fuss, need static IP: DD-WRT or OpenWrt on any compatible router. Use SSH to create a tunnel. Optionally expose your RDP port directly to WAN, but eh, hackers, amirite. Instead, use the tunnel to route 127.0.0.1:1234 to remote PC 192.168.1.27:3389. I use Bitvise for this. I also have it set up to have an HTTP/SOCKS proxy to reroute my Firefox to my home network. I also have a reverse port forward set up so the home network can access ports on my PC.
More fuss, better router, need static IP: DD-WRT or OpenWrt on better routers like a Netgear R7000 or better. Set up VPN. May need routing set up to connect VPN to LAN.
Harder-core solutions: look to any of the other responses regarding pfSense, OPNsense, Zentyal, and similar.
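The SSH tunnel the post above describes (local 127.0.0.1:1234 forwarded to 192.168.1.27:3389, plus a SOCKS proxy and a reverse forward), assembled into one OpenSSH command line as an added example that is not from the thread. The SSH user and host, the SOCKS port and the reverse-forward ports are assumed placeholders; the check refuses any listener that would bind to something other than loopback, which is what keeps RDP off the WAN.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the ssh options for the tunnel
# and refuses any forward that would listen on a non-loopback address.
# Assumed placeholders: ssh user "lab", host "home.example.net", SOCKS port
# 1080 and reverse-forward ports 2222 -> 22. 192.168.1.27:3389 and
# 127.0.0.1:1234 are the values from the post.
REMOTE_PC="192.168.1.27"             # home PC running RDP (from the post)
RDP_PORT=3389                        # RDP listener on that PC (from the post)
LOCAL_RDP="127.0.0.1:1234"           # local end of the RDP tunnel (from the post)
LOCAL_SOCKS="127.0.0.1:1080"         # assumed: SOCKS proxy Firefox points at
REVERSE="127.0.0.1:2222:127.0.0.1:22" # assumed: router-side 2222 -> this PC's ssh

# Return 0 when a forward spec's listen address is loopback, 1 otherwise.
# A spec such as "0.0.0.0:1234:..." or a bare "1234:..." (OpenSSH binds
# bare ports to loopback by default, but an explicit address is clearer) is
# rejected so the tunnel endpoint is never reachable from other hosts.
loopback_only() {
  case "$1" in
    127.0.0.1:*|localhost:*|\[::1\]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the ssh option string, or fail if any listener is not loopback-bound.
# Note: the -R listener binds on the router's own loopback; reaching it from
# other LAN hosts would additionally need GatewayPorts enabled on the router.
tunnel_opts() {
  for spec in "$LOCAL_RDP" "$LOCAL_SOCKS" "$REVERSE"; do
    loopback_only "$spec" || { echo "refusing non-loopback bind: $spec" >&2; return 1; }
  done
  printf '%s -L %s:%s:%s -D %s -R %s' \
    '-N' "$LOCAL_RDP" "$REMOTE_PC" "$RDP_PORT" "$LOCAL_SOCKS" "$REVERSE"
}

# Usage (placeholders): ssh $(tunnel_opts) lab@home.example.net
# then point the RDP client at 127.0.0.1:1234 and Firefox at SOCKS 127.0.0.1:1080.
```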
I may consider FortiGate
Firewalla.com with WireGuard
I use Bitdefender antivirus and firewall. Not free, it’s around $50 and you get 15 machines and 2 years. It has a central dashboard with light but OK info on family members’ machines. It just blocked a hijack attempt on my mother-in-law’s computer when she tried to go to amazon.com and ended up on Amazonaws.something. Saved her. Also like Firewalla, but can’t afford it yet.
Check out Cloudflare connectors or Twingate. The most secure VPN is the lack of one. If you don’t have to expose your public IP to incoming connections then don’t.