Routing traffic through Synology OpenVPN connection

Author Message
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Wed Mar 08, 2023 7:15    Post subject: Routing traffic through Synology OpenVPN connection Reply with quote
My Use case:
I've currently got OpenVPN running on an R7800 Router with all traffic routed through a VAP, allowing me to simply change WIFI on my Apple TV if I want to watch content that required me to be in another country - and it works great.

The Problem:
My R7800 only allows about 30MB/s through due to the CPU power on the router.

Proposed Solution:
I could use Wireguard which would allow faster throughput, however the end point on the other side (my brother's Synology) does not support Wireguard.
So what I was thinking is the following:

Enable an OpenVPN client on my Synology to set up the connection, then do some magic in DD-WRT to route traffic from a certain VAP through to the Synology's VPN rather than the router's VPN.

Is this possible? Any pointers? :)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Mar 08, 2023 9:36    Post subject: Reply with quote
On the R7800 disable OpenVPN and for the VAP's subnet set a static route to your Synology server on the Setup/Advanced routing page.

Your VPN speed is rather low for an R7800, I get around 85 MB/s on my R7800 but the router is not heavily taxed.


Pity you cannot use WireGuard as that will usually more than triple the speed of OpenVPN.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

PostPosted: Wed Mar 08, 2023 11:55    Post subject: Reply with quote
This may help, how to run Wireguard on Synology NAS in Docker.
https://youtu.be/Tf74tyE0YjQ

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Fri Mar 10, 2023 12:40    Post subject: Reply with quote
Thank you both.. I will have a look at this.
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Sat Mar 11, 2023 11:18    Post subject: Reply with quote
Thanks for that excellent video @foz111, I now have Wireguard running on my Synology. (I knew it was possible, but didn't think it was this easy)

Also, @egc, I have been able to set up a Wireguard tunnel with PBR on my R7800, and the throughput is better, around 130MB/s(ish) rather than 30MB/s. So a great improvement.

The next challenge is how to restrict access on the remote site.. (I know this isn't a Wireguard forum, but as some of you might have some experience in this, I'll ask anyway)..

I do not want to be able to access anything on the remote LAN, I only want to use their Internet connection.. How can we restrict access on the Wireguard connection?

The Remote Synology is running wg-easy in a docker container.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Mar 11, 2023 11:36    Post subject: Reply with quote
If your WG Client (the R7800) has NAT enabled then anything arriving at the Synology has a source address of your WG client e.g. 10.4.0.2.

So on the Synology you use iptables rules (assuming this is supported) to block traffic to your local subnet e.g.:
iptables -I FORWARD -s 10.4.0.0/24 -d <local-lan-subnet> -j REJECT

scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Sun Mar 12, 2023 20:23    Post subject: Reply with quote
So to answer my question (in addition to what egc said)..

I managed to amend the iptables in the wg-easy docker image I have running in such a way that all LAN access was denied..

Thanks for the input, I now have a Wireguard solution working on the DD-WRT which routes selected traffic through the VAP.. Great stuff. :)
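
An added example, not part of any post in this thread: a dry-run script that generates the FORWARD rule egc describes for one or more LAN subnets and reports which constructed destinations would be rejected. The tunnel subnet 10.4.0.0/24 comes from egc's example; the LAN subnets, the sample addresses and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Constructed values: 10.4.0.0/24 is the tunnel subnet used as
# the example in the thread; the LAN subnets are placeholders.
WG_SUBNET="10.4.0.0/24"
LAN_SUBNETS="192.168.1.0/24 192.168.50.0/24"

# Print one rule per LAN subnet. "-I" inserts at the top of FORWARD so the
# REJECT is evaluated before any broad ACCEPT for the tunnel; "-D" removes it.
gen_rules() {
    for lan in $LAN_SUBNETS; do
        echo "iptables $1 FORWARD -s $WG_SUBNET -d $lan -j REJECT"
    done
}

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP CIDR: succeeds when IP lies inside CIDR.
in_cidr() {
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# verdict SRC DST: what the generated rules do with a forwarded packet.
# PASS means "not matched here"; later rules in the chain still apply.
verdict() {
    if in_cidr "$1" "$WG_SUBNET"; then
        for lan in $LAN_SUBNETS; do
            if in_cidr "$2" "$lan"; then echo REJECT; return 0; fi
        done
    fi
    echo PASS
}

# Dry run: show the rules and check a few constructed packets.
gen_rules -I
for dst in 192.168.1.10 192.168.50.1 8.8.8.8; do
    echo "10.4.0.2 -> $dst: $(verdict 10.4.0.2 "$dst")"
done
```

The script only prints; to apply the rules, run the printed commands as root in the network namespace that owns the WireGuard interface, which for a containerised server such as wg-easy is assumed to be inside the container rather than on the Synology host.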
All times are GMT