Looking for a VPN Server (or a client?)

I want to be able to log into my home network from my laptop (say, in a coffee shop) and administer my OpenWrt router and the other devices/servers on that local network. I have a couple of questions:

  1. Do I install a VPN Server or a VPN client on my OpenWrt router? I believe I install a client on my laptop, and a server on my OpenWrt router, but I'm just guessin'... (It's surprising, but none of the half-dozen documentation pages describe which is which...)

  2. What is the current state of OpenWrt packages: Which ones are well-maintained? Which ones are reliable? Which ones have clients that run on a wide variety of desktop/laptop/tablet/phone OSes?

  3. Are there reasons to choose one over the other?

Many thanks.

Update: It seems as if Wireguard is a secure choice, simple enough to configure for ordinary situations. There are plenty of solutions for more complicated situations, which you're free to ask about.

Go with Wireguard, easiest to set up and fastest.


+1 to what @krazeh said.

To answer your server/client question, wireguard actually doesn’t make a distinction. Everything is just peer based.

But from a practical perspective, you will make your router into a server. Your laptop will be a client (a remote peer in the case of wireguard).

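A minimal OpenWrt configuration for the layout described above (router as the "server", laptop as a remote peer), added here as an illustration; it is not from this thread or from the OpenWrt wiki. Key material and the peer name are placeholders, and the 10.0.9.0/24 tunnel subnet and UDP port 51820 are assumed values.

```uci
# /etc/config/network  (added illustration; all keys are placeholders)
config interface 'wg0'
	option proto 'wireguard'
	# generate with: wg genkey
	option private_key '<ROUTER_PRIVATE_KEY>'
	# the UDP port the laptop will send to
	option listen_port '51820'
	# assumed tunnel subnet, router side
	list addresses '10.0.9.1/24'

# one section per remote peer: the laptop's public key is what admits it,
# and allowed_ips pins that key to a single tunnel address, not 0.0.0.0/0
config wireguard_wg0
	option description 'laptop'
	option public_key '<LAPTOP_PUBLIC_KEY>'
	# optional extra symmetric key, generated with: wg genpsk
	option preshared_key '<OPTIONAL_PSK>'
	list allowed_ips '10.0.9.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# /etc/config/firewall
# accept only the tunnel's UDP port on wan; nothing else on wan changes
config rule
	option name 'Allow-WireGuard-Inbound'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# the existing lan zone, with wg0 added to its network list so a connected
# peer can reach the router's ssh/LuCI and the other LAN devices like a LAN host
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'
```

On the laptop, the matching peer entry uses the router's public key, the home public IP or DDNS name with port 51820 as the endpoint, and AllowedIPs covering 10.0.9.0/24 plus the home LAN subnet.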

Thanks for the advice. I updated the Wireguard page to match what I think you said. See: https://openwrt.org/docs/guide-user/services/vpn/wireguard/start

Comments, please. Thanks.

If I'm honest I'm not sure the addition was necessary or makes anything clearer.

OpenVPN.

It is fully functional, flexible software.

E.g., if you want to run an OpenVPN server and client on the same device, no problem, with the only limitation that the server should use the TCP protocol. But Wireguard uses UDP only. I've seen examples in PBR configuration, but I don't understand how they work. So if you need the simplest and fastest solution without extra demands, you can use Wireguard. If you have specific requirements like the above, use OpenVPN.

Just because you don't understand how it works doesn't mean it doesn't. It's simple to run a wireguard interface with multiple different peers for different needs. More complicated setups are easily catered for through manual routing or packages like PBR.

The only reason to use OpenVPN is that you use an external provider which requires its use, or you have need for layer 2 functionality which is rare.

I repeat once more: I don't understand how PBR can treat UDP. I've implemented my requirements with the aid of OpenVPN absolutely directly without any trouble.

Do you think you can't route UDP packets? How do you think they normally get from source to destination?

Wireguard is a reliable, very fast and simple solution. It's a main point for low-resource devices. Much more reliable and simpler than OpenVPN.
UDP is a main point why it's more secure and fast. It can't be detected because it won't answer packets from an unknown peer. Basically undetectable by design for port scanning.

The question is how to route them selectively, i.e. default route via one interface, and specific route for specified port number via another.

You add the required routing rules to the relevant routing tables, either manually or with something like PBR. Then the packets get routed where they need to go...

Yes, but routes can't be added only for specific ports. They could be added for specific IPs.

Well, 10 seconds of Google found 4 or 5 examples of using iptables to route UDP packets based on ports, so...

Plus you'd probably not really need to do any port based routing for a wireguard setup anyway.

OK, give a couple of links.

https://lmgtfy.com/?q=iptables+udp+port+forwarding

OK, no link.

As the OP, I am going to close this topic because it's getting testy, and further light isn't being shed on the subject.

I updated the original post with what seems to be a solution.