Routing the guest wifi through OpenVPN in pfSense

Posted May 14, 2018

Last updated February 23, 2019 | 2c29b4f


2 minute read

When I originally bought my Unifi AP AC Lite, I hadn’t put much thought into guest access. I was mainly getting it to improve my own network connectivity, and to get an AP that was independent of my router for greater flexibility. At first, I was using DD-WRT as my core router and firewall, but I have since moved to pfSense on an PC Engines APU2C4 which provides even more features than DD-WRT.

While the guest segregation option in the Unifi Controller works well, I was still wanting to give guests their own DHCP range and more importantly, route all outgoing traffic out to the world through a VPN. This is mainly protection for myself, as it doesn’t expose my IP address out to the internet for tracking or for possibly questionable activities that guests might be up to.

The first step was to create a new VLAN in pfSense to get the wifi network from the AP to the router segregated from my regular network traffic. I found some great instructions at RedPacket Security that walked through this step by step with great screenshots (JavaScript required for image viewing).

The next step after getting this to work was to get my new VLAN routing over a VPN connection that is terminated inside of pfSense. An article has been written on kroy.io that will be better and more detailed than anything I could do.

After combining these two processes, I now have a wireless network for guests that is completely segregated from my home network and goes out to the world through a PIA VPN. The APU2C4 is a very low powered device, so speeds aren’t as high as if it were a full blown computer, but they will be more than adequate when throttling guests through the Unifi Controller.

Speed test while on VPN