I wanted to see if anyone has configured an always-on VPN that they use for mobile devices with pfSense as the VPN endpoint, while also having it work when the client mobile device is behind that same firewall? I ask for a few reasons, such as ease of use (the user doesn’t have to turn it on and off), protection when on mobile or public Wi-Fi networks, and some content filtering. I’ve been looking around for a configuration like this, and while I’m familiar with setting up S2S and remote access VPNs, I’ve never tried a setup like this or seen that kind of configuration.
If you are behind the firewall, you should disable the VPN. You can achieve this automatically via:
- Tasker on Android
- The iPhone app has an ‘on demand’ option for WireGuard
Works well for me using WireGuard as the VPN.
Yeah I have that set up for my home network and mobile devices and it works well. The key is to use split DNS.
From outside, your mobile clients use some FQDN to connect to pfSense. This FQDN should resolve to the public IP of pfSense.
From inside, you need to have the FQDN resolve to the internal IP of pfSense. To accomplish this, I have the DNS Resolver set up on pfSense, and provide the IP address of pfSense as the DNS server in the DHCP server settings.
Finally, you’ll need to have the OpenVPN server on pfSense listen on the local interface and then port forward 1194 from the WAN interface to the local interface.
I use pfSense and WireGuard on iOS. It is on 24/7, zero issues. WireGuard is set up in a VM running Debian using PiVPN; it could easily be done with a Raspberry Pi though.
The WireGuard app (at least on iPhone/iPad/macOS) has an ‘on demand’ option that allows you to include or exclude certain SSIDs, Wi-Fi or cellular (iPhone/iPad), or Ethernet (macOS).
It can easily be configured to be always on but not active when on your ‘safe’ Wi-Fi network, activating automatically elsewhere.
I use Tailscale for that, which runs on WireGuard. Set up pfSense as an exit node and it gets used by both the Android and iPhone phones that I have, at and away from home.
Doesn’t pfSense allow hairpin NAT? So you can use the WAN IP internally or externally? If there isn’t an explicit switch for it, you could set it up under SNAT/DNAT.
Most of the devices are Android, but I can have a look at this. Do you happen to know if there are any options to prevent the user from toggling it / making changes? We also use Sophos Intercept X on them, so I might be able to put a passcode on it, but I was just curious.
This looks like another good option. I’ll check it out.
You could do it that way, but hairpin NAT has its own problems.