Openvpn with an Apple router

Todd Schmidt

Getting the hang of it
Joined
May 17, 2019
Messages
79
Reaction score
28
Location
Massachusetts
So I have an Apple AirPort Extreme as my router. It’s in bridge mode currently because I also have the Comcast cable modem/router. I’ve read that vpn won’t work with Apple routers. So how would I go about setting up a vpn?

Network diagram is attached.
 

Attachments

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,407
Reaction score
2,177
This is splitting nits, but since your AirPort Extreme is running in bridge mode, it's not acting as a router. IMO, it'd be more correct to say "So I have an AirPort Extreme as my WiFi access point" (not router), since your Comcast box is actually doing all of the routing for your network. :)

VPN doesn't have to run on the router. Since you have a Synology NAS... Synology makes it very easy to install and configure OpenVPN (as well as reverse proxy, if interested). Synology also regularly updates those apps (along with issuing system patches), so IMO it's one of the safer platforms to use for these features. This will require port-forwarding (one port for OpenVPN, and another port if you're interested in a reverse proxy) from the Comcast router over to the Synology box, so as long as you're able to do that, this shouldn't be too difficult.
 

Todd Schmidt

Getting the hang of it
Joined
May 17, 2019
Messages
79
Reaction score
28
Location
Massachusetts
This is splitting nits, but since your AirPort Extreme is running in bridge mode, it's not acting as a router. IMO, it'd be more correct to say "So I have an AirPort Extreme as my WiFi access point" (not router), since your Comcast box is actually doing all of the routing for your network. :)

VPN doesn't have to run on the router. Since you have a Synology NAS... Synology makes it very easy to install and configure OpenVPN (as well as reverse proxy, if interested). Synology also regularly updates those apps (along with issuing system patches), so IMO it's one of the safer platforms to use for these features. This will require port-forwarding (one port for OpenVPN, and another port if you're interested in a reverse proxy) from the Comcast router over to the Synology box, so as long as you're able to do that, this shouldn't be too difficult.
I'm sure I can do it, once I figure out everything you just said. “Alexa, what’s a reverse proxy?”

Ok seriously though thank you for all your help as I try to figure all this out.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
2,269
Reaction score
1,300
Location
Houston Tx
The Comcast modem/ router should be put in bridge mode.
I know nothing about apple router.
If the apple does not support openvpn, then try an Asus router, very simple setup.
 

Todd Schmidt

Getting the hang of it
Joined
May 17, 2019
Messages
79
Reaction score
28
Location
Massachusetts
The Comcast modem/ router should be put in bridge mode.
I know nothing about apple router.
If the apple does not support openvpn, then try an Asus router, very simple setup.
From what I’ve been reading the Apple router doesn’t support any vpn.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,407
Reaction score
2,177

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,045
Reaction score
662
Just my 2c$: I would never run OpenVPN on a Synology which hosts all my precious nature pictures and movies. It's called personal paranoid, but either you add a raspberry pi in your network (which you can still use for television viewing etc) and run it on that. Or the aforementioned ASUS router. With the network components you already shown in your PDF, you are even able to run a vlan secured network (eg on an ubiquity edgerouter) - so you can implement additional networking security. And on that ER-X ($50 - almost same as raspberry pi!) you host openvpn, all your vlan management and firewalling.

Hope this helps!
CC
 

Todd Schmidt

Getting the hang of it
Joined
May 17, 2019
Messages
79
Reaction score
28
Location
Massachusetts
Just my 2c$: I would never run OpenVPN on a Synology which hosts all my precious nature pictures and movies. It's called personal paranoid, but either you add a raspberry pi in your network (which you can still use for television viewing etc) and run it on that. Or the aforementioned ASUS router. With the network components you already shown in your PDF, you are even able to run a vlan secured network (eg on an ubiquity edgerouter) - so you can implement additional networking security. And on that ER-X ($50 - almost same as raspberry pi!) you host openvpn, all your vlan management and firewalling.

Hope this helps!
CC
That’s a thought
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,407
Reaction score
2,177
I thought you couldn't get rid of the Comcast modem/router combo box (because it's required for your wife's landline) and the Synology only stored Time Machine backups for your wife's Mac?
 
Last edited:

Todd Schmidt

Getting the hang of it
Joined
May 17, 2019
Messages
79
Reaction score
28
Location
Massachusetts
I thought you couldn't get rid of the Comcast modem/router combo box (because it's required for your wife's landline) and the Synology only stored Time Machine backups for your wife's Mac?
It does, and I could get a cable modem with landline that doesn’t have a router feature, but I’d rather not spend money I don’t have to. Trying to get the openvpn running on Synology right now, but having some difficulty doing it on my iMac. May have to go do it on the BI pc and set up a time server while I’m on it. Just didn’t want to have to trek into my basement to mess around with it.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,407
Reaction score
2,177
ITrying to get the openvpn running on Synology right now, but having some difficulty doing it on my iMac.
Hmm, are you using Safari to connect to the Synology? That's how I setup/manage mine, haven't needed to resort to a Windows PC.
 

Todd Schmidt

Getting the hang of it
Joined
May 17, 2019
Messages
79
Reaction score
28
Location
Massachusetts
Hmm, are you using Safari to connect to the Synology? That's how I setup/manage mine, haven't needed to resort to a Windows PC.
Yeah, I got it enabled and the port open. Just haven’t figured out how to edit the config file. And I’m not sure about the firewall on the Comcast router. Won’t be able to work on it again until Wed, had to go to work.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,407
Reaction score
2,177
Is openvpn necessary if using blue iris app?
Something is necessary. By default, your firewall blocks anyone outside of your network (i.e. you at the grocery store using your cell phone) from being able to connect to anything inside your home network, like your BI PC. You've got to configure a way for that remote access to happen.

IMO:
The most secure way to configure remote access is by setting up a VPN.
The least secure way is to port-forward directly to the Blue Iris PC.
In between is setting up port-forward to a reverse-proxy that acts a middle-man between the Internet and the Blue Iris PC.

And if so, how do I configure it?
There are a lot of how-to guides for this.
 

Todd Schmidt

Getting the hang of it
Joined
May 17, 2019
Messages
79
Reaction score
28
Location
Massachusetts
Something is necessary. By default, your firewall blocks anyone outside of your network (i.e. you at the grocery store using your cell phone) from being able to connect to anything inside your home network, like your BI PC. You've got to configure a way for that remote access to happen.

IMO:
The most secure way to configure remote access is by setting up a VPN.
The least secure way is to port-forward directly to the Blue Iris PC.
In between is setting up port-forward to a reverse-proxy that acts a middle-man between the Internet and the Blue Iris PC.


There are a lot of how-to guides for this.
Ok. I need to keep working on this. I got the BI app working now, but it’s just port forwarded. Vpn is enabled on the synology, trying to figure out how to edit the .ovpn file so I can import it to the openvpn connect app, also need to get the .ca file on each device. We'll only be using iPhones/iPad for remote access. There is a lot of learning being done here, especially for someone with zero networking experience. “Networking for Dummies” only covers the basics.

Trying to set up time server right now to get correct time on cameras. We need to add a step by step time server setup to the wiki for win10. Searching leads me to 10 different threads that only have partial answers, of course I could be searching wrong too.

Thanks again everyone for your patience and help. This forum has been amazing.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,045
Reaction score
662
When on LAN I don’t need to use the vpn correct? It’s just when outside my local?
Affirmative, openVPN only really makes sense when being "outside" your LAN, to make your "LAN" an extension to wherever you are in the world.
 

Todd Schmidt

Getting the hang of it
Joined
May 17, 2019
Messages
79
Reaction score
28
Location
Massachusetts
Ok, vpn is setup and working. :headbang:

Do I need to change any settings for remote access in BI now? Such as turning off the port forward, or ip addresses?
 

Todd Schmidt

Getting the hang of it
Joined
May 17, 2019
Messages
79
Reaction score
28
Location
Massachusetts
So I know I need to set the wan and lan as the same thing for the app to work using vpn. Does the port need to remain open? And should it be the pc lan (10.0.0.*) or the camera lan (192.168.1.*)? Or can I leave my actual wan in the remote access?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,045
Reaction score
662
Hi @Todd Schmidt, glad you have your VPN server up and running. To answer your follow-up questions, it is important for us to know WHERE you actually installed it on? On that synology? On the BI pc? Asus router? Because depending on your answer, our advice will differ.

In any case: when connecting to your VPN server, you "enter" your network through a VPN-port-server forward (default 1194 by heart), and your VPN server gives an "internal" 10.x address. Make sure it does not "collide" with what you call the pc lan 10.0.0.x network. Your VPN server is then "internally" routing that 10.x address to your LAN address (hence it should differ from the aforementioned pc lan network, otherwise routing is not working). From there, you can access your "internal LAN".
 
Top