Maverick38344
Maverick38344's posts

  1. Just a quick thought. If you currently have residential routers that support DD-WRT, you can use them instead of pfSense. WireGuard is pretty lightweight and isn't normally all that taxing. I chose Linux (Debian or Ubuntu, mostly due to package availability and update frequency). That said, these routers won't give you the same performance as pfSense, but they are cheaper than x86 hardware. However, x86 is a good choice, and my closet has a 6" deep wiring cabinet in it; I found the H2+ to be a great option to tuck inside.

     Device: https://www.hardkernel.com/shop/odroid-h2plus/
     Case: https://www.hardkernel.com/shop/odroid-h2-case-type-2/

     EDIT: Never mind, the 2.5 gigabit NICs are not supported by pfSense at this time. The RTL8125B driver isn't included in the pfSense releases yet. You would have to use Linux instead.

     Alternative to the ODROID H2+ for pfSense (fully supported): the Odyssey X86J4105: https://www.seeedstudio.com/ODYSSEY-X86J4105800-p-4445.html (comes with 8 GB of RAM).
     pfSense install: https://wiki.seeedstudio.com/ODYSSEY-X86J4105-pfSense/
  2. pfSense isn't a bad idea. However, I would rely on something different than IPsec. Configuring IPsec for additional clients that may want to connect to the session (mobile, laptop, etc., for example) isn't straightforward. Additionally, the security of IPsec has come into question in recent years regarding key exchange, with multiple vulnerabilities discovered in IKEv1 and IKEv2. IPsec also focuses on a single pre-configured encryption method, which makes it easier to target.

     That said, WireGuard uses the Noise Protocol for choosing an encryption method and uses public key authentication, which is accepted as a more secure form of authentication; in addition, a secondary symmetric key can be used as a form of secondary authentication. WireGuard is also much more efficient, which results in higher bandwidth utilization for data transfers due to lower overhead and lower latency. Also, similar to IPsec, WireGuard can establish multiple connections to different instances at once, which means you can bridge multiple networks together easily. However, WireGuard is supported through a third-party module in pfSense and is natively supported in recent builds of DD-WRT. WireGuard support will natively exist within the Linux kernel beginning with v5.6 and has received the endorsement of Linus Torvalds:
     https://arstechnica.com/gadgets/2020/01/linus-torvalds-pulled-wireguard-vpn-into-the-5-6-kernel-source-tree/
     https://www.theregister.com/2020/01/29/wireguard_vpn_will_be_in_linux_56_kernel/

     You may still have to overcome the dynamic IP problem as well. Using dynamic domain names is a possibility.
  3. This is easy with Linux; I have done this very thing (with a bit more stacked on top of it) between my apartment and a few family members. For clarification, I do have symmetrical gigabit fiber, and one of the remote connections does as well. I do maintain a self-managed centralized connection point in the cloud that the WireGuard VPN connects to, to avoid messing with dynamic IPs. Adding a few entries to the routing table on the edge routers allows the machines to create a VPN link between each connecting device that is shared seamlessly with the LAN connections on the opposite side of the edge routers. Both sides of the network can access anything that is included in the routing tables of the edge and VPN (hub) in order to allow communication across the bridged networks. I restrict this via VLAN tagging through Linux, smart switches for end devices, and firewall rules on the edge routers. Even mobile devices can become elements of this network as well by connecting to the VPN.

     EDIT: I added a rough diagram. It doesn't include mobile devices, but they can be added easily by connecting to the VPN router in the cloud.

     Software and hardware used for this. Granted, you can use DD-WRT to handle the role of the router as well, but configuration and performance will vary.

     Hardware:
     Edge routers: ODROID H2+. Each device supports up to 2.5 Gig Ethernet on two ports and runs on an x86 Intel Celeron J4115. Feel free to use pfSense or Linux. I have paired it with a Samsung 970 EVO Plus and 8 GB of RAM. https://ameridroid.com/products/odroid-h2
     Smart switches: Each side has a TP-Link TL-SG1016PE. Not the best option in the world, but they are cheap and support tagged and port-assigned VLANs.

     VPN: WireGuard VPN, a fast and flexible VPN that runs as a Linux kernel module. https://www.wireguard.com/

     DNS: Pi-hole caching DNS server/proxy. Also supports DNS blacklists and can be run inside Docker containers easily. https://pi-hole.net/

     Cloud services: Amazon AWS EC2 instance. Free Tier is available for the Amazon t3.micro and t3.nano instances. t3.micro will allow you to run an instance with a dual-core vCPU, 1 GB of RAM, and 30 GB of block storage, and you can deploy any Linux OS image that you wish for free. 1 GB of RAM is well suited for a VPN gateway; I wouldn't want to rely on it for much more than that. (Amazon limits instance time to 750 hrs/month for free, which means the 750 hours is split between the number of EC2 instances that you have assigned to Free Tier; any additional usage is billed. Current cost is $0.0104/hr: https://aws.amazon.com/ec2/instance-types/t3/.)

     Other software, included with most Linux distros for free:
     Shorewall firewall: easy management of iptables for zone-based network management.
     dnsmasq: used for address management (DHCP and reservations).
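As an added example (not the poster's own configuration or code), the following Python script models the hub-and-spoke layout described in posts 2 and 3: a cloud hub with a stable endpoint, two site edge routers that each front a LAN, and a mobile device with no LAN behind it. It generates the `wg-quick` style configuration for the hub and for a spoke, including the optional `PresharedKey` (the "secondary symmetric key" mentioned above), and models WireGuard's cryptokey routing: the same `AllowedIPs` list that decides which peer a packet is sent to is also the source filter applied to packets received from that peer, which is what stops one site from spoofing another site's LAN through the hub. All names, addresses, endpoints and key strings are placeholders chosen for the example.

```python
"""Hub-and-spoke WireGuard config generator plus a model of cryptokey routing.

Added example; all keys, hostnames and addresses are placeholders."""
import ipaddress
from typing import List, Optional

# Constructed topology (placeholders, not a real network).
# Real keys come from `wg genkey | tee private.key | wg pubkey`, and
# `wg genpsk` for each pre-shared key.
TUNNEL_NET = "10.99.0.0/24"
HUB = {"pubkey": "HUB_PUBKEY", "endpoint": "vpn.example.net:51820",
       "tunnel_ip": "10.99.0.1"}
SPOKES = [
    {"name": "apartment", "pubkey": "APT_PUBKEY", "psk": "APT_PSK",
     "tunnel_ip": "10.99.0.2", "lan": "192.168.10.0/24"},
    {"name": "family",    "pubkey": "FAM_PUBKEY", "psk": "FAM_PSK",
     "tunnel_ip": "10.99.0.3", "lan": "192.168.20.0/24"},
    {"name": "phone",     "pubkey": "PHN_PUBKEY", "psk": "PHN_PSK",
     "tunnel_ip": "10.99.0.4", "lan": None},
]
PREFIX_LEN = TUNNEL_NET.split("/")[1]


def allowed_ips(spoke: dict) -> List[str]:
    """What the hub routes to, and accepts from, this spoke: its tunnel
    address plus the LAN it fronts (a mobile device has no LAN)."""
    ips = [spoke["tunnel_ip"] + "/32"]
    if spoke["lan"]:
        ips.append(spoke["lan"])
    return ips


def hub_config() -> str:
    """wg-quick configuration for the cloud hub. The hub also needs
    net.ipv4.ip_forward=1 so it can pass traffic between spokes."""
    lines = ["[Interface]",
             f"Address = {HUB['tunnel_ip']}/{PREFIX_LEN}",
             "ListenPort = 51820",
             "PrivateKey = HUB_PRIVATE_KEY  # placeholder"]
    for s in SPOKES:
        lines += ["", f"# {s['name']}", "[Peer]",
                  f"PublicKey = {s['pubkey']}",
                  f"PresharedKey = {s['psk']}",
                  f"AllowedIPs = {', '.join(allowed_ips(s))}"]
    return "\n".join(lines) + "\n"


def spoke_config(name: str) -> str:
    """wg-quick configuration for one spoke. AllowedIPs lists everything
    reachable via the hub: the tunnel subnet and every other spoke's LAN.
    wg-quick installs a kernel route for each AllowedIPs entry, so the LAN
    behind the edge router reaches the remote LANs through the tunnel.
    PersistentKeepalive keeps the NAT/dynamic-IP side reachable."""
    me = next(s for s in SPOKES if s["name"] == name)
    reach = [TUNNEL_NET] + [s["lan"] for s in SPOKES
                            if s["lan"] and s is not me]
    return "\n".join([
        "[Interface]",
        f"Address = {me['tunnel_ip']}/{PREFIX_LEN}",
        f"PrivateKey = {name.upper()}_PRIVATE_KEY  # placeholder",
        "",
        "[Peer]",
        f"PublicKey = {HUB['pubkey']}",
        f"PresharedKey = {me['psk']}",
        f"Endpoint = {HUB['endpoint']}",
        f"AllowedIPs = {', '.join(reach)}",
        "PersistentKeepalive = 25",
    ]) + "\n"


def route_packet(dst: str) -> Optional[str]:
    """Hub-side cryptokey routing: send to the peer whose AllowedIPs holds
    dst with the longest prefix; None means no peer claims it."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for s in SPOKES:
        for cidr in allowed_ips(s):
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = s["name"], net.prefixlen
    return best


def accept_inbound(from_peer: str, src: str) -> bool:
    """Hub-side source check: a decrypted packet from a peer is dropped
    unless its inner source address is inside that peer's AllowedIPs."""
    s = next(p for p in SPOKES if p["name"] == from_peer)
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(c) for c in allowed_ips(s))


if __name__ == "__main__":
    print(hub_config())
    print(spoke_config("apartment"))
```

The edge routers that front a LAN also need IP forwarding enabled and firewall rules (Shorewall zones, in the setup above) between the tunnel interface and the LAN; the script only produces the WireGuard side of that.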