OpenWrt Forum Archive

Topic: Firewall confusion - single-NIC OpenVPN - SOLVED

The content of this topic has been archived on 23 Mar 2018. Unfortunately there are posts – most likely complete pages – missing.

HooTooJunkie wrote:

Did you choose the option to 'keep old settings' ... when you did the FW update to 15.05.1
(I only ask because some others said ...keeping the settings messed-up some other aspect of the install)

Yes. Force of habit; I couldn't be bothered with a factory restore and reconfiguring afterwards. Don't know if I should have done, but it doesn't appear to have broken anything.

HooTooJunkie wrote:

I know the squashfs-sysupgrade.bin is the file to use, after changing the original factory FW ...
But what's the initramfs-uImage file for, shown in that same folder?
(Just curious)

Without reading the release notes, I'm not sure (or can't remember). I would hazard a guess that it might be the file to use for the first change from the manufacturer's firmware to OpenWRT. I put OpenWRT on my TM02 as soon as I bought it, which was a while ago.

HooTooJunkie wrote:

What if I wanted to place this VPN TM02 before my main router?
In other words, have the Cable-Modem Ethernet go into the TM02 Ethernet, instead of my main router, and my main router linked to the TM02 thru WiFi.

It's certainly technically possible (configure eth0 as the WAN and wlan0 as the LAN), but I wouldn't recommend it. The TM02 is woefully underpowered and I suspect it would become a bottleneck. Your router's throughput should always be faster than the speed your ISP offers, not slower. Shunting packets around at high speed takes CPU power and RAM.

On top of this, if you're contemplating any sort of white-listing or filtering, or even a VPN server, then that takes even more CPU power and RAM. Your router is actually a little computer, albeit one which is optimised for network traffic, and, as with all computers, faster CPUs and more RAM is better. I'd be happy to use the TM02 as a VPN server if all I was doing was simple admin work in a text console, e.g. SSH or Telnet. I wouldn't want to use it for anything data-heavy, such as a graphical remote console, video streaming, or the like.

Lastly, WiFi is half-duplex, not full-duplex, is contended between all of your wireless devices, and you will never achieve the headline speed advertised by the manufacturer. This is especially noticeable when the wireless router has a slow CPU and not much RAM available.

This page - http://www.smallnetbuilder.com/tools/charts/router/view - gives some benchmark wired throughput figures for lots of different devices. Right down near the bottom of the list, with a pitiful 36.6Mbps, is the TP-Link TL-WR710N. The specs of this device are very similar to the HooToo TM02 - see https://wiki.openwrt.org/toh/hwdata/tp- … l-wr710n_1 and https://wiki.openwrt.org/toh/hwdata/hoo … tenano_v15 and compare the CPU speeds and RAM.

As a comparison, the GL-MT300N has a 580MHz CPU and 64MB RAM - http://www.gl-inet.com/mt300n/#14425660 … 448f7-2698 - and Amazon UK has it for 22 quid. I've ordered one out of curiosity; it should arrive some time next week. 

HooTooJunkie wrote:

-- would there still be a need to create a forwarding rule for the main house router, as you needed to do with your Buffalo router?  Or does the forwarding rule now need to be placed on the TM02, or both routers?

The only reason I offered an instruction for a port-forwarding rule was because I was testing OpenVPN on an internal device on my network for the purpose of this thread - the TM02.

Normally I run OpenVPN directly on the Buffalo; I have only one port open to the outside world - UDP 1194 - and I don't have any port forwards configured. Once I connect to the VPN then I'm on my home LAN and can interact with all the devices on my network.

If you're planning on making the TM02 your public-facing router, then you also won't need any port forwarding configured, for the same reason. If all you want to do is browse the Internet as if you were at home, then you're done.

If your other computers are connected via Ethernet to the WRT54G then you can configure the WRT54G as an access point (or wireless bridge) instead of a router (assuming you can do so; I'm not familiar with the software on that device) and your other wired equipment should also be accessible to you over the VPN. If you can't configure the WRT54G as an access point/wireless bridge then you're into the realm of routing tables, which is beyond the scope of this thread.

HooTooJunkie wrote:

I'm considering doing this setup, because I also want to create an IP White-List, on the TM02 to filter everything except my needed allowed ports and IP / URL's to enter, before it gets to my main router.

I've been getting hackers constantly trying to get into port 520, among others, and figured I can also block them from even getting into my computers if I block it with this TM02.

My main router doesn't support OpenWRT. (WRT54G v8)

My advice? Do one of two things:
* Ditch the WRT54G and buy a fast router which will run OpenWRT as well as a white-list/filter - https://wiki.openwrt.org/toh/views/toh_ … ilable_864 - install OpenVPN on it, and don't bother trying to daisy-chain multiple routers, or;
* Keep the WRT54G and buy/build a cheap computer and install Ubuntu or similar on it, and use that as your OpenVPN server. I recently installed OpenVPN on a Raspberry Pi 3 running Raspbian Jessie; it's a single-NIC device just like the TM02 or TL-MR3020, so lots of the principles were the same or similar.

Lastly, keep the TM02 as a cute little toy for experimentation and teaching yourself about OpenWRT, networking, and other related concepts.
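As an added illustration of the firewall posture 600cc describes above (one UDP port, 1194, open on the WAN side, no port forwards, and everything else arriving from the outside refused before it reaches the LAN, which also covers the port 520 probes HooTooJunkie mentions), here is an OpenWrt `/etc/config/firewall` fragment for a router that runs the OpenVPN server itself. This is example configuration written for this page, not a config taken from 600cc's posts or from OpenWrt's defaults; it assumes the eth0-as-WAN / wlan0-as-LAN arrangement discussed earlier, an OpenVPN server in tun mode whose interface is `tun0`, and the zone name `vpn` is my own choice rather than anything the thread uses.

```uci
# Example /etc/config/firewall for an OpenWrt router running OpenVPN
# (added example; zone name 'vpn' and the tun0 device are assumptions)

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

# Trusted side: the wireless LAN (wlan0 lives in the 'lan' interface)
config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# Untrusted side: eth0 towards the cable modem.
# Default policy for traffic addressed to the router itself is REJECT,
# so anything not explicitly allowed below (port 520 included) is refused.
config zone
	option name		wan
	list   network		'wan'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# LAN clients may reach the Internet (NAT applied by 'masq' above)
config forwarding
	option src		lan
	option dest		wan

# The only service exposed on the WAN: the OpenVPN listener on UDP 1194
config rule
	option name		Allow-OpenVPN
	option src		wan
	option proto		udp
	option dest_port	1194
	option target		ACCEPT

# Needed so the WAN interface can keep its DHCP lease from the modem
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Optional: silently DROP the UDP 520 (RIP) probes instead of answering
# with an ICMP reject, so the scanner learns nothing about the host
config rule
	option name		Drop-RIP-Probes
	option src		wan
	option proto		udp
	option dest_port	520
	option target		DROP

# Zone for connected VPN clients, bound to the OpenVPN tun device
config zone
	option name		vpn
	option device		tun0
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

# Once authenticated, VPN clients behave like LAN members...
config forwarding
	option src		vpn
	option dest		lan

# ...and can browse the Internet through the home connection
config forwarding
	option src		vpn
	option dest		wan
```

After saving the file, `/etc/init.d/firewall restart` applies it, and `fw3 print` shows the iptables commands OpenWrt generates from it, which is the quickest way to confirm that only 1194/udp and 68/udp are accepted in the `zone_wan_input` chain. Note that no `redirect` (port forward) section is present: because the VPN server terminates on the router itself, the `Allow-OpenVPN` rule is all that is required, exactly as 600cc says; a forward would only be needed if the server lived on an internal host such as the TM02 sitting behind the router.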

HooTooJunkie wrote:

One note from your additional info regarding the VPN config...
The original config listed in your TM02 post didn't have the option mute 20 line at the end...
as the new example you show at post #23
https://forum.openwrt.org/viewtopic.php … 06#p316706

Does that line need to also be used, or you were just giving an example?

Fixed. I inadvertently missed that line out when copying the config file originally.

(Last edited by 600cc on 26 Mar 2016, 02:40)

@ 600cc

Thanks for this incredible bunch of info, and explanation.

I've decided to get a new main Home router that has OpenWRT compatibility, and use the TM02 as a private secure VPN Client bridge, outside, to connect to my new main router's VPN Server, thru my iPad 2, by the TM02-created network the iPad 2 would connect on.

That's the best option for me, given all your info about it.

Yes...I wasn't planning to stream videos on the VPN, and just was trying to use my home private internet connection as my outside secure access to the internet, when on public HotSpot WiFi.

You have no idea how much you've helped me...
I truly appreciate it..!

HooTooJunkie wrote:

@ 600cc

Thanks for this incredible bunch of info, and explanation.

I've decided to get a new main Home router that has OpenWRT compatibility, and use the TM02 as a private secure VPN Client bridge, outside, to connect to my new main router's VPN Server, thru my iPad 2, by the TM02-created network the iPad 2 would connect on.

That's the best option for me, given all your info about it.

Yes...I wasn't planning to stream videos on the VPN, and just was trying to use my home private internet connection as my outside secure access to the internet, when on public HotSpot WiFi.

You have no idea how much you've helped me...
I truly appreciate it..!

You're welcome. Hope it helps.

For what it's worth, I'll soon be migrating my edge router away from OpenWRT, now that I've acquired this little gizmo: https://www.ubnt.com/edgemax/edgerouter-x/ - 50 quid for a five-port gigabit-speed business-grade router slightly larger than a packet of fags, with hardware specs which put the more expensive Buffalo to shame! I'll move the OpenVPN installation to an internal computer (or a VM on my NAS) and install OpenConnect alongside it. I'll keep OpenWRT on the portable USB-powered routers, for when I spend time away from home in hotels and the like.

(Last edited by 600cc on 26 Mar 2016, 03:02)

Thanks

(Last edited by HooTooJunkie on 27 Mar 2016, 18:56)

600cc wrote:

For what it's worth, I'll soon be migrating my edge router away from OpenWRT, now that I've acquired this little gizmo: https://www.ubnt.com/edgemax/edgerouter-x/ - 50 quid for a five-port gigabit-speed business-grade router slightly larger than a packet of fags, with hardware specs which put the more expensive Buffalo to shame! I'll move the OpenVPN installation to an internal computer (or a VM on my NAS) and install OpenConnect alongside it. I'll keep OpenWRT on the portable USB-powered routers, for when I spend time away from home in hotels and the like.

Scratch that "move the OpenVPN installation to an internal computer" nonsense... Turns out the ER-X is based on Vyatta, which is derived from Debian. I can run OpenVPN directly on the ER-X. Time to experiment...

Anyway, this has all become rather off-topic. This is an OpenWRT forum, not an Ubiquiti one... :-)

600cc wrote:

For what it's worth, I'll soon be migrating my edge router away from OpenWRT, now that I've acquired this little gizmo: https://www.ubnt.com/edgemax/edgerouter-x/ - 50 quid for a five-port gigabit-speed business-grade router slightly larger than a packet of fags, with hardware specs which put the more expensive Buffalo to shame! I'll move the OpenVPN installation to an internal computer (or a VM on my NAS) and install OpenConnect alongside it. I'll keep OpenWRT on the portable USB-powered routers, for when I spend time away from home in hotels and the like.

Scratch that "move the OpenVPN installation to an internal computer" nonsense... Turns out the ER-X is based on Vyatta, which is derived from Debian. I can run OpenVPN directly on the ER-X. Time to experiment...

Anyway, this has all become rather off-topic. This is an OpenWRT forum, not an Ubiquiti one... :-)

Hi, what's up?

I was considering getting one of the above Edge routers you linked to, and was wondering if you succeeded on running OpenWRT on it, or kept the stock firmware?

I wanted to use this to also act as a WhiteList, to block everything except the wanted allowed sites and IP's.
Does the stock firmware support creating a WhiteList, as well as having its VPN Server?
Or would I need to use OpenWRT?

HooTooJunkie wrote:

Hi, what's up?

I was considering getting one of the above Edge routers you linked to, and was wondering if you succeeded on running OpenWRT on it, or kept the stock firmware?

I wanted to use this to also act as a WhiteList, to block everything except the wanted allowed sites and IP's.
Does the stock firmware support creating a WhiteList, as well as having its VPN Server?
Or would I need to use OpenWRT?

Yo. Merry Christmas and stuff. Sorry - again - for the delay. Not sure why I'm not receiving reply notifications.

I never tried putting OpenWRT on it; the stock firmware is good enough for my purposes. I did succeed in putting OpenVPN on it, though.

The stock firmware supports PPTP and IPSec out of the box. OpenVPN can be added as a package from the command line.

As for whitelisting, it's possible though I've not experimented with any censorship so I don't know how much effort would be involved. I'm the only user of my network, so I don't feel a need to limit what websites I allow myself to use. :-)

As noted earlier, this is an OpenWRT forum, not an Ubiquiti forum. The members of the Ubiquiti forum are very knowledgeable, friendly, and helpful, should you be tempted to buy into the EdgeRouter ecosystem. I'm on there, too, although with a different username...

The discussion might have continued from here.