I'm in the midst of setting up openwrt generic x86, and after having sorted the basics of routing, the dhcp and firewall I'd like to move on to setting up remote access so I can do basic admin tasks while away.
There seem to be a lot of different ways to do this, and even more opinions on which is best, safest, easiest, so I thought that it might be an idea to start a discussion thread on the topic.
I don't have a specific problem, but I'd like to "canvas opinions" before choosing the way that I do it.
From what I can see there are various ways that range from easy to difficult and from safe to extremely ill advised.
direct port forwarding to the Web Interface from your ip
using a third party phone app
using a VPN on a separate server
using a VPN integrated into openwrt
using third party plugins such as the home assistant integration
a combination of the above
What are everyone's thoughts and experiences?
I've not yet settled on a method or my final hardware but I'm leaning toward setting up a virtual instance of openvpn or similar on proxmox, and moving openwrt on the same box, and then just using the gui over the VPN for admin, and creating a home assistant dashboard over the same VPN for monitoring as it allows for custom notifications.
Again, this is more of an open-ended discussion of what is possible, what is easy, and what to avoid, rather than a specific problem with a single solution.
You're using separate hardware to host the VPN, rather than a VPN plugin for openwrt. Was that a pre-planned choice, or just because you already had one set up?
I've seen people saying that it's a safer method, and others saying that it's better to do from within openwrt to save on VM or docker overheads.
I just had a device available in my network to use, otherwise setting it up on your internet facing router is fine.
It uses some CPU cycles, but any decent router can handle it. Perhaps not at wire speed, but for simple access that speed is not important. Security-wise it is no problem to run a WireGuard server on your router.
Mirroring @egc 's suggestion, I would highly recommend WireGuard. In addition to being a secure and encrypted communications channel, one of the really nice things about the protocol is that it is not "chatty" in that it does not respond to port probes. This means that an attacker (i.e. the internet) will not know that you have any ports/services exposed (if this is the only one, anyway), thus reducing the attack surface significantly.
OpenVPN is also fine, but it is much more complicated to set up and is less performant (on x86, the performance is good, but it can be much slower on devices such as travel routers and mobile phones and may also increase power consumption).
Do not open the web interface to the internet -- it's not hardened and not intended for this purpose.
I'm not sure what 3rd party phone apps you are looking at, but you'll of course need a corresponding app/service on your network -- the security/reliability/performance of these can vary widely. Some can be great, others can be an invitation to hack your network.
re: VPN on the main router or behind it -- it doesn't really matter much. It's mostly a matter of preference. I run mine behind the router for various reasons, but I've helped countless people get it running in both contexts and they work equally well when properly configured.
You also mentioned virtualizing your setup... It is generally not recommended to put your main router in a VM. It greatly complicates the configuration/setup (you're now dealing with 3 different environments stacked up -- the host OS, the supervisor/hypervisor, and then the VM/guest OS), and can also introduce additional issues with respect to maintenance/updates, reliability, security, and troubleshooting.
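A small audit script for the "do not open the web interface to the internet" advice above, added here as an example and not written by anyone in the thread: it parses a constructed /etc/config/firewall snippet and flags any redirect or accept rule that opens SSH or LuCI from the wan zone, while confirming that a WireGuard UDP rule is present instead. The section names and the port 51820 are assumptions.

```python
"""Audit an OpenWrt /etc/config/firewall for admin ports exposed on wan.

Constructed example (not from the forum thread). Only the UCI
'config'/'option' syntax is handled, which is enough for firewall files.
"""
import re

ADMIN_PORTS = {"22", "80", "443"}  # ssh, LuCI http, LuCI https

# Constructed sample: one bad port-forward to LuCI plus a WireGuard rule.
SAMPLE_FIREWALL = """
config redirect
\toption name 'Expose-LuCI'
\toption src 'wan'
\toption src_dport '443'
\toption dest 'lan'
\toption dest_ip '192.168.1.1'
\toption dest_port '443'
\toption proto 'tcp'

config rule
\toption name 'Allow-WireGuard'
\toption src 'wan'
\toption dest_port '51820'
\toption proto 'udp'
\toption target 'ACCEPT'
"""


def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI text."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif line.startswith("option ") and sections:
            m = re.match(r"option\s+(\S+)\s+'?([^']*)'?", line)
            sections[-1][1][m.group(1)] = m.group(2)
    return sections


def audit(text, wg_port):
    """Return (findings about exposed admin ports, whether a WireGuard UDP rule exists)."""
    findings, has_wg = [], False
    for stype, o in parse_uci(text):
        if o.get("src") != "wan":
            continue  # only traffic arriving from the internet matters here
        port = o.get("src_dport") or o.get("dest_port")
        accepted = stype == "redirect" or o.get("target") == "ACCEPT"
        if accepted and o.get("proto", "tcp") == "tcp" and port in ADMIN_PORTS:
            findings.append(f"{o.get('name', '?')}: {stype} opens tcp/{port} from wan")
        elif accepted and o.get("proto") == "udp" and port == wg_port:
            has_wg = True
    return findings, has_wg
```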