Solution for pfSense and VPN client gateway randomness

  • Release Candidate 6
    We are at a “proposed final” true release candidate with nothing known remaining to be changed or fixed. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!



Well-known member
Jul 19, 2021
I had an idea for configuring pfSense with VPN providers (I am using NordVPN and ExpressVPN). As most VPN providers let you connect multiple devices, I have my pfSense router configured for four client connections to NordVPN and four client connections ExpressVPN. I then give each its own gateway so I have eight VPN gateways, then I add all of them to a tier 1 gateway group which is what I assigned most all of my device to as a gateway in the firewall settings. The effect is that my traffic jump around to eight random VPN endpoints to the internet using two VPN providers. I seems to work, although I noticed to YouTube and other ad sites some times will show ads for any of the eight random countries, some times (not often) sites pop up in the wrong language, but I tend to use the same sites and don’t go out far on the internet, so I don’t have any problems. I also know as a developer HTTP has a language header, but my guess is that most sites don’t utilize it. I was wondering what you folks think of this solution? Including Steve. I also don’t remember Steve weighing in on ISPs spying and reselling data, but Leo talks about that in the ExpressVPN ads.
That is an interesting idea for hoping around somewhat randomly.

Possibly of interest to you - another option with some providers like Mullvad (a Steve favorite that doesn't advertise) that provide socks5 proxies you can use over the VPN which allow you to have 1 VPN connection maintained by pfsense but have traffic route out via endpoints all over the world depending on the socks server used. (with pfsense and mullvad just set static route for to use the VPN connection which covers all of their socks5 servers globally)

To easily get random egress then you can use a light weight nginx reverse proxy as setup in this docker image . You set that as the sock5 proxy your apps use and then it randomly proxies out via one of the proxy servers you setup in the proxy config. You could then have hundreds of egress options that are randomly chosen.

This of course only works with apps that support socks5 like web browsers. I find that preferable since it limits what telemetry is also associated with your vpn connections that otherwise can unmask you though a little less of a concern when you egress randomly over hundreds of exit points. But for example OS telemetry and accounts that can be used to correlate who you are like gmail, icloud and such I just have go straight out and use chrome with no proxy and no os proxy setting. Then use Firefox with proxy set for other things, an especially powerful option with their multi container extension that allows you to choose a proxy per container and control which domains use which containers and which cookies can persist restarts etc.

Note to really get around tracking you need to also be very cognizant of browser fingerprint techniques that really do not emphasize IP address very much. desmostration is one of the most powerful I have seen and works by default in same browser even in incognito mode. You can beat it though with Firefox multi containers combined with Temporary Containers and CanvasBlocker extensions in addition to turning on privacy.resistFingerprinting in about:config for firefox. And of cource Ublock origin.
Then there are web-based email apps like Horde that insist you re-login every time they detect that your exit point IP address has changed.. REALLY annoying when using T-Mobile hotspot on my smartphone for Wi-Fi. Apparently, T-Mobile's load balancing is changing my exit point IP address on a regular basis.