Posted: Sat Jun 18, 2022 16:54 Post subject: How to implement an encrypted (VPN?) link into my local LAN
System information
Router: Netgear R7800
dd-wrt version:
Firmware: DD-WRT v3.0-r44719 std (11/04/20)
Time: 18:38:38 up 54 days, 9:40, load average: 0.03, 0.09, 0.10
WAN IP: 185.219.109.47
Hi
I have installed a VPN client from an external provider on my router so that my outgoing traffic is encrypted at the router and decrypted by the VPN server.
What I would also like to be able to do is to have an encrypted link in to my LAN from an external network.
Could someone clarify what I would need to do to do this?
Is the way to do it to run a VPN server on my router, open the required ports (ssh, https) via port forwarding and connect via a VPN client on my device?
Or does simply opening up the ssh/https ports and connecting using those protocols provide a relatively secure link in itself?
It is not entirely clear if you used a 3rd party VPN client or not, but you should consider using the included
OpenVPN or WireGuard client in DD-WRT for your connection to your VPN provider.
To answer your question regarding how to set up access from the outside world, you should consider reading
the OpenVPN / WireGuard guides that have been written and carefully curated by egc:
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Sat Jun 18, 2022 17:34 Post subject:
Hello
First, your DD-WRT build is seriously outdated (I bet you were looking at the router database, which is outdated); the WireGuard and OpenVPN side has had many patches by egc to fix issues and add features that are only available in current builds. Since he patched it last, current DD-WRT builds also have many known security vulnerabilities patched, while your build is... not on any of the above.
You don't need to install anything on the router from VPN providers, only maybe their configs. DD-WRT has both server and client, and once set up every connection/client will use the tunnel, or whatever you set up following the guides.
WireGuard is better performing as it is an in-kernel implementation, while OpenVPN is a 3rd party component built into DD-WRT.
Both guides are written by egc, who is our resident tunneling expert and beloved M.C.H.O.
Thank you for the link to the latest firmware - in general, are we supposed to use the versions under 'beta'?
> You should upgrade
As far as upgrading goes, I was simply going to download the bin file, go to Administration -> Firmware, browse to the bin file and press 'Upgrade'. Is that the correct procedure, or is it more complicated than that?
> then do a nvram reset and reconfigure from scratch.
So all my configuration will be lost on the upgrade? Including basic setup, wireless configuration, VPN client etc.?
If so, is there any way to back up my current config to a file of some sort, then reload it after the upgrade?
Yes, I am using a 3rd party VPN - they provided me with the configuration/certificates to run the OpenVPN client on the router, so I did not need to put one on every device.
I'm on a fairly steep learning curve as regards VPNs at the moment, so I'm still trying to clarify things from a top level, so I'm not entirely clear on the why/how one could have a local VPN client, since I thought you'd always need an external server on the other side of the ISP to decrypt?
I take it from your replies that it is OK, then, to run both a VPN server and a VPN client on the router?
Thank you for the link to the setup guides. I've not come across WireGuard before. As far as I can gather it is a lighter-weight, more up-to-date VPN server implementation - so you either use WireGuard or OpenVPN - is that correct?
Since I'm pretty new to VPNs I am a bit confused as to how routing would work. Before diving into the VPN set-up I'd like to have a bit of a top-level understanding of what is needed and how the packets are routed.
General questions that come to mind are things like:
How does the router 'know' that outgoing traffic initiated from my LAN should be routed via the VPN client?
And what happens with outgoing traffic triggered by requests from my VPN client on my device on an external network - how does it know to route through the local VPN server? Or is it all always routed through my VPN client?
How does the router 'know' that incoming traffic from my third-party VPN server should be routed through my VPN client for decryption?
And that incoming traffic from the client on my device (on an external network) should be routed through the VPN server for decryption?
Which of these routing behaviours do I need to explicitly configure?
And what is handled automatically by the VPNs (I get the impression a separate subnet is set up by the VPN)?
A bit outside the scope of this forum, but I don't suppose anyone knows of any documentation that might help answer some of these questions?
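The routing questions in the post above come down to one mechanism: the kernel picks the most specific route that contains the destination (longest-prefix match), and the tunnels install routes of their own. The model below is an added example and not code from the thread or from DD-WRT; the addresses are constructed from the RFC 5737 documentation ranges and the interface names (br0 for the LAN, eth0 for the WAN, tun0 for the OpenVPN client, oet1 for WireGuard) are an assumption about the poster's setup. It reproduces what OpenVPN's "redirect-gateway def1" does (two /1 routes that out-rank the ISP's /0 default plus a /32 host route to the provider), traces each flow the post asks about, and shows the one case that a client-plus-server router must configure explicitly: without a source-based policy rule, the WireGuard server's encrypted replies to a roaming peer would themselves be sent into the provider tunnel.

```python
import ipaddress

# Added example, not from the thread. Addresses are constructed from the
# RFC 5737 documentation ranges; interface names follow DD-WRT conventions
# (br0 = LAN bridge, eth0 = WAN, tun0 = OpenVPN client, oet1 = WireGuard),
# which is an assumption about the poster's setup.
WAN_IP = "198.51.100.7"       # router's own WAN address
WAN_GW = "198.51.100.1"       # ISP gateway
VPN_SERVER = "203.0.113.10"   # the provider's OpenVPN server
ROAMING_EP = "192.0.2.44"     # public address of a phone dialling in over WireGuard

# Main routing table as (prefix, egress device, next hop). The two /1 routes are
# what OpenVPN's "redirect-gateway def1" installs: being more specific than the
# ISP's /0 default they win longest-prefix match without deleting it, and the
# /32 host route keeps the tunnel's own encrypted packets going out via the ISP.
MAIN = [
    ("192.168.1.0/24", "br0", None),          # LAN
    ("10.8.0.0/24", "tun0", None),            # provider tunnel subnet
    ("10.10.10.0/24", "oet1", None),          # subnet handed to WireGuard peers
    ("0.0.0.0/1", "tun0", None),              # redirect-gateway def1, lower half
    ("128.0.0.0/1", "tun0", None),            # redirect-gateway def1, upper half
    (VPN_SERVER + "/32", "eth0", WAN_GW),     # host route to the provider
    ("0.0.0.0/0", "eth0", WAN_GW),            # original ISP default route
]
# Extra table consulted only through a policy rule: plain ISP default.
WAN_TABLE = [("0.0.0.0/0", "eth0", WAN_GW)]
# Policy rule "ip rule add from <WAN_IP> lookup <WAN_TABLE>": anything the
# router sends from its WAN address (WireGuard's encrypted replies) goes to the ISP.
PBR = ((WAN_IP + "/32", WAN_TABLE),)

# Addresses the router itself owns; packets for these are delivered locally
# (to the OpenVPN or WireGuard daemon) rather than forwarded.
LOCAL = (WAN_IP, "192.168.1.1", "10.8.0.2", "10.10.10.1")


def lpm(table, dst):
    """Longest-prefix match: the most specific route containing dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def route(src, dst, rules=()):
    """Egress interface for a packet src -> dst, or 'local' if dst is the router's own."""
    if dst in LOCAL:
        return "local"
    for rule_from, table in rules:      # policy rules are consulted before main
        if ipaddress.ip_address(src) in ipaddress.ip_network(rule_from):
            hit = lpm(table, dst)
            if hit:
                return hit[1]
    hit = lpm(MAIN, dst)
    return hit[1] if hit else "unreachable"


def trace():
    """The flows asked about in the post, with and without the policy rule."""
    return {
        "LAN host -> internet": route("192.168.1.20", "1.1.1.1"),
        "encrypted OpenVPN packet -> provider": route(WAN_IP, VPN_SERVER),
        "roaming WireGuard peer -> LAN": route("10.10.10.2", "192.168.1.50"),
        "roaming WireGuard peer -> internet": route("10.10.10.2", "1.1.1.1"),
        "inbound WireGuard handshake -> router": route(ROAMING_EP, WAN_IP),
        "WireGuard reply, no policy rule": route(WAN_IP, ROAMING_EP),
        "WireGuard reply, with policy rule": route(WAN_IP, ROAMING_EP, PBR),
    }


if __name__ == "__main__":
    for flow, dev in trace().items():
        print(f"{flow:40} -> {dev}")
```

Reading the trace: LAN hosts and roaming peers both end up in tun0 for internet destinations because the /1 routes cover every public address; a roaming peer reaching the LAN matches the /24 and never touches tun0; the provider's encrypted packets are addressed to the router's WAN IP and so are delivered locally to the daemon, which decrypts and hands the inner packet back to the routing table. The only piece that does not happen by itself is the reply path of the server: its encrypted UDP leaves from the WAN address, and only a source-based rule keeps it off the provider tunnel. One related caveat for the "open ports via port forwarding" idea in the first post: a VPN server that runs on the router itself needs a firewall rule that accepts its UDP port on the WAN interface, not a port forward, since the packets are for the router, not for a LAN host.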
> If so, is there any way to back up my current config to a file of some sort, then reload it after the upgrade?
Does anyone have any idea if this is possible?
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Sun Jul 10, 2022 11:20 Post subject:
Shaggy1 wrote:
> If so, is there any way to back up my current config to a file of some sort, then reload it after the upgrade?
Does anyone have any idea if this is possible?
I downloaded easyddup and am going through the instructions in QuickStart.txt. I got to the point where I run:
Code:
./nvram-save.sh
but this came up with the message:
Code:
nvram-save.sh: NVRAM variable file not found: nvram-dd-wrt.ini
Does anyone know where I should get this file from?
Is it simply a matter of using the provided nvram-dd-wrt.ini.sample for this, or do I need to somehow generate this file from my current routing settings?
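Whatever the variable file for that tool is meant to contain, the underlying idea of carrying settings across a reset is to restore a curated subset of NVRAM rather than a raw dump: hardware identity (MAC addresses, board revision) and build-specific variables from an old release must not be written into a freshly reset firmware, which is why the earlier advice was to reconfigure from scratch. The script below is an added example, not code from the thread and not easyddup's own code; the allow/deny lists and the sample `nvram show` output are constructed assumptions for illustration.

```python
import shlex

# Added example, not from the thread and not easyddup's own code. It saves a
# curated subset of NVRAM instead of a raw dump: hardware identity and
# build-specific variables must not be carried into a freshly reset firmware.
# The prefixes and substrings below are an assumption for illustration.
ALLOW_PREFIXES = ("lan_", "openvpncl_", "wl0_ssid", "wl0_wpa_psk", "sshd_", "oet1_")
DENY_SUBSTRINGS = ("hwaddr", "boardrev", "os_version")

# Constructed sample of what `nvram show` prints on the router (values made up;
# the trailing size line stands in for the summary some builds print).
SAMPLE_NVRAM = """wan_hostname=r7800
lan_ipaddr=192.168.1.1
lan_netmask=255.255.255.0
wl0_ssid=home net
wl0_wpa_psk=Super$ecret
openvpncl_enable=1
openvpncl_remoteip=vpn.example.net
openvpncl_remoteport=1194
oet1_en=1
sshd_enable=1
http_passwd=$1$saltedhash
boardrev=0x1
wl0_hwaddr=AA:BB:CC:DD:EE:FF
os_version=v3.0-r44719
size: 1234 bytes (30000 left)
"""


def parse_nvram(text):
    """key=value lines -> dict; lines without '=' (the size summary) are skipped."""
    out = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key] = value
    return out


def select_for_restore(variables, allow=ALLOW_PREFIXES, deny=DENY_SUBSTRINGS):
    """Keep only allow-listed settings, and never anything identifying hardware or build."""
    return {
        k: v
        for k, v in variables.items()
        if k.startswith(allow) and not any(d in k for d in deny)
    }


def to_restore_script(selected):
    """Emit `nvram set` lines to paste into a shell on the upgraded router.
    The whole key=value pair is shell-quoted so spaces, '$' and quotes survive."""
    lines = ["nvram set " + shlex.quote(f"{k}={v}") for k, v in sorted(selected.items())]
    lines.append("nvram commit")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_restore_script(select_for_restore(parse_nvram(SAMPLE_NVRAM))))
```

On the router the input would come from `nvram show` and the output is a shell snippet to run after the reset and a first reboot, followed by a check of each restored page in the web UI. The saved file contains secrets (here the Wi-Fi PSK; with the openvpncl_ prefix also whatever the provider's client config stores), so keep it off shared storage and delete it once restored. Restoring even a filtered set across a jump of several years of builds can still reintroduce stale values, which is the reason the thread recommends reconfiguring by hand.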