VPN Primer for Noobs

llarsx

Getting the hang of it
Joined
May 7, 2018
Messages
215
Reaction score
17
Hello 58chev,
You said "You should be able to change your ASUS router to 10.x.x.x it does not have to be on 192.168.x.x"

Thank you for the answer. Do you mean first router (bridge) 10.0.0.1 and the second router 10.0.1.1 or similar? As one of my problems is difficulty changing the IP on some connected devices, I wonder if it is possible to change the IP on the first router (Inteno) to 10.0.10.1 and open for 10.0.0.1 on the second router?
 

nuraman00

Getting the hang of it
Joined
Aug 6, 2017
Messages
348
Reaction score
14
> Not to influence you into one (or another) direction, but LastPass has had some security issues (If you use a password manager, you need to read this)
>
> That's the reason why I opted for an "offline" vaulting mechanism.
>
> Just my 2c.
Thanks for the article.

How does LastPass work differently than KeePass, which you do use?

What do you mean by "offline"? If KeePass gets synced to a Google Drive account, then isn't it still "online" somewhere?
@catcamstar , did you see that last post?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
> @catcamstar, did you see that last post?
Yes, but I was still thinking about how to formulate my answer :D

I personally don't like to put all my eggs into one basket: if you are putting your trust in 1 party to 1) secure, 2) host and 3) maintain all your Sensitive and Personal Information, then to me, the risk is too high to be vulnerable. Like the reference I gave, thousands of passwords were thrown on the internet. KeePass does encrypt the database on its own, and by storing it somewhere I choose (eg Google Drive), I "split" that risk. Not that I fully trust Google Drive, but even when that gets hacked, the 512AES encrypted database is worth the effort to be hacked open. Colleagues of mine work with other password managers, on usb sticks (which can get corrupted), or with fingerprint techniques (works fine until they are somewhere without a fingerprint reader). Luckily, there are apps which allow 2FA and eliminate the "need" of a password manager...

Then again, my 2c. Like with VPNs, these things aren't "mandatory", and you can go for the last mile to have a quiet conscience, but the question for you is: do you want to make that effort?

Hope this helps!
CC
 

llarsx

I am quite frustrated as I got the following answer from Asus Support when I asked them about any problems if I buy a new Asus router at my cabin, config it with routervpn and attach the webcamera there to it, and hope to be able to reach the camera from home or on travel through the "myconnection.ovpn" file. I mentioned to them that I also have an asus router at home. Here is the answer:

I am sorry to say that you might end up finding the experience less than pleasurable, the test solution will be setup remote access, as you already have, if I understand you correctly in one of your mail.

"The VPN server will need to be setup on the network you wish to access and that will mean you will have to setup the VPN on the router at your cabin and then connect the home router to it as a client.
This will mean that all traffic will be routed through the router at the cabin and will end up having impact on your network speed on your home setup.
We unfortunately cannot recommend this solution for you and will rather suggest that you keep the solution you already have with "no-ip" that you are already using and then enable remote access on your router so you will be able to have easy access to it."


I of course thought that the slowing of the home network must be when and if I config the home asus router as a vpn Client - all over, but that is not the case. Here is my reply:

"Thank you for detailed answer, but as I already have been hacked once I can’t continue with port forward. As I read your answer you say that install of a vpn client at my home router and the vpn server on the remote (with poor broadband) will affect my home broadband. That I can understand. But I am not going to install vpn on my home router as I hope only to use the .ovpn file (from the asus router vpn in the cabin) on mobile, ipad or computer from anywhere."

And got this answer: "No, the only option is as described by my colleague in the previous mail he sent you."

I have 50 Mips up and down at my home network, but only 1 Mips up at my cabin and slowing down all traffic at my home router would be a disaster. Can Asus Support be right? Any other solution?
 

catcamstar

> Can Asus Support be right? Any other solution?
Maybe they didn't grasp your use case. What they tell you is not wrong: IF you configure your home ROUTER as a VPN client, and let it connect to your VPN server in your cabin, the "most logical" solution would be to toggle the "redirect gateway" option, which means that all WAN traffic of your home ROUTER is forwarded over that vpn tunnel towards your cabin, and from there to the internet. Of course, with the 1mips up at the cabin, that will heavily impact your home internet connectivity.

Like I said, I am doubting that this use case is applicable for the scenario you asked help for? Correct me if I'm wrong: you have an independent WAN connection to your cabin, not interconnected in any way to your home LAN. If you would install an ASUS router there, install Rmerlin (for more features and patches), configure the OpenVPN server on it - combined with a no-ip configuration and generate an .ovpn file for your ipad/cell phone whatever. And from then, if you're at home, at work, in the airport, on Mars, you can always connect, via that ovpn (which links to the WAN ip of your cabin). Only advice I can give you beforehand: use ANOTHER subnet for your LAN in the cabin than used at home (eg 192.168.1.x at home and 192.168.2.x), otherwise you'll end up with intersubnet routing issues because the vpn tunnel does not know which (overlapping) subnet belongs where. If you do want to keep the same subnets, for whatever reason, you can always opt for a Site-to-Site openvpn tunnel construction, and even "share" the dual WAN path between home and cabin. But that would lead us too far away from your subject.

So bottom-line: I know only 1 guy (from this forum btw) who wasn't able to construct a VPN solution on his ASUS router, but I cannot imagine that you won't have any success with the aforementioned solution.

Good luck!
CC
 

nuraman00

> Yes, but I was still thinking about how to formulate my answer :D
>
> I personally don't like to put all my eggs into one basket: if you are putting your trust in 1 party to 1) secure, 2) host and 3) maintain all your Sensitive and Personal Information, then to me, the risk is too high to be vulnerable. Like the reference I gave, thousands of passwords were thrown on the internet. KeePass does encrypt the database on its own, and by storing it somewhere I choose (eg Google Drive), I "split" that risk. Not that I fully trust Google Drive, but even when that gets hacked, the 512AES encrypted database is worth the effort to be hacked open. Colleagues of mine work with other password managers, on usb sticks (which can get corrupted), or with fingerprint techniques (works fine until they are somewhere without a fingerprint reader). Luckily, there are apps which allow 2FA and eliminate the "need" of a password manager...
>
> Then again, my 2c. Like with VPNs, these things aren't "mandatory", and you can go for the last mile to have a quiet conscience, but the question for you is: do you want to make that effort?
>
> Hope this helps!
> CC
Thanks. I wouldn't be putting all of my passwords in a password manager. I'm thinking of 3 passwords. For most things, I can reset my password, so I don't need to store them.

For the VPN password, I can't reset it, only delete the user and create it again. That's why it's different.
 

nuraman00

> I am quite frustrated as I got the following answer from Asus Support when I asked them about any problems if I buy a new Asus router at my cabin, config it with routervpn and attach the webcamera there to it, and hope to be able to reach the camera from home or on travel through the "myconnection.ovpn" file. I mentioned to them that I also have an asus router at home. Here is the answer:
>
> I am sorry to say that you might end up finding the experience less than pleasurable, the test solution will be setup remote access, as you already have, if I understand you correctly in one of your mail.
>
> "The VPN server will need to be setup on the network you wish to access and that will mean you will have to setup the VPN on the router at your cabin and then connect the home router to it as a client.
> This will mean that all traffic will be routed through the router at the cabin and will end up having impact on your network speed on your home setup.
> We unfortunately cannot recommend this solution for you and will rather suggest that you keep the solution you already have with "no-ip" that you are already using and then enable remote access on your router so you will be able to have easy access to it."
>
> I of course thought that the slowing of the home network must be when and if I config the home asus router as a vpn Client - all over, but that is not the case. Here is my reply:
>
> "Thank you for detailed answer, but as I already have been hacked once I can’t continue with port forward. As I read your answer you say that install of a vpn client at my home router and the vpn server on the remote (with poor broadband) will affect my home broadband. That I can understand. But I am not going to install vpn on my home router as I hope only to use the .ovpn file (from the asus router vpn in the cabin) on mobile, ipad or computer from anywhere."
>
> And got this answer: "No, the only option is as described by my colleague in the previous mail he sent you."
>
> I have 50 Mips up and down at my home network, but only 1 Mips up at my cabin and slowing down all traffic at my home router would be a disaster. Can Asus Support be right? Any other solution?
If you have slow internet speed in your cabin, and a faster one on your home network, why is it a disaster to connect your cabin network to your home network via vpn? Would it slow down your home network that much?

I think your case needs it the other way though, which you are trying to do. You are trying to set up the VPN server in your cabin, and connect to it from home or anywhere else as a client. I think this should work?
 

llarsx

Att: #1045 - Thank you very much, catcamstar

Your post got me back on trail. As I already have bought the new asus 68u I can open the package and begin (and not return it to the dealer).
I am very, very happy to receive your answer.

Regards,
llarsx
 

58chev

Pulling my weight
Joined
Aug 30, 2017
Messages
300
Reaction score
143
Location
Etobi, Ontario
> Hello 58chev,
> You said "You should be able to change your ASUS router to 10.x.x.x it does not have to be on 192.168.x.x"
>
> Thank you for the answer. Do you mean first router (bridge) 10.0.0.1 and the second router 10.0.1.1 or similar? As one of my problems is difficulty changing the IP on some connected devices, I wonder if it is possible to change the IP on the first router (Inteno) to 10.0.10.1 and open for 10.0.0.1 on the second router?
If your Inteno will allow you to change the IP, yes do that first then change the ASUS IP.
If your Inteno is in "Bridge Mode", do you really have to change the IP? I know when my modem is in bridge mode, it has an internal address that I don't have to worry about.
 

llarsx

Thanks,
I have a similar setting at home: a Zyxel from my fiber broadband set as bridge with internal IP 192.168.10.1 and with an asus 68u on 192.168.10.136 with wifi (all the rest of the devices have internal IPs 192.168.10.100-199). Is it possible to set the cabin's asus (after the bridge inteno 10.0.0.1) to 10.0.0.2 or 10.0.0.136 and keep my other devices with their internal IPs with the recent setting (10.0.0.30, 10.0.0.31 etc.)?
 

catcamstar

> Thanks,
> I have a similar setting at home: a Zyxel from my fiber broadband set as bridge with internal IP 192.168.10.1 and with an asus 68u on 192.168.10.136 with wifi (all the rest of the devices have internal IPs 192.168.10.100-199). Is it possible to set the cabin's asus (after the bridge inteno 10.0.0.1) to 10.0.0.2 or 10.0.0.136 and keep my other devices with their internal IPs with the recent setting (10.0.0.30, 10.0.0.31 etc.)?
If you deploy OpenVPN server on the ASUS router in your cabin, it is using the 10.8.0.x subnet for "internal VPN tunnel" stuff. As long as you set your gateways/subnets tight enough that there is no overlap from 10.0.0.x towards 10.8.0.x you are good.

Or maybe I did not understand your question completely :)
 

llarsx

Thank you again, catcamstar
As I am not familiar with the technical expressions it's a little difficult. I'm not sure what "internal VPN tunnel" is but can guess that it is either part of all vpn connections to the vpn server or only when it is a connection to a vpn client (e.g. asus vpn router as client elsewhere).

Second, to avoid overlap you advise me to keep off the ip 10.8.0.x. Still a little confused. 10.8.0.x is of course on a subnet (10.8.x.x.) but in my last mail I wrote 10.0.0.2 or 10.0.0.136 (and 10.0.0.30-10.0.0.31 etc.).

The question is: Can I use the mentioned ip's on the second router (asus as vpn router) with the inteno as bridge still with 10.0.0.1?
 
Joined
Oct 2, 2018
Messages
22
Reaction score
0
Location
oregon
I'm thinking about setting this up but it's a little overwhelming to digest it all. I have the concept down and I'm sure I could figure it all out. Would this only affect remote viewing of the cameras? Would anything change when you are using the network locally? I'm fine with having to log in to the vpn if I want to view my cameras remotely but I don't want to have to deal with the vpn if I'm just using the wifi at my house surfing the internet or watching Netflix or whatever.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,901
Reaction score
21,269
> I'm thinking about setting this up but it's a little overwhelming to digest it all. I have the concept down and I'm sure I could figure it all out. Would this only affect remote viewing of the cameras? Would anything change when you are using the network locally? I'm fine with having to log in to the vpn if I want to view my cameras remotely but I don't want to have to deal with the vpn if I'm just using the wifi at my house surfing the internet or watching Netflix or whatever.
This will have no effect when you are local.
 

catcamstar

> Thank you again, catcamstar
> As I am not familiar with the technical expressions it's a little difficult. I'm not sure what "internal VPN tunnel" is but can guess that it is either part of all vpn connections to the vpn server or only when it is a connection to a vpn client (e.g. asus vpn router as client elsewhere).
>
> Second, to avoid overlap you advise me to keep off the ip 10.8.0.x. Still a little confused. 10.8.0.x is of course on a subnet (10.8.x.x.) but in my last mail I wrote 10.0.0.2 or 10.0.0.136 (and 10.0.0.30-10.0.0.31 etc.).
>
> The question is: Can I use the mentioned ip's on the second router (asus as vpn router) with the inteno as bridge still with 10.0.0.1?
With "Internal VPN tunnel stuff": have a look at this image:


Your Mobile (remote) device has a WAN IP (eg through 4G). Your Home router has a WAN IP (through your ISP). But when connecting from mobile to your VPN server, there is a new subnet created (10.8.0.0/24 is the OOTB config, but can be changed) which gives an IP to your VPN client. The VPN server is then routing all required traffic (either to your LAN, or to your WAN, or both).

What I'm stating with the overlap of 10.x, if your original 10.0.0.0 has a too wide subnetmask (eg 255.0.0.0), it covers the 10.8.0.0/24 range too, and that's a no go. So make sure you "limit" your 10.0.0.0 subnet (eg. 255.255.255.0) then you are fine!

Good luck!
CC
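
Added example, not part of the original posts: a Python check of the overlap rule from the reply above (cabin LAN versus the 10.8.0.0/24 tunnel subnet) and of the earlier advice to use different LAN ranges at home and at the cabin. The addresses are the ones quoted in the thread; the function names are hypothetical.

```python
import ipaddress
from itertools import combinations


def to_network(address, netmask):
    """Network an interface sits in, from its IP and dotted netmask."""
    return ipaddress.ip_interface(f"{address}/{netmask}").network


def find_overlaps(networks):
    """Return sorted name pairs whose address ranges overlap."""
    clashes = []
    for (name_a, net_a), (name_b, net_b) in combinations(networks.items(), 2):
        if net_a.overlaps(net_b):
            clashes.append(tuple(sorted((name_a, name_b))))
    return sorted(clashes)


def widest_safe_prefix(lan_address, other):
    """Shortest prefix length (widest LAN) that still avoids `other`."""
    for prefix in range(0, 33):
        lan = ipaddress.ip_network(f"{lan_address}/{prefix}", strict=False)
        if not lan.overlaps(other):
            return prefix
    return None  # the LAN address itself lies inside `other`


# Addresses quoted in the thread.
TUNNEL = ipaddress.ip_network("10.8.0.0/24")  # OpenVPN tunnel subnet
HOME_LAN = to_network("192.168.10.1", "255.255.255.0")


def cabin_plan(cabin_netmask):
    """Home LAN, cabin LAN (router at 10.0.0.1) and the VPN tunnel subnet."""
    return {
        "home_lan": HOME_LAN,
        "cabin_lan": to_network("10.0.0.1", cabin_netmask),
        "vpn_tunnel": TUNNEL,
    }


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.0"):
        print(mask, "->", find_overlaps(cabin_plan(mask)) or "no overlap")
    # Same LAN range at both sites: routing cannot tell the two apart.
    same = {"home_lan": ipaddress.ip_network("192.168.1.0/24"),
            "cabin_lan": ipaddress.ip_network("192.168.1.0/24")}
    print("identical LANs ->", find_overlaps(same))
    print("widest safe cabin prefix: /%d" % widest_safe_prefix("10.0.0.1", TUNNEL))
```

The last line shows that anything from a /13 (255.248.0.0) down to a /24 keeps a 10.0.0.x cabin LAN clear of the 10.8.0.0/24 tunnel range.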
 

llarsx

Hello catcamstar,
Thanks a lot. Config /all shows 255.255.255.0. I don't get everything, but shall be aware of possible overlapping ip-range.

Maybe the same problem: In the Asus 68u manual under 4.3.5 DDNS there is a warning I don't really understand:

*NOTE

DDNS service will not work under these conditions:
• When the wireless router is using a private WAN IP address (192.168.x.x, 10.x.x.x, or 172.16.x.x), as indicated by a yellow text.
• The router may be on a network that uses multiple NAT tables.*


My case is an inteno router today 10.0.0.1 to be set in bridge mode and install a new asus 68u router behind. The asus will be configured as vpn-router (openvpn) also using the asus own DDNS as I have to secure a webcamera (ethernet to the asus) and wish to reach it from elsewhere. Standard ip on the asus is 192.168.1.1, but can be changed.

I do not understand what the Note means and hope to get help here. Will my configuration/setting work?
 

catcamstar

> Hello catcamstar,
>
> I do not understand what the Note means and hope to get help here. Will my configuration/setting work?
Regarding your subnet: you are safe there, so that's okay.
Regarding DDNS service: it becomes clear when you know how this service works. Your router will "pingback" on a regular basis to the DDNS service. In that pingback message, it identifies itself, and by doing so, it takes back the IP address on its WAN interface, so the DDNS service can make the link to your-DDNS-name.ddns.com and your WAN IP. However, if your router is behind a NAT, or a private WAN IP (like 192, 10, 172 because of special modems, routers, gateways), the DDNS service will grab that IP with it, however these addresses are private and cannot be routed over the internet. Which renders the DDNS service useless.

There are services available where you can "manually" set the DNS names (eg no-ip.com back in the days), not sure if they still exist.

I personally do not need DNS, as my ISP changes my IP address once in 6 years, I do however have a safeline built in, in case WAN IP changes, I can backtrack to where the place went.

Hope this helps!
CC
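
Added example, not part of the original posts: a Python sketch of the two conditions in the manual's DDNS note as explained above, a private WAN address and an extra NAT layer in front of the router. The function names and the sample addresses are constructed for illustration (203.0.113.x and 198.51.100.x are documentation ranges standing in for real public IPs); the carrier-grade NAT range is an added assumption about what "multiple NAT" can look like.

```python
import ipaddress

# Ranges that cannot be reached from the internet. The manual's note names the
# private blocks; the carrier-grade NAT block is an assumption added here.
NON_ROUTABLE = {
    "private (RFC 1918)": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "carrier-grade NAT (RFC 6598)": ("100.64.0.0/10",),
}


def classify(address):
    """Label an IPv4 address as one of the NON_ROUTABLE kinds or 'public'."""
    ip = ipaddress.ip_address(address)
    for label, blocks in NON_ROUTABLE.items():
        if any(ip in ipaddress.ip_network(block) for block in blocks):
            return label
    return "public"


def ddns_check(router_wan_ip, seen_from_internet):
    """Return (usable, reason) for registering the router's WAN IP in DDNS.

    router_wan_ip      -- address on the router's own WAN interface
    seen_from_internet -- source address an outside service sees for the router
    """
    kind = classify(router_wan_ip)
    if kind != "public":
        return False, (f"WAN address {router_wan_ip} is {kind}: "
                       "a device upstream is doing NAT")
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(seen_from_internet):
        return False, (f"WAN address {router_wan_ip} differs from "
                       f"{seen_from_internet} seen outside: extra NAT layer")
    return True, f"{router_wan_ip} is reachable as registered"


# Constructed scenarios modelled on the thread's cabin setup.
SCENARIOS = {
    "Inteno still routing, ASUS WAN gets 10.0.0.2": ("10.0.0.2", "203.0.113.40"),
    "Inteno bridged, ASUS WAN gets the public IP": ("203.0.113.40", "203.0.113.40"),
    "ISP hands out a CGNAT address": ("100.72.1.9", "203.0.113.40"),
    "Public-looking WAN IP, but translated again": ("198.51.100.7", "203.0.113.40"),
}

if __name__ == "__main__":
    for name, (wan_ip, observed) in SCENARIOS.items():
        usable, reason = ddns_check(wan_ip, observed)
        print(f"{'OK  ' if usable else 'FAIL'} {name}: {reason}")
```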
 

llarsx

Superb, catcamstar
You also remind me about the fact that my external ip hasn't changed the last year, maybe because my adsl has very few other users on the same copper line. But I also have a paid No-IP account that lasts until Sept. 2019.

It seems that I can avoid some problems if I don't config DDNS until later.
 

catcamstar

> A short, but important question.
>
> Is this the original site to download openvpn Clients (for private consumers) from VPN Apps | Desktop & Mobile | Private Tunnel ? (ipad, Android and win 10)
> I find it through Community Downloads | OpenVPN
The question is: do you want a private tunnel (hosted by them) or your home-made VPN tunnel? In the first case, you need the links above, otherwise I advise using the native OpenVPN app (eg android: https://play.google.com/store/apps/details?id=net.openvpn.openvpn). Look for Openvpn client in the respective "markets".
 