Openvpn with an Apple router

Todd Schmidt

May 17, 2019
So I have an Apple AirPort Extreme as my router. It’s in bridge mode currently because I also have the Comcast cable modem/router. I’ve read that VPN won’t work with Apple routers. So how would I go about setting up a VPN?

Network diagram is attached.
 


This is splitting nits, but since your AirPort Extreme is running in bridge mode, it's not acting as a router. IMO, it'd be more correct to say "So I have an AirPort Extreme as my WiFi access point" (not router), since your Comcast box is actually doing all of the routing for your network. :)

VPN doesn't have to run on the router. Since you have a Synology NAS... Synology makes it very easy to install and configure OpenVPN (as well as reverse proxy, if interested). Synology also regularly updates those apps (along with issuing system patches), so IMO it's one of the safer platforms to use for these features. This will require port-forwarding (one port for OpenVPN, and another port if you're interested in a reverse proxy) from the Comcast router over to the Synology box, so as long as you're able to do that, this shouldn't be too difficult.
 
I'm sure I can do it, once I figure out everything you just said. “Alexa, what’s a reverse proxy?”

Ok seriously though thank you for all your help as I try to figure all this out.
 
The Comcast modem/router should be put in bridge mode.
I know nothing about Apple routers.
If the Apple does not support OpenVPN, then try an Asus router; very simple setup.
 
Just my 2c$: I would never run OpenVPN on a Synology which hosts all my precious nature pictures and movies. It's called personal paranoia, but either you add a Raspberry Pi to your network (which you can still use for television viewing etc.) and run it on that, or the aforementioned ASUS router. With the network components you already showed in your PDF, you are even able to run a VLAN-secured network (e.g. on a Ubiquiti EdgeRouter), so you can implement additional networking security. And on that ER-X ($50, almost the same as a Raspberry Pi!) you host OpenVPN, all your VLAN management and firewalling.

Hope this helps!
CC
 
That’s a thought
 
I thought you couldn't get rid of the Comcast modem/router combo box (because it's required for your wife's landline) and the Synology only stored Time Machine backups for your wife's Mac?
 
It does, and I could get a cable modem with landline that doesn’t have a router feature, but I’d rather not spend money I don’t have to. Trying to get OpenVPN running on the Synology right now, but having some difficulty doing it on my iMac. May have to go do it on the BI PC and set up a time server while I’m on it. Just didn’t want to have to trek into my basement to mess around with it.
 
Hmm, are you using Safari to connect to the Synology? That's how I setup/manage mine, haven't needed to resort to a Windows PC.
 
Yeah, I got it enabled and the port open. Just haven’t figured out how to edit the config file. And I’m not sure about the firewall on the Comcast router. Won’t be able to work on it again until Wed, had to go to work.
 
Is openvpn necessary if using blue iris app?
Something is necessary. By default, your firewall blocks anyone outside of your network (e.g. you at the grocery store using your cell phone) from being able to connect to anything inside your home network, like your BI PC. You've got to configure a way for that remote access to happen.

IMO:
The most secure way to configure remote access is by setting up a VPN.
The least secure way is to port-forward directly to the Blue Iris PC.
In between is setting up a port-forward to a reverse proxy that acts as a middle-man between the Internet and the Blue Iris PC.

And if so, how do I configure it?
There are a lot of how-to guides for this.
 

Ok. I need to keep working on this. I got the BI app working now, but it’s just port forwarded. VPN is enabled on the Synology; trying to figure out how to edit the .ovpn file so I can import it to the OpenVPN Connect app, and I also need to get the .ca file on each device. We'll only be using iPhones/iPad for remote access. There is a lot of learning being done here, especially for someone with zero networking experience. “Networking for Dummies” only covers the basics.

Trying to set up time server right now to get correct time on cameras. We need to add a step by step time server setup to the wiki for win10. Searching leads me to 10 different threads that only have partial answers, of course I could be searching wrong too.

Thanks again everyone for your patience and help. This forum has been amazing.
 
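The post above is stuck on two chores: editing the exported .ovpn file and copying the .ca file to every phone. OpenVPN client profiles can carry the CA certificate inline in a `<ca>...</ca>` block, so one file is enough to import into the OpenVPN Connect app. The script below is an added example, not code from the thread or from Synology's VPN package; it assumes a profile that references the CA with a `ca <file>` directive and a `remote` line holding a placeholder host, and both the sample profile and the certificate body are constructed stand-ins.

```python
"""Turn an exported OpenVPN client profile into a single self-contained file.

Added example (not from the thread or any vendor). Assumes the profile
references its CA via a `ca <file>` directive and needs its `remote` host
filled in; the sample profile and PEM below are constructed placeholders.
"""
import re

# Constructed sample profile; YOUR_SERVER_IP and the port are assumptions.
SAMPLE_OVPN = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
pull
proto udp
cipher AES-256-CBC
auth SHA512
auth-user-pass
ca ca.crt
"""

# Constructed placeholder; a real export carries a full PEM certificate.
SAMPLE_CA_PEM = """\
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder body...
-----END CERTIFICATE-----
"""

_CA_DIRECTIVE = re.compile(r"^ca\s+\S+\s*$", re.MULTILINE)
_REMOTE_DIRECTIVE = re.compile(r"^remote\s+(\S+)(\s+\S+)?(\s+\S+)?\s*$", re.MULTILINE)
_EXTERNAL_FILE = re.compile(r"^(ca|cert|key|tls-auth|tls-crypt)\s+\S+", re.MULTILINE)


def inline_ca(ovpn_text: str, ca_pem: str) -> str:
    """Replace the `ca <file>` directive with an inline <ca>...</ca> block."""
    if not _CA_DIRECTIVE.search(ovpn_text):
        raise ValueError("profile has no 'ca <file>' directive to inline")
    if "BEGIN CERTIFICATE" not in ca_pem:
        raise ValueError("CA input does not look like a PEM certificate")
    block = "<ca>\n" + ca_pem.strip() + "\n</ca>"
    # A lambda avoids backslash processing in the replacement text.
    return _CA_DIRECTIVE.sub(lambda m: block, ovpn_text, count=1)


def set_remote(ovpn_text: str, host: str) -> str:
    """Point every `remote` line at the server's public name/IP, keeping port/proto."""
    def repl(m):
        return "remote " + host + (m.group(2) or "") + (m.group(3) or "")
    new_text, count = _REMOTE_DIRECTIVE.subn(repl, ovpn_text)
    if count == 0:
        raise ValueError("profile has no 'remote' directive")
    return new_text


def profile_is_self_contained(ovpn_text: str) -> bool:
    """True when the profile no longer references any external cert/key files."""
    return _EXTERNAL_FILE.search(ovpn_text) is None


def build_mobile_profile(ovpn_text: str, ca_pem: str, host: str) -> str:
    """Compose the two edits; the result can be imported as one .ovpn file."""
    return inline_ca(set_remote(ovpn_text, host), ca_pem)


if __name__ == "__main__":
    profile = build_mobile_profile(SAMPLE_OVPN, SAMPLE_CA_PEM, "vpn.example.net")
    print(profile)
    print("self-contained:", profile_is_self_contained(profile))
```

Run it against the real export by reading the .ovpn and ca.crt from disk in place of the constructed samples; if `profile_is_self_contained` still returns False, the export also references a client cert or key that would need the same inline treatment.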
Ok, vpn is setup and working. :headbang:

Do I need to change any settings for remote access in BI now? Such as turning off the port forward, or ip addresses?
 
So I know I need to set the wan and lan as the same thing for the app to work using vpn. Does the port need to remain open? And should it be the pc lan (10.0.0.*) or the camera lan (192.168.1.*)? Or can I leave my actual wan in the remote access?
 
Hi @Todd Schmidt, glad you have your VPN server up and running. To answer your follow-up questions, it is important for us to know WHERE you actually installed it. On that Synology? On the BI PC? Asus router? Because depending on your answer, our advice will differ.

In any case: when connecting to your VPN server, you "enter" your network through a VPN-port-server forward (default 1194 by heart), and your VPN server gives an "internal" 10.x address. Make sure it does not "collide" with what you call the pc lan 10.0.0.x network. Your VPN server is then "internally" routing that 10.x address to your LAN address (hence it should differ from the aforementioned pc lan network, otherwise routing is not working). From there, you can access your "internal LAN".
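The collision rule in the post above is easy to get wrong by hand, so here is an added example (not from the thread or any VPN package) that checks a proposed client pool against the thread's two LANs and emits the `push "route ..."` lines the server needs so clients can reach both. The network names and ranges are constructed from the thread's description of a 10.0.0.x PC LAN and a 192.168.1.x camera LAN; the candidate pools and the optional client-side networks (a hotspot that happens to use the same range as one of your LANs) are assumptions that go slightly beyond the post.

```python
"""Check that an OpenVPN client pool does not collide with the LANs it must
reach, and emit the routes the server should push.

Added example, not from the thread or any vendor. Network names and ranges are
constructed from the thread's description; candidate pools are assumptions.
"""
import ipaddress

# Constructed: the two internal networks the thread describes.
LAN_NETWORKS = {
    "pc lan": ipaddress.ip_network("10.0.0.0/24"),
    "camera lan": ipaddress.ip_network("192.168.1.0/24"),
}


def vpn_pool_conflicts(vpn_pool: str, lan_networks=LAN_NETWORKS) -> list:
    """Return the names of networks that overlap the proposed VPN client pool.

    Any overlap means a client's tunnel address could fall inside a LAN range,
    so traffic for that LAN is routed back into the tunnel instead of to the
    real host, which is the "routing is not working" case the post warns about.
    """
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    return [name for name, net in lan_networks.items() if pool.overlaps(net)]


def pick_vpn_pool(candidates, lan_networks=LAN_NETWORKS, client_side=()):
    """Return the first candidate that overlaps neither the home LANs nor any
    network the remote client may sit on (client_side is an assumption added
    here: e.g. a hotspot that also hands out 192.168.1.x addresses)."""
    extra = {f"client side {n}": ipaddress.ip_network(n) for n in client_side}
    for cand in candidates:
        if not vpn_pool_conflicts(cand, {**lan_networks, **extra}):
            return cand
    return None


def push_routes(lan_networks=LAN_NETWORKS) -> list:
    """Server-side `push "route <net> <mask>"` lines for each LAN clients must reach."""
    return [f'push "route {net.network_address} {net.netmask}"'
            for net in lan_networks.values()]


if __name__ == "__main__":
    for pool in ("10.0.0.0/24", "10.8.0.0/24"):
        print(pool, "conflicts with:", vpn_pool_conflicts(pool) or "nothing")
    print("chosen pool:", pick_vpn_pool(["10.0.0.0/24", "10.8.0.0/24"]))
    print("\n".join(push_routes()))
```

Whatever box hosts the server, the same three facts decide whether the BI app works over the tunnel: the pool must not overlap either LAN, the server must push a route for the LAN the BI PC sits on, and the forwarded UDP port (1194 in the post) is the only one that needs to stay open once the direct port-forward to the BI PC is removed.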