Request for advice about VPN

Have a small (~10 devices) home network here in Canada and am considering signing up for NordVPN.

Which scenario would be recommended:

1: Get a new wifi+lan router with VPN capabilities?

2: Use a used PC with two NICs and a network switch for a pfsense install and change my existing wifi router to AP mode?

3: Install OpenVPN on FreeBSD devices or NordVPN app on all machines that access the internet?

Thanks for all your input
 
If your home network is fronted by a single firewalling device (as in cable modem from upstream feeding into a single device that does firewalling and a switch downstream for all the home devices) I would look at setting up the VPN from that device out. That gets everything connected downstream (switch to home devices) behind the VPN.
But that single device needs to be compatible with NordVPN. If stock OpenVPN client can connect to NordVPN that opens up a lot of possibilities (OpnSense, pfSense, home brew FreeBSD/OpenBSD device running pf and OpenVPN)
 
I don't foresee destination switching very often and all devices will use same destination.
Mainly want to hide my IP.

The cable modem is ISP property and going away soon.
Home network is fronted by cheap TPLINK router without VPN abilities.

NordVPN offers .ovpn files for OpenVPN.
 
Well that is very nice.
My home network is:
Cable modem I own (just need to periodically check compatibility)
Firewall device (currently a pfSense device but OPNSense or roll your own would work)
Switch to everything else

I don't have it, but I could set up an OpenVPN client on the firewall device out to "something" like NordVPN which would make everything behind the firewall go out through the VPN.

It sounds like that's what you intend, so hopefully that gives you some more info on what to explore.
 
A friend of mine has a pretty slick VPN setup. His/her end devices are all on Wifi anyway. So he/she set up multiple wifi networks, each one in a different VPN or plain ISP. So for every end device to switch to a different endpoint you just join a different wifi network. Since they all remember wifi passwords that is very convenient.

For me that wouldn't work because I have too many devices on Ethernet cables. For me every device does its own VPN. But I don't bother with e.g. the Apple TV and VPNs.

I could also set up both.
 
Oh that is a very cool solution. "connect here to get this, over there to bypass everything". I'll have to remember that.

Thanks
 
Existing router was bought in a hurry on a Saturday night when the previous one died. It's a cheap black box with no chance of any other firmware.

Which of the 3 options in original post would you recommend?
 
I use a protectli as my internet gateway and default router, running FreeBSD. I've configured it with wireguard, along with my laptop and iDevices. It provides remote access to my home network. Works great.
 
My preference would be option 2 in the original post.
Why? I like separation as much as possible.
Small form factor PC (something like a "NUC" platform) doesn't take much space or resources. Put pfSense or OpnSense on it (just watch out for RealTek 2.5G ethernet devices: they may not be supported out of the box. There are ports/packages, but you need a way to download them to USB and then install).
Then VPN from that device to the provider and everything goes through it. Easier to manage than putting the VPN on all devices that you want to use it.
That gets you firewall and routing (home network, how many internal segments do you need?) along with DHCP server
Separate WiFi only device: that lets you upgrade without breaking everything.

Anyway, that's my opinion
 
A lot of VPN providers also offer Wireguard as an option. I am currently using Wireguard on FreeBSD (FreeBSD versions 14x and 15x).

Below is from FreeBSD 15.0
Code:
# pkg info | grep wireguard
wireguard-go-0.0.20250522_9,1  WireGuard implementation in Go
wireguard-tools-1.0.20250521   Fast, modern and secure VPN Tunnel
#

There is (NOTHING WRONG) with OpenVPN either - I regularly run OpenVPN as well. It just depends on what your VPN provider will let you use.

I also NAT through the Wireguard Interface using PF. I recommend you test your eventual VPN setup using sniffnet(8) -- which provides a "nice friendly GUI" that you can use to see/view your network packets going over your network interfaces.

Code:
# pkg info | grep sniffnet
sniffnet-1.4.2_2               Comfortably monitor your Internet traffic
#
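
For the gateway approach discussed in this thread (NAT through the WireGuard interface with PF, with hiding the home IP as the goal), here is an added pf.conf sketch that is not any poster's actual configuration. The interface names, the endpoint address (a TEST-NET-1 placeholder) and the UDP port are assumptions. It forwards LAN traffic only through the tunnel and drops it if the tunnel is down, so nothing falls back to the ISP path.

```conf
# /etc/pf.conf -- constructed example; every name and address below is an assumption
ext_if   = "igb0"         # WAN NIC toward the modem (assumed name)
lan_if   = "igb1"         # LAN NIC toward the switch / AP (assumed name)
vpn_if   = "wg0"          # WireGuard tunnel interface (assumed name)
vpn_ep   = "192.0.2.10"   # provider endpoint: placeholder, replace with yours
vpn_port = "51820"        # assumed WireGuard UDP port

set block-policy drop
set skip on lo0

scrub in all

# Translate LAN sources only on the tunnel. There is deliberately no
# "nat on $ext_if" rule, so LAN traffic has no translated path via the ISP.
nat on $vpn_if inet from $lan_if:network to any -> ($vpn_if)

# Default deny, IPv4 and IPv6. With no inet6 pass rules, IPv6 cannot leak.
block log all

# The LAN side is trusted; what may leave is decided on the outbound interface.
pass on $lan_if all

# WAN: the gateway may obtain its DHCP lease (assumes the ISP uses DHCP) ...
pass out quick on $ext_if inet proto udp from any port 68 to any port 67
pass in  quick on $ext_if inet proto udp from any port 67 to any port 68
# ... and reach the VPN endpoint. Nothing else is allowed out on the WAN.
pass out quick on $ext_if inet proto udp from ($ext_if) to $vpn_ep port $vpn_port

# Forwarded LAN traffic and the gateway's own traffic leave via the tunnel.
pass out on $vpn_if inet all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. With the tunnel interface down, LAN clients should lose internet access rather than show the ISP address.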
 