OpenVPN from remote to router. Breakout to internet without VPN

I would like to configure the following for when I'm travelling abroad.

  • VPN provider = Private Internet Access (they only allow OpenVPN to run on routers).
  • VPN connection from my laptop to my home OpenWrt router.
  • Traffic from my laptop is routed to my OpenWrt router via VPN.
  • Traffic breaks out to internet, from my home router, without using VPN.

Would this allow me to access UK streaming services as if I was in the UK? For example, I would like to access NowTV, which no longer supports EU roaming, the Netflix UK service, iPlayer, etc.

Is this possible?

Yes, it's doable.

Not sure why you need PIA, if you're bouncing off your home router, to get a UK IP.

You shouldn't really need a VPN for streaming UK services while being in the UK?

The VPN connection would be from the laptop (anywhere) to home router. Is there another way to obtain a secure connection to the home router and break out to the internet?

I have configured adblock and DNS redirection on my home wan, so it would be nice to route my phone's mobile data via my home router to maintain adblocking, etc.

Thanks

If you make a VPN connection e.g. via Wireguard to your router and then have "Allowed IPs = 0.0.0.0/0, ::/0" on the client, then all traffic from the client goes to the router. If you put the wireguard interface in a firewall zone that allows it to be forwarded to wan, then all the traffic from the client can go to the internet. I can make some screenshots from my config if needed.

My VPN provider is PIA and they don't allow wireguard to run on routers. My only option is openvpn.

If I'm using my router as the VPN server, do I need to use a third party VPN provider or can I run my own private VPN?

You can run your own. I am doing pretty much the exact same thing.

I have wireguard on my openwrt at home. With my phone I connect to the openwrt router and from there I access the internet. I mainly do this for privacy and security reasons, e.g. if I use a public WiFi then everything I send is secure, and people also cannot detect what sites/IPs I'm using. Of course my ISP at home can detect. There is always somebody you need to trust.

BTW why do they not allow wireguard? And how can they detect if you do?

Wireguard isn't supported except via their desktop application, so it isn't possible to obtain the necessary configuration files/settings.

Would you mind sharing your configuration screenshots?

OK, what I did was the following.

Fill in the client's public key.

On the client (= phone),
Main config:
Address: 192.168.16.100/32
DNS server is 192.168.8.1 (= router main IP address on "lan" interface)
Define a peer:
Public Key: Fill in routers public key.
Allowed IPs: 0.0.0.0/0, ::/0
Endpoint: Router public IP:43648
Preshared key: xxxxxxxxxxxxxxx

The preshared key is not really needed btw, but you can use it for extra security. Guest interface is also not needed. Do make sure that the wireguard port is accessible from the internet. My main lan is 192.168.8.1/21
I put both of them in the "lan" firewall zone and set "forward" to accept=allow forwarding between different interfaces in the zone.

If you want broadcasts to also get through, then you may want to install avahi-dbus-daemon.

For avahi config:

I've followed this guide:

And this YouTube tutorial, but the official guide appears to have been updated since the video was produced - i.e. there is a new line

wg genkey | tee wgclient.key | wg pubkey > wgclient.pub

I used nano to set wgclient.pub to the same public key value as my Windows Wireguard client.

This is the configuration of my Windows Wireguard Client.


It says wireguard connection active, but zero bytes received.

I'm not able to ping anything.

Pinging 1.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

My router is showing 'Latest Handshake: Never'


I've checked the client and server are using the correct Public keys.

The logs show the handshake is timing out.

Any ideas?

Did you open a firewall port?

Oh, and check for small letter L = "l" vs. capital i = "I" if you type the keys manually, etc.

I think it might have been the pre-shared key. Because it was 'optional', I hadn't added it to my wireguard client. Once I added that, it started working - but only for LAN.

When I attempted to use my mobile phone as a hotspot, the connection didn't establish.

The firewall rules had been added via the CLI, but I'd fiddled with the settings in an attempt to get it working - I had changed the 'destination zone' to 'WAN'. I've now changed that back to 'Device (input)' and everything appears to be working correctly.

My traffic is routing via 192.168.9.1 and I have full access to my LAN:

Tracing route to bbc.co.uk [151.101.192.81]
over a maximum of 30 hops:

1 * 45 ms 33 ms 192.168.9.1
2 78 ms 62 ms 38 ms lo0.ar86.tn2.core.as5413.net [62.72.136.44]
3 57 ms 39 ms 39 ms 201.141.72.62.ha.bb.gxn.net [62.72.143.201]
4 62 ms 41 ms 38 ms 201.141.72.62.ha.bb.gxn.net [62.72.143.201]
5 48 ms 52 ms 39 ms Bundle-Ether21.cr05.tn2.core.as5413.net [62.72.142.46]
6 67 ms 33 ms 37 ms ip81-59.fastly-gw1.lonap.net [5.57.81.59]
7 92 ms 59 ms 70 ms 151.101.192.81
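The mismatches that were debugged in this thread (preshared key configured on the router but missing on the client, AllowedIPs not covering both 0.0.0.0/0 and ::/0, an endpoint that does not match the router's listen port, a mistyped key) can be caught before the first handshake attempt. The checker below is an added example and not code from any post in this thread; the keys, the hostname and the ROUTER_PEER dict are constructed placeholders standing in for the router-side peer entry.

```python
import base64, binascii, configparser, ipaddress

# Constructed dummy keys (any 32 bytes, base64-encoded); not real WireGuard keys.
DUMMY_CLIENT_PRIV = base64.b64encode(bytes(range(32))).decode()
DUMMY_ROUTER_PUB = base64.b64encode(b"\x42" * 32).decode()
DUMMY_PSK = base64.b64encode(b"\x07" * 32).decode()

# Constructed summary of the router-side peer entry for this client.
ROUTER_PEER = {"router_public_key": DUMMY_ROUTER_PUB, "listen_port": 43648,
               "has_preshared_key": True}

# Constructed client config laid out as described in the thread.
CLIENT_CONF = f"""\
[Interface]
PrivateKey = {DUMMY_CLIENT_PRIV}
Address = 192.168.16.100/32
DNS = 192.168.8.1

[Peer]
PublicKey = {DUMMY_ROUTER_PUB}
PresharedKey = {DUMMY_PSK}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = router.example.invalid:43648
"""

def key_ok(b64):
    """A WireGuard key is exactly 32 bytes of base64; a pasting slip breaks this."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def check_client(conf_text, router_peer):
    """Return human-readable problems; empty means the client matches the router."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    iface, peer, problems = cp["Interface"], cp["Peer"], []
    if not key_ok(iface.get("PrivateKey", "")):
        problems.append("Interface PrivateKey is not a 32-byte base64 key")
    if peer.get("PublicKey") != router_peer["router_public_key"]:
        problems.append("Peer PublicKey does not match the router's public key")
    allowed = {ipaddress.ip_network(a.strip())
               for a in peer.get("AllowedIPs", "").split(",") if a.strip()}
    for net in ("0.0.0.0/0", "::/0"):
        if ipaddress.ip_network(net) not in allowed:
            problems.append(f"AllowedIPs lacks {net}, so that traffic bypasses the tunnel")
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or int(port) != router_peer["listen_port"]:
        problems.append("Endpoint does not point at the router's WireGuard listen port")
    if ("PresharedKey" in peer) != router_peer["has_preshared_key"]:
        problems.append("PresharedKey set on one side only: handshake will never complete")
    if not iface.get("DNS"):
        problems.append("No DNS set, so the router's adblock/DNS redirection is bypassed")
    return problems
```

A config that passes can still fail on the firewall side (the UDP listen port must be reachable from the internet), which this check cannot see.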

Problem solved then?

Yes. Thanks so much for your help.

I've now added my laptop as a client. For future reference, the router needed a reboot to get that working - I think restarting the VPN interface would also have worked.

I'll try and get my phone working next.

** Edit **

My phone is now using my home connection when mobile data is enabled and I have full adblocking, etc.

With regards to security, just how secure is Wireguard and this configuration? Do I need to be worried about opening up my network?


WireGuard is secure enough to be accepted in the mainline kernel.
This is currently the recommended way to access the home network remotely.

I agree, wireguard is relatively easy to set up, has a small attack surface, and is fast. Especially if you add the preshared key it is secure. Of course the weak point here is not the protocol, it is the endpoint. If that gets compromised then you are out of luck. If you do not care about accessing your home network, but still want your traffic to go via your router, you can consider adding it to the "guest" network; then you can keep it separated.

Would you recommend changing the default IP addresses and subnets to provide additional security? I've used the IPs in the guide which, I presume, would be the ones targeted if Wireguard were to become compromised?

In general, if a certain device does not need access to a certain resource, it is better to not give it access. E.g. if you have visitors, don't give them access to your secure WiFi, make a guestnet. Or if you have IoT devices that do not need access to your file server, then separate them. Or your new fridge needs internet, why allow it to talk to anything else. Ideally separate the traffic with VLANs if you have multiple switches/routers.

What I did was make a guest network with a separate SSID and use vlan tagging to keep it separated (I have an r7800 which is AP & router, and an r7800 which is just an AP, and also have an e4200V2 which I use as a switch). Things like an internet radio also only get access to the guestnet. I did set it up so that I can operate the internet radio via my RPi, which is on my secure net.