OpenVPN, Must Router be Inline to Modem?

Jose R.

Getting the hang of it
Joined
Mar 14, 2019
Messages
111
Reaction score
83
Location
Miami, FL
Here's the situation: My AT&T U-verse combo router/modem is in the entertainment center, the BI PC is in a closet across the house, and the ASUS 86U is remotely mounted in the center of the house.

I have a cable from the switch in the entertainment center feeding the BI closet switch, which feeds the BI PC and ASUS router running the VPN. Does the VPN work if the router is at the end of the line?

See diagram. Will the blue line work (already run), or do I have to do the red one instead (router inline), which requires extra runs?

BI PC has not yet been deployed online.

Thanks!

Network Diagram.png
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
You'll need to forward a port through the AT&T router to the Asus router for OpenVPN. Ideally that should be the only port that you have open, and UPnP should be off in the AT&T router.

The rest of the setup depends on if you are connecting the Asus router to your LAN via one of its LAN ports or via its WAN port. I'm guessing it is safer to use Asus's WAN port because then you can leave Asus's DHCP server enabled (configured to a different subnet than the AT&T router of course). I'm not sure if the OpenVPN server will work properly if you were to disable the DHCP server.
 

Jose R.

Ok so the single cable going to the remote VPN server will work in both directions and protect the BI PC even tho it's not between it and the internet? I have much to learn with these things. It seemed to me that it has a direct line to the outside that way which doesn't protect it. But it does. So we're good.

Anyway, the way the ASUS 86U is wired and installed, the single cable coming from it is a LAN port. I could switch to the WAN port but that requires plaster dust to be made as it's flush against the wall. But totally doable if necessary.

Is having two routers running DHCP ok? They won't fight with each other?

Thanks, BP! See new diagram, I'm also using it as instructions to set the whole thing up.

Network Diagram.png
 

NoloC

Getting comfortable
Joined
Nov 24, 2014
Messages
701
Reaction score
454
No, you will want to put the Asus in AP mode and not use it as a router to use as drawn. You do not want two DHCP servers. Also OpenVPN default should be port 1194 which you would need to forward, but UDP only.

I imagine there is some entertainment system reason to do this? I have an att modem that is set to pass through mode and use an ASUS as the firewall and router. I thought the ASUS had more features that I wanted than the ATT modem. But either way should work.
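
The checks suggested in the two replies above (a single forward of UDP 1194 to the Asus, UPnP off on the AT&T router, separate subnets), written as an added example that is not part of any poster's message. All addresses, the `audit` function and the config keys are constructed for illustration; "inner" means the Asus and "upstream" the AT&T router.

```python
import ipaddress

OPENVPN = ("udp", 1194)  # default OpenVPN port/protocol named in the thread

# Constructed sample layout: inner (Asus) WAN port plugged into the upstream LAN.
GOOD = {
    "upstream_lan": "192.168.1.0/24",
    "inner_lan": "192.168.50.0/24",
    "vpn_tunnel": "10.8.0.0/24",
    "inner_wan_ip": "192.168.1.2",
    "upstream_upnp": False,
    "port_forwards": [("udp", 1194, "192.168.1.2")],
}
# Constructed bad layout: same subnet on both routers, UPnP on, extra forwards.
BAD = dict(GOOD, inner_lan="192.168.1.0/24", upstream_upnp=True,
           port_forwards=[("tcp", 1194, "192.168.1.2"), ("tcp", 81, "192.168.1.50")])

def audit(cfg):
    """Return a list of findings for a router-behind-router OpenVPN layout."""
    findings = []
    nets = {k: ipaddress.ip_network(cfg[k])
            for k in ("upstream_lan", "inner_lan", "vpn_tunnel")}
    names = list(nets)
    # Each router's DHCP pool, and the VPN tunnel, need their own subnet.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    inner_wan = ipaddress.ip_address(cfg["inner_wan_ip"])
    if inner_wan not in nets["upstream_lan"]:
        findings.append(f"inner WAN IP {inner_wan} is not on the upstream LAN")
    if cfg["upstream_upnp"]:
        findings.append("UPnP is enabled on the upstream router")
    # Exactly one forward is expected: udp/1194 to the inner router's WAN IP.
    vpn_forwarded = False
    for proto, port, target in cfg["port_forwards"]:
        if (proto, port) == OPENVPN and ipaddress.ip_address(target) == inner_wan:
            vpn_forwarded = True
        else:
            findings.append(f"unexpected forward {proto}/{port} -> {target}")
    if not vpn_forwarded:
        findings.append("no forward of udp/1194 to the inner router")
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg) or "no findings")
```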
 

Jose R.

Thanks, Noloc. It's drawn this way as that's how the components are physically laid out. Everything was in the entertainment center before the cameras came about. Then when the cameras came into play, I bought the ASUS router for the VPN functionality and also to improve the WiFi. I'd like to use it just for that and have the Uverse router take care of everything else. Unless it's better to do the opposite and have the Uverse router set to modem only?
 

NoloC

I don't know if either way is better. Give it a try as it sounds like the physical layout dictates the install for now. I like the features on the ASUS like reserved ip addresses, but the ATT may do everything you need. It is actually a clever way to gain OpenVPN and additional wifi.
 

Jose R.

Yea, I picked up a T-Mobile version of this router on Slickdeals for $39 and flashed it to an AC86U just for the BI PC. Also I had been wanting to get the Wi-Fi radio out of the bottom of the A/V Unit and centrally located high on a wall. This unit does both! Just trying to sort the details of integrating it all.

Thanks!
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,287
Reaction score
3,252
Location
United Kingdom
On my 68u if you set it to AP mode then both the ddns and vpn options are disabled. I’m still trying to figure out what I need to do so a lot of head scratching.
 

IAmATeaf

So it looks like due to running in AP mode I have to do things manually, so I've enabled telnet and performed the following in the 2nd post to get DDNS configured and updating the Dynu service that I use for DDNS.

Asus RT-AC68U (AsusWRT) DDNS problem

Now looking on the internet to see how I can manually set up the VPN service.
 

Jose R.

Hmm... It seems that yes, AP mode disables many things we need to have working. Teaf, can I ask why you are going thru all this manually and not just using the Asus as your router? Is that not an option for you, or is there another reason?
 

IAmATeaf

> Hmm... It seems that yes, AP mode disables many things we need to have working. Teaf, can I ask why you are going thru all this manually and not just using the Asus as your router? Is that not an option for you, or is there another reason?

I'm in the UK on a cable service, so I have the provider's modem/router in the lounge and the Asus connected via ethernet in another part of the house. I could put the modem/router in modem only mode but I use the utp ports on the router so I run the Asus in AP mode.

To be honest not being able to run these services on the Asus is not the end of the world as I could in theory run them on the BI server but I thought it would be best if the Asus could be configured to do so.
 

Jose R.

Shit's always getting complicated. :rofl:

So I was poking around in the ATT router and you can't turn off DHCP. I found some youtube vids on how to bridge this thing and they recommend changing the IP Address pool from 192 to 172. That way you can concurrently run two DHCP servers without any issues. Then you allow the router thru the firewall, disable the Wi-Fi and that's pretty much it. Hopefully this doesn't kill the IPTV DVR's access to ATT?

The snowball is real here. Off to experiment.
 

IAmATeaf

The problem with running 2 subnets in the home is you will need some way to route between them else devices on one won't be able to see/talk to devices on the other and most homes won't have the hardware to perform the routing. I used to run 2 subnets in my house before as I used to have 2 internet providers and the pain that that caused was unreal so eventually did away with one provider which makes things easy and saves me money to boot :D
 

Jose R.

Well, I've spent the entire day on this. It's incredibly frustrating when you don't know what you're doing. Anyway, some points to update:

1. This AT&T router is apparently notorious for being a pain to bridge as there's no real setting for this. Many threads on this online on how to TRY to do it. I tried some of them and I think I have accomplished it. (Connect to WAN port on ASUS, on ATT router bridge by setting ASUS device status to DMZ device, Firewall Disable, Address Assignment: Public) Apparently that's the ass-backwards equivalent of clicking bridge mode on everything else. Seems to be working altho I'm pretty sure I have two DHCP servers now. The IPTV's are still working tho so hey. One did flicker off, showed IP error and restarted itself and fixed it.
2. I have set up OpenVPN and got the client to connect successfully on my phone.
3. I connected remotely to UI3's local address no problem.
4. I believe the ASUS router is handing out IP's and working fine.
5. Blue Iris keeps changing the UI3 address and it's annoying. What setting am I missing?

Question: If using the dual-nic setup, how do the cameras get their IP's if they are separate from the side of the network with the router? Is this (IP addressing) done manually? I couldn't see any of my cameras until I put the router on their switch. Or do you add the router, set them all up, and then remove it? If so, how, because I tried that and then lost the cameras in BI. I seemingly have missed how to properly add your cameras so they stick. So much info to know...

Diagram was updated to reflect what's working so far:
Diagram.jpg
 

IAmATeaf

Set the cams to a static address. You don't want their IP addresses changing as BI will then lose the cam.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
In addition to what @IAmATeaf said: put your NIC1 on your BI PC on a static IP address too (or put it in the reservation list on your ASUS).

Good luck!
CC
 

IAmATeaf

On my server I’ve set the NIC on the home net side to be DHCP but have reserved an IP address so it always is allocated the same, and on the cam side I’ve assigned a static on the same network as the cams, with all the cams also being static. This way I can isolate the cam network from the home and only allow internet access if I should need to.
 

NoloC

Did you disable the firewall on the ATT modem? If so, it would seem all those AV Center devices are exposed directly to the internet.
 

Jose R.

Good points guys, thanks. Noloc, the firewall is not globally disabled. It just isn't applied to the Asus router so it can do those duties. Everything else is behind the firewall in the av center. Thanks for the catch!

When I get some more time I'll get back into it. Slowly getting there. Thanks, all!
 