pfsense
Warning
make sure the hostname is filled in correctly (pfsense.local.rgbrouwer.com) to prevent the DNS rebinding error when accessing the box through the reverse proxy.
Wireguard
No issues making tunnels
DNS was a pain. Need to set DNS on the clients to the [[IP]] of the WireGuard interface AND the search domain, to allow local resolution:
DNS: X.X.X.X, local.rgbrouwer.com
Need an outbound NAT rule to allow traffic out of the pfsense box, as pfsense doesn't automatically recognise the WireGuard interface.
The WireGuard interface needs firewall rules.
Client peer needs X.X.X.X/24 even though the server peer is X.X.X.X/32.
protonVPN
Uses pfsense as a Wireguard client to their server.
Use aliases for the hosts you want to use protonVPN
NAT rules to translate the internal [[IP]] address to the one required by the protonVPN WireGuard server.
Firewall rules to force hosts to use the protonVPN gateway defined in pfsense.
Useful to have a block rule for the same hosts as a kill switch.
For DNS leaks, use a NAT rule to redirect traffic arriving on the interface from those hosts and destined for port 53 (DNS) to the VPN's DNS server.
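As an added illustration (not from these notes or from Netgate), the pieces listed in the Wireguard and protonVPN sections above, written as the pf.conf rules that the pfSense GUI entries roughly translate to. Interface names, the road-warrior subnet, the ProtonVPN peer/resolver address and the alias members are all constructed placeholders; the order of the rules is what matters.

```pf
# Illustrative pf.conf translation of the pfSense GUI rules described in the notes.
# All addresses, interface names and table contents are constructed placeholders.
lan_if = "igb1"              # LAN interface (assumed name)
wan_if = "igb0"              # WAN interface (assumed name)
wg_srv = "tun_wg0"           # pfSense WireGuard tunnel acting as the road-warrior server (assumed)
wg_vpn = "tun_wg1"           # pfSense WireGuard tunnel that is the ProtonVPN client (assumed)
wg_srv_net = "10.10.10.0/24" # constructed road-warrior tunnel subnet
vpn_gw = "10.2.0.1"          # constructed ProtonVPN peer address, used as the gateway
proton_dns = "10.2.0.1"      # constructed VPN-side resolver for the DNS-leak redirect

# Alias of the LAN hosts that must only reach the internet via ProtonVPN (constructed)
table <proton_hosts> { 192.168.1.50, 192.168.1.51 }

### Road-warrior WireGuard server (Wireguard section) ###
# Outbound NAT: pfSense does not add this for a WireGuard subnet on its own
nat on $wan_if inet from $wg_srv_net to any -> ($wan_if)
# The WireGuard interface needs its own pass rules, or tunnel traffic is dropped
pass in quick on $wg_srv inet from $wg_srv_net to any keep state

### ProtonVPN policy routing (protonVPN section) ###
# Translation rules are evaluated before filter rules in pf:
# rewrite DNS from the aliased hosts so it can only go to the VPN resolver
rdr on $lan_if inet proto { tcp udp } from <proton_hosts> to any port 53 -> $proton_dns port 53
# Source-NAT the internal addresses to the tunnel address ProtonVPN expects
nat on $wg_vpn inet from <proton_hosts> to any -> ($wg_vpn)
# Force the aliased hosts out the VPN gateway (GUI: LAN rule with Gateway = ProtonVPN)
pass in quick on $lan_if route-to ($wg_vpn $vpn_gw) inet from <proton_hosts> to any keep state
# Kill switch: anything from those hosts that did not match the route-to rule is dropped
block in quick on $lan_if inet from <proton_hosts> to any
```

In the GUI the `rdr` and `nat` lines live under Firewall > NAT (Port Forward and Outbound), the `pass` and `block` lines under Firewall > Rules on LAN with the pass above the block, since rules match first-hit. The block only works as a kill switch if the pass rule disappears when the VPN gateway is down; by default pfSense recreates a rule with a dead gateway without the gateway, so traffic would leak out the default WAN unless "Skip rules when gateway is down" is enabled under System > Advanced > Miscellaneous. Note also that this pass rule sends the hosts' LAN-local traffic into the tunnel too; put a pass rule for local destinations above it if those hosts need to reach other LAN devices.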
Reinstallation
Painless when done properly:
1. USB stick with both firmware and config.xml file in a folder called config
2. Hook up console with cable
3. sudo screen -U /dev/cu.usbserial-0155FF3A 115200
4. Halt system (option 6)
5. Cancel autoboot
6. run recovery
7. Power cycle leaving USB in when done
Warning
remove the USB after boot, as otherwise it will overwrite the config file on the next boot!!
Instructions from Netgate
Software is stored in iCloud drive: Documents -> Richard