Routing all my internet traffic through a VPN

I just started with my home server, so I’m relatively new to all this. I currently have Pi-hole running on my server, so all of the ads on my network get stopped there. I also have WireGuard in case I need to connect into my network remotely (but that’s very rare). I was wondering if there’s a way to also route my entire network through a VPN (I currently use Surfshark, but I can always change providers). Basically, I’d like to have all my traffic on the network go through an external VPN to hide my traffic from my ISP, and then have everything go through Pi-hole before it goes to my devices to continue blocking ads. I’d also like to be able to turn the VPN on and off via my home server (Ubuntu) if that’s possible. Any advice is greatly appreciated!

Do you use Docker containers? If so, look into gluetun; it’s designed so you can pick which containers run all their traffic through a VPN tunnel, slightly more elegant than doing all your traffic.

Get a router that supports a VPN client.

Firewalla

Opnsense

OpenWRT

Sophos

IPFire

Don’t get pfSense

Routing all your traffic through a VPN seems unnecessary, but if privacy is important to you and you already run a small server, you should look into Tor and maybe become a node yourself. It is even more private than a VPN, in which case your connection data will be with the provider of the VPN instead of your ISP.

For “normal” everyday use, an app or a browser plugin should provide sufficient privacy. Or the Tor Browser.

Unless you live in China under the Great Firewall, you don’t want to route all your traffic through a VPN. It will slow it down considerably. You want to route only certain (illegal) traffic through the VPN, such as torrents.

This is generally a bad idea. It gives you the illusion of security and might keep your ISP out of the loop, but all you’ve done is moved your traffic trace from your home to the end of the tunnel. VPNs that are truly point-to-point are good at protecting data from prying eyes, but this type of tunnel would still allow spying from the end of the VPN tunnel to wherever the traffic’s ultimate destination is. You’ve basically shot up a flare indicating that you’re doing something potentially nefarious and have indicated to those looking where they need to set up eavesdropping (end of tunnel). You’re also doing it at the cost of bandwidth and CPU power. All of the places you go will still have logs of you and your activities. Your traffic endpoints may not know your source IP but can still do a lot to fingerprint your source device and then look at historical logs to figure out identities.

Pretty much all web sessions are natively encrypted these days, and every web browser has a method of encrypting DNS services, so the value of these types of VPN tunnels has really decreased. Torrents may be a good use case, but it isn’t an always-on one, and I’d say a seedbox would be a better solution. If you’re trying to hide something from a nation-state, it might not be working as well as you think.

I recently did this for like 2 days. Then just said f it, because crap didn’t want to work right. Couldn’t watch TV because Hulu and a few other services wouldn’t work. Tried to pay a few bills online and kept getting a blocked-IP pop-up. A couple of times surfing the web, kept getting the blocked-IP pop-up on different sites.

I did a similar thing where I route all of a specific subnet/vlan through my VPN. Not exactly what you’re looking for but may be useful to pick up some ideas. Route Subnet Through W... | swigg
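For the original question (toggle a tunnel from the Ubuntu box while Pi-hole keeps serving DNS) and the reply above (send one subnet/VLAN through the VPN), here is an added example of how that is typically done on a Linux gateway with policy-based routing. This is not code from the post or from the linked write-up. It assumes the VPN provider's WireGuard config is at /etc/wireguard/wg0.conf with `Table = off` added under `[Interface]` (so wg-quick does not replace the gateway's own default route); the interface name `wg0`, the subnet `192.168.50.0/24`, table id `100` and rule priority `100` are all assumed/constructed values.

```shell
#!/bin/sh
# Policy-based routing: one LAN subnet (e.g. a "VPN" VLAN) leaves through a
# WireGuard tunnel while the rest of the LAN and the gateway itself keep using
# the ISP route. Assumptions: Linux gateway with net.ipv4.ip_forward=1,
# iproute2, iptables, and /etc/wireguard/wg0.conf containing "Table = off".
# Interface, subnet, table id and priority below are assumed values.
set -eu

VPN_IF="${VPN_IF:-wg0}"                      # WireGuard interface (assumed)
VPN_SUBNET="${VPN_SUBNET:-192.168.50.0/24}"  # subnet to tunnel (constructed)
VPN_TABLE=100                                # dedicated routing table id
RULE_PRIO=100                                # ip rule priority; lower wins

# run: execute a command, or only print it when DRY_RUN=1 so the exact
# ip/iptables invocations can be reviewed before touching the gateway.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vpn_on() {
    run wg-quick up "$VPN_IF"
    # Table 100: default route via the tunnel, plus a blackhole with a worse
    # metric. If wg0 goes away its route is withdrawn and the blackhole then
    # catches the subnet's packets instead of letting them leak to the ISP.
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    run ip route add blackhole default metric 1000 table "$VPN_TABLE"
    # Only packets sourced from VPN_SUBNET consult table 100; everything else
    # (other VLANs, the gateway, Pi-hole's own upstream queries) uses main.
    run ip rule add from "$VPN_SUBNET" lookup "$VPN_TABLE" priority "$RULE_PRIO"
    # Forward the subnet into the tunnel and source-NAT it to the tunnel IP.
    run iptables -A FORWARD -s "$VPN_SUBNET" -o "$VPN_IF" -j ACCEPT
    run iptables -A FORWARD -d "$VPN_SUBNET" -i "$VPN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$VPN_IF" -j MASQUERADE
}

vpn_off() {
    # Undo in reverse order; afterwards the subnet falls back to the ISP route.
    run iptables -t nat -D POSTROUTING -s "$VPN_SUBNET" -o "$VPN_IF" -j MASQUERADE
    run iptables -D FORWARD -d "$VPN_SUBNET" -i "$VPN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -s "$VPN_SUBNET" -o "$VPN_IF" -j ACCEPT
    run ip rule del from "$VPN_SUBNET" lookup "$VPN_TABLE" priority "$RULE_PRIO"
    run ip route flush table "$VPN_TABLE"
    run wg-quick down "$VPN_IF"
}

vpn_status() {
    # Exit 0 when the policy rule is installed, 1 otherwise.
    ip rule show | grep -q "lookup $VPN_TABLE"
}

case "${1:-}" in
    on)     vpn_on ;;
    off)    vpn_off ;;
    status) vpn_status && echo "VPN routing active" || echo "VPN routing off" ;;
    "")     ;;   # no argument: functions are defined only (e.g. when sourced)
    *)      echo "usage: $0 on|off|status" >&2; exit 2 ;;
esac
```

Run `sudo DRY_RUN=1 ./vpn-route.sh on` first to see the commands, then without DRY_RUN to apply them. Clients in the tunnelled subnet should still get Pi-hole as their DNS server via DHCP; the ip rule only matches on source address, so Pi-hole's own upstream lookups are not affected unless Pi-hole itself lives in that subnet. Remove any `DNS =` line from the provider config so wg-quick does not overwrite the gateway's resolver.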

Be aware that using a VPN can slow down your connection due to encryption overhead and the distance to the VPN servers. Furthermore, some services may not work when accessed over a VPN due to geo-restrictions or VPN-blocking measures.

Thanks for this, I’ve been looking to do something similar with user groups for a while now.

Another tip too is that you can run multiple instances. I run two because PIA allows multiple simultaneous connections, but they max out at like 6 Mbps. My broadband can do better than that.

I would put the above-mentioned firewall before your router and use your router just as a switch. It does not take a lot to run those firewalls. It should run on any 3rd gen i3, and you would need it to have two Ethernet ports. So I would get an Intel NIC.

I would also add MikroTik to this list.

Is there a way to do this through the home server though? Or do I have to use the router itself?

Does TP-Link qualify?

It depends on what your internet speed is and what speed you actually need, vs the level of privacy you need.

Everyone’s use case is different regardless of where they live.

Recent controversies due to changes in provided features, now behind paywalls.

You can use libvirt to install the router OS (I have used OpenWrt and MikroTik CHR) and create a bridge connection between the VM and the physical interfaces.
I saw Lawrence Systems’ video on it. I think that’s just for the specific home lab version that’s being discontinued, but CE (Community Edition) isn’t affected.