Generic VPN assistant?

Hi, I have used OpenWRT for some years and I'm very happy!
But I still struggle with setting up VPNs in SoHo environments. I failed with OpenVPN, and also with TINC and now WireGuard. I guess it's not the technology, but my lack of knowledge of all the layers that need to play together.

So I'd like to ask if there are plans to simplify this process? How about an assistant that allows even normal users to set up a VPN connection to securely access their home site and LAN boxes? Something technology-agnostic that guides you through the single steps and helps you to check your configuration.
For example: I'd like to connect to my home LAN when I travel around and access various internal services. I fire up the $VPN_ASSISTANT and it asks me about the VPN scenario that I'd like to realize. I pick 'roadwarrior' (it explains that here it will allow dynamic access to internal services only for a single endpoint) and pick 'wireguard' as technology (it explains it is fast, modern and secure for this scenario). The assistant says I need a DDNS as the WAN IP is dynamic, and offers various services (simple to set up listed first) and I pick 'INWX Subdomain'. Next I enter my account at my DNS provider and the subdomain for the endpoint.
Next step, the assistant suggests a random high port for the VPN server that will be opened at the firewall. It also offers to enable a port-knocking sequence for additional security, but I just pick the default setting.
Next step, it explains that it created a 'vpn' firewall zone that isolates the endpoint from WAN and LAN. The checkboxes say that VPN nodes will only access LAN devices. I keep (allow secured Internet-Access) disabled.
Last step, it asks me to create VPN accounts that will be able to access via VPN. I enter 'Laptop' and click Linux and click add. Now it points me to wireguard.com to get the packages for Linux and lists the content of a /etc/wireguard/wg0.conf file that I need to paste via a sudo nano.
Next I create a client 'smartphone' and click Android. It then tells me to download the wireguard mobile client. I click 'show QR config' and import it to the mobile app.
On the last page, the assistant suggests checking the single stages of this setup and I agree. It checks if the endpoint is reachable, if the port is open and if wireguard can connect. Then it checks if the VPN can access the router itself and another LAN IP address. It confirms full functionality and closes.

I know there are a lot of tutorials out there, but they mostly vary in nuances and are sometimes outdated or don't help very much on troubleshooting.
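The configuration check that the post above asks for can be done in part statically, on the client file before it is deployed. This is an added example, not part of the original post or of OpenWrt; the function name, the dummy keys, the hostname, the subnets and the reading of "high port" as 1024-65535 are assumptions.

```python
import base64
import configparser
import ipaddress

# Constructed sample client file: dummy keys, placeholder host and subnets.
SAMPLE_CONF = f"""
[Interface]
PrivateKey = {'A' * 43}=
Address = 10.99.0.2/32

[Peer]
PublicKey = {'B' * 42}A=
Endpoint = vpn.example.org:47123
AllowedIPs = 10.99.0.1/32, 192.168.1.0/24
"""

def check_roadwarrior_conf(text, lan="192.168.1.0/24"):
    """Return a list of findings; an empty list means the file fits the scenario.
    Assumes one [Peer] section and one line per key (hypothetical helper)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    findings = []
    for section, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey")):
        raw = cp.get(section, key, fallback="")
        try:  # WireGuard keys are 32 bytes, base64-encoded
            ok = len(base64.b64decode(raw, validate=True)) == 32
        except ValueError:
            ok = False
        if not ok:
            findings.append(f"{section}.{key} is not a 32-byte base64 key")
    host, _, port = cp.get("Peer", "Endpoint", fallback="").rpartition(":")
    # Assumption: "high port" is read as 1024-65535.
    if not host or not port.isdecimal() or not 1024 <= int(port) <= 65535:
        findings.append("Peer.Endpoint must be host:port with a port in 1024-65535")
    lan_net, lan_routed = ipaddress.ip_network(lan), False
    for item in cp.get("Peer", "AllowedIPs", fallback="").split(","):
        try:
            net = ipaddress.ip_network(item.strip(), strict=False)
        except ValueError:
            findings.append(f"AllowedIPs entry {item.strip()!r} is not a valid CIDR")
            continue
        if net.version == lan_net.version and lan_net.subnet_of(net):
            lan_routed = True
        if net.prefixlen == 0:  # default route: Internet traffic would go via home
            findings.append(f"AllowedIPs {item.strip()} is a default route; scenario is LAN-only")
    if not lan_routed:
        findings.append(f"AllowedIPs does not cover the LAN {lan}")
    return findings
```

An empty list from `check_roadwarrior_conf(SAMPLE_CONF)` means the keys are well-formed, the endpoint uses a high port, and only the tunnel and LAN subnets are routed through the VPN.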

I understand your point, and I suppose it could be easier. Have you checked out the existing LuCI apps for OpenVPN/WireGuard?

If you're in the business of setting up VPNs for SoHos, why don't you simply learn the different layers involved though? I mean, today it seems to me people are helpless without a step-by-step tutorial, or a YouTube video showing where to point and click.

Dig into the VPN software documentation. Dig into OpenWrt's existing documentation on firewalls, zones and interfaces. Once you understand how it works, setting up a VPN is a breeze. And if it isn't, you'll know where the problem is and how to troubleshoot it.

2 Likes