After getting my hands on a WiFi Pineapple (a post on this to follow!) and enjoying exploring its features, I quickly realised my mobile device is super promiscuous when it comes to joining open access points I’d previously connected to (Premier Inn, McDonalds etc). This got me started on looking into VPN solutions, and after looking online one particular VPN provider seemed to crop up a lot – Private Internet Access (PIA for short). Now there may be others out there not part of the “fourteen eyes”, or with better “no logging” policies, but this isn’t a concern of mine as I just wanted to ensure traffic was encrypted between my device and the endpoint to prevent snooping in public locations. On my Android device the app was easy to configure and worked fine, but I figured I had another 4 devices I could install the client on and wondered if I could do something with my Sophos XG to tunnel all traffic from my home.
Unfortunately the Sophos XG doesn’t provide connectivity options for PIA’s VPN service, which relies on OpenVPN for such connections. What I could do, however, was set up a pfSense appliance to use its OpenVPN client and position this in front of the Sophos XG.
Now I still wanted inbound SSL VPN traffic to the Sophos XG when I was away from home and wanted access to files and so on, but outbound I wanted HTTP and HTTPS traffic to be encrypted in the VPN tunnel from the pfSense box.
My first step was to download the pfSense image and install it as a virtual machine on my HP MicroServer. The install was straightforward and there were many guides online to set up pfSense with PIA’s VPN, including on PIA’s own website. It’s also possible to set up a kill switch if this is something that you’re looking for.
Once I was happy the pfSense box was establishing a VPN tunnel successfully, I then created a new vSwitch to connect a “LAN” vNIC of the pfSense VM to a new “WAN” vNIC on the Sophos XG VM. This meant the pfSense had an outside link connected to the DMZ network on a DHCP address with no port forwarding, as well as an inside link to the Sophos XG appliance which would carry the traffic that was to be encrypted. The Sophos XG had two “WAN” links: one straight onto the DMZ with ports forwarded for SSL VPNs and an HTTPS website, and another to the pfSense which would be the primary gateway for outbound traffic. A static route was also added to the pfSense to route traffic for the user LAN back via the Sophos XG.
The next step was to create a new policy rule on the XG to allow management of the pfSense, as well as to adjust the existing rules to use the new WAN link as the primary outbound connection, since by default the XG will attempt to load balance between the two WAN links.
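As an added illustration of the setup described above (not taken from the original post or from PIA’s guides), here is how the same policy looks expressed as pf rules on the pfSense box: inside traffic may only leave through the OpenVPN tunnel, with a kill switch that drops it if the tunnel is down, plus management access from the Sophos side and the return route for the user LAN. pfSense generates its own ruleset from the GUI (Firewall > Rules, Firewall > NAT, System > Routing), so this is the intended behaviour to reproduce there rather than a file to paste in; the interface names, addresses and subnets are assumptions, and the kill switch relies on no outbound NAT being applied to these source networks on the DMZ link (pfSense’s automatic outbound NAT would otherwise hide them).

```pf
# Assumed names (not from the post): vtnet0 = outside link on the DMZ (DHCP),
# vtnet1 = inside link to the Sophos XG second WAN, ovpnc1 = PIA OpenVPN tunnel.
dmz_if    = "vtnet0"
inside_if = "vtnet1"
vpn_if    = "ovpnc1"
transit   = "10.10.10.0/24"    # pfSense <-> Sophos XG link network (assumed)
user_lan  = "192.168.1.0/24"   # user LAN behind the Sophos XG (assumed)

# Translation rules come before filter rules in FreeBSD's pf syntax.
# NAT inside traffic onto the tunnel address only; nothing is NATed on $dmz_if.
nat on $vpn_if from { $transit, $user_lan } to any -> ($vpn_if)

# Management of pfSense from the Sophos side (the XG policy rule in the post
# permits this; pfSense must also accept it on its inside link).
pass in quick on $inside_if proto tcp from $transit to ($inside_if) port 443

# Everything else arriving from the inside networks is allowed in and is
# expected to leave via the tunnel (PIA pushes a default route into it).
pass in quick on $inside_if from { $transit, $user_lan } to any

# Kill switch: if the tunnel is down the default route falls back to the DMZ
# link, so dropping inside traffic there means it never leaves unencrypted.
block out quick on $dmz_if from { $transit, $user_lan } to any

# Inside traffic is only ever allowed out through the tunnel interface.
pass out quick on $vpn_if

# Return path for the user LAN, added as a static route in pfSense
# (System > Routing); the Sophos XG address on the transit link is assumed:
#   route add -net 192.168.1.0/24 10.10.10.2
```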
All in all this didn’t take too long to set up and cost me only around £30 for a year’s subscription. Speed-wise, I’ve not noticed any slowdowns or any other issues aside from some initial dropouts of the tunnel; however, I identified this was because I’d enabled logging against the tunnelled traffic on the pfSense, which regularly caused the service to need a manual restart. Since I’ve disabled the logging there have been no instances of downtime. The PRTG graphs below show the before and after for pings and HTTP requests to bbc.co.uk: