VPN Primer for Noobs

I'm running OpenVPN on an Edgerouter-X, which is accessible from pc, Android & iOS. It uses the freely available OpenVPN client from Android Play and Apple Store.
I have an Edgerouter-X on the way, although I still only have a vague idea of what I'm going to do with it. The basic thought is, keep using my TP-Link Archer D9 DSL modem/router for internet access, but use the Edgerouter for its more robust and configurable firewall (the TP-Link doesn't even have a setup tab for the firewall - not even an enable/disable).

The BI box has a WiFi radio as well as an Ethernet NIC. Right now, I have the camera network on the Ethernet NIC, and connection to the outside world comes in on WiFi, as set up by the BI network wizard using UPnP to set up the TP-Link.

From my reading of this thread and the wiki, I'm guessing this es no bueno long term.

So I figure, put the BI server and camera net behind the Edgerouter, and perhaps hook up a WiFi access point to it and keep the BI WiFi separate from the hardwire NIC.

Is this similar to what you have, catcamstar? Internet modem > Edgerouter > BI system?

Edit: My God, I'm fretting over VPN setup on NYE :wtf:
 
So I figure, put the BI server and camera net behind the Edgerouter, and perhaps hook up a WiFi access point to it and keep the BI WiFi separate from the hardwire NIC.

Is this similar to what you have, catcamstar? Internet modem > Edgerouter > BI system?

Hi @holland53, basically yes, although my network counts tons more components. In a nutshell:
Code:
-- internet -- eth0 ER-X
               eth1 ER-X -- vlan 201 -- managed switch
               eth2 ER-X -- vlan 202 -- managed switch
               eth3 ER-X -- vlan 203 -- managed switch
               eth4 ER-X -- management


Summary: this setup means that I got 3 downstream 1 Gbps links into each VLAN, which are hosted on a 16 port managed switch. Cams, doorbells, NVR, all are hooked up onto that switch in a separate VLAN. Your BI could go into that VLAN too. NAS, home PC, miniserver are in a second VLAN, and all "IoT" stuff go into the third. Guest wifi is separated completely. The ER-X is thus the "propagator" of the VLANs, provides all necessary routing & firewalling (which requires some preparation & thoughts) and more importantly: OpenVPN server, but in the end, it becomes your "master" entrypoint. Back in the day, ER-X was difficult to configure, but now, OOTB, you can launch a wizard which offers you a couple of "sample" setups (e.g. dual WAN). In a couple of hours, I got mine ready. Did a bit of finetuning later on, but I'm a happy camper!

Good luck!
CC
 
I think I need to just get an Asus router that has the VPN capabilities you are talking about. Which one? I currently have a Linksys WRT120N and I cannot make out the settings in the setup well enough to tell if it will work like you describe here. I am going to try and attach some screen shots of the setup pages of the WRT120N, maybe you guys can look at them and tell me if I should upgrade to a different router. I am trying to use a Laview camera system with NVR that will be left on all the time and might not have a computer on the same network all the time. Any info or links you can provide is appreciated as I have not done this before. Thanks
 


I think I need to just get an Asus router that has the VPN capabilities you are talking about. Which one? I currently have a Linksys WRT120N and I cannot make out the settings in the setup well enough to tell if it will work like you describe here. I am going to try and attach some screen shots of the setup pages of the WRT120N, maybe you guys can look at them and tell me if I should upgrade to a different router. I am trying to use a Laview camera system with NVR that will be left on all the time and might not have a computer on the same network all the time. Any info or links you can provide is appreciated as I have not done this before. Thanks

I hope you have put (at least) a WPA2 security key in your settings for your wifi </off-topic>

This Linksys does NOT support OpenVPN (the first screens you show are for VPN passthrough - meaning a device behind the router which is allowed to reach out to another LAN through VPN).

The first thing I would do if I were you is look for firmware updates (e.g. DD-WRT); unfortunately this WRT120N is lowstream and on the incompatibility list: Known incompatible devices - DD-WRT Wiki

I suggest looking for a decent ASUS - if you buy one, have a look first whether (or not) an RMerlin counterpart exists (Download | Asuswrt-Merlin). Almost all "RT-ACxx" models do support OpenVPN.
Hope this helps!
CC
 
wilddog

Before going out and buying a router, make sure your internet modem can be set to passthrough. Most providers have gone to a combined modem/router. Some can be set to passthru and others cannot. In passthru the device is a modem only. Some providers do not allow you to use your own router.

Other problems can occur if you have internet phone service via the modem, and/or cable TV.

I have Comcast Xfinity, purchased my own modem/router and set it to passthru to disable the router.
 
Can I ditch my dedicated Comcast if I go to a VPN?
 
Mike
You still need an internet connection. A VPN is for secure communications over the internet.
 
Mike
You still need an internet connection. A VPN is for secure communications over the internet.

I should have said: can I just switch to Comcast's standard dynamic service, which would save 24.95 per month, or must I keep the static IP?
 
With dynamic DNS, you do not need a static internet IP address. You use an Asus service for DDNS.
 
I have an Asus Router and Asus DDNS.

I set up the VPN on my home network router in July. I was able to use OpenVPN both on Android, and on a Windows PC, to connect.

Today, when I'm trying, it's not connecting. I tried on both Android, and a Windows PC.

I tried doing an nslookup on the DDNS, and then pinging the non-authoritative IP address. The request times out.

I am able to connect to my home Tivo through a Slingbox, so something on my home network appears to be working.

Any ideas?

Reboot the router.

Thanks. I don't think I can access the router remotely without logging into the vpn.

That can be problematic then. I experienced the same thing with an Asus router, recently, and it took a reboot to get it running right again.

Thanks. While it's a little frustrating right now because I actually wanted to check my cameras (I wasn't just trying to log into the VPN to test out the connection), the fact that the solution might be a simple reboot is comforting.

It's better than having to spend hours to find the solution.

If I can this weekend, I'm going to try calling Asus to see if there is something they can check on their end, for the DDNS. Or if they can help me narrow in on the problem.

Try accessing your VPN from another internet service.

I was still unable to access the VPN from another internet service.

I called Asus today, to see how their support was.

Since I had an Asus router, and Asus DDNS, I figured they should help.

When logging into my router, on the OpenVPN page, I saw a message in yellow letters next to "Export OpenVPN configuration file" that said "unable to connect to VPN server".

The support representative suggested restarting the VPN. He said one way would be to delete the username, and add it again.

I did that, and it was able to add the username again, and restart the VPN. I could connect to the VPN afterward.

So, good support experience from Asus, it was only a 16 min phone call, and their suggestions were pretty good.

The only thing I didn't like about the phone call was the loud background noise on the representative's end. Too many background conversations; it made it difficult to hear.

So, the suggestion above from @awsum140 to reboot the router probably would have worked too.
 
Glad you got it sorted out and glad Asus support was "Johnny on the spot". Good to know.
 
I should have said: can I just switch to Comcast's standard dynamic service, which would save 24.95 per month, or must I keep the static IP?

Hey Mike, if you drop the allocated static IP from Comcast you would likely need to implement DDNS for seamless use; however, it is important for people to know that many ISPs no longer refresh your public WAN IP as often, or at all, unless there is a hardware change (modem changeout). Most modern ISPs keep MAC reservations in their edge equipment, so usually only a firmware update or modem swap would produce a new public WAN IP.
 
Sorry, noobie here.
So I'm reading about setting up VPN through the router. But once VPN is set, it's mentioned that it's best not to do port forwarding? If I don't do port forwarding, how do I access Blue Iris remotely through their app?
 
Sorry, noobie here.
So I'm reading about setting up VPN through the router. But once VPN is set, it's mentioned that it's best not to do port forwarding? If I don't do port forwarding, how do I access Blue Iris remotely through their app?

Hey m3, what type of router/VPN setup are you running? I've got L2TP VPN to my router on a 10.x.x.x which is added to the routing table and can access the 192.x.x.x subnet that my Dahua NVR is on. I'm using the Easyviewer Lite app for Android with the camera host set as the local 192.x.x.x IP so that only when I am on the home network or on VPN will I be able to access the system. Most likely that is what you will do: set up the Blue Iris app with a local IP that you have assigned to your Blue Iris PC/server. Although the VPN port will be open, it's not forwarded to anything; it is waiting for an established connection. Once a tunnel is established, that device is now on the LAN. Hopefully that makes sense?
 
When on a VPN you access all your devices as if you are on your home network. So you access BI via the BI app or the BI web interface UI3. You use the same exact method as on your home network. For me it is 192.168.1.234:8081 to access UI3.

You are not port forwarding at the router when using the VPN.
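The two posts above, and catcamstar's VLAN layout earlier in the thread, come down to one policy that is easy to check mechanically: the only thing the internet should reach on the router is the VPN listener, nothing should be port-forwarded to the camera VLAN, and VPN clients should get a route to the VLAN that holds the cameras or Blue Iris. The script below is an added example, not code from the thread or from Ubiquiti. It parses an EdgeOS-style `show configuration commands` dump (the sample is constructed, with one deliberate mistake: Blue Iris on 8081/tcp is also port-forwarded) and reports each of those points, plus the failure mode where the tunnel subnet overlaps a LAN subnet, which silently makes that LAN unreachable through the tunnel.

```python
"""Audit an EdgeOS-style `show configuration commands` dump for: services
exposed by port-forward rules, whether the OpenVPN port is the only thing
WAN may reach on the router, tunnel/LAN subnet overlap, and which LANs VPN
clients are actually given a route to.  Assumes EdgeOS `set` syntax; the
sample is constructed and this is not Ubiquiti's own tooling."""
import ipaddress
import shlex

# Constructed sample modelled on the three-VLAN ER-X layout in the thread,
# with one deliberate mistake: Blue Iris (8081/tcp) is also port-forwarded.
SAMPLE = """
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 vif 201 address 192.168.201.1/24
set interfaces ethernet eth1 vif 201 description cams-nvr-bi
set interfaces ethernet eth2 vif 202 address 192.168.202.1/24
set interfaces ethernet eth3 vif 203 address 192.168.203.1/24
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 10.8.0.0/24
set interfaces openvpn vtun0 server push-route 192.168.201.0/24
set interfaces openvpn vtun0 openvpn-option "--port 1194"
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 1194
set port-forward rule 1 protocol tcp
set port-forward rule 1 original-port 8081
set port-forward rule 1 forward-to address 192.168.201.10
set port-forward rule 1 forward-to port 8081
"""


def parse(text):
    """One token list per `set` line (leading `set` dropped); quoted values stay one token."""
    return [shlex.split(ln)[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def _under(rules, *prefix):
    """Remainder of every rule whose path starts with `prefix`."""
    n = len(prefix)
    return [r[n:] for r in rules if tuple(r[:n]) == prefix]


def port_forwards(rules):
    """{rule id: {protocol, original-port, address, port}} for every port-forward rule."""
    out = {}
    for rest in _under(rules, "port-forward", "rule"):
        entry = out.setdefault(rest[0], {})
        if rest[1] == "forward-to":
            entry[rest[2]] = rest[3]      # address / port
        else:
            entry[rest[1]] = rest[2]      # protocol / original-port
    return out


def wan_local_accepts(rules):
    """Sorted (protocol, port) pairs that WAN_LOCAL accepts from the internet."""
    by_rule = {}
    for rest in _under(rules, "firewall", "name", "WAN_LOCAL", "rule"):
        r = by_rule.setdefault(rest[0], {})
        if rest[1] in ("action", "protocol"):
            r[rest[1]] = rest[2]
        elif rest[1:3] == ["destination", "port"]:
            r["port"] = rest[3]
    return sorted((r.get("protocol", "any"), r["port"])
                  for r in by_rule.values() if r.get("action") == "accept" and "port" in r)


def lan_subnets(rules):
    """Networks configured on ethernet interfaces and their VLAN sub-interfaces."""
    nets = []
    for rest in _under(rules, "interfaces", "ethernet"):
        if "address" in rest:
            nets.append(ipaddress.ip_interface(rest[rest.index("address") + 1]).network)
    return nets


def vpn_server(rules):
    """Tunnel subnet, pushed routes and listening port of the OpenVPN server."""
    info = {"subnet": None, "push": [], "port": "1194"}   # 1194 is OpenVPN's default
    for rest in _under(rules, "interfaces", "openvpn"):
        if rest[1:3] == ["server", "subnet"]:
            info["subnet"] = ipaddress.ip_network(rest[3])
        elif rest[1:3] == ["server", "push-route"]:
            info["push"].append(ipaddress.ip_network(rest[3]))
        elif rest[1] == "openvpn-option" and rest[2].startswith("--port "):
            info["port"] = rest[2].split()[1]
    return info


def audit(text):
    """Return human-readable findings; an empty list means nothing to fix."""
    rules, findings = parse(text), []
    for rid, pf in sorted(port_forwards(rules).items()):
        findings.append(f"port-forward rule {rid} exposes {pf.get('address')}:{pf.get('port')} "
                        f"to the whole internet ({pf.get('protocol')}/{pf.get('original-port')})")
    vpn, accepts = vpn_server(rules), wan_local_accepts(rules)
    if vpn["subnet"] is None or ("udp", vpn["port"]) not in accepts:
        findings.append("no OpenVPN server reachable through WAN_LOCAL")
    for proto, port in accepts:
        if port != vpn["port"]:
            findings.append(f"WAN_LOCAL also accepts {proto}/{port} on the router itself")
    for lan in lan_subnets(rules):
        if vpn["subnet"] and vpn["subnet"].overlaps(lan):
            findings.append(f"tunnel subnet {vpn['subnet']} overlaps LAN {lan}")
        if not any(lan.subnet_of(p) for p in vpn["push"]):
            findings.append(f"VPN clients get no route to {lan} (no push-route)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

On the sample this flags the 8081 forward and notes that VLANs 202 and 203 are not pushed to clients (which is the intended "cams only" exposure, but worth seeing explicitly). Deleting the four `port-forward` lines clears the first finding; that is the state the posters above describe, where the VPN port is the only inbound listener and Blue Iris is reached by its LAN address once the tunnel is up.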
 
How can I set up VPN with a Verizon Fios setup?
I have an Arris ONT1000GI4; it has a coax output into my Actiontec wifi router to serve the 1st floor. A cat5 from the Actiontec goes into my Netgear R7000. This Netgear is in AP mode to serve wifi on the 2nd floor.
Actiontec does not have any VPN option available.
Netgear has VPN but it is greyed out.
Any idea on how I can get VPN up and running so I can securely access my house cams? Thanks!
 
How can I set up VPN with a Verizon Fios setup?
I have an Arris ONT1000GI4; it has a coax output into my Actiontec wifi router to serve the 1st floor. A cat5 from the Actiontec goes into my Netgear R7000. This Netgear is in AP mode to serve wifi on the 2nd floor.
Actiontec does not have any VPN option available.
Netgear has VPN but it is greyed out.
Any idea on how I can get VPN up and running so I can securely access my house cams? Thanks!

There are a number of ways to do it with trade-offs depending on specifics.

Best and easiest is to just put another router with VPN in place of the Actiontec. (I don't know the Netgear well but I'd suspect that it doesn't show the VPN option as available since it's now set as an AP vs router.) That will require that they activate the RJ45 Ethernet port on the ONT (no big deal and your Arris will support it) and that you run network cable from there to your router. Assuming that you can do that and don't have FIOS TV services, then you're done. Plug the cable from the ONT into the WAN port on your router, set the WAN to pull a DHCP address from their network, and you then can do whatever you want behind it as far as setting up the VPN and your internal network.

If you can't get twisted pair from the ONT to your router for whatever reason and/or you have TV services then it gets more complicated. No point in going through all of that now without knowing one way or another. If so, then I can run through some other options.
 
There are a number of ways to do it with trade-offs depending on specifics.

Best and easiest is to just put another router with VPN in place of the Actiontec. (I don't know the Netgear well but I'd suspect that it doesn't show the VPN option as available since it's now set as an AP vs router.) That will require that they activate the RJ45 Ethernet port on the ONT (no big deal and your Arris will support it) and that you run network cable from there to your router. Assuming that you can do that and don't have FIOS TV services, then you're done. Plug the cable from the ONT into the WAN port on your router, set the WAN to pull a DHCP address from their network, and you then can do whatever you want behind it as far as setting up the VPN and your internal network.

If you can't get twisted pair from the ONT to your router for whatever reason and/or you have TV services then it gets more complicated. No point in going through all of that now without knowing one way or another. If so, then I can run through some other options.
To clarify, I believe the TV services will still work on the Fios box, but it will affect the guide and on demand.
A workaround using fios' own cable box is explained here but I have no experience with it.
Using your own router with Verizon FiOS - Verizon Fios Community

I ran Ethernet from the ONT when using a CableCARD tuner with Tivo and HDHomeRun with no issues.
 
To clarify, I believe the TV services will still work on the Fios box, but it will affect the guide and on demand.
A workaround using fios' own cable box is explained here but I have no experience with it.
Using your own router with Verizon FiOS - Verizon Fios Community

I ran Ethernet from the ONT when using a CableCARD tuner with Tivo and HDHomeRun with no issues.

Kind of... If you're using the Fios STBs the only physical network connection is via coax. So you need the Actiontec (or other device) to serve as a MoCA bridge between the two media/networks. Some STBs have RJ45 and USB ports on the boxes but they're inactive on all models used by Verizon (at least as far as I've seen). Not sure why; that would make it easier, as in the case, as you say, for CableCARD.

Best detailed description of various options/trade-offs is here:
What are the tradeoffs between the various router configurations Verizon FiOS FAQ | DSLReports, ISP Information

TL/DR bottom line - All that the STBs really need is an outgoing Internet connection to use to access Verizon's servers to periodically pull down the guide info and for VOD. So no matter how you do things, as long as you give them a pathway out then you're good as far as that goes.

Best way for most I think is to put your own router up front with the Verizon router behind it and on another subnet routing through your primary. That's relatively easy and lets you do whatever you want on yours as far as VPN, etc., and preserves the guide, VOD, etc. The only things that you'll lose in that case are functions that require some remote incoming connection to the STBs (remote DVR programming, using their app to change channels etc., Alexa control). Technically, you can make that work, but since the required ports are assigned dynamically that requires opening up a huge range of ports on your primary and kind of defeats the purpose re VPN (TCP 4567 for control, UDP 63145-up and TCP 35000-up as dynamically assigned).

Also, you don't have to use the Actiontec. Other MoCA bridges will work but they tend to be relatively expensive. Cheapest way if you want to avoid the cost/rental of their new "Quantum" router is to pick up one of the older red and black models just to serve as a bridge. TV side doesn't need much and they work fine.

I expect that at some point they'll move over to IPTV and all of this will be moot. They've been testing in some markets for a while. Kind of surprised that they haven't started a wider roll-out by now.
 