Posted: Wed Dec 07, 2022 21:58 Post subject: Can someone help me with networking?
Hi
I've been working 25 years in computer programming BUT IP and networking has always been my Achilles' heel
Can a kind soul help in configuring a VPN in my house?
Here's the situation
- a cable fiber modem that I cannot change BUT I can access admin and configure port forwarding
- connected through a switch, there are
- an Ubiquiti AP-Pro, which acts as access point and DHCP
- a QNAP NAS which is set at static ip 192.168.1.201
Now I would like to configure a VPN to my house. The NAS *can act* as a VPN server (so I forwarded ports to its IP address) and in fact it was working, but I understand that it's not a secure setup, therefore...
...I found in my closet an old Belkin "play" ap/router/modem (F7D4302 v1) where I've been successfully able to install DD-WRT mega version (v3.0-r50963 mega)
I would like this device to be the VPN server (I've been using OpenVPN in the past, but I understand that wireguard is better, so it's fine by me). I want to be able to connect to my home and then reach the NAS and other devices at home.
Here's the hard part, I have difficulties understanding how to do it.
This SHOULD be the procedure, but can you help me?
1 connect the router to the switch
2 set the router to a static IP (let's say 192.168.1.107)
3 port forward the VPN ports from the cable to this IP
4 configure a DDNS service so I can have a public reachable address
5 configure OpenVPN or Wireguard on dd-wrt
6 connect via openvpn or wireguard to my DDNS address
Am I missing something?
Once I am connected, can I type 192.168.1.201 and connect to my NAS?
On DD-WRT I don't see a wireguard section, does it mean it supports only OpenVPN?
Bonus question: can this Belkin act as a firewall too? Could be interesting to investigate this too...
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Thu Dec 08, 2022 1:29 Post subject:
Here are a few pointers to start with.
1. Place your fiber modem in bridge mode so the routing functions are shifted to your own router. This way, you have more control of your home network, as well as flows of incoming and outgoing traffic.
2. Your Belkin (F7D4302) might be under-powered to handle VPN traffic. VPN traffic is encrypted, resulting in more crunching power needed of the router (i.e. both encrypting and decrypting processes). You will need to invest in a more powerful one. (This also implies that you're better off by not placing VPN Server on your NAS, but on the router).
3. The new router, with its WAN port connected to your fiber modem (in bridge mode), should be where all firewalls are setup to secure your home network. It also means that the router should be the only device connected to the fiber modem. Every other network device in your home should be behind it, including the switch.
And lastly, I'd say that program coding would require more efforts and focus than setting up VPN Server. Of course, expecting one to run, before one can walk, may seem overwhelming. But, running is just a progression of walking. I am sure people here will help you.
The rest of your post seems in order to me.
Cheers _________________ Life is a journey; travel alone makes it less enjoyable and lonely.
Thank you!
A few answers.
1. I'm not sure that I can set the modem in bridge mode (also: I've read this many times, but I don't know what it means). It's a very "consumer grade" modem. Even port forwarding is not named like that but something like "internal devices". If I can't setup it in bridged mode, will I be able to setup a VPN anyway?
Regarding the modem, I initially started with a project of setting up a VPN with a Raspberry Pi, but prices are high now and so I remembered that I had this modem in a closet and ddwrt came into my mind. Low power means low transfer speed, I guess. How much could I expect?
Note that my VPN would be an occasional feature, something like "oh damn I forgot that file that I had at home..."
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Thu Dec 08, 2022 21:35 Post subject:
When placed in bridge mode, ISP modem/router only works as a modem but its routing functions are suspended. This allows the use of more advanced features such as QoS, VLANs, VPN, etc. of users' own routers. ISP modem/router is typically very basic due to cost considerations.
Simply ask your ISP about the steps for bridging it. (Let them know that you don't expect them to provide support for your own router). And they would be more than happy to oblige.
Now, without your own router doing the total routing part (i.e. no bridge), it's likely to be a bit more complex and less secure to set up VPN Server.
And maybe try out the Belkin first to see if it is ok. It'd give you a chance to gain knowledge of setting up VPN. You can always get a new router, if needed.
I use VPN connection to backup my NAS to my relative's NAS. And vice versa. Not to 3rd party and no ongoing fees. Here is a picture to tickle your fancy, _________________ Life is a journey; travel alone makes it less enjoyable and lonely.
Hey man, thanks a lot. I'm not sure that Fastweb Italy would setup the router in bridge mode and besides that, I don't want to setup bridge, rely on my router that I can't configure (yet) and that it may not be good enough, and then call them again to revert...
Also, the link you provided does not look easy and I can't see where am I supposed to set ddwrt as server. Plus, how do I configure it given that my router is not the normal router?
A lot of us are using a VPN server on DDWRT to connect to our homes.
WireGuard is probably available for your router if you are using a K3X build e.g.:
dd-wrt.v24-50963_NEWD-2_K3.x_mega_f7d4302.bin
@DWCruiser already pointed you to the WireGuard Server setup guide.
Setting up a WireGuard connection is really easy, but you have to consult the manual.
You have to port forward to your Belkin router just as when you are using the VPN on your NAS.
Damn... I'm stupid. I am logged in but was not able to see any link in that page. But as I opened in new page, I wasn't in that new tab. Apologies, now I downloaded and I'll have a look and come back with questions
"As WireGuard is a routed solution all three involved subnets have to be different. So the Servers subnet, the
WG subnet and the Clients subnet all have to be different!"
Not sure if I understand this part. What are the three different subnets? My local devices are in the 192.168.1.x subnet, should I change them?
In my setup, where the Belkin is not acting as a router, should I set it to a fixed IP (like for example 192.168.1.177) and port forward WireGuard ports to it? How should I configure this device to act just as a VPN server (so disabling routing functions)?
Then I also guess I need to publish my IP from the Belkin using a DDNS service.
Joined: 18 Mar 2014 Posts: 12814 Location: Netherlands
Posted: Sat Dec 10, 2022 9:34 Post subject:
The subnet of the router, the subnet of WireGuard and the subnet of your client.
The router's subnet is by default 192.168.1.1 but as this is a secondary router on an existing subnet this router's subnet (local IP) should be different from the main router.
So if your main router is 192.168.1.1 set your Belkin to 192.168.2.1 (mask /24 = 255.255.255.0)
The easy way:
After you have upgraded your Belkin and reset it to defaults, plug your Belkin's WAN port to the LAN of your main router.
Connect your PC to the LAN of your Belkin and if you have internet you are good because that means the Belkin's subnet is different from your main router.
If you do not have internet change the Local IP of the Belkin from 192.168.1.1 to 192.168.2.1
Then proceed setting up WG according to the manual.
The client (e.g. your phone) usually will have a different subnet so do not worry about that
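Added example, not part of the thread or the DD-WRT manual: a small Python check of the "three different subnets" rule discussed above, run over the addressing plan from these posts. The 192.168.1.1 and 192.168.2.1 addresses come from the thread; the WireGuard subnet and the client addresses are constructed placeholders.

```python
import ipaddress
from itertools import combinations


def find_overlaps(subnets):
    """Return (name_a, name_b) pairs whose networks overlap.

    `subnets` maps a label to an address with mask, e.g. "192.168.2.1/24".
    strict=False lets a host address (the router's own IP) stand for its network.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in subnets.items()}
    return [(a, b)
            for (a, net_a), (b, net_b) in combinations(nets.items(), 2)
            if net_a.overlaps(net_b)]


# Belkin still on its default local IP behind the main router (from the thread).
BELKIN_DEFAULT = {
    "main_lan": "192.168.1.1/24",
    "belkin_lan": "192.168.1.1/24",
    "wireguard": "10.4.0.1/24",     # constructed placeholder
    "client": "192.168.43.5/24",    # constructed placeholder
}

# Belkin moved to 192.168.2.1 as suggested in the thread.
BELKIN_MOVED = dict(BELKIN_DEFAULT, belkin_lan="192.168.2.1/24")

# Same plan, but the client is on a remote network that also uses 192.168.1.x.
CLIENT_CLASH = dict(BELKIN_MOVED, client="192.168.1.57/24")

if __name__ == "__main__":
    plans = [("default", BELKIN_DEFAULT),
             ("moved", BELKIN_MOVED),
             ("client clash", CLIENT_CLASH)]
    for label, plan in plans:
        clashes = find_overlaps(plan)
        print(label, "->", clashes or "no overlapping subnets")
```

The third plan covers the case where the remote network the client happens to be on uses the same 192.168.1.x range as the home LAN, so the address of the NAS is ambiguous from the client's side.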
So I connected the Belkin to the main router and my laptop to the belkin, and I had no internet.
IPCONFIG said
I don't know what happened...it was working fine (192.168.1.1) so I configured no-ip.net, and set the required parameters on the DDNS page of DD-wrt...I clicked "Apply Settings" and now I can't reach the admin anymore.
I still have internet, but I can't reach anymore admin. Not 1.1 or 2.1
What have I done?
Anyway....I'm doing a full reset (30 30 30) and not touching that setting just to be sure and wait for your input...