After publishing my updated home network tour article, many of you asked to know more about my firewall setup and all of these VPN connections I mentioned. So in this article we’re going to cover our VPN between friends and family!
VPN Between Friends and Family Video
Let’s Start with the Firewall
So let’s start with covering my firewall choice and the SuperMicro server that it runs on. I got a lot of questions about this.
The hardware I chose is a SuperMicro 5018D-FN8T. Ultimately, this is nothing more than an Intel Xeon rack server. However, SuperMicro specifically designed it to be used as a firewall or router appliance, hence the 1U small form factor with front-facing network ports. The fans are also reversible to change the airflow direction, giving you numerous mounting options.
The appliance also features IPMI management, meaning I can connect to the keyboard/video/mouse remotely over Ethernet even when the box is powered off or has crashed. I’ve also populated the firewall’s motherboard with 32GB of RAM and a 500GB NVMe drive.
Since at the end of the day this is simply a server, you can run anything on it you want. I chose to run pfSense. It’s the world’s most popular Open Source firewall, far surpassing its rivals. That level of popularity means a rock-solid, reliable code base, incredible community support, and lots of third-party packages and integrations.
It might not surprise you then that most of my friends and family also use pfSense for their firewalls. So let’s talk about a VPN between friends and family!
OpenVPN between Friends or Family
I have many VPNs up and running, some for remote devices, and some for site-to-site connections. I’m only going to discuss two of them in detail today for brevity, and because I thought they were the most interesting.
My oldest son, my brother, and I all live in the North Texas area. I live in the northern part of a city named Keller. My brother lives in a small town called Kennedale. And my son lives in West Fort Worth. My brother is 23 miles (or 37 kilometers) away as the bird flies, while my son is 14 miles (or 23 kilometers) away.
So let’s stop right here. Some of you are already saying “23 miles away? You should just use Ubiquiti AirFibers! At that distance you’ll get 1.5 gigabit between you! No need for a VPN between friends and family!” Well, we actually considered doing just this. And that would have been awesome. Unfortunately it was just not meant to be! If you look at the AirFiber planning map you can see we are link obstructed at both locations due to the terrain between our houses.
So no AirFibers for us. In fact, the only solution that would fix this would be for us to both install towers at our houses and mount the AirFibers atop them. However, these towers would have to be 246 feet (or 75 meters) tall! I don’t think our neighbors or the city would be too happy if we were to do this! So VPN it is then!
Luckily, I am in an area where I have symmetrical gigabit service from Frontier Communications. My son’s neighborhood has AT&T Fiber, but he’s only willing to spend enough to get symmetrical 300 megabit service. But poor David, given where he lives, can only get Spectrum internet at 90 meg down and 10 meg up.
Site to Site VPNs Between Family
As mentioned previously, I have the SuperMicro server as my pfSense box. My son and David both have my favorite Amazon no-name boxes for pfSense. These boxes are fanless, while still being quite powerful.
With that all in place, we simply connected the devices using OpenVPN, which is the most popular Open Source VPN software on the planet, and is built into pfSense out of the box.
OK! So that’s how we’re configured, but what in the world do we do with these tunnels?
What Runs over Your Family VPN?
You’ll remember from my recent home network tour that I have two Synology NAS boxes and two SuperMicro 1U servers in my lab. All of this compute and storage can be accessed over the VPN. That means my son and David both have access to all of my Synology file shares, and any virtual servers I am running.
Of course, PLEX sharing works over the open internet, but in our case PLEX appears to all of our devices as a local service and therefore tunnels over the VPN. This makes PLEX traffic 100% invisible to our ISPs. They can’t shape it, throttle it, or block it.
You might remember from my home network tour video that I also run Observium for system and network monitoring. In addition to monitoring all of my own devices, this box polls SNMP across the VPN tunnels for all of my son’s and David’s devices: tracking uptime, firewall status, bandwidth usage, storage usage, wireless access points, and much more. Well, except for David’s non-enterprise “dumb switches”.
I also run a central Syslog server. Remote devices send their log files here for storage for 90 days. This is super handy for times when things go bump in the night. Not only can we look back in the logs to see what happened, we can correlate logs across devices to see when one device causes something to go wrong on another. For example, if a camera keeps rebooting, it might be due to the switch running out of Power over Ethernet capacity.
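The cross-device correlation described above, as an added example rather than anything from the original post: a small Python script that reads syslog lines from a central collector and pairs each camera boot message with a switch PoE power-denied message that preceded it within a short window. The hostnames, message formats and log lines are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in BSD syslog (RFC 3164) style. Hostnames and
# message texts are hypothetical, not output from any real device.
SAMPLE_LOGS = """\
Mar  3 02:14:01 core-switch PoE: port 7 power denied, budget 185W exceeded
Mar  3 02:14:19 cam-driveway boot: system started
Mar  3 02:37:52 core-switch PoE: port 7 power denied, budget 185W exceeded
Mar  3 02:38:10 cam-driveway boot: system started
Mar  3 05:00:00 nas-main smbd: session opened for user media
Mar  3 09:12:44 cam-garage boot: system started
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(raw, year=2024):
    """Parse syslog lines into (timestamp, host, message) tuples.
    RFC 3164 timestamps carry no year, so one is supplied."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a syslog line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events

def correlate(events, cause_re, effect_re, window_s=60):
    """Return (cause, effect) pairs where the effect message follows a
    matching cause message on any host within window_s seconds."""
    causes = [e for e in events if re.search(cause_re, e[2])]
    effects = [e for e in events if re.search(effect_re, e[2])]
    window = timedelta(seconds=window_s)
    return [(c, eff) for eff in effects for c in causes
            if timedelta(0) <= eff[0] - c[0] <= window]

def reboots_after_poe_denial(raw, window_s=60):
    """List (camera, boot time, switch) for boots that follow a PoE denial."""
    pairs = correlate(parse(raw), r"power denied", r"boot: system started",
                      window_s)
    return [(eff[1], eff[0].strftime("%H:%M:%S"), c[1]) for c, eff in pairs]

if __name__ == "__main__":
    for cam, when, switch in reboots_after_poe_denial(SAMPLE_LOGS):
        print(f"{cam} rebooted at {when} right after {switch} denied PoE power")
```

The lone cam-garage boot has no PoE event near it and is left out, which is the signal that it needs a different explanation.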
And of course, it should be noted that this VPN also works in the opposite direction allowing me to access David’s file shares as well.
What about VPN Network Security?
Now, some of you who know networking are probably wondering about security with this VPN between friends and family, and you might be wondering what happens when David gets a virus or some 8-Bit malware on his network. Won’t that just propagate to me?
Well, no. We’re not a bunch of boneheads. These OpenVPN connections have full firewall policies running on them, and we only allow very specific traffic across them. This means that, for example, only port 445 is open to my NAS.
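To make that policy concrete, here is an added example in pf syntax (the rule language pfSense generates from its Firewall > Rules pages), not the author's actual configuration. The interface name ovpns1, the address ranges and the host addresses are assumptions; the traffic it permits is the SMB, syslog and SNMP traffic this article describes.

```pf
# Added example, not the author's ruleset. Assumed names: ovpns1 is the
# site-to-site tunnel to one family site, 10.20.0.0/24 is their LAN and
# 10.10.0.0/24 is the local LAN.
remote_lan = "10.20.0.0/24"
nas        = "10.10.0.20"
syslog_srv = "10.10.0.30"
observium  = "10.10.0.31"

# Default deny on the tunnel interface, logged so stray traffic from the
# remote site shows up in the central syslog rather than silently vanishing
block log on ovpns1 all

# The remote site may reach the NAS on SMB (TCP 445) and nothing else
pass in quick on ovpns1 proto tcp from $remote_lan to $nas port 445

# Remote devices ship their logs to the central syslog server
pass in quick on ovpns1 proto udp from $remote_lan to $syslog_srv port 514

# The monitoring server polls SNMP on the remote LAN; replies are matched
# by pf's state table, so no inbound rule for them is needed
pass out quick on ovpns1 proto udp from $observium to $remote_lan port 161
```

Because the tunnel is the only path between the two LANs, nothing not listed here, including an infected host on the far side scanning for SMB on other machines, can reach anything but the NAS on its single permitted port.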
OK. So what other things connect to my VPN? I have a remote access VPN in place so that all of my laptops and phones can connect. In fact, I never access public Wi-Fi without my VPN turned on.
I also have a VPN to my VPC at Amazon Web Services. This is of course where we host TheGeekPub.com and The8BitGuy.com! Remember those Observium and Syslog servers? Those also monitor the health of our webservers. So we immediately know if a server is down, or there is something wrong with it.
If you have any questions about how we use our VPN between friends and family, let me know in the comments below!