Please help with networking

Hi

I've been working 25 years in computer programming BUT IP and networking has always been my Achilles' heel! :slight_smile:

Can a kind soul help in configuring a VPN in my house?

Here's the situation

  • a cable fiber modem 1GB that I cannot change BUT I can access admin and configure port forwarding (192.168.1.254). Seems that I cannot configure in bridge mode.
  • connected through a switch, there are
  • an Ubiquiti AP-Pro, which acts as access point and DHCP
  • a QNAP NAS which is set at static ip 192.168.1.201

Now I would like to configure a VPN to my house (I want, from outside, to connect home). The NAS can act as a VPN server (so I forwarded ports to its IP address) and in fact it was working, but I understand that it's not a secure setup, therefore...

I do NOT need super fast speed VPN: I occasionally need to connect home to access some files on my NAS and potentially remote desktop to the PC where I have cad software. But again, I can easily tolerate reasonable speeds. At the same time, I don't want to replace the main router with another one (bridge mode) as I would have to buy a fairly expensive device to sustain these speeds. And I want to be cheap since it's occasional.

I was looking at gli MT-300Nv2 because it looks cheap and easy and seems to work in my case, correct?

The way I probably need to setup is something like

  • the subnet of this router is going to be different from main subnet, correct? So something like 192.168.2.1
  • port forward a specific port of the router to the MT...to which address?
  • openwrt does support DDNS services, correct?
  • do I have to install openwrt or i can simply use MT-300 software (it does support wireguard...)

Any one that can support me? Thanks

Why is it not a secure setup?

You can either set it up in client mode, so that it receives an IP address from your ISP router or with a static IP in the same subnet. Just be sure to use a LAN port, not WAN. It's in fact not different than using your NAS.

See above.

Yes. Just install luci-app-ddns if you want a GUI, otherwise ddns-scripts is your friend.

You are in the OpenWrt forum, I wouldn't dare to ask this question :wink:

QNAP NAS has often been under severe ransomware attacks. I've never been affected (some good security practices on my side and...luck) and on the QNAP forums they hugely discourage putting the VPN server on the NAS. So I prefer to have a separate device for it, so I don't have to expose the NAS.

So I'll have to set the MT300 with a static IP as 192.168.1.199 (example) and port forward a specific port to this IP, correct?

With that in mind...so once I am connected to wireguard to my M300 (DDNS included) I can type 192.168.1.201 and I'll connect to my NAS, correct?

Sorry, maybe dumb questions, but I can write 3-page SQL code but my brain doesn't function with networking...:slight_smile:

:rofl: correct

OK - some NAS's can run alternative firmware like OpenWrt or virtual machines where you could run OpenWrt. This would save you the extra box.

That's one option yes. With Wireguard the default is 52840 but you can choose any. Be sure to forward UDP.

If you set it up correctly, yes. There is quite good documentation in the Wiki on setting up Wireguard. The only difference is that you do not set up your router as router but similar to a dumb AP (you can disable WiFi if you like):

I'm not completely sure about how to set up Wireguard in a LAN-only scenario, but that should work.

For testing, you can always run OpenWrt in a VM (e.g. in VirtualBox with bridged networking) and forward the external port to your VM. Once you are satisfied with how it works, you can move on to real hardware.
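The replies above describe the LAN-only layout (WireGuard box on a LAN port with a static address, UDP port forwarded from the ISP router, client routes the home subnet) but leave the return path open. The following is an added example, not code from anyone in this thread or from OpenWrt: it works out the AllowedIPs for both sides, checks that the home LAN, the tunnel subnet and the client's own network do not overlap (the reason the thread asks for a different subnet), and records the fix for the one thing a LAN-only WireGuard box needs that a dumb AP does not: the NAS answers a tunnel client via its default gateway, the ISP router, which knows nothing about the tunnel subnet, so either that router gets a static route or the WireGuard box masquerades. The addresses 192.168.1.254, 192.168.1.199 and 192.168.1.201 are the thread's; the tunnel subnet 10.200.0.0/24, UDP port 51820, the DDNS name and the key placeholders are assumptions.

```python
import ipaddress


def find_overlaps(*labelled_nets):
    """Return (label_a, label_b) pairs whose prefixes overlap.

    Every prefix that ends up in the client's AllowedIPs must be distinct from the
    network the client is sitting in, otherwise the client cannot tell which side
    a destination belongs to (this is why the thread asks for a different subnet).
    """
    items = [(label, ipaddress.ip_network(net, strict=False)) for label, net in labelled_nets]
    problems = []
    for i, (label_a, net_a) in enumerate(items):
        for label_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append((label_a, label_b))
    return problems


def plan_lan_only_wireguard(home_lan="192.168.1.0/24", isp_router="192.168.1.254",
                            wg_host="192.168.1.199", nas="192.168.1.201",
                            tunnel_net="10.200.0.0/24", listen_port=51820,
                            client_local_lan=None):
    """Work out addresses, AllowedIPs and the return-path fix for a WireGuard box
    that hangs off a LAN port and is NOT the network's default gateway.

    Addresses other than the thread's own (192.168.1.254, .199, .201) are assumed
    values: 10.200.0.0/24 as the tunnel subnet, UDP 51820 as the listen port.
    """
    home = ipaddress.ip_network(home_lan)
    tunnel = ipaddress.ip_network(tunnel_net)
    for name, addr in (("isp_router", isp_router), ("wg_host", wg_host), ("nas", nas)):
        if ipaddress.ip_address(addr) not in home:
            raise ValueError(f"{name} {addr} is not inside {home_lan}")
    server_tunnel_ip, client_tunnel_ip = list(tunnel.hosts())[:2]
    nets = [("home_lan", home_lan), ("tunnel", tunnel_net)]
    if client_local_lan:
        nets.append(("client_local_lan", client_local_lan))
    return {
        # On the ISP router: forward the WireGuard UDP port to the LAN-side box.
        "port_forward": {"on": isp_router, "proto": "udp",
                         "wan_port": listen_port, "to": f"{wg_host}:{listen_port}"},
        "server_interface": {"address": f"{server_tunnel_ip}/{tunnel.prefixlen}",
                             "listen_port": listen_port},
        # Server side: accept only the client's own tunnel address from that peer.
        "server_peer_allowed_ips": [f"{client_tunnel_ip}/32"],
        # Client side: route the tunnel subnet and the whole home LAN (NAS, CAD PC)
        # into the tunnel and nothing else, so the client's other traffic stays local.
        "client_allowed_ips": [str(tunnel), str(home)],
        # The NAS answers a 10.200.0.x client via its default gateway (the ISP
        # router), which knows nothing about the tunnel subnet. Fix one of two ways:
        "return_path": [
            f"add a static route on {isp_router}: {tunnel} via {wg_host}",
            f"or masquerade (SNAT) tunnel traffic on the LAN interface of {wg_host}",
        ],
        "overlaps": find_overlaps(*nets),
    }


def render_wg_conf(plan, role, ddns_name="home.example.invalid"):
    """Render a wg-quick style [Interface]/[Peer] file for 'server' or 'client'.

    Key material is left as placeholders: generate it on each side with
    `wg genkey | tee private.key | wg pubkey > public.key`. The DDNS name is an
    assumed placeholder.
    """
    port = plan["server_interface"]["listen_port"]
    if role == "server":
        return "\n".join([
            "[Interface]",
            f"Address = {plan['server_interface']['address']}",
            f"ListenPort = {port}",
            "PrivateKey = <server-private-key>",
            "",
            "[Peer]",
            "PublicKey = <client-public-key>",
            f"AllowedIPs = {', '.join(plan['server_peer_allowed_ips'])}",
        ])
    client_addr = plan["server_peer_allowed_ips"][0]  # e.g. 10.200.0.2/32
    return "\n".join([
        "[Interface]",
        f"Address = {client_addr}",
        "PrivateKey = <client-private-key>",
        "",
        "[Peer]",
        "PublicKey = <server-public-key>",
        f"Endpoint = {ddns_name}:{port}",
        f"AllowedIPs = {', '.join(plan['client_allowed_ips'])}",
        # Keeps the NAT mapping alive when the client sits behind a phone or hotel NAT.
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    plan = plan_lan_only_wireguard(client_local_lan="192.168.1.0/24")
    print("overlaps:", plan["overlaps"])
    print(render_wg_conf(plan, "client"))
```

Run with a `client_local_lan` of 192.168.1.0/24, as in the `__main__` block, the plan reports the overlap between the home LAN and the client's own network; that is the case where a remote site happens to use the same 192.168.1.0/24 and the client's route to the NAS collides with its local route. The masquerade option in `return_path` is the simpler of the two fixes when the ISP router, as here, cannot be put in bridge mode and may not offer static routes.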

Correct. This nas can run both Containers and VM. I've seen that there are dockers with openwrt.
I guess that this VM or container will have a specific IP (i.e. 192.168.1.199?) which then I port forward to? There are however a few considerations

  • not sure if this setup would reduce the risks?
  • when creating a container they are connected to this Virtual Switch. So for example I have a container running mjpg_streamer and it says that it runs at 172.29.0.2...which I guess is a subnet created by the container tool. Therefore there is a port forward of 192.168.1.201:9090 -> 8080. It gets complicated...
  • wouldn't running wrt in a container impact performance a lot?

ok thanks

I'll have a read...but I might come with new questions...:slight_smile:
thanks so far

https://forum.qnap.com/viewtopic.php?f=45&t=169160&p=840042&hilit=qvpn#p840042

Because we are in a QNAP forum: don't use QVPN for remote access! QVPN often uses outdated versions, configuration options are limited, AND: a NAS is not designed for this, use a router/firewall to protect yourself.


Thanks for the link, I totally agree with most of the points discussed there. I had my "NAS" in mind, which is in fact a full-blown Arch Linux system with a few services running in containers. I was tempted to move my OpenWrt router to a VM on this device, but since I have a VDSL connection, I stayed with a modem-router setup.

First question, do you get a public IPv4 address on the cable modem?
What does an mtr/traceroute against, say, Google's 8.8.8.8 show:

  1. install mtr on your OpenWrt router
    opkg update ; opkg install mtr
  2. run mtr:
    mtr -ezb4w -c 10 8.8.8.8

VPN access from the outside requires a public IP, either directly from your ISP or from a remote VPN site to which you establish a VPN tunnel from inside your network....

I don't think I get a static IP, that's why I need a DDNS. In fact QNAP provides this DDNS service that gives you .qnapcloud.com

Well, that is quite likely, only a few ISPs hand out "static", that is unchanging, IP addresses to end-customers on normal mass-market contracts (some offer it for a price though), so most of us deal with "dynamic" addresses that are changed/recycled sooner or later (e.g. over here my ISP enforces an IPv4 address change after 24 hours, while the incumbent will enforce this every 180 days, but will recycle it if the PPPoE connection is re-connected within these 180 days).
My main gist was more about the "public" versus "private" dichotomy, that is do you get a "full" IP address that is routable over the internet, or do you get a CG-NAT style private address (where at best you get a number of dynamically assigned ports on a shared address)? Both the IP address and externally visible port numbers can change for any new connection and are recycled, that is if 10.64.1.1:11111 was used 5 minutes ago but that connection closed, the same address:port tuple can be assigned to someone else. In such a system you need to establish a tunnel from within the CG-NAT network to a publicly visible VPN relay somewhere outside and make sure your tunnel sees regular heartbeat traffic so that the CG-NAT system will maintain your mapping and not recycle it.
In the former case (dynamic IPv4) all you need is a DDNS service, in the latter you also need a VPN relay that has a public IPv4 address.
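The public-versus-CG-NAT distinction above can be checked from the addresses the ISP router already shows, before any OpenWrt box exists. The following is an added example, not code from anyone in this thread: it classifies the router's WAN-side address (the thread later quotes 93.43.224.1) against RFC 1918, the RFC 6598 shared address space 100.64.0.0/10 that CG-NAT deployments normally use, and the other non-routable blocks, and then compares it with the address a DDNS updater or "what is my IP" site reports for the connection, since a public-looking address that differs from the one seen outside still means another NAT is in the path. The addresses 10.64.1.1 and 93.43.224.1 are the thread's; 100.72.3.4 is a constructed sample.

```python
import ipaddress

# Address blocks that, when they appear as the ISP router's WAN address,
# mean the home is not directly reachable from the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
OTHER_NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                      ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def classify_wan_ip(addr):
    """Classify an IPv4 address as 'public', 'cgnat', 'rfc1918' or 'non-routable'.

    100.64.0.0/10 is checked explicitly because Python's is_private does not
    cover it. Some ISPs run CG-NAT on 10.0.0.0/8 instead (as in the thread's
    10.64.1.1 example), so an RFC 1918 WAN address is just as bad news for
    inbound VPN access.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this check is for the IPv4 WAN address")
    if ip in CGNAT_SHARED:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in OTHER_NON_ROUTABLE):
        return "non-routable"
    return "public"


def vpn_access_plan(router_wan_addr, externally_seen_addr=None):
    """Return (plan, reason): 'ddns_only' or 'needs_relay'.

    router_wan_addr: what the ISP router's status page shows on its WAN side.
    externally_seen_addr: the address a DDNS updater or a "what is my IP" site
    reports for this connection. If the two differ, another NAT sits in front
    of the router even though its own address looks public.
    """
    kind = classify_wan_ip(router_wan_addr)
    if kind != "public":
        return "needs_relay", f"router WAN address is {kind}, not internet-routable"
    if (externally_seen_addr is not None
            and ipaddress.ip_address(externally_seen_addr) != ipaddress.ip_address(router_wan_addr)):
        return "needs_relay", "the address seen from outside differs: another NAT is in the path"
    return "ddns_only", "public address on the router: a DDNS name plus a UDP port forward suffices"


if __name__ == "__main__":
    # Constructed samples: the thread's two addresses plus one in the CG-NAT block.
    for wan, seen in (("93.43.224.1", "93.43.224.1"), ("10.64.1.1", "93.43.224.1"),
                      ("100.72.3.4", None)):
        print(wan, classify_wan_ip(wan), vpn_access_plan(wan, seen))
```

The second input, `externally_seen_addr`, is what makes the check conclusive: the thread's later observation that DDNS updaters (no-ip, QNAP's own) worked for inbound connections is exactly this comparison done by hand, because an updater can only advertise an address that reaches the router if nothing else is translating in between.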

Uhm...Fastweb Italy is (was?) well known for this NAT-style private address, or at least they were doing it in the past. Years ago I was reading forums and people were complaining about gaming issues and such. As far as I know they're not doing this anymore. How can I discover this (without having yet an OpenWRT router?)

My router says that the gateway IP is 93.43.224.1, that's what I see.

Keep in mind that I've been able to use DDNS services in the past, either through QVPN and their DDNS or through no-ip and similar services, without issues.

OK, that looks like normal generally routable "public" addresses, so setting up a VPN should work.
That makes my posts moot, I apologize for the distraction... (I had overlooked the clear "The NAS can act as a VPN server (so I forwarded ports to its IP address) and in fact it was working" description which makes my point superfluous).

oh, no apology. Any additional information is enriching my poor knowledge of this subject, thanks