Single-NIC "VPN in a box"... on DHCP, without reserved lease
Posted: Fri May 01, 2015 11:44 pm
This has taken me all week to get working, so I feel some bragging is in order.
Sitting on my desk right now is a single-NIC "VPN in a box" which will work when connected to any DHCP network, without a fixed reservation, and which will successfully route incoming traffic.
It will detect its internal DHCP-assigned IP address, subnet address, subnet mask, gateway, DNS server, DNS domain and external IP address. It will edit the OpenVPN configuration file with the relevant details.
It will also send me an e-mail with pertinent information, and will create a time-limited (10600 seconds / 3 hours) port forward if it's behind a UPnP-enabled NAT router.
You may now applaud.
*takes a bow*
Background: my aging father often asks me to help him with various computer issues, and sometimes remote access beats trying to talk someone through something. I've got a spare TP-Link TL-MR3020 (a USB-powered "travel" router/wireless access point smaller than a deck of cards, with a single RJ45 Ethernet socket) which I haven't used in ages, a spare USB stick also unused for ages, and some time on my hands, so I figured I'd go about setting up a "magic box" that my father can plug in when desired and which will grant me access to his network.
I could have gone for some remote support software such as TeamViewer or similar, but I figured this'd be a device-agnostic approach (I should be able to talk to any TCP/IP device on his LAN, not just his computers) as well as a handy learning exercise for me.
The router is running OpenWRT Barrier Breaker. The USB stick is needed because the internal storage is too small for additional packages once OpenWRT is installed. The genesis of the project was reading this piece which describes setting up a portable OpenVPN client. It didn't take long for me to see other possibilities.
The tricky bits were getting to grips with iptables and trying to understand why the firewall wouldn't initially allow forwarding in and out of the same NIC (all my previous OpenWRT/OpenVPN installations have been on multi-NIC routers), and learning some scripting to parse the relevant details for the e-mail and configuration files... once I learned where those details were kept in the first place.
I could have gone for static IP addresses if I knew - or cared - what subnet my father's LAN uses and if I could guarantee that the subnet would never change. Instead, I figured I'd go for an approach which allows, for example, for a router replacement without having to worry about reconfiguring the device afterwards. The whole idea is that it's supposed to work seamlessly and truly be a "magic box". Took me a lot more effort, but it works as I hoped and I'm pleased with the result.
If he's not behind a UPnP-enabled NAT router then I'll have to talk the old man through port-forwarding each time his router changes (not very often, admittedly). But you can't have everything.