Openvpn with an Apple router

Discussion in 'Networking' started by Todd Schmidt, Jun 17, 2019.

  1. Todd Schmidt

    Todd Schmidt Getting the hang of it

    Joined:
    May 17, 2019
    Messages:
    72
    Likes Received:
    26
    Location:
    Massachusetts
    So I have an Apple AirPort Extreme as my router. It’s in bridge mode currently because I also have the Comcast cable modem/router. I’ve read that VPN won’t work with Apple routers. So how would I go about setting up a VPN?

    Network diagram is attached.
     

  2. aristobrat

    aristobrat IPCT Contributor

    Joined:
    Dec 5, 2016
    Messages:
    2,126
    Likes Received:
    1,834
    This is splitting nits, but since your AirPort Extreme is running in bridge mode, it's not acting as a router. IMO, it'd be more correct to say "So I have an AirPort Extreme as my WiFi access point" (not router), since your Comcast box is actually doing all of the routing for your network. :)

    VPN doesn't have to run on the router. Since you have a Synology NAS... Synology makes it very easy to install and configure OpenVPN (as well as reverse proxy, if interested). Synology also regularly updates those apps (along with issuing system patches), so IMO it's one of the safer platforms to use for these features. This will require port-forwarding (one port for OpenVPN, and another port if you're interested in a reverse proxy) from the Comcast router over to the Synology box, so as long as you're able to do that, this shouldn't be too difficult.
     
    mat200 likes this.
  3. Todd Schmidt

    I'm sure I can do it, once I figure out everything you just said. “Alexa, what’s a reverse proxy?”

    Ok seriously though thank you for all your help as I try to figure all this out.
     
  4. SouthernYankee

    SouthernYankee IPCT Contributor

    Joined:
    Feb 15, 2018
    Messages:
    1,727
    Likes Received:
    960
    Location:
    Houston Tx
    The Comcast modem/router should be put in bridge mode.
    I know nothing about the Apple router.
    If the Apple does not support OpenVPN, then try an Asus router, very simple setup.
     
  5. Todd Schmidt

    From what I’ve been reading, the Apple router doesn’t support any VPN.
     
  6. aristobrat

    Here are Synology's instructions for how to set up OpenVPN.
    DiskStation Manager - Knowledge Base | Synology Inc.

    Just follow the beginning (as it applies to all VPN types on Synology), and then jump down to the OpenVPN section.

    There should be a lot of other guides for OpenVPN on Synology if you google around for them.
     
    mat200 and Todd Schmidt like this.
  7. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    733
    Likes Received:
    431
    Just my 2c$: I would never run OpenVPN on a Synology which hosts all my precious nature pictures and movies. It's called personal paranoia, but either you add a Raspberry Pi in your network (which you can still use for television viewing etc) and run it on that, or the aforementioned ASUS router. With the network components you've already shown in your PDF, you are even able to run a VLAN-secured network (e.g. on a Ubiquiti EdgeRouter) - so you can implement additional networking security. And on that ER-X ($50 - almost same as Raspberry Pi!) you host OpenVPN, all your VLAN management and firewalling.

    Hope this helps!
    CC
     
    mat200 likes this.
  8. Todd Schmidt

    That’s a thought
     
    catcamstar likes this.
  9. aristobrat

    I thought you couldn't get rid of the Comcast modem/router combo box (because it's required for your wife's landline) and the Synology only stored Time Machine backups for your wife's Mac?
     
    Last edited: Jun 17, 2019
  10. Todd Schmidt

    It does, and I could get a cable modem with landline that doesn’t have a router feature, but I’d rather not spend money I don’t have to. Trying to get the OpenVPN running on Synology right now, but having some difficulty doing it on my iMac. May have to go do it on the BI PC and set up a time server while I’m on it. Just didn’t want to have to trek into my basement to mess around with it.
     
  11. aristobrat

    Hmm, are you using Safari to connect to the Synology? That's how I set up/manage mine, haven't needed to resort to a Windows PC.
     
  12. Todd Schmidt

    Yeah, I got it enabled and the port open. Just haven’t figured out how to edit the config file. And I’m not sure about the firewall on the Comcast router. Won’t be able to work on it again until Wed, had to go to work.
     
  13. Todd Schmidt

    Is OpenVPN necessary if using the Blue Iris app? And if so, how do I configure it?
     
  14. aristobrat

    Something is necessary. By default, your firewall blocks anyone outside of your network (i.e. you at the grocery store using your cell phone) from being able to connect to anything inside your home network, like your BI PC. You've got to configure a way for that remote access to happen.

    IMO:
    The most secure way to configure remote access is by setting up a VPN.
    The least secure way is to port-forward directly to the Blue Iris PC.
    In between is setting up a port-forward to a reverse-proxy that acts as a middle-man between the Internet and the Blue Iris PC.

    There are a lot of how-to guides for this.
     
  15. Todd Schmidt

    Ok. I need to keep working on this. I got the BI app working now, but it’s just port forwarded. VPN is enabled on the Synology, trying to figure out how to edit the .ovpn file so I can import it to the OpenVPN Connect app, also need to get the .ca file on each device. We'll only be using iPhones/iPad for remote access. There is a lot of learning being done here, especially for someone with zero networking experience. “Networking for Dummies” only covers the basics.

    Trying to set up time server right now to get correct time on cameras. We need to add a step by step time server setup to the wiki for win10. Searching leads me to 10 different threads that only have partial answers, of course I could be searching wrong too.

    Thanks again everyone for your patience and help. This forum has been amazing.
     
    aristobrat likes this.
  16. Todd Schmidt

    When on LAN I don’t need to use the VPN, correct? It’s just when outside my local?
     
  17. catcamstar

    Affirmative, openVPN only really makes sense when being "outside" your LAN, to make your "LAN" an extension to wherever you are in the world.
     
  18. Todd Schmidt

    Ok, vpn is setup and working. :headbang:

    Do I need to change any settings for remote access in BI now? Such as turning off the port forward, or ip addresses?
     
  19. Todd Schmidt

    So I know I need to set the wan and lan as the same thing for the app to work using vpn. Does the port need to remain open? And should it be the pc lan (10.0.0.*) or the camera lan (192.168.1.*)? Or can I leave my actual wan in the remote access?
     
  20. catcamstar

    Hi @Todd Schmidt, glad you have your VPN server up and running. To answer your follow-up questions, it is important for us to know WHERE you actually installed it. On that Synology? On the BI PC? Asus router? Because depending on your answer, our advice will differ.

    In any case: when connecting to your VPN server, you "enter" your network through a VPN-port-server forward (default 1194 by heart), and your VPN server gives an "internal" 10.x address. Make sure it does not "collide" with what you call the pc lan 10.0.0.x network. Your VPN server is then "internally" routing that 10.x address to your LAN address (hence it should differ from the aforementioned pc lan network, otherwise routing is not working). From there, you can access your "internal LAN".
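
The subnet-collision point in the post above can be checked mechanically. The following is an added example, not part of the thread or of any Synology/OpenVPN tooling: it reads the `server <network> <netmask>` directive from an OpenVPN server config and reports which LAN ranges the tunnel pool overlaps. The LAN ranges are the two named in the thread, read as /24 networks (an assumption), and the three sample configs are constructed.

```python
import ipaddress

# LAN ranges named in the thread, read as /24 networks (assumption).
LAN_SUBNETS = {
    "pc lan": ipaddress.ip_network("10.0.0.0/24"),
    "camera lan": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed sample server configs (not taken from the thread).
GOOD_CONF = "port 1194\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\n"
BAD_CONF = "port 1194\nproto udp\ndev tun\nserver 10.0.0.0 255.255.255.0\n"
# A pool that is too wide swallows the LAN even though the base address differs
# from nothing obvious at a glance: 10.0.0.0/8 contains 10.0.0.0/24.
WIDE_CONF = "# tunnel pool\nserver 10.0.0.0 255.0.0.0\n"


def tunnel_network(server_conf):
    """Return the tunnel address pool from the 'server' directive."""
    for raw in server_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        parts = line.split()
        if parts[0] == "server" and len(parts) >= 3:
            # ip_network accepts "network/netmask" and rejects host bits set
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
    raise ValueError("no 'server' directive found")


def collisions(server_conf, lans=LAN_SUBNETS):
    """Names of LAN subnets that overlap the VPN tunnel pool."""
    pool = tunnel_network(server_conf)
    return sorted(name for name, net in lans.items() if pool.overlaps(net))


if __name__ == "__main__":
    for label, conf in [("good", GOOD_CONF), ("bad", BAD_CONF), ("wide", WIDE_CONF)]:
        hits = collisions(conf)
        print(label, tunnel_network(conf), "collides with:", hits or "nothing")
```

An empty result means clients get tunnel addresses the LAN does not already use, so routing between the tunnel and the LAN stays unambiguous.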