I have OpenVPN installed on the Raspberry Pi, to be able to connect when I'm away from home.
After using the current setup I noticed a problem.
I have a port forward on my main router (to forward traffic from the internet to the Raspberry Pi).
When I connect to the VPN and try to view the cameras, there is a major delay. Before (using VLANs) I got at least 1 frame per second; now I get 1 frame every 5 seconds.
Does it make sense?
VPN is connected to: 192.168.100.134 (but it uses another interface: 10.8.0.1)
In my IP camera app, I connect to: 192.168.100.5:554
Which is forwarded to: 192.168.101.108:554
I'd be happy to try to answer why you are experiencing lower performance now, but I'd need to understand the configuration you had previously in order to compare.
One thing you could try would be to connect directly to 192.168.101.108 from your Pi -- that assumes that your Pi has an address on that subnet (per your drawing, it would, but you obviously need to have set the Pi to work with that tagged network).
Before having VLANs, the NVR was on the same VLAN as the Raspberry Pi: good, at least 1 FPS (but this is not a secure setup; I cannot have the NVR on my main network).
Using two VLANs and using socat that runs on the Raspberry Pi to allow me to forward traffic from the Pi to the NVR (this is inefficient, but easy for me to configure). Command used:
This gave good performance, at least 1 FPS (used the Raspberry Pi, to forward from Vlan 1 to Vlan.
Using 2 Vlans with a forwarding rule from vlan1 to vlan 4 (uses TP-Link 1043 to do forward from Vlan1 to Vlan4).
Getting 0.2 FPS, sometimes a bit better.
Since your Pi has an address on the '101' subnet, you should be able to connect to the NVR without any other tricks... just simply point the remote browser/app to the NVR's native address (you may need to make sure that the right routes are set up within the context of OpenVPN, but it should 'just work' once configured).
Seems this is more of an OpenVPN problem than OpenWrt, so I don't have high hopes here.
Tried to connect using the 101 address, it didn't connect at all (while on VPN).
Tried to set up routes in OpenVPN, it didn't work (probably configured it wrong).
Added this to the openVPN client config:
route 192.168.101.0 255.255.255.0 192.168.101.1
I will try later to do a fresh install of OpenVPN or WireGuard; maybe that will work, since when installing OpenVPN I only had 1 VLAN.
This route won't do anything because the gateway is part of the target network. The problem is that your remote end doesn't know how to reach that network in general. If it knew how to reach 192.168.101.1, it would also know how to get to other hosts on that network.
In theory, if your OpenVPN server knows the route to that network, all you need to do is tell the client side that there is a route to that network via the OpenVPN tunnel. In my case, I've done this as a push from the server...
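The two routing points from the reply above, as an added example that is not code from any poster in this thread: a `route` whose gateway lies inside its own destination network, and whether the options a server pushes send a given host through the tunnel. The sample configs are constructed (only the client `route` line is quoted from the thread) and the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample configs; only the client route line is quoted from the thread.
CLIENT = "client\ndev tun\nroute 192.168.101.0 255.255.255.0 192.168.101.1\n"
SPLIT_TUNNEL = "topology subnet\nserver 10.8.0.0 255.255.255.0\n"
PUSHED = SPLIT_TUNNEL + 'push "route 192.168.101.0 255.255.255.0"\n'
FULL_TUNNEL = SPLIT_TUNNEL + 'push "redirect-gateway def1"\n'


def gateway_inside_target(client_conf):
    """Return (network, gateway) for route lines whose gateway is in the routed network."""
    flagged = []
    for line in client_conf.splitlines():
        w = shlex.split(line, comments=True)
        # Only literal IPv4 gateways are checked; keywords such as vpn_gateway are skipped.
        if w[:1] == ["route"] and len(w) >= 4 and w[3][0].isdigit():
            net = ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False)
            if ipaddress.ip_address(w[3]) in net:
                flagged.append((str(net), w[3]))
    return flagged


def pushed_networks(server_conf):
    """Networks the server tells clients to send into the tunnel."""
    nets = []
    for line in server_conf.splitlines():
        w = shlex.split(line, comments=True)
        opt = w[1].split() if w[:1] == ["push"] and len(w) == 2 else []
        if opt[:1] == ["route"] and len(opt) >= 3:
            nets.append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False))
        elif opt[:1] == ["redirect-gateway"]:
            # Full tunnel: every destination goes via the VPN (def1 does it as two /1 routes).
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
    return nets


def client_reaches_via_tunnel(server_conf, host):
    """True if a pushed route covers host, i.e. the client will use the tunnel for it."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in pushed_networks(server_conf))


if __name__ == "__main__":
    print(gateway_inside_target(CLIENT))
    for name, conf in [("split", SPLIT_TUNNEL), ("pushed", PUSHED), ("full", FULL_TUNNEL)]:
        print(name, client_reaches_via_tunnel(conf, "192.168.101.108"))
```

A covering route only settles the client side: the VPN host still has to forward between the tunnel interface and the VLAN interface, and the NVR needs a return path to 10.8.0.0/24.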
$ cat /etc/openvpn/server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi_6fbc7844-cb90-4e3c-8fa1-6bc03c2c59d5.crt
key /etc/openvpn/easy-rsa/pki/private/pi_6fbc7844-cb90-4e3c-8fa1-6bc03c2c59d5.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
#keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
openVPN client config:
$ cat PC.ovpn
client
dev tun
proto udp
remote my-host-name.no-ip.biz 62520
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name pi_6fbc7844-cb90-4e3c-8fa1-6bc03c2c59d5 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
# cert & keys omitted from this line until EOF
I'm not seeing anything terribly interesting there (except for the lack of the push directive)... but there is one curiosity -- it looks like eth0 and eth0.1 both have the same address. I wouldn't think that would work properly. You might want to look into that.
Is this Pi running OpenWrt, too? or is it something else (like Raspberry Pi OS)?
About eth0 and eth0.1: you are right, I will fix that; probably my VLAN configuration on the Pi needs some adjustments.
I removed the push directive from the OpenVPN server config (since it didn't make a difference).
The Pi is running Raspberry Pi OS (Raspbian 10).