Wrapping all LAN traffic in a VPN without a speed limit

In a previous article, we looked at how to anonymize all Internet traffic from a single host. Now let's raise the level of security by wrapping the entire local network in a VPN. At the same time we eliminate the danger of a not-yet-configured device reaching the Internet directly and linking our provider's address to that device.

For this, you could simply configure a VPN client on the gateway, if the router allows it. But that solution has consequences: lower Internet speed, a higher load on the router, and some clients immediately send all traffic through the main connection as soon as they lose the VPN. Do not forget that even the leading VPN providers cannot guarantee 100% uptime for their servers.

So what are our goals:

– pass all outgoing traffic through VPN
– do it as fast as possible
– not depend on temporary problems of the VPN provider
– maximum anonymity on the Internet


We need a powerful router that can encrypt traffic at high speed; it will act as the VPN gateway. We found wonderful mini-PCs on AliExpress that are up to the task: a quad-core Intel Celeron, native support for AES-CBC, AES-XTS, AES-GCM and AES-ICM, and as many as four RJ-45 ports. pfSense was installed on them by default, and that is what we will work with.

If your ISP requires a special connection setup, you can use two more routers, one for Internet access and one for the local network, and put the VPN gateway between them. Otherwise, you can connect the provider's cable directly to the VPN gateway and place your home router with the local network behind it. The initial setup of the Internet connection on pfSense is beyond the scope of this article.


The article assumes that the Internet is connected to the first port, your PC or home network to the second, and that before configuring the VPN, you were able to access the Internet.

To avoid problems later, log in to your favorite VPN provider and find its instructions for setting up pfSense. If your provider does not offer instructions for manual configuration in pfSense, you can use these from my favorite provider: www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn – the essentials are the same. That article, with screenshots, describes how to fully configure a newly purchased router with pfSense.

Here is a short checklist for setting up a new VPN:

– System – Cert. Manager – CAs. Add the VPN CA certificate
– System – Cert. Manager – Certificates. Add the VPN server certificate
– VPN – OpenVPN – Clients. Create a new client according to the instructions from the VPN provider
– Interfaces – Assignment. Add the client as an interface
– System – Routing. Check that the gateway has appeared
– Firewall – NAT. Add NAT rules for each client
– Firewall – Rules – LAN. Add a rule sending all traffic from the network through the VPN gateway
– System – Routing. For the active VPN, specify a Monitor IP in the gateway settings; pings to it will check that the VPN is working

VPN clients are restarted in Status – OpenVPN. Logs are viewed in Status – Package Logs – OpenVPN.

At this stage, we stop and check that there is Internet access via the VPN, and that when the VPN is disconnected, access disappears entirely. If there is no Internet, we made a mistake somewhere: look at the VPN logs and check the settings again. If, after disconnecting the VPN, traffic starts to go through the main gateway, the mistake is in Firewall – Rules – LAN.

Now for the interesting part. If your provider gives you 20 Mbit per second, and that only at night, then at this stage you already have a local network completely enclosed by the VPN and running at the highest speed possible. But what if your channel is wider?

# Scaling up

We set up a couple more VPN clients for different servers according to the instructions above. There is no need to add the CA and server certificates again; select the ones already added. Also skip the Firewall – Rules – LAN step for now, we will do it later. The required number of clients is determined empirically from speed measurements through each individual server.

Once completed, we should have the following picture:

– In VPN – OpenVPN – Clients created and activated clients

VPN - OpenVPN - Clients

– Interfaces – Assignment created and activated interfaces for each client

Interfaces - Assignment

– In Status – OpenVPN, all clients are in the "up" state

Status - OpenVPN

– Gateways appeared in System – Routing, and Monitor IP addresses to ping are specified for them.
(If you can't figure out what to ping, open shodan.io and find all the Google IPs)

System - Routing

Now let's go to System – Routing – Gateway Groups. Click Add. Enter a memorable name in the Group Name.

System - Routing - Gateway Groups

Now pay attention to the Gateway Priority table. Gateway groups work as follows: failover between tiers, load balancing within a tier. The Tier column indicates at which tier a gateway is used. The simplest option is to put all active VPN gateways in the first tier. The option for a slow Internet connection is to create two clients and place them in the first and second tier, but then you get only fault tolerance, not extra bandwidth.

Find the Trigger Level below. This is the condition under which a gateway is temporarily excluded from the group. Options other than Member Down let you stop sending packets to a gateway somewhat before it goes down completely: when the packet loss threshold is exceeded and/or when latency is high. The loss and latency thresholds are set for each gateway individually in System – Routing – Gateways.

Once you have chosen a suitable arrangement of gateways by tier, click Save.

It's time to direct traffic to the new gateway group. Go to Firewall – Rules – LAN, open the redirection rule created earlier, scroll down to the gateway list and find the group we created. Select it, save the rule and apply the changes. That's it: from now on each new connection goes out through one of the VPN clients in the group.
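To make the tier and Trigger Level behaviour concrete, here is a small simulation written for this article (not pfSense code): it models the Gateway Priority table and the four Trigger Level options and lists the members a new connection could use. Gateway names, the per-gateway loss and latency thresholds and the measured values are constructed.

```python
import random
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    tier: int                 # Tier column in the Gateway Priority table
    up: bool                  # False = Member Down as seen by the gateway monitor
    loss_pct: float           # measured packet loss to the Monitor IP
    rtt_ms: float             # measured latency to the Monitor IP
    loss_thresh: float = 20.0 # per-gateway thresholds (System - Routing - Gateways),
    rtt_thresh: float = 500.0 # constructed values, not pfSense defaults

# Trigger Level options of a pfSense gateway group, by name.
TRIGGERS = ("member_down", "packet_loss", "high_latency", "loss_or_latency")

def is_usable(gw: Gateway, trigger: str) -> bool:
    """A member stays in the group unless the chosen trigger condition fires."""
    if not gw.up:
        return False                       # Member Down excludes under every trigger
    loss_bad = gw.loss_pct > gw.loss_thresh
    rtt_bad = gw.rtt_ms > gw.rtt_thresh
    if trigger == "packet_loss":
        return not loss_bad
    if trigger == "high_latency":
        return not rtt_bad
    if trigger == "loss_or_latency":
        return not (loss_bad or rtt_bad)
    return True                            # member_down: only a hard failure counts

def active_members(gateways, trigger):
    """Failover between tiers: the lowest-numbered tier with a usable member wins."""
    for tier in sorted({g.tier for g in gateways}):
        usable = [g.name for g in gateways if g.tier == tier and is_usable(g, trigger)]
        if usable:
            return tier, usable
    return None, []

def pick_gateway(gateways, trigger, rng=random):
    """Balancing within the tier: each new connection gets one of the active members."""
    _, usable = active_members(gateways, trigger)
    return rng.choice(usable) if usable else None

# Constructed example: three VPN clients in tier 1, one "slow Internet" spare in tier 2.
GATEWAYS = [
    Gateway("VPN_NL", 1, True, 0.0, 40.0),
    Gateway("VPN_DE", 1, True, 35.0, 60.0),    # lossy: over the 20 % threshold
    Gateway("VPN_CH", 1, False, 100.0, 0.0),   # tunnel is down entirely
    Gateway("VPN_SPARE", 2, True, 0.0, 90.0),  # only used once all of tier 1 is out
]
```

Run `active_members(GATEWAYS, t)` for each trigger in `TRIGGERS` to see which members the lossy client is dropped from; the tier 2 spare only appears once every tier 1 member is excluded.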

Testing time: open api.ipify.me, disable the cache and keep-alive, and reload the page. If you are the only user on the network, every page reload should show a new IP address that differs from your home one. If you see the same address, do a full refresh with Ctrl + F5 (Command + Shift + R on a Mac), or open a new private tab. If that doesn't help, you made a mistake somewhere in the group settings, or did not change the gateway in the firewall rule.

Now for the bad news. Unfortunately, this setup has a small, elusive bug when it sits in front of the local network's router rather than a switch. Sooner or later one of the VPN clients drops, the group excludes it, and everything is fine until that VPN comes back up. Since all users are behind NAT, the VPN router sees only one IP address and 65 thousand ports, and over time it associates all of those ports with the VPN clients that never dropped. As a result, once the client comes back up, no traffic goes through it. The client is perfectly alive, pings and a steady trickle of service traffic pass through it, but client traffic does not. In theory this would be solved by resetting the connection table, and pfSense even has a checkbox for that, but in my experiments this checkbox completely blocked all access to the router: clients started dropping cyclically, each time killing the freshly established connections from the web interface, which made it very hard to fix the problem. Without this checkbox, with more than two VPNs they balanced themselves so that access through at least one was always available. In the end I configured a monitoring condition of "if for five minutes the interface carried less than 1000 bytes of traffic per second, notify me", and in especially stubborn cases I manually restart the zombie VPN client to reset the connection table.
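The "less than 1000 bytes per second for five minutes" rule above can be implemented over the interface byte counters. The following is an added example for this article, not the author's monitoring setup: it assumes you already sample each OpenVPN client interface's byte counter about once a minute (collection is not shown) and decides which interfaces look like zombies; the interface names and the sample values are constructed.

```python
WINDOW_SEC = 300          # "five minutes" from the monitoring rule above
FLOOR_BPS = 1000          # "less than 1000 bytes of traffic per second"

def rate(prev, cur):
    """Bytes per second between two (unix_time, byte_counter) samples."""
    (t0, b0), (t1, b1) = prev, cur
    if t1 <= t0:
        raise ValueError("samples must be strictly increasing in time")
    # A counter that went backwards means the OpenVPN interface was restarted
    # and its counter reset; count only what accumulated since the reset.
    delta = b1 if b1 < b0 else b1 - b0
    return delta / (t1 - t0)

def is_zombie(samples, window=WINDOW_SEC, floor=FLOOR_BPS):
    """True when every interval in the last `window` seconds stayed below `floor`.
    samples: list of (unix_time, rx_bytes) for one interface, oldest first.
    Returns False (no verdict yet) until a full window of history is available."""
    if len(samples) < 2:
        return False
    start = samples[-1][0] - window
    if samples[0][0] > start:
        return False
    # Begin at the last sample taken at or before `start` so the whole window counts.
    first = max(i for i, (t, _) in enumerate(samples) if t <= start)
    pairs = zip(samples[first:], samples[first + 1:])
    return all(rate(p, c) < floor for p, c in pairs)

def classify(counters_by_iface, **kw):
    """Run the check over several interfaces; returns the names to alert on."""
    return sorted(name for name, s in counters_by_iface.items() if is_zombie(s, **kw))

# Constructed samples, one per minute over six minutes (7 samples each).
T0 = 1_700_000_000
HEALTHY = [(T0 + 60 * i, 10_000_000 + 3_000_000 * i) for i in range(7)]   # ~50 kB/s
ZOMBIE = [(T0 + 60 * i, 10_000_000 + 600 * i) for i in range(7)]          # keepalives only, 10 B/s
RECOVERED = ZOMBIE[:6] + [(T0 + 360, ZOMBIE[5][1] + 3_000_000)]            # traffic came back
```

`classify({"ovpnc1": HEALTHY, "ovpnc2": ZOMBIE, "ovpnc3": RECOVERED})` flags only `ovpnc2`; a restarted client whose counter dropped back to zero is not mistaken for a dead one because `rate` treats a decreasing counter as a reset.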

So, we have a network whose traffic is entirely passed through several distributed VPNs. Thanks to the combination of several different VPN servers we do not depend on the availability of any one of them, and the network speed is limited only by your channel minus the encryption overhead. If one router turns out not to be enough for you, routers can be scaled as well, but that is a topic for a separate article.
