[logic1485]

Is this a double NAT issue, and can I get my work phone to connect to the work network from home?

I've got the following scenario

work phone (at home) -> PoE switch -> dd-wrt router -> ubiquiti edgerouter-x -> home internet -> office internet -> fortigate -> win10 "wireguard server"

I'm trying to get my work phone working from home, and on the home side it's set up like this so that I can keep everything segregated, such that the work connection can not access my home devices.

Is it possible to get my work phone connected using dd-wrt and wireguard? I don't HAVE to use wireguard, though! I'm open to another option if need be.

The only neccesities are:

I don't have access to the work router
I would like to segregate the two networks at home such that they can access each other's network, which is why I have put in the dd-wrt router on a seperate port on the edgerouter-x.


I'm running DD-WRT v3.0-r44715 mega (11/03/20) on an ASUS RT-N66U

[eibgrad]

To be honest, trying to provide good advice in a case like this is difficult since I'm going to have to make numerous assumptions. But I'll at least try and see if I can come up w/ something close to meeting your expectations.

I assume this is a VOIP phone. And that you're expecting to use the dd-wrt router to establish a VPN connection to your remote workplace. And by routing the dd-wrt router through the edgerouter, it's isolated from the primary (private) network.

I'm going to also assume that if that VOIP phone was directly patched to your remote (office) network (LAN), it would work. And if that's the case, it would probably make more sense to use OpenVPN and a *bridged* tunnel so that the VOIP phone and the remote network were using the same ethernet network. I'm specifically suggesting OpenVPN because Wireguard doesn't offer a bridged VPN, only routed.

Another issue is this lack of access to the work router. That tells me you can't port forward on the workplace router to establish the OpenVPN connection, at least not if you're expecting the workplace to support the OpenVPN server. You would therefore have to establish the OpenVPN server at your home (i.e., on the dd-wrt router), and have the OpenVPN client at your workplace access it.

Finally, you'd want to add firewall rules to the dd-wrt router to keep any traffic over the OpenVPN tunnel confined to only that router (i.e., don't allow routing outbound, LAN to WAN, and over to the private/home network).

Now that's a lot of speculatin' based on very few details. Realize that what I'm suggesting essentially "punches a hole" through your workplace's firewall, making it theoretically possible for anything on the dd-wrt router to gain access back into the workplace. That's the kind of thing that gives network admins sleepless nights, and is often against company policy, and could possibly get anyone caught doing it FIRED if not authorized in advance.

So in the end, the bigger problem may be getting authorization given the risk to the workplace. As a technical matter, it's not all that difficult (well, for me anyway, I obviously have no idea of your own technical skills).

[logic1485]

[eibgrad]

I'm not going to go into excruciating detail here since I believe if given a rough outline, you can work out the details. At least *try* to make some progress on your own, and if you have specific issues, ask questions. At least then we can keep the discussion focused on where you possibly have holes in your knowledge.

As far as the OpenVPN server on the dd-wrt router, you might want to consider using FT (FreshTomato) instead of dd-wrt. I think FT's GUI is a little easier to work with, esp. for an OpenVPN newb. It supports auto-generating of certs & keys for *both* server and client, username/password authentication (or just username/password if you prefer), auto-generation of the OpenVPN client config file, and other niceties. OTOH, if you use dd-wrt, you're quickly into the world of EASY-RSA and more limited options. But ultimately the choice is up to you.

Whichever firmware you choose, you'll want to disable the router's DHCP server and assign it a LAN IP. Ideally this would be in the same network as your workplace (you'd have to ask your admin for a static IP so your choice of IP doesn't cause a conflict on the workplace network). This would make administrating the router possible from both your home and the workplace. However, it is possible to use the default IP network instead (i.e., 192.168.1.1) since it is NOT necessary for the router itself to participate in support of the phone, or any other devices you choose to connect to the wired ports or wireless SSID(s). All those devices are going to be initialized by your workplace DHCP server, over the tunnel! Realize as well that the router can still be managed from the edgerouter's network over the WAN provided you enable remote access to the GUI.

Once configured as a bridged (tap) OpenVPN server, you'll obviously have to establish port forwarding from the edgerouter over to the dd-wrt/ft router in order to reach it.

Back at the workplace, if using Windows 10, you can use the OpenVPN Connect software to establish the bridged OpenVPN client. This is where using FT comes in handy since you can use the OpenVPN server GUI to generate a compatible OpenVPN client config, and configure OpenVPN Connect to use it. If you use dd-wrt, then you'll have to *manually* create a compatible OpenVPN client config file. However you create the config file, once connected, you will see a TAP network adapter in the Windows Network Connections applet, where you can right click it and your normal local network connection (wired or wireless), and select Bridge Connections.

At that point, it will be possible for your workplace phone (back at home) to establish itself on the workplace network, just like any other workplace device. Ethernet traffic will flow back and forth across the tunnel, which will include IP traffic.

What remains is to configure the firewall on the dd-wrt/ft router to deny LAN to WAN traffic.

[egc]

For DDWRT see the OpenVPN Server setup guide there is a section about setting up a TAP (bridged) connection:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398


@eibgrad is FT still on K2.6?

[eibgrad]

[egc]

We use Easy RSA3 nowadays, the guide will walk you through but indeed it is some more work but it is one time only

[kernel-panic69]

Yes, public FT is still K2.6. They would have to borrow from the public svn or github repo to upgrade.

[logic1485]

[egc]

Good luck I hope you will succeed.

For questions about fresh tomato ask at their forum.

[logic1485]

Is there a way to figure out (in dd-wrt) if my N66U is mips based or ARM based?

[blkt]

https://wiki.dd-wrt.com/wiki/index.php/Asus_RT-N66U

https://www.broadcom.com/products/wireless/wireless-lan-infrastructure/bcm4706

https://wikidevi.wi-cat.ru/ASUS_RT-N66U - https://wikidevi.wi-cat.ru/Broadcom_BCM4706

https://openwrt.org/toh/asus/rt-n66u

It's all in the MIPS (yeah). Web GUI Status -> Router page can show it, also dmesg from Telnet as root.

[logic1485]

[logic1485]

So, here's what happened.

There were no good guides with Fresh Tomato that I could find that had client config utility to generate the config file. So, I flashed back to dd-wrt and followed the guide posted by egc.

I've got everything set up, but tls key negotiation and handshake fails.

Quick question: in dd-wrt there are multiple ips that are being used:
192.168.11.247 WAN IP Address
192.168.11.249 Router Local IP Address
192.168.11.240 Server IP/Name (in OpenVPN Client section)

I'm guessing the handshaking is failing because I've not forwarded the correct IP. I've tried 240, going to try 247 (and connect through to the edgerouter through the WAN port) and see if that makes a difference.

(edit: I've plugged in the edgerouter into the WAN port, and forwarded 1194 to 1194 on 192.168.11.247 in the edgerouter port forwarding section and it still doesn't work)

There's one more area of difference:

In the guide by egc, the OpenVPN Server/Daemon section has three data cipher sections, which matches what I see on my dd-wrt, but in the OpenVPN Client section in the guide, after the hash algorithm, there are no data ciphers at all.

Maybe I've missed a setting somewhere, but when pasting the settings into the .ovpn file, in the guide, there is only one cipher, whereas I thought all of them would have to be mentioned. Maybe this is also giving trouble to the handshaking process?

page 31 in this guide is what I am refering to:

https://forum.dd-wrt.com/phpBB2/download.php?id=44043

found in this thread:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795

edit:
picture of my openvpn client section for refernce can be found at the following link:
https://imgur.com/PpIdr1M

edit2:
also, for reference, by build is Firmware: DD-WRT v3.0-r44715 mega (11/03/20)

edit 3:
just read through the troubleshooting guide, and checked the section on TLS error and the server address is resolving correctly (I've set up a ddns), and the port is forwarded correctly.
The Windows firewall is disabled (for testing purposes) so that's not interfering, the only thing that could be interfering could be SFE. Should I disable it, and where can I find it?

edit 4:
eibgrad said I should put the following in the firewall of the dd-wrt:

[egc]

SFE does not matter.

The Tap paragraph is not yet updated (it explicitly states so)
You can just add the datacipher line from the tun interface: