VPN Service with UTM recommendations?

With the recent House/Senate votes to allow ISPs to sell users web traffic, and the increased interest in VPN services, I'm wondering if anyone has already stood up a VPN router or is trying out the various services on their computers?

I have been using Tunnelbear on my phone sparingly at coffee shops, etc., but have always had trouble with it connecting when on my home wifi.  I never gave it much mind before, but am curious if something in the UTM is blocking it...and if I would encounter the same thing with other VPN services.

Anyone tried NordVPN, ExpressVPN, IPVanish...etc.?

Thanks,

  • If you use Google, shop at Amazon or Walmart or do any of dozens of other things, your life already is an open book.  In any case, if you want to encrypt all of the traffic out of your UTM and hide your IP, you will need an additional device as the UTM doesn't have the possibility of being a VPN client itself.

    Cheers - Bob

  • In reply to BAlfson:

    Bob -

    I understand the UTM cannot act as a client, that's not what I am trying to do.

    I have a VPN service on my phone, Tunnelbear, and was trying it out on my desktop as well, but the UTM was blocking both from connecting to their servers.  Just curious if others have tried some of the other VPN services already (ie, NordVPN), settled on oneand if it required any configurations to make them work.

    My corporate Cisco VPN works no problem through the UTM without any configuration required.  So I'm not sure why Tunnelbear would be blocked.

    Thanks.

  • In reply to RobertBurri:

    I would assume the firewall is blocking it...did you make rules to allow the connection out?  Check you logs.

  • In reply to RobertBurri:

    Darrell probably nailed it, but you might check #1 in Rulz.

    Cheers - Bob

  • In reply to BAlfson:

    I got it working with a FW rule to allow the specific NordVPN server the client was trying to connect to.

    Is there a way to specify multiple servers (hostnames, not IPs) in a FW rule? IE, Nord has a lot of servers in the US, so I'd like to create a rule that will allow the traffic to any of the US servers, not just one.

    FYI, throughput wasn't bad actually.  I installed the Win10 app, and over Wifi, on speedtest.net I was getting 60/60mbps. 

  • In reply to RobertBurri:

    I'd imagine you would create the hosts as dns hosts and then add them to an availability group which you add as the destination.

  • In reply to RobertBurri:

    What Louis said.

    If there are multiple IPs associated to a single FQDN, create a DNS Group definition instead of a DNS Host - I would be surprised if NordVPN did that though.

    Probably, your best bet is to allow the port you're using for NordVPN to "Any" or "Internet" instead of individual servers.

    Cheers - Bob

  • In reply to BAlfson:

    Not multiple IPs associated to one fqdn, but multiple, hundreds it appears, of fqdns that the app chooses between based on load I presume.

    https://nordvpn.com/servers/

    Will look at what port it might be using that and try that route.

  • In reply to RobertBurri:

    Bob - 

    Thanks for the direction again!

    I've got a simple rule now allowing the ports used (OpenVPN and IKEv2/IPSEC) and it is working nicely.

  • In reply to RobertBurri:

    Whiltst on this subject, I've often thought if the UTM could act like a client ie it's wan connection could be set to that it terminated on one of these services so that traffic was encrypted until it hit the egress point (sort of orion router really) to prevent your ISP spying on you?

    Maybe these services should allow site to site?

  • I've picked up a device for firewall and will be installing Sophos UTM - I too had a similar Q.  Can the firewall device be configured so that it only connects to the external VPN services like Express/NordVPN etc. So all outbound traffic goes via the external VPNs. 

    Would you recommend any guides or discussions I read to figure out how to best achieve this?

     

    Thanks,

  • In reply to maverhick:

    Hi, and welcome to the UTM Community!

    No, it's not possible for the UTM to be a client.  In the 10 years I've been active here, not one person has done this successfully. See the post from Louis-M above.  I have some clients that do this with site-to-site tunnels.

    Cheers - Bob

  • In reply to BAlfson:

     Thanks for the kind reply. I have a spare Netgear Router that I could flash with DDWRT. I've read that DDWRT does support OpenVPN and so connecting to an external VPN can be setup. So now,  I have a couple of questions

    1) I put up a UTM box upfront. Let it handle the routing etc. Do I place the DDWRT flashed router in front or after the UTM box? 
    2) Does this setup solve for both UTM and external VPN connection? Are there any discussions/how-tos I could read that could help me get this right.

    Thanks

  • In reply to maverhick:

    FYI, I've come to the conclusion that a consumer level router is not powerful enough to handle a VPN connection such as the VPN services that are all being considered. I got it working with an ASUS RT-N66U, and the speed was dreadfully slow comparably.  6Mbps vs upwards of 90Mbps using the available clients.  I do think the mini computers most of us are using for the home UTM, ie, my Zotact CI323 NANO would be powerful enough if Sophos supported it.  pfSense supports it, but I'm invested now enough in Sophos that for now I'm not considering it.

    But, I have also had the question about network location...so curious Bob your thoughts.

    For now though regarding the VPN service question...I'm likely to stick with the clients vs a dedicated router/computer.

  • In reply to RobertBurri:

    , thanks for the performance note. I used to have a RT N66U until it broke down, now I have a R7500v2 - seems to be far more powerful. Do you think the chipset in the R7500V2 Netgear might be faster? 

    I'm in the same line of struggle - get a Firewall + VPN. Would prefer Sophos, but looks like only Pfsense supports both out of the box on a single box :)