OpenVPN, Must Router be Inline to Modem?

Discussion in 'Networking' started by Jose R., Apr 18, 2019.


  1. Jose R.

    Jose R. Getting the hang of it

    Joined:
    Mar 14, 2019
    Messages:
    54
    Likes Received:
    30
    Location:
    Miami, FL
    Here's the situation: My AT&T U-verse combo router/modem is in the entertainment center, the BI PC is in a closet across the house, and the ASUS 86U is remotely mounted in the center of the house.

    I have a cable from the switch in the entertainment center feeding the BI closet switch, which feeds the BI PC and ASUS router running the VPN. Does the VPN work if the router is at the end of the line?

    See diagram. Will the blue line work (already run), or do I have to do the red one instead (router inline), which requires extra runs?

    BI PC has not yet been deployed online.

    Thanks!

    Network Diagram.png
     
  2. bp2008

    bp2008 Staff Member

    Joined:
    Mar 10, 2014
    Messages:
    8,195
    Likes Received:
    5,075
    It doesn't make any difference if you use the red or blue cable. Just don't use both because that would make a loop in your network ;)
     
    fenderman likes this.
  3. bp2008

    bp2008 Staff Member

    You'll need to forward a port through the AT&T router to the Asus router for OpenVPN. Ideally that should be the only port that you have open, and UPnP should be off in the AT&T router.

    The rest of the setup depends on if you are connecting the Asus router to your LAN via one of its LAN ports or via its WAN port. I'm guessing it is safer to use Asus's WAN port because then you can leave Asus's DHCP server enabled (configured to a different subnet than the AT&T router of course). I'm not sure if the OpenVPN server will work properly if you were to disable the DHCP server.
     
  4. Jose R.

    Jose R. Getting the hang of it

    Ok so the single cable going to the remote VPN server will work in both directions and protect the BI PC even tho it's not between it and the internet? I have much to learn with these things. It seemed to me that it has a direct line to the outside that way which doesn't protect it. But it does. So we're good.

    Anyway, the way the ASUS 86U is wired and installed, the single cable coming from it is a LAN port. I could switch to the WAN port but that requires plaster dust to be made as it's flush against the wall. But totally doable if necessary.

    Is having two routers running DHCP ok? They won't fight with each other?

    Thanks, BP! See new diagram, I'm also using it as instructions to set the whole thing up.

    Network Diagram.png
     
  5. NoloC

    NoloC Getting comfortable

    Joined:
    Nov 24, 2014
    Messages:
    653
    Likes Received:
    388
    No, you will want to put the Asus in AP mode and not use it as a router to use as drawn. You do not want two DHCP servers. Also, OpenVPN's default should be port 1194, which you would need to forward, but UDP only.

    I imagine there is some entertainment system reason to do this? I have an att modem that is set to pass through mode and use an ASUS as the firewall and router. I thought the ASUS had more features that I wanted than the ATT modem. But either way should work.
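
A way to check the "two DHCP servers" concern that comes up in this thread, as an added example that is not from any poster: it parses DHCPOFFER payloads and lists which servers answered on one network segment and which subnet each one offered addresses from. The payloads, IP addresses and function names are constructed for illustration; it assumes you supply the raw UDP payloads of DHCP replies from your own capture.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the DHCP options (RFC 2131)
OPT_PAD, OPT_MASK, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 1, 53, 54, 255
DHCPOFFER = 2

def build_offer(yiaddr, mask, server_id):
    """Constructed DHCPOFFER payload used as sample input (not a capture)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD,
                        0, 0, b"", ip(yiaddr), ip(server_id), b"",
                        bytes.fromhex("020000000001"), b"", b"")
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER]) + bytes([OPT_SERVER_ID, 4])
            + ip(server_id) + bytes([OPT_MASK, 4]) + ip(mask) + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + opts

def parse_offer(payload):
    """Return (server_id, offered_network) for a DHCPOFFER, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:            # pad is one byte with no length
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                      # option header or value cut off
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    if (opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER])
            or len(opts.get(OPT_SERVER_ID, b"")) != 4 or len(opts.get(OPT_MASK, b"")) != 4):
        return None
    yiaddr, mask = (ipaddress.IPv4Address(b) for b in (payload[16:20], opts[OPT_MASK]))
    net = ipaddress.ip_network(f"{yiaddr}/{mask}", strict=False)
    return ipaddress.IPv4Address(opts[OPT_SERVER_ID]), net

def dhcp_servers(payloads):
    """Map each answering server to the subnets it offered leases from."""
    seen = {}
    for server, net in filter(None, map(parse_offer, payloads)):
        seen.setdefault(str(server), set()).add(str(net))
    return seen

# Constructed offers as one switch port would see them: two routers answer.
SAMPLE = [build_offer("192.168.1.70", "255.255.255.0", "192.168.1.254"),
          build_offer("172.16.0.23", "255.255.255.0", "172.16.0.1"),
          build_offer("192.168.1.71", "255.255.255.0", "192.168.1.254")]
print(dhcp_servers(SAMPLE))
```

More than one key in the result means a client plugged into that segment can receive a lease from either router.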
     
  6. Jose R.

    Jose R. Getting the hang of it

    Thanks, Noloc. It's drawn this way as that's how the components are physically laid out. Everything was in the entertainment center before the cameras came about. Then when the cameras came into play, I bought the ASUS router for the VPN functionality and also to improve the WiFi. I'd like to use it just for that and have the Uverse router take care of everything else. Unless it's better to do the opposite and have the Uverse router set to modem only?
     
  7. NoloC

    NoloC Getting comfortable

    I don't know if either way is better. Give it a try as it sounds like the physical layout dictates the install for now. I like the features on the ASUS like reserved ip addresses, but the ATT may do everything you need. It is actually a clever way to gain OpenVPN and additional wifi.
     
  8. Jose R.

    Jose R. Getting the hang of it

    Yea, I picked up a T-Mobile version of this router on Slickdeals for $39 and flashed it to an AC86U just for the BI PC. Also I had been wanting to get the Wi-Fi radio out of the bottom of the A/V unit and centrally located high on a wall. This unit does both! Just trying to sort the details of integrating it all.

    Thanks!
     
    NoloC likes this.
  9. IAmATeaf

    IAmATeaf Pulling my weight

    Joined:
    Jan 13, 2019
    Messages:
    281
    Likes Received:
    158
    Location:
    United Kingdom
    On my 68U, if you set it to AP mode then both the DDNS and VPN options are disabled. I'm still trying to figure out what I need to do, so a lot of head scratching.
     
  10. IAmATeaf

    IAmATeaf Pulling my weight

    So it looks like, due to running in AP mode, I have to do things manually, so I've enabled telnet and performed the following in the 2nd post to get DDNS configured and updating the Dynu service that I use for DDNS.

    Asus RT-AC68U (AsusWRT) DDNS problem

    Now looking on the internet to see how I can manually set up the VPN service.
     
  11. Jose R.

    Jose R. Getting the hang of it

    Hmm... It seems that yes, AP mode disables many things we need to have working. Teaf, can I ask why you are going thru all this manually and not just using the Asus as your router? Is that not an option for you, or is there another reason?
     
    IAmATeaf likes this.
  12. IAmATeaf

    IAmATeaf Pulling my weight

    I'm in the UK on a cable service, so I have the provider's modem/router in the lounge and the Asus connected via ethernet in another part of the house. I could put the modem/router in modem-only mode but I use the UTP ports on the router, so I run the Asus in AP mode.

    To be honest not being able to run these services on the Asus is not the end of the world as I could in theory run them on the BI server but I thought it would be best if the Asus could be configured to do so.
     
  13. Jose R.

    Jose R. Getting the hang of it

    Shit's always getting complicated. :rofl:

    So I was poking around in the ATT router and you can't turn off DHCP. I found some YouTube vids on how to bridge this thing and they recommend changing the IP address pool from 192 to 172. That way you can concurrently run two DHCP servers without any issues. Then you allow the router thru the firewall, disable the Wi-Fi and that's pretty much it. Hopefully this doesn't kill the IPTV DVR's access to ATT?

    The snowball is real here. Off to experiment.
     
  14. IAmATeaf

    IAmATeaf Pulling my weight

    The problem with running 2 subnets in the home is you will need some way to route between them else devices on one won't be able to see/talk to devices on the other and most homes won't have the hardware to perform the routing. I used to run 2 subnets in my house before as I used to have 2 internet providers and the pain that that caused was unreal so eventually did away with one provider which makes things easy and saves me money to boot :D
     
  15. Jose R.

    Jose R. Getting the hang of it

    Well, I've spent the entire day on this. It's incredibly frustrating when you don't know what you're doing. Anyway, some points to update:

    1. This AT&T router is apparently notorious for being a pain to bridge as there's no real setting for this. Many threads on this online on how to TRY to do it. I tried some of them and I think I have accomplished it. (Connect to WAN port on ASUS, on ATT router bridge by setting ASUS device status to DMZ device, Firewall Disable, Address Assignment: Public) Apparently that's the ass-backwards equivalent of clicking bridge mode on everything else. Seems to be working although I'm pretty sure I have two DHCP servers now. The IPTVs are still working though, so hey. One did flicker off, showed IP error and restarted itself and fixed it.
    2. I have set up OpenVPN and got the client to connect successfully on my phone.
    3. I connected remotely to UI3's local address no problem.
    4. I believe the ASUS router is handing out IP's and working fine.
    5. Blue Iris keeps changing the UI3 address and it's annoying. What setting am I missing?

    Question: If using the dual-nic setup, how do the cameras get their IP's if they are separate from the side of the network with the router? Is this (IP addressing) done manually? I couldn't see any of my cameras until I put the router on their switch. Or do you add the router, set them all up, and then remove it? If so, how, because I tried that and then lost the cameras in BI. I seemingly have missed how to properly add your cameras so they stick. So much info to know...

    Diagram was updated to reflect what's working so far:
    Diagram.jpg
     
  16. IAmATeaf

    IAmATeaf Pulling my weight

    Set the cams to a static address. You don't want their IP addresses changing as BI will then lose the cam.
     
  17. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    638
    Likes Received:
    308
    In addition to what @IAmATeaf said: put your NIC1 on your BI PC on a static IP address too (or put it in the reservation list on your ASUS).

    Good luck!
    CC
     
  18. IAmATeaf

    IAmATeaf Pulling my weight

    On my server I've set the NIC on the home net side to be DHCP but have reserved an IP address so it always is allocated the same, and on the cam side I've assigned a static on the same network as the cams, with all the cams also being static. This way I can isolate the cam network from the home and only allow internet access I should need to.
     
  19. NoloC

    NoloC Getting comfortable

    Did you disable the firewall on the ATT modem? If so, it would seem all those AV Center devices are exposed directly to the internet.
     
  20. Jose R.

    Jose R. Getting the hang of it

    Good points guys, thanks. Noloc, the firewall is not globally disabled. It just isn't applied to the Asus router so it can do those duties. Everything else is behind the firewall in the av center. Thanks for the catch!

    When I get some more time I'll get back into it. Slowly getting there. Thanks, all!
     
    NoloC likes this.