Can you help me in setting up my network and VPN please?
-
- Getting the hang of things
- Posts: 75
- Joined: Tue Oct 03, 2017 10:37 pm
Can you help me in setting up my network and VPN please?
Hey
This is what I have at the moment in my network
- a TS-451 (that is going to be reset soon)
- a router/AP provided by the company (Fastweb Italy) that I CANNOT replace since it's a fiber one. On this one the wifi is disabled
- a Ubiquiti AP-PRO access point that I use as DHCP server and centrally-located AP (since the original router is very far from the center of the house)
Currently therefore I have the TS on a static IP (192.168.1.201) while the AP does provide the dynamic IP to all the other devices in the house.
I would like to set up a VPN to be able to connect remotely. So far I've been using QVPN but I've read your advice and you don't recommend it, so I want to restart.
I've viewed this video https://www.youtube.com/watch?v=rtUl7BfCNMY and it looks interesting; unfortunately I have several questions
1) Currently the Pi goes for >100€. Are there cheaper alternatives?
2) I SHOULD have an old Belkin router/AP->can I install DD-WRT and use that in place of the Pi?
3) On the computer that I use daily and I use for traveling unfortunately I am NOT an admin (company policies...). However I do have a VPN client (Check Point EndPoint Security). Will I be able to use that as a VPN client? (I checked and it seems I *can* create new profiles) or do I need to actually install WireGuard?
3a) In case 3) fails, can I install WireGuard on the mobile phone, connect with it and create a hotspot? (I *guess* so, but I will have to connect to the VPN using mobile and not Wifi, since I can't connect wifi and share)
Disclaimer: I'm an IT who always finds issues with networking ahahah
Thanks!
- dolbyman
- Guru
- Posts: 35005
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Can you help me in setting up my network and VPN please?
1) A used or new ASUS router that supports Merlin FW would also be a good alternative (use it in a double NAT) or check for raspi clones that are compatible with the mentioned repos
2) Model number would be needed to google it (if you do not want to google it yourself)
3) Never used that software, but that probably is only for the VPN that your company uses. But you would have to check with your IT team or Vendor.
3a) If you have to jump through that many hoops, maybe just get some additional cloud storage at onedrive/dropbox/etc ? (you can do sync from/to the QNAP)
-
- Getting the hang of things
- Posts: 75
- Joined: Tue Oct 03, 2017 10:37 pm
Re: Can you help me in setting up my network and VPN please?
1) how can I check raspi clones? Any keyword to search? "raspberry clone" is ok?
2) found it, it is a Belkin F7D4302 v1, Belkin Play. According to the DD-WRT website, it looks compatible. Would it suit my needs?
3) yeah I guess so. I might ask IT if they allow me to install a different VPN software. Otherwise I have a backup solution (I'll bring my mini PC with me instead of the laptop...)
3a) well, it's expensive, given that I do not connect home often and, when I need to, I want one of the movies of my 2.3TB collection... Syncing them online will be very expensive
-
- Getting the hang of things
- Posts: 75
- Joined: Tue Oct 03, 2017 10:37 pm
Re: Can you help me in setting up my network and VPN please?
Can I use a NanoPi instead of a Rasp?
- OneCD
- Guru
- Posts: 12037
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: Can you help me in setting up my network and VPN please?
Possibly. Although, low-power devices will struggle with the cryptographic calculations required for VPN. The result will be slow transfer speeds.
-
- Getting the hang of things
- Posts: 75
- Joined: Tue Oct 03, 2017 10:37 pm
Re: Can you help me in setting up my network and VPN please?
Not sure, I'm not an expert on these boards, but it looks like the NanoPi has more processor power than the Rasp?
- dolbyman
- Guru
- Posts: 35005
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Can you help me in setting up my network and VPN please?
just a quick google
NanoPi R2S OpenSSL performance
Code:
root@nanopi-r2s:~# openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 8962695 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 2534616 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 652684 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 164408 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 20592 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 16384 size blocks: 10291 aes-128 cbc's in 3.00s
OpenSSL 1.1.1 11 Sep 2018
built on: Tue Nov 12 16:58:35 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-J6qvxk/openssl-1.1.1=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128 cbc      47801.04k    54071.81k    55695.70k    56117.93k    56229.89k    56202.58k
My Asus AX86U (self tested)
Code:
admin@RT-AX86U-2220:/tmp/home/root# openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 10713696 aes-128 cbc's in 2.97s
Doing aes-128 cbc for 3s on 64 size blocks: 3340700 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 256 size blocks: 900623 aes-128 cbc's in 2.99s
Doing aes-128 cbc for 3s on 1024 size blocks: 227997 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 8192 size blocks: 28409 aes-128 cbc's in 2.96s
Doing aes-128 cbc for 3s on 16384 size blocks: 14283 aes-128 cbc's in 2.98s
OpenSSL 1.1.1s 1 Nov 2022
built on: Sat Dec 3 18:26:21 2022 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: /opt/toolchains/crosstools-arm-gcc-5.5-linux-4.1-glibc-2.26-binutils-2.28.1/usr/bin/arm-buildroot-linux-gnueabi-gcc -fPIC -pthread -Wa,--noexecstack -DBCM4908 -DBCMWPA2 -DBCMQOS -DD11AC_IOTYPES -DPHYMON -DPROXYARP -DTRAFFIC_MGMT -DTRAFFIC_MGMT_RSSI_POLICY -DMFP -D__CONFIG_MFP__ -DHND_ROUTER -DBCA_HNDROUTER -DMCPD_PROXY -DCMS_LOG3 -DLINUX -Os -march=armv7-a -fomit-frame-pointer -mno-thumb-interwork -mabi=aapcs-linux -marm -ffixed-r8 -msoft-float -D__ARM_ARCH_7A__ -Wno-date-time -Wall -Darm -g -fPIC -DMDM_SHARED_MEM -DCMS_MEM_DEBUG -DSUPPORT_ETHWAN -DSUPPORT_TMCTL -DDMP_X_BROADCOM_COM_L2TPAC_1 -DSUPPORT_GRE_TUNNEL -DSUPPORT_IPSEC -DDMP_X_BROADCOM_COM_IPSEC_1 -DSUPPORT_TR64C -DDMP_X_BROADCOM_COM_TR64_1 -DSUPPORT_IPV6 -DDMP_X_BROADCOM_COM_DEV2_IPV6_1 -DDMP_DEVICE2_DSLITE_1 -DDMP_DEVICE2_DSLITE_2 -DDMP_DEVICE2_IPV6RD_1 -DDMP_DEVICE2_IPV6INTERFACE_1 -DDMP_DEVICE2_IPV6ROUTING_1 -DDMP_DEVICE2_DHCPV6CLIENT_1 -DDMP_DEVICE2_DHCPV6CLIENTSERVERIDENTITY_1 -DDMP_DEVICE2_DHCPV6SERVER_1 -DDMP_DEVICE2_DHCPV6SERVERADV_1 -DDMP_DEVICE2_DHCPV6SERVERCLIENTINFO_1 -DDMP_DEVICE2_NEIGHBORDISCOVERY_1 -DDMP_DEVICE2_ROUTERADVERTISEMENT_1 -DSUPPORT_TR69C -DSUPPORT_CPU_MEMORY_WEB_PAGE -DSUPPORT_JQPLOT -DSUPPORT_WEB_SOCKETS -DSUPPORT_HTTPD -DSUPPORT_CLI_CMD -DCLI_CMD_EDIT -DSUPPORT_CONSOLED -DSUPPORT_TELNETD -DSUPPORT_SSHD -DSUPPORT_TOD -DDMP_X_BROADCOM_COM_ACCESSTIMERESTRICTION_1 -DSUPPORT_URLFILTER -DSUPPORT_POLICYROUTING -DSUPPORT_UPNP -DDMP_X_BROADCOM_COM_UPNP_1 -DDMP_X_BROADCOM_COM_DLNA_1 -DSUPPORT_FCCTL -DSUPPORT_SNTP -DDMP_X_BROADCOM_COM_ETHERNETOAM_1 -DSUPPORT_ETHSWCTL -DSUPPORT_PWRMNGT -DDMP_X_BROADCOM_COM_PWRMNGT_1 -DSUPPORT_HOSTMIPS_PWRSAVE -DSUPPORT_ETH_PWRSAVE -DSUPPORT_ENERGY_EFFICIENT_ETHERNET -DSUPPORT_ETH_DEEP_GREEN_MODE -DSUPPORT_STORAGESERVICE -DDMP_STORAGESERVICE_1 -DSUPPORT_NTFS_3G -DSUPPORT_SAMBA -DSUPPORT_PPTP -DSUPPORT_NF_MANGLE -DSUPPORT_INTF_GROUPING -DSUPPORT_VLANCTL -DSUPPORT_QOS -DSUPPORT_RATE_LIMIT -DSUPPORT_DEBUG_TOOLS -DSUPPORT_CERT 
-DDMP_X_BROADCOM_COM_DIGITALCERTIFICATES_1 -DCOMPRESSED_CONFIG_FILE -DCMS_CONFIG_COMPAT -DCHIP_4908 -DCONFIG_BCM94908 -DCONFIG_BCM_MAX_GEM_PORTS=1 -DSUPPORT_INCREMENTAL_FLASHING -DBRCM_WLAN -DWIRELESS -L/opt/toolchains/crosstools-arm-gcc-5.5-linux-4.1-glibc-2.26-binutils-2.28.1/usr/lib -Wno-date-time -DSUPPORT_RDPA -DRTAX86U -O2 -D__CONFIG_DHDAP__ -D__CONFIG_BCM_CEVENT__ -DBCM_CEVENT -DBCM_CEVENTD -DCONFIG_HOSTAPD -D__CONFIG_LBR_AGGR__ -DBCM_BSD -DBCM_EVENTD -DEXT_ACS -DBCM_DCS -D__CONFIG_EMF__ -D__CONFIG_VISUALIZATION__ -DCONFIG_VISUALIZATION_ENABLED -D__CONFIG_WPS__ -DJFFS_NVRAM -fstack-protector-all -march=armv8-a -fomit-frame-pointer -mabi=aapcs-linux -marm -ffixed-r8 -msoft-float -O2 -ffunction-sections -fdata-sections -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -DOPENSSL_API_COMPAT=0x10000000L -DL_ENDIAN -D__ARM_ARCH_8A__
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128 cbc      57716.88k    71746.58k    77110.20k    78345.28k    78623.83k    78527.74k
So it seems pretty capable
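Added example (not part of the post above or of either device's firmware): a small parser that turns the `openssl speed` summary rows quoted above into a rough single-core cipher ceiling in Mbit/s at tunnel-packet size and compares it with the line rate. The function names, the 1420-byte payload (WireGuard's default tunnel MTU) and the link speeds are assumptions; WireGuard itself uses ChaCha20-Poly1305, so `openssl speed -evp chacha20-poly1305` is the more relevant run for it, and real VPN throughput sits below any of these figures.

```python
import re

# Constructed sample input: lines copied from the two benchmark runs in this thread.
HEADER = "type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes"
SAMPLES = {
    "nanopi-r2s": "Doing aes-128 cbc for 3s on 16 size blocks: 8962695 aes-128 cbc's in 3.00s\n"
                  "The 'numbers' are in 1000s of bytes per second processed.\n" + HEADER + "\n"
                  "aes-128 cbc 47801.04k 54071.81k 55695.70k 56117.93k 56229.89k 56202.58k",
    "rt-ax86u": "Doing aes-128 cbc for 3s on 16 size blocks: 10713696 aes-128 cbc's in 2.97s\n"
                "The 'numbers' are in 1000s of bytes per second processed.\n" + HEADER + "\n"
                "aes-128 cbc 57716.88k 71746.58k 77110.20k 78345.28k 78623.83k 78527.74k",
}

VALUE = re.compile(r"^\d+(?:\.\d+)?k$")  # one throughput cell, e.g. 56117.93k


def parse_speed(text):
    """Return {cipher: {block_size: bytes_per_second}} from the summary table."""
    sizes, results = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("type"):
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        tokens = line.split()
        vals = [t for t in tokens if VALUE.match(t)]
        if not sizes or len(vals) != len(sizes):
            continue  # progress lines ("Doing ..."), build info, blanks
        name = " ".join(tokens[: len(tokens) - len(vals)])
        # openssl prints 1000s of bytes per second, hence the * 1000
        results[name] = {s: float(v[:-1]) * 1000 for s, v in zip(sizes, vals)}
    return results


def packet_sized_mbps(results, cipher, payload=1420):
    """Mbit/s at the largest benchmarked block that fits in one tunnel packet."""
    per_size = results[cipher]
    size = max(s for s in per_size if s <= payload)
    return per_size[size] * 8 / 1e6


def compare(samples, cipher, link_mbps):
    """Per host: (cipher ceiling in Mbit/s, True if the link is the tighter limit)."""
    out = {}
    for host, text in samples.items():
        mbps = packet_sized_mbps(parse_speed(text), cipher)
        out[host] = (round(mbps, 1), link_mbps <= mbps)
    return out


if __name__ == "__main__":
    for link in (100, 1000):  # hypothetical line rates in Mbit/s
        print(link, compare(SAMPLES, "aes-128 cbc", link))
```

The figure is a single-threaded userspace cipher benchmark only; packet handling, authentication and kernel/userspace copies all reduce what a tunnel actually delivers.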
-
- Getting the hang of things
- Posts: 75
- Joined: Tue Oct 03, 2017 10:37 pm
Re: Can you help me in setting up my network and VPN please?
thanks @dolbyman
...I've tried to read the DD-WRT installation page...it's FAIRLY complicated. Pages and pages of documentation, exceptions and warnings....
- OneCD
- Guru
- Posts: 12037
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: Can you help me in setting up my network and VPN please?
Agreed, but I wouldn't have thunk it. Cheers!
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Can you help me in setting up my network and VPN please?
I find it best to rely on a YouTube guide when possible. Some walk you through step by step, but sometimes you still need to read the documentation on the steps as well.
DD-WRT - Open Source Router Firmware to take your home router to the next level of capability!
https://www.youtube.com/watch?v=ooJPLBDW8qw
I've flashed Tomato and RT-Merlin before. DD-WRT should be roughly the same, but always follow the exact instructions.
I made a quick summary of what you need to do. *These are just my recommendations; you can opt for DD-WRT flashed on an ASUS if you want, that's also a viable solution.
step1: pick a router/firewall to use
(A) hardware
Personally though, I'm more in favor of these types of router/firewall boxes (Yanling, Topton, Qotom, Protectli ...) to load them with either pfSense or OPNsense
https://www.youtube.com/watch?v=h7U4fCj_Pos
https://www.youtube.com/watch?v=xExmvIHEQao
https://www.youtube.com/watch?v=tZK1l9bXDgs
(B) software
Opnsense vs Pfsense
https://www.youtube.com/watch?v=Of0Zp8h258g
step2: follow the VPN setup guide. There are a few different methods; here are some I listed below.
Tutorial: pfsense Wireguard For Remote Access
https://www.youtube.com/watch?v=8jQ5UE_7xds
How to Setup The Tailscale VPN and Routing on pfsense *This is probably easier to setup and manage for you
https://www.youtube.com/watch?v=P-q-8R67OPY
PiVPN + WireGuard Complete Setup - Build Your Own VPN Server! *for this you need to buy a raspberry pi 4 model B ideally
https://www.youtube.com/watch?v=Q4zlrc0F4NU
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
- spile
- Been there, done that
- Posts: 637
- Joined: Tue May 24, 2016 12:13 am
Re: Can you help me in setting up my network and VPN please?
The Raspberry Pi is a reliable option and Wireguard works perfectly on it. I realise prices have gone up but they do come up for sale used. It’s what I would recommend if you don’t want to change your router.
-
- Getting the hang of things
- Posts: 75
- Joined: Tue Oct 03, 2017 10:37 pm
Re: Can you help me in setting up my network and VPN please?
Thanks, I tried to search it used, no luck. I am evaluating a pizero which is much cheaper. I also have a 3dprinter so I can build a nice case for it
BUT I have this unused router at home (it's not the main router, it's an additional one that I don't use anymore) so if I can install DD-WRT it will come for free.
-
- Getting the hang of things
- Posts: 75
- Joined: Tue Oct 03, 2017 10:37 pm
Re: Can you help me in setting up my network and VPN please?
So if I configure this modem/router with DD-WRT (it's a modem/router, so it has a yellow "modem" eth port and 4 normal eth ports...it should be fine, as long as I don't use the modem ones), the topology should be
Fiber modem -> Switch ->
And from the switch everything connects there, including this router that will act as VPN
The NAS normally has a static ip 192.168.1.201, I *suppose* that I have to set the router to have a static IP (let's say 192.168.1.107) and, on the modem, open a route for the VPN ports directly to this ip.
Is this correct?
-
- Getting the hang of things
- Posts: 75
- Joined: Tue Oct 03, 2017 10:37 pm
Re: Can you help me in setting up my network and VPN please?
meanwhile, I've successfully installed dd-wrt on this belkin!
-
- Getting the hang of things
- Posts: 75
- Joined: Tue Oct 03, 2017 10:37 pm
Re: Can you help me in setting up my network and VPN please?
... According to the ddwrt forums pals, seems that this belkin router could work but it's underpowered to run VPN, so I guess I would have slow transmission speed