Single-NIC "VPN in a box"... on DHCP, without reserved lease

Alex Morris
OpenVPN User
Posts: 23
Joined: Tue Mar 04, 2014 12:38 am

Single-NIC "VPN in a box"... on DHCP, without reserved lease

Post by Alex Morris » Fri May 01, 2015 11:44 pm

This has taken me all week to get working, so I feel some bragging is in order.

Sitting on my desk right now is a single-NIC "VPN in a box" which will work when connected to any DHCP network, without a fixed reservation, and which will successfully route incoming traffic.

It will detect its internal DHCP-assigned IP address, subnet address, subnet mask, gateway, DNS server, DNS domain and external IP address. It will edit the OpenVPN configuration file with the relevant details.

It will also send me an e-mail with pertinent information, and will create a time-limited (10600 seconds / 3 hours) port forward if it's behind a UPnP-enabled NAT router.

You may now applaud.

*takes a bow*


Background: my aging father often asks me to help him with various computer issues, and sometimes remote access beats trying to talk someone through something. I've got a spare TP-Link TL-MR3020 (a USB-powered "travel" router/wireless access point smaller than a deck of cards, with a single RJ45 Ethernet socket) which I haven't used in ages, a spare USB stick also unused for ages, and some time on my hands, so I figured I'd go about setting up a "magic box" that my father can plug in when desired and which will grant me access to his network.

I could have gone for some remote support software such as TeamViewer or similar, but I figured this'd be a device-agnostic approach (I should be able to talk to any TCP/IP device on his LAN, not just his computers) as well as a handy learning exercise for me.

The router is running OpenWRT Barrier Breaker. The USB stick is needed because the internal storage is too small for additional packages once OpenWRT is installed. The genesis of the project was reading this piece which describes setting up a portable OpenVPN client. It didn't take long for me to see other possibilities.

The tricky bits were getting to grips with iptables and trying to understand why the firewall wouldn't initially allow forwarding in and out of the same NIC (all my previous OpenWRT/OpenVPN installations have been on multi-NIC routers), and learning some scripting to parse the relevant details for the e-mail and configuration files... once I learned where those details were kept in the first place.

I could have gone for static IP addresses if I knew - or cared - what subnet my father's LAN uses and if I could guarantee that the subnet would never change. Instead, I figured I'd go for an approach which allows, for example, for a router replacement without having to worry about reconfiguring the device afterwards. The whole idea is that it's supposed to work seamlessly and truly be a "magic box". Took me a lot more effort, but it works as I hoped and I'm pleased with the result.

If he's not behind a UPnP-enabled NAT router then I'll have to talk the old man through port-forwarding each time his router changes (not very often, admittedly). But you can't have everything.
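The detection-and-templating step described in the first post, as an added example that is not the poster's own script: it parses constructed `ip addr`, `ip route` and resolv.conf output (labelled in the code) for the DHCP-assigned address, prefix, gateway and DNS server, converts the prefix to a dotted mask, and renders the per-network OpenVPN `push` lines so that only the detected LAN, not a blanket default route, is advertised to clients.

```shell
#!/bin/sh
# Added example (not the poster's script). Assumes iproute2/busybox-style `ip`
# output as on OpenWrt; all sample output below is constructed for offline use.

# Constructed samples of `ip -4 addr show dev eth0`, `ip route show dev eth0`
# and /etc/resolv.conf on a DHCP-configured LAN.
SAMPLE_ADDR='2: eth0    inet 192.168.37.142/24 brd 192.168.37.255 scope global eth0'
SAMPLE_ROUTE='default via 192.168.37.1 dev eth0  src 192.168.37.142
192.168.37.0/24 dev eth0 proto kernel scope link src 192.168.37.142'
SAMPLE_RESOLV='search home.lan
nameserver 192.168.37.1'

# Pull "ip/prefix", default gateway and first nameserver out of that output.
# Patterns accept IPv4 digits only, so unexpected text is dropped rather than
# pasted into the config file.
lan_cidr() { printf '%s\n' "$1" | sed -n 's/.*inet \([0-9.]*\/[0-9]*\).*/\1/p' | head -n1; }
lan_gw()   { printf '%s\n' "$1" | sed -n 's/^default via \([0-9.]*\).*/\1/p' | head -n1; }
lan_dns()  { printf '%s\n' "$1" | sed -n 's/^nameserver \([0-9.]*\).*/\1/p' | head -n1; }

# Prefix length (0-32) to dotted netmask, pure shell arithmetic.
prefix_to_mask() {
  p=$1; m=''
  for i in 1 2 3 4; do
    if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
    else o=$(( (255 << (8 - p)) & 255 )); p=0; fi
    m="$m${m:+.}$o"
  done
  printf '%s\n' "$m"
}

# Network address = address AND mask, octet by octet ($1=ip, $2=mask).
network_of() {
  set -- $(printf '%s %s' "$1" "$2" | tr '.' ' ')
  printf '%s.%s.%s.%s\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Render the per-network lines of the OpenVPN server config: push only the
# detected LAN (never 0.0.0.0/0) and its DNS server to connecting clients.
render_openvpn_lines() {  # $1=addr output, $2=route output, $3=resolv.conf
  cidr=$(lan_cidr "$1"); ip=${cidr%/*}; pfx=${cidr#*/}
  mask=$(prefix_to_mask "$pfx"); net=$(network_of "$ip" "$mask")
  printf 'push "route %s %s"\npush "dhcp-option DNS %s"\n' \
    "$net" "$mask" "$(lan_dns "$3")"
}

# On the box itself the arguments would be the live command outputs, e.g.
#   render_openvpn_lines "$(ip -4 addr show dev eth0)" "$(ip route)" "$(cat /etc/resolv.conf)"
render_openvpn_lines "$SAMPLE_ADDR" "$SAMPLE_ROUTE" "$SAMPLE_RESOLV"
```

The rendered lines would replace the matching `push` lines in the server config before OpenVPN is (re)started; the gateway from `lan_gw` is what the UPnP request and the status e-mail would report.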

Traffic
OpenVPN Protagonist
Posts: 4081
Joined: Sat Aug 09, 2014 11:24 am

Re: Single-NIC "VPN in a box"... on DHCP, without reserved l

Post by Traffic » Sat May 02, 2015 10:18 am

A simpler approach would be for you to run an OpenVPN server and your Father to connect as a client .. no need for OpenWRT at all. :mrgreen:

Alex Morris
OpenVPN User
Posts: 23
Joined: Tue Mar 04, 2014 12:38 am

Re: Single-NIC "VPN in a box"... on DHCP, without reserved l

Post by Alex Morris » Sat May 02, 2015 12:11 pm

Simpler for me, definitely! But running a VPN server here would require teaching him how to run VPN software on every single device for which he'd want support, or setting up some sort of network sharing on the one computer which connects for his other devices, or replacing his ISP's idiotic all-in-one router (it's a PVR/TV streamer/cable TV receiver with a built-in router as an afterthought, as far as I can tell) with something with equivalent functionality plus a VPN client... and he does rather like his television so I'd best not do anything to disrupt that.

Doing it this way meant spending no additional money (mine or his) as it's using existing hardware which would otherwise gather dust, plus I learned a bunch of useful stuff along the way.

Traffic
OpenVPN Protagonist
Posts: 4081
Joined: Sat Aug 09, 2014 11:24 am

Re: Single-NIC "VPN in a box"... on DHCP, without reserved l

Post by Traffic » Sat May 02, 2015 12:18 pm

Alex Morris wrote:
But running a VPN server here would require teaching him how to run VPN software on every single device for which he'd want support
All you need is the one client and you can route the rest of the client subnet.

Also, running openvpn is as simple as clicking the GUI icon and then the VPN .. presumably named such that your Father would have no trouble selecting the right VPN. Or run the Windows service and then the VPN is up all the time.

No doubt you are satisfied with your solution .. I just pointed out that it may not have been necessary.

On the other hand .. I do know users who cannot do even that simple task .. so I understand why you took the entire VPN out of the users' hands.

ratton
OpenVpn Newbie
Posts: 1
Joined: Tue May 05, 2015 7:44 pm

Re: Single-NIC "VPN in a box"... on DHCP, without reserved l

Post by ratton » Tue May 05, 2015 7:55 pm

Alex,

I'd be most interested to speak with you and peruse your config files if you're willing? You've gone 2 steps ahead of where I need to be and I'm tearing my hair out here!

Aim: Whilst away from home I want to connect to the home network via VPN and have all internet traffic come from the home broadband network, so anyone in the big bad world will consider me at home, i.e. invisible passthrough.

I'm using a TP LINK 703N mini router (but also have a 3020 available - they're very similar beasts). It's flashed with OpenWRT, flash extended using an ext4 USB drive. OpenVPN installed, server set up. Windows 7 client can connect but at that point it falls on its backside. I've tried a few configs and I swear for one instant the client took my home WAN IP. I'm always able to ping the OpenVPN server but only with fiddling can I ping the gateway modem/router and/or other machines on the home network.

The TP LINK is not the gateway modem/router and I fear this is my downfall. There has to be clever routing on the OpenWRT to get requests from the client back out to the internet and responses from the internet down the tunnel to the client - this is where I'm obviously stuck.

I also read logan's blog (and commented upon such!) amongst many, many others. I've read dozens of wikis, how-to pages, blogs, forum threads. Most setups are similar but slightly different.

You seem to have done what I need but gone the extra mile and created a dynamic script that will work after network changes. My network should remain static but perhaps I could incorporate some of your clever shenanigans too!

Any help would be very gratefully received!

Mike

Alex Morris
OpenVPN User
Posts: 23
Joined: Tue Mar 04, 2014 12:38 am

Re: Single-NIC "VPN in a box"... on DHCP, without reserved l

Post by Alex Morris » Mon Nov 23, 2015 10:04 am

ratton wrote:
I'd be most interested to speak with you and peruse your config files if you're willing? You've gone 2 steps ahead of where I need to be and I'm tearing my hair out here! [...]

Apologies for the slow response; I only received the topic reply notification today, more than six months after your post.

The MR3020 died and has gone to the great router graveyard in the sky; I replaced it with a spare Raspberry Pi instead. I don't have my MR3020 config files any more, but I'll try to answer any questions that I can from memory (with the caveat that my memory could very well be unreliable).
