OpenVPN Home Appliance
#1
Original Poster
Join Date: Nov 2006
Location: Detroit; Formerly Dubai
Posts: 3,652
OpenVPN Home Appliance
I'm looking at an appliance for OpenVPN access to my home network and for confidential surfing. As more and more services are blocking public VPNs, I'd like to just tunnel through my own system.
By the way, I moved back to the US a long time ago. Despite my handle, I'm not interested in piping in the UAE's censored (though far less than before) internet into other locations.
#2
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
If you enjoy a little tinkering, you can get an Asus router (I recommend the RT-N66u - I don't care about AC wireless, personally) and put Tomato on it. I use it for OpenVPN all the time. I also maintain a site-to-site VPN between my parents' house, office, and my house.
#3
Join Date: Jul 2011
Posts: 38
I have a QNAP NAS that acts as an OpenVPN server at home for me. It pretty much worked out of the box for me.
I also have an Asus RT-66U router with Shibby Tomato firmware set up as a PPTP server. The NAS is also able to simultaneously run as a PPTP server, but I felt it was better to have a server on a second device as a backup instead in case the NAS falls over (it hasn't yet however; but I'm gone for long periods of time, and it would allow me the ability to reset the NAS as well as issue Wake-on-LAN packets to it via the router only, if ever required).
The router is also able to run as an OpenVPN server - but I found the NAS performance and throughput to be better than the router, hence stuck with it.
#4
Original Poster
Join Date: Nov 2006
Location: Detroit; Formerly Dubai
Posts: 3,652
I have a QNAP NAS that acts as an OpenVPN server at home for me. It pretty much worked out of the box for me.
I also have an Asus RT-66U router with Shibby Tomato firmware set up as a PPTP server. The NAS is also able to simultaneously run as a PPTP server, but I felt it was better to have a server on a second device as a backup instead in case the NAS falls over (it hasn't yet however; but I'm gone for long periods of time, and it would allow me the ability to reset the NAS as well as issue Wake-on-LAN packets to it via the router only, if ever required).
The router is also able to run as an OpenVPN server - but I found the NAS performance and throughput to be better than the router, hence stuck with it.
I looked on the QNAP forum and saw others complaining about the same lack of this feature and assume it wasn't possible (absent serious hacking of the device). If I'm wrong, please let me know. One less device is always better.
#5
Join Date: Jun 2008
Location: YVR
Programs: Aeroplan, AAdvantage
Posts: 2,100
I find setting up VPN an absolute nightmare and use OpenSSH (built in SOCKS proxy) + redsocks instead (or sshuttle). You can set your SSHD to port 443 for something that's never blocked. If you need HTTPS too then use SSLH. Both OpenSSHD and SSLH are readily available for OpenWRT. (And QNAP http://wiki.qnap.com/wiki/Replace_ssh too)
Last edited by chx1975; Jan 2, 2015 at 11:09 pm
#6
Join Date: Jul 2011
Posts: 38
I have a dual NIC QNAP NAS but wasn't able to get the VPN to connect to my home (or outside network). I could VPN into the NAS just fine and access the files on it, but I couldn't get it to relay/bind with the other network connection.
I looked on the QNAP forum and saw others complaining about the same lack of this feature and assume it wasn't possible (absent serious hacking of the device). If I'm wrong, please let me know. One less device is always better.
My QNAP OpenVPN settings page looks like this:
I believe, the VPN client IP pool must *not* be in the same subnet as the LAN IP pool (eg: Lan is 192.168.1.xxx; VPN is 10.18.0.xxx).
My .ovpn config file to connect to my home VPN looks like this:
Code:
client
dev tun
# 3 lets OpenVPN run external scripts and pass the password to them via environment variables
script-security 3
proto udp
remote dynamicdns.example.com 1194
resolv-retry infinite
nobind
reneg-sec 0
cipher AES-256-CBC
comp-lzo
# username/password read from a local file rather than prompted
auth-user-pass credentials.txt
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
(bunch of gibberish characters live here)
-----END CERTIFICATE-----
</ca>
And of course, my router has the correct port forwarding to the NAS internal ip address.
When I'm out and about, I can VPN home, and access the files on my NAS, as well as surf the net and do everything else normally. whatismyip.com shows my IP address as coming from my home system.
I don't remember right now, but it may not be possible to connect to the VPN while you are connected on your internal network at home... (eg: if you're at home, and connected to the internet by your home router).
Edited to add: I believe what they would like to do, is have incoming OpenVPN connections on ETH1, and 'outgoing' OpenVPN traffic on ETH2. I'm guessing if you could set this up, it might give you slightly better performance; but on the whole, I didn't care to make that happen, as I believe my main bottlenecks were the speed of my home internet connection, and my router itself...
Last edited by slowmail; Jan 2, 2015 at 11:10 am
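The post above gives three things a home OpenVPN setup has to get right: the client profile itself, a client IP pool on a different subnet from the LAN, and a router port-forward that matches the profile's protocol and port. The following is an added example, not slowmail's or QNAP's code, that parses a profile of that shape (including the inline <ca> block) and checks those rules; the profile text, the 192.168.1.0/24 LAN, the 10.18.0.0/24 pool and the NAS address 192.168.1.50 are constructed sample values, and the optional client-side LAN check reflects the post's remark that connecting from inside the same network may not work.

```python
"""Added example (not from the thread): parse an OpenVPN client profile and
check it against the rules stated in the post above."""
import ipaddress
import re

# Constructed sample profile, modelled on the one in the post (placeholder CA body).
SAMPLE_OVPN = """\
client
dev tun
script-security 3
proto udp
remote dynamicdns.example.com 1194
resolv-retry infinite
nobind
reneg-sec 0
cipher AES-256-CBC
comp-lzo
auth-user-pass credentials.txt
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder-not-a-real-certificate...
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text):
    """Return (options, blocks).

    options maps a directive to a list of argument lists (a directive such as
    'remote' may appear more than once); blocks maps an inline tag name such
    as 'ca' to the text between <ca> and </ca>.
    """
    options, blocks = {}, {}
    current_tag, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current_tag:                       # inside <tag> ... </tag>
            if line == f"</{current_tag}>":
                blocks[current_tag] = "\n".join(buf)
                current_tag, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue                          # blank line or comment
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current_tag = m.group(1)
            continue
        parts = line.split()
        options.setdefault(parts[0], []).append(parts[1:])
    if current_tag:
        raise ValueError(f"unterminated <{current_tag}> block")
    return options, blocks


def pools_overlap(lan_cidr, vpn_pool_cidr):
    """True if the VPN client pool shares any address with the home LAN."""
    return ipaddress.ip_network(lan_cidr).overlaps(ipaddress.ip_network(vpn_pool_cidr))


def required_port_forward(options, nas_ip):
    """Router rule implied by the profile: (proto, external port, internal host)."""
    proto = options.get("proto", [["udp"]])[0][0]
    remote = options["remote"][0]
    port = int(remote[1]) if len(remote) > 1 else 1194   # OpenVPN default port
    return (proto, port, nas_ip)


def check_profile(text, lan_cidr, vpn_pool_cidr, nas_ip, client_lan_cidr=None):
    """Return a list of findings; an empty list means the setup is consistent."""
    options, blocks = parse_ovpn(text)
    findings = []
    if "remote" not in options:
        findings.append("profile has no 'remote' line")
    if "ca" not in blocks:
        findings.append("profile has no inline <ca> block, so the server cannot be verified")
    if pools_overlap(lan_cidr, vpn_pool_cidr):
        findings.append(f"VPN pool {vpn_pool_cidr} overlaps LAN {lan_cidr}; use a distinct subnet")
    if ipaddress.ip_address(nas_ip) not in ipaddress.ip_network(lan_cidr):
        findings.append(f"NAS address {nas_ip} is not inside LAN {lan_cidr}; port-forward target is wrong")
    if client_lan_cidr and pools_overlap(lan_cidr, client_lan_cidr):
        findings.append(f"client network {client_lan_cidr} uses the same range as the home LAN; routes will clash")
    return findings


if __name__ == "__main__":
    opts, _ = parse_ovpn(SAMPLE_OVPN)
    print("port-forward needed:", required_port_forward(opts, "192.168.1.50"))
    print("findings:", check_profile(SAMPLE_OVPN, "192.168.1.0/24", "10.18.0.0/24", "192.168.1.50"))
```

Run it against your own profile by replacing SAMPLE_OVPN with the file contents; the port-forward tuple is the rule the router needs (here UDP 1194 to the NAS), and any finding names the mismatch to fix first.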
#7
Original Poster
Join Date: Nov 2006
Location: Detroit; Formerly Dubai
Posts: 3,652
Thanks. I will look at my config and see what I am doing differently. I tested the configuration with a cellular modem to avoid the problem of VPNing on the same network. I mentioned the dual NICs only for VPN reasons.
#8
Join Date: Dec 2002
Location: Oregon
Programs: AA EXP, AS 75K, UA 1MM Gold, HH Diamond, Hyatt Explorist, IHG Plat, National EE, Hertz PC
Posts: 4,001
Other than appliance vs PC, is there any particular advantage to OpenVPN versus using the PPTP server built into recent versions (<15yr) of Windows?
Never mind. Answered my own question. Looks like there are some hoops to jump through to avoid vulnerabilities in MS-CHAP v2. However, if you VPN into something like a free-level Amazon EC2 server just for internet access from behind the great firewall... then I guess who really cares.
Last edited by elCheapoDeluxe; Jan 2, 2015 at 6:24 pm
#10
Join Date: Jan 2014
Location: ORD
Programs: UA 1k, SPG Plat 100
Posts: 619
If you enjoy a little tinkering, you can get an Asus router (I recommend the RT-N66u - I don't care about AC wireless, personally) and put Tomato on it. I use it for OpenVPN all the time. I also maintain a site-to-site VPN between my parents' house, office, and my house.
#11
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
I pay a little bit each month for a VPS to host my web page and some personal backups. Having that anyway, I just run an OpenVPN server there -- pretty easy install on CentOS.
There's a PPTP server and not just a client in desktop versions of Windows?
My experience setting up the Linux PPTP daemon was that it was a pain in the neck to set up, and my home router didn't really pass everything it needed on incoming connections. SSL-based VPN which just needed a single port was easier.
Once running a free-level EC2 server, OpenVPN is pretty easy. Bunch of steps, but pretty much just "follow the instructions."
Never mind. Answered my own question. Looks like there are some hoops to jump through to avoid vulnerabilities in MS-CHAP v2. However, if you VPN into something like a free-level Amazon EC2 server just for internet access from behind the great firewall... then I guess who really cares.
#12
Join Date: Dec 2002
Location: Oregon
Programs: AA EXP, AS 75K, UA 1MM Gold, HH Diamond, Hyatt Explorist, IHG Plat, National EE, Hertz PC
Posts: 4,001
Yes. Can't speak for "home" versions because I can't remember the last time I owned one - but certainly in XP pro, Win 7 pro, Win 8 pro. Go to your network adapters window, go to the file menu (press alt-F in Win 8 to display) and select "new incoming connection". Just need to allow the PPTP port through your firewall as applicable after that.
#13
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Yes. Can't speak for "home" versions because I can't remember the last time I owned one - but certainly in XP pro, Win 7 pro, Win 8 pro. Go to your network adapters window, go to the file menu (press alt-F in Win 8 to display) and select "new incoming connection". Just need to allow the PPTP port through your firewall as applicable after that.
#14
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,151
If you want to make your head hurt, consider this...
ASUSWrt-Merlin is an open-source product, which is based on a commercial product (ASUS standard firmware) which is based on an open source product (Tomato) which is based on a commercial product (Linksys firmware), which is based on an open source product (Linux).
#15
Join Date: Nov 2003
Location: San Jose, CA
Posts: 460