Is there a primer on OpenVPN you could recommend? On my Note8 and iPhone, I just use the built-in VPN features to connect to the Radius server in the USG. There's this Tasker app on Android which can leverage OpenVPN which I'd like to explore.
I found tons of inspirational stuff on OpenVPN on the Ubiquiti forum. And your network situation might be a "bit" different than mine, so what I did was harvest bits & pieces from other people's tutorials, stole some great ideas, and ditched some (seemingly less great) ideas. But by doing trial and error, you learn from your mistakes.
In general, my advice would be:
- DRAW your network layout on paper. Don't start coding / configuration before you have an overview of what you want to implement. Keep in mind: networks do change over time; you might run into an iterative process and have to start over from this important step. So keep your documentation for later reference, otherwise you find yourself in a situation like: why on earth did I configure vlan 9, clean it up, and after a while discover that your smart TV can't play media files anymore. Also important: you have your Physical Diagram (which outlet goes to which room, terminated on which switch/router/access point/...) and your Logical Diagram (which IP range, subnet, gateway, vlan number, etc.).
- once you have your architectural design, you will be able to formulate your requirements:
  - if vlans are required: how many, how are they propagated --> this defines whether (or not) you'd require managed switches or unmanaged ones
  - if different subnets are required: how many, how are they "concentrated" --> this defines whether (or not) you'd require (additional) routing capabilities
  - in case you want to reach your inner network, OpenVPN is the no-brainer solution. It runs on ample SOHO routers (e.g. ASUS) but also on the Ubiquiti gear. With OpenVPN set up, you can then opt whether you land in a specific vlan, or can connect to restricted subnets.
  - in any case of the aforementioned options, you'd think about "access restrictions". Everybody on this forum is already aware that blocking internet access TO IPC/NVR is mandatory (which means no port forwarding); however, thinking about restricting access TO the internet might be a wise thing too. Exceptions can occur if you really want to have push notifications. Draw these access rules on paper (traffic_in versus traffic_out, by physical interface and/or logical interface (e.g. which IP can talk with another IP)). And think broad: do you really want your Google Home device residing in the same network as your NAS with your family pictures? Same applies to your wifi-IoT fridge. It's not a question whether they would do you harm NOW, it's more about in 3-4 years, when your fridge is out of warranty, didn't get any firmware update, and the *nix gets whacked and goes rogue on your network. Then you'll be happy to have it isolated in a vlan.
- then it's play time:
  - start configuration of your network gear. Do keep regular backups (and keep them in pairs: firmware file + configuration file). Many people only save the configuration file, but if version 4.39 has configuration features which 3.10 does not have, and your system breaks down and you get a new device under warranty sitting on the factory default of 3.10, you can't just load the 4.39 configuration file. But maybe that firmware file doesn't exist anymore and the vendor sits on 5.59, so you lack the intermediate 4.39 firmware file. So keep them both!
  - more specifically on OpenVPN: I tend to keep the OpenVPN client in "seamless" mode, which means that whenever my OpenVPN connection drops, even when 3G/4G or wifi still "work", no packets are sent over the air. I do not want to let slip any packets (because maybe my OpenVPN port is blocked on a public hotspot).
Tasker might help you in the last use case to see "if not connected to trusted wifi - connect openvpn", but in seamless mode, you don't actually need it.
Hope this helps!
CC
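The "access rules on paper" advice in the post above (no inbound to IPC/NVR, restricted camera egress with a push-notification exception, IoT isolated from the NAS, VPN clients landing only where explicitly allowed) can be checked before touching the router by modelling it as a first-match policy. The following is an added example, not code from the post, its author or Ubiquiti; the zones, subnets, IP addresses and the push-notification endpoint are all constructed placeholders for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed logical diagram: one VLAN/subnet per zone (hypothetical values).
ZONES = {
    "LAN":     ip_network("192.168.10.0/24"),   # laptops, NAS with the family pictures
    "IOT":     ip_network("192.168.20.0/24"),   # Google Home, wifi fridge
    "CAMERAS": ip_network("192.168.30.0/24"),   # IPC / NVR
    "VPN":     ip_network("10.8.0.0/24"),       # OpenVPN client address pool
}

NVR_IP = "192.168.30.2"            # constructed: the NVR that sends push notifications
PUSH_ENDPOINT = "203.0.113.10"     # constructed: the vendor's notification service


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the drawn subnets is INTERNET."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src_zone: Optional[str] = None   # None matches any zone / host / port
    dst_zone: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, sz: str, dz: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return ((self.src_zone is None or self.src_zone == sz)
                and (self.dst_zone is None or self.dst_zone == dz)
                and (self.src_ip is None or self.src_ip == src_ip)
                and (self.dst_ip is None or self.dst_ip == dst_ip)
                and (self.dst_port is None or self.dst_port == dst_port))


# First match wins, so the narrow exception sits above the broad deny,
# and the last rule is the default deny that catches everything undrawn.
POLICY = [
    Rule("nvr-push-notifications", "allow", "CAMERAS", "INTERNET",
         src_ip=NVR_IP, dst_ip=PUSH_ENDPOINT, dst_port=443),
    Rule("no-inbound-to-cameras", "deny", "INTERNET", "CAMERAS"),   # no port forwarding
    Rule("cameras-no-internet", "deny", "CAMERAS", "INTERNET"),     # restricted egress
    Rule("iot-isolated-from-lan", "deny", "IOT", "LAN"),            # fridge never sees NAS
    Rule("vpn-to-cameras", "allow", "VPN", "CAMERAS"),              # VPN lands in one vlan
    Rule("lan-outbound", "allow", "LAN"),
    Rule("iot-internet-only", "allow", "IOT", "INTERNET"),
    Rule("default-deny", "deny"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, rule name) for a single flow, first matching rule wins."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.matches(sz, dz, src_ip, dst_ip, dst_port):
            return rule.action, rule.name
    return "deny", "default-deny"   # unreachable while POLICY ends in a catch-all


if __name__ == "__main__":
    # Constructed flows exercising each drawn rule.
    flows = [
        ("198.51.100.7", NVR_IP, 80),            # internet -> NVR web UI
        (NVR_IP, PUSH_ENDPOINT, 443),            # NVR push notification
        ("192.168.30.5", PUSH_ENDPOINT, 443),    # another camera trying the same
        ("192.168.20.4", "192.168.10.50", 445),  # fridge -> NAS SMB
        ("10.8.0.6", NVR_IP, 554),               # VPN client -> NVR RTSP
        ("10.8.0.6", "192.168.10.50", 445),      # VPN client -> NAS (not drawn)
    ]
    for src, dst, port in flows:
        action, name = evaluate(src, dst, port)
        print(f"{src:>15} -> {dst:>15}:{port:<4} {action:5} ({name})")
```

Running the block prints one line per constructed flow with the verdict and the rule that produced it. The point worth carrying to the real USG is the ordering: the push-notification exception must be more specific than, and listed before, the blanket camera-egress deny, and a VPN client reaches only the zone it was explicitly drawn into, everything else falling through to the default deny.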