To VPN or not to VPN

lane

Young grasshopper
Joined
Dec 27, 2018
Messages
51
Reaction score
7
Location
GA
I logged into my router last night and it looks like I can make changes to the settings. I think I may have to contact AT&T (which can be a nightmare) to find out what would happen if I was able to put it in a bridge mode. My Uverse TV comes through that device along with another that is connected. I guess my biggest concern is if I lose internet, trying to diagnose the issue. If everything is their standard, it's easy for them to resolve. If I add on, then I would likely have to remove my equipment, restore the original router settings before they can troubleshoot.

That's why I thought the raspberry might be a good option. I don't know how it works together but if I could just add in line between my existing combo router and my switch, it could provide VPN on that portion and maybe not interfere with the TV portion. Guess I might need to talk with ATT.
 

stratfordwill

Getting the hang of it
Joined
Jun 29, 2014
Messages
27
Reaction score
58
The raspberry looks like an interesting option.

Can it be put in line between the NVR and router port?

I'm assuming there is an open source application?

How easy or complicated would this be to get working? Would it require changes to be made on my isp router? Certainly cost effective.
The Raspberry Pi is not "daisy chained" or "in-line". It simply occupies any open router port (it could be done wirelessly but wireless is silly for critical infrastructure). If you don't have an open port, get a $20 switch.

PiVPN is OpenVPN, which is open source. The OS, Raspbian, is open source. You need a Pi, a case (optional), a USB stick or SD card, a power supply, and a network cable. $40 to $50.

As far as easy or complicated. If you have any experience with the command line and basic networking knowledge, it's trivial.

If all you've ever done is Windows, it may take a little patience and reading. The fact that you're concerned with security and willing to dig around in your router suggests you should have no problem.

Read the VPN Primer for Noobs, if you haven't already. If you go the router route, the articles linked by looney are thorough.
 

stratfordwill

That's why I thought the raspberry might be a good option. I don't know how it works together but if I could just add in line between my existing combo router and my switch, it could provide VPN on that portion and maybe not interfere with the TV portion. Guess I might need to talk with ATT.
A VPN should have no effect on your TV stuff.

It doesn't affect your normal traffic. It only lets you remotely connect like you are on your own network.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,171
Reaction score
5,320
Location
Houston Tx
I use Comcast as my ISP. My router/modem is in bridge or pass through mode and is connected to an Asus router. The router/modem also provides home phone service. Both work with no interference.
 

lane

My AT&T router does not have a bridge mode but does have a pass through mode.

Looking online I see routers with VPN support but many types listed.

IPsec, L2TP, PPTP, pass through.

Is there a preferred type?
 

SouthernYankee

What is the make and model number of your AT&T modem?
I was under the impression that bridge and pass through were the same thing.
I recommend an Asus router.
 

lane

What is the make and model number of your AT&T modem?
I was under the impression that bridge and pass through were the same thing.
I recommend an Asus router.
It's an Arris NVG589 plus they have another wireless router connected to that for wireless TV.

I think from looking that it is probably the same as a Motorola NVG589
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,827
Reaction score
6,383
Do you have TV or phone services or use a coax connection to set-top boxes? The VPN itself won't affect service but some services/installations (e.g., Verizon and Frontier FIOS, AT&T Uverse in some areas, etc.) rely on a router/modem with a coax/MoCA connection to the set-top boxes/TVs. Also separately specific settings for VoIP phone service and for other in-coming connections for some services (remote DVR programming, home monitoring, etc.). Putting the device into a bridge or 'pass-through' mode may affect how that all works at least without some added steps (and 'pass-through' does not appear to be a true layer 2 bridge). I could tell you how to do it for FIOS but don't know the Uverse/Arris stuff. Just so you know in advance that it may not be as simple as just putting it into a pass-through mode and plugging in a new router behind it. The good news is that on a quick search it does appear that the Arris NVG589 can be made to work with a pass-through VPN. What all is involved and how that may affect things otherwise I don't know. Search for 'Uverse NVG589 VPN' and you should find some discussions.
 

lane

Mike, if I recall correctly, I think I have a combination of all three types, wireless, Ethernet cable and coax.

I did find some info on the AT&T forum where someone gave the steps to add 3rd party router.

Steps listed
Change DHCP start and end address
Turn wireless off
Disable packet filter
Enable pass through
Select dhcps fixed
Enter MAC address for 3rd party router
Turn off firewall
Reboot

Setup 3rd party router

This poster had problems with their WAP and left it on the AT&T modem.
So the add on Wireless device I was calling a router must be an access point.
 

Mike A.

Yeah, that will enable the pass-through. What happens from there, I don't know. (And the "turn off firewall" step doesn't really seem like the best config, probably better to only open up some specific rules.) Only way to know really is to try it and work your way through whatever issues may arise. Hard to tell much just by reading random posts from years ago and not knowing whether someone has the same services/installation/etc., what AT&T may have pushed out as changes since, and on and on... I *think* that the pass-through should keep most all of that working but, for example, I saw one guide that said putting it into that mode breaks in-coming VoIP phone calls. Possibly some way to work around that. Won't know until you try. Does at least seem possible on a quick read.

The other thing too is that you're going through all this ideally to shut down anything else in-coming and just have the VPN as your entry point. But who knows what ports the AT&T device may have (and likely does have) open anyway. I know that FIOS does to permit updates/diagnostics, for in-coming remote services, etc. Pass-through mode won't shut any of that down so you may end up setting up a secure link with a bunch of potential holes otherwise. ; ) You'd think that they'd keep on top of whatever vulnerabilities pop up but...
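
A check for the concern raised in the post above, as an added example that is not part of the thread: run it from outside your network (for example over a phone's mobile data) against your own WAN address to list TCP ports that answer even though only the VPN is meant to be reachable. The port list and the empty allow-list are assumptions; OpenVPN's default UDP 1194 cannot be seen by a TCP connect test.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumption: the VPN is the only inbound service you intend to expose.
# OpenVPN defaults to UDP 1194, so by default no TCP port should answer.
ALLOWED_TCP = frozenset()

# Constructed sample list of TCP ports often found open on home gateways
# (remote admin, web UI, RTSP video); extend it to suit your own setup.
COMMON_PORTS = (21, 22, 23, 80, 443, 554, 8000, 8080, 8443)


def tcp_open(host, port, timeout=1.5):
    """Return True if a full TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def unexpected_open(host, ports=COMMON_PORTS, allowed=ALLOWED_TCP, timeout=1.5):
    """Return the sorted ports that answer but are not on the allow-list."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = list(pool.map(lambda p: tcp_open(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, states)
                  if is_open and p not in allowed)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_exposure.py <your-own-WAN-address-or-DDNS-name>")
    found = unexpected_open(sys.argv[1])
    if found:
        print("Answering from outside but not on the allow-list:", found)
        sys.exit(1)
    print("No unexpected TCP ports answered.")
```

Running it from inside the LAN tests the router's LAN side, not what the internet sees, so the result only means something when the test machine is on a different connection.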
 

lane

Yes, I saw a post about VoIP but I'm not using their service for that so that's at least one thing I don't have to worry about. I am using Ooma for VoIP though. It's plugged into my LAN port, so don't know if that would be an issue?
 

Mike A.

*shrug* Don't know. Technically you likely can get everything to work if it's set up right but figuring that out may take some work and involve some trade-offs. e.g., With my FIOS service locking everything down breaks the ability to use any in-coming services like their app and remote DVR programming. But I can live without that and it's a sacrifice that I'm willing to make. I could open up a range of ports to make that work, but I don't really want to do that. Again, I don't know the Uverse stuff at all, was just letting you know that even with a bridge or pass-through mode it may not be as easy as just dropping another router behind it. Might be able to use the DMZ or some other ways too with trade-offs on that side. Or just open up a port to BI if you're using that. Not as good but a reasonable fall back. Very likely can make it work in one way or another though.

You might want to make another post with a more specific title re VPN and Uverse. Somebody else here who's also using it might better see it that way.
 

lane

Yankee, I did see that post and have bookmarked it.

It may be that I just go for it and see what happens. Keeping track of before and after settings so I can restore if necessary.

You may have already posted but what model Asus are you using? I'm thinking if they have them preloaded with the VPN stuff, that might be easier to get going.

And I think somewhere in this thread mentioned a free DNS to update IP changes. Many years ago I used one but don't recall the URL.
 

lane

Think I have narrowed down to
RT-AC88U
RT-AC66U B1
RT-AC87U

Looks like the 66 would do the job, but don't know if there is a compelling reason to choose a different one.

I don't do gaming, have 3 floors in my house so wireless signal is important, and besides that, don't really know the difference for my use.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,600
Reaction score
22,815
Location
Evansville, In. USA
Think I have narrowed down to
RT-AC88U
RT-AC66U B1
RT-AC87U

Looks like the 66 would do the job, but don't know if there is a compelling reason to choose a different one.

I don't do gaming, have 3 floors in my house so wireless signal is important, and besides that, don't really know the difference for my use.
Hard to beat this: RT-AC68U | Networking | ASUS USA
 

cam26

Getting the hang of it
Joined
Jan 21, 2019
Messages
233
Reaction score
97
Location
USA
@lane getting ready to do the same thing? Did you ever get it to work?
 

lane

@lane getting ready to do the same thing? Did you ever get it to work?
Yes and no. I did get it working but if I connect through Verizon I get lots (dozens) of send errors in the logs. If I connect using WiFi it doesn't have the errors. The errors will prevent or delay pages from loading.

I've searched other forums and see posts with the same issue but no solution.

I'm guessing it's either something up with my Moto Droid phone or an issue with Verizon.

I may just use P2P and forget the VPN. If it gets hacked, they can look out at my woods.

I think most likely, it will work for you. Just something unusual in my case.
 