VPN Primer for Noobs

What VPN Solution are you using?


  • Total voters
    618

tung256

Young grasshopper
Joined
Feb 3, 2017
Messages
60
Reaction score
5
Best and easiest is to just put another router with VPN in place of the Actiontec.
you are right, the Arris ONT also has an Ethernet port! does it output anything though?
i will remove the Actiontec. place another router with vpn in and see if the Arris's ethernet port works or not. it should without me doing any configuration right? (strangely no manual for this Arris Ont anywhere, not even from Arris's tech support. they wanted me to call Verizon)
 

Mike A.

Getting comfortable
Joined
May 6, 2017
Messages
484
Reaction score
310
Needs to be activated. Can be done remotely. Just give them a call and tell them that you need it turned on. It's a fairly standard request. Shouldn't be any trouble or confusion.

You'll need to do some minimal config of your router to look for a DHCP address on their network. I don't know the Netgear but generally it's relatively simple. No MAC cloning stuff, domain names, passwords, or anything else required. It will automatically set up the gateway, DNS, etc. You'll need to do your own config for your internal network obviously.

Best to go into the admin for the Actiontec and release the IP address before you do the swap. It can be kind of tough to get their network to let go of an address and renew sometimes. You may also need to power down the ONT let it sit for say ~30 minutes or so and then power it back up. If you still can't get an address after that then give them a call and ask them to try to force it on their end. Sometimes even then you may need to wait for a while.

Note that they will not support much if anything related to your router. Their support will (officially at least) end at the ONT. Not unusual these days to have people running their own though so they're used to dealing with it and they're generally helpful in my experience when I've had various issues.
 

tung256

Young grasshopper
Joined
Feb 3, 2017
Messages
60
Reaction score
5
i called Verizon to get the ethernet port activated. the guy gave me a hard time saying i need to be on the 100mbps to have ethernet activated! (im paying $60 per month for 75mbps). he got his manager on the line to get approval. after 10mins wait, i was approved. i did not have to configure anything on my netgear r7000 router's side to have internet working once the ONT's ethernet port was activated.

getting VPN working on netgear was as simple
1. checking a box to have VPN running on the router.
2. copy 4 files to my android phone.
3. install OpenVPN app from Play store
4. after opening OVPN app, i imported the client3.ovpn file from step 2.
5. for whatever reason OVPN refuses to connect. i had to go to http://192.168.1.1/openvpn_crt_check.htm to update certificates? i hit the update button and BAM, the OVPN app connected to the netgear vpn and it's all good.
6. i was able to view files stored in my home's Kodi shared folder.

very cool! thanks for all your help, especially Mike!!!
 

Mike A.

Getting comfortable
Joined
May 6, 2017
Messages
484
Reaction score
310
Great. Glad to hear that you got it working without any trouble. Probably just trying to up-sell you with the 100 service nonsense. Never heard that before. That would mean that nobody under 100 could run their own without theirs (or more complication anyway). Which I know isn't the case. I've had mine that way since I've had 25 and 50. Gig now (same price with promo so no reason not to; otherwise, not worth it) where it's required and I believe that's their default way of installing for all levels other than when they just can't get there any other way than over existing in-place coax.
 

Barboots

Pulling my weight
Joined
Mar 15, 2018
Messages
269
Reaction score
139
Location
Perth, Western Australia
Just came across a new (to me anyway) hurdle regarding VPN connectivity to access our NVRs remotely.

I had just left for holidays and suddenly my VPN stopped connecting. My ISP has been very steady with IP addresses and I'd not got around to migrating my DDNS settings to a new router I'd purchased... so I figured I'd been caught out with an IP address change and had no one to blame but myself. Headers on email alerts confirmed the change. Not knowing if it would work I tried modifying my config to reflect the new IP address, however that was a wasted effort.

When I got back I went about setting up DDNS. It updated in No-IP, but I couldn't connect. My router was showing a message about having a "private IP" and seemed to be suggesting I need to port forward the VPN. I tried this to no avail, so then removed it. I then hit Google for help.

After a few pages I started to understand that I'd need to discuss the "private IP" with my ISP. I then came across a discussion regarding the provider and their response to the diminishing availability of IPv4 addresses. It basically meant that my router was now effectively behind another router... a system called CG-NAT. You can not tunnel back into this arrangement.

Fortunately the ISP has an opt-out for those with a "valid reason". After a quick call I'm again able to VPN into my system. However I thought that this is something to watch out for in the lead up to IPv6 addressing becoming mainstream.

Cheers, Steve
 

snookered

n3wb
Joined
Sep 7, 2018
Messages
13
Reaction score
2
Location
Canada
I've got a Netgear R7000 router that I use exclusively for my IP Cameras. I have another router that I use for normal everyday use (PC/TV/Smartphone/etc).
I went through all the usual steps with setting up a DDNS/OpenVPN Connect without any issues on the R7000/Smartphone.
When I'm at home and I connect to the internet with my Smartphone (non R7000 router), I can use OpenVPN Connect with gDMMS Plus and it all works flawlessly - better than I would have expected.
However, if I try using OpenVPN Connect from a free WiFi location, I get a Server Poll timeout error. Does anyone know what would cause this?
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
3,061
Reaction score
2,020
Location
Houston Tx
Some free wifi location block the openvpn traffic.

I can get my openVPN to work correctly from the local library and a local coffee shop. But it will not work from a chain restaurant or chain coffee shop.
 

snookered

n3wb
Joined
Sep 7, 2018
Messages
13
Reaction score
2
Location
Canada
Maybe I should test at the local library as well....
OK, then let me ask this question.
I haven't read anyone mention doing setup in noip.com
My ip address on noip.com is a private IP address (99.255.xx.xx), and the port forward they suggest (1154) doesn't match my router. Does the IP address need to match my R7000 router address (192.168.xxx.xxx)? And is it OK to skip the port forward?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,175
Reaction score
763
Maybe I should test at the local library as well....
OK, then let me ask this question.
I haven't read anyone mention doing setup in noip.com
My ip address on noip.com is a private IP address (99.255.xx.xx), and the port forward they suggest (1154) doesn't match my router. Does the IP address need to match my R7000 router address (192.168.xxx.xxx)? And is it OK to skip the port forward?
If you run your OpenVPN server on port 443, you have the highest chance that (public) wifi's allow that connection - 443 is for httpS communication. Regarding your 1154: I suspect this is required when you run the no-ip.com client. No need for that if you update your dns record accordingly.
 

snookered

n3wb
Joined
Sep 7, 2018
Messages
13
Reaction score
2
Location
Canada
Thanks Cat, but it doesn't really answer either of my questions.
Should I be using a private IP address (99.255.xxx.xxx) or the local router address (192.168.xxx.xxx) in noip.com?
Should I change my Tun Mode Service port to 1194 to match noip.com?
I had assumed everything was set up correctly since everything worked when I was at home.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,175
Reaction score
763
Thanks Cat, but it doesn't really answer either of my questions.
Should I be using a private IP address (99.255.xxx.xxx) or the local router address (192.168.xxx.xxx) in noip.com?
Should I change my Tun Mode Service port to 1194 to match noip.com?
I had assumed everything was set up correctly since everything worked when I was at home.
Then I misread your original Q, sorry! If you put your 192.168.x.y address in the no-ip.com, then that name resolve will only work within your proper lan. Once you leave it, it won't work (or worse case, drop you at that internal ip address of the wifi/network you are currently connected to). So answer one: yes, put the 99.255 in no-ip.com and test connecting to it through 4G (not from your home lan, as your ISP router might not have a static (internal) route).

Secondly, you indeed put 1194 OpenVPN service port forward to match to the no-ip.com DNS. You do not need 1154. But like I wrote above: it's "better" to use 443 or some other commonly used ports which have slighter chance of being blocked.

Good luck!
CC
 

snookered

n3wb
Joined
Sep 7, 2018
Messages
13
Reaction score
2
Location
Canada
Thanks Cat.
It's easy to change things, but it's a pain to drive 10 minutes to get to the free wifi location (each time you change something).
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,175
Reaction score
763
Thanks Cat.
It's easy to change things, but it's a pain to drive 10 minutes to get to the free wifi location (each time you change something).
That's true, and I feel your pain. However, once this is setup, you can sleep on your 2 ears, wherever you are (and that's why I suggested port 443, no hotel blocks that traffic otherwise nobody orders stuff/goes online banking/...).

Good luck!
CC
 

snookered

n3wb
Joined
Sep 7, 2018
Messages
13
Reaction score
2
Location
Canada
OpenVPN.net - troubleshooting client vpn tunnel mentions the following under 'Server Poll Timeout':
"Another common mistake is to forget to open the 3 ports required for OpenVPN Access Server to be reachable properly. By default these are TCP 443, TCP 943, and UDP 1194".
So I changed Tun Mode Service Type to 443 TCP, TAP Mode Service Type to 943 TCP. I also changed Clients use All sites and Home.
Under Web Service Management - Turn Remote Management ON, I changed the Port Number to 1194.
That all seemed to do the trick. Tested 2 different Free WiFi locations and it worked like a charm.
I'm not totally sure if everything I changed needed to be done, but it just kind of evolved to that. I will start changing things back and see if it can be closer to the default settings and still work.
 

iseeker

Getting the hang of it
Joined
Nov 16, 2018
Messages
174
Reaction score
56
Location
TEXAS
Not specifying gateway addresses for IoT devices, thinking this would keep them accessing the internet all together it can also prevent you from accessing it via LAN because your VPN Server is likely to put you in its own subnet and route traffic to your LAN and the VPN on its own.
I don't understand this comment. Can someone give me an example or some additional description? I am running a VPN Server on my Synology NAS (using openvpn), and it is the only way I access the router/NAS from the outside world.
 

CaliBear

n3wb
Joined
Jun 20, 2019
Messages
8
Reaction score
4
Location
CA
If I set up OpenVPN on a w10 machine that I use for Blue Iris as well - what happens if I close OpenVPN on the w10 machine? The router (which in this setup is not running a VPN server) would have port forwarding towards the w10 machine for the VPN traffic. What happens to that port if OpenVPN is off? Is the port now exposed? Is the w10 machine now vulnerable through that port? Are the IP cameras now exposed as well, or merely unavailable?
 

truglo

Getting the hang of it
Joined
Jun 28, 2017
Messages
123
Reaction score
29
The answer to that depends on many different settings, from ovpn auth methods, to cipher settings, windows firewall, and also your router settings. That is a big scope to answer in one shot, but the general answer is if you aren't sure then it is best not to port forward.
 

Inigo

Young grasshopper
Joined
Oct 2, 2016
Messages
60
Reaction score
15
You may want to add the Pepwave Pelink Surf Soho to the VPN solution survey at the top. It has L2TP and VLAN built in, the software is actually maintained, tech support is responsive, and my until has been running great for a couple of years.
 

Cupofschmoe

Young grasshopper
Joined
Apr 13, 2017
Messages
82
Reaction score
17
Reconfiguring my BI server since the SSD took a dump, I just need a quick confirmation:
for the VPN on my Netgear R7000, I just port forward the router to BI Server correct?
Keep it at port 81 by default? when would you change the port number?
UPnP is also disabled and BI app works on my android phone.
I was reading through the BI4 help file and wizard and it says to enable UPnP... is it just because it is easier and more so for LAN use?
It's been a while since I touched the networking stuff since I first set this up originally.
 
Top