RFC: WAN and LAN interface on single-port devices - best practice?

I am in the process of configuring a few single-port devices, and I would love to hear from someone more knowledgeable than me to confirm or improve my current approach.

Situation: I want to deploy a few single-port devices into the wild, complete with an OpenVPN server to access them afterwards, and I want the outward-facing ethernet port to be firewalled WAN (at least one of them is supposed to act as an access point with PPPoE on the WAN).

My current approach is as follows:

  • I assign the physical interface to WAN
  • using kmod-dummy, ip and ifconfig I create a "dummy" eth interface and assign it to LAN

In my current experience, the OpenVPN server needs an interface to bind to, and it's also beneficial for the wifi to have a proper LAN interface to serve DHCP. I think it's possible -- and I think I actually did that before -- to have a LAN interface that only has the Wifi interface, but I don't have a Wifi interface on all of those routers, so I'm looking for a more generic way.

My question would now be: Is there a better/simpler way to have a usable "physical port-less" LAN interface than going through creating the dummy interface?

Any input is greatly appreciated!

Is there something special about openvpn in LEDE? I don't understand why it would need more than the interface it binds port 1194 on.

BTW I usually use tagged VLANs on my single-port devices.

That's the point: To get a usable LAN interface it can bind on, when there is only one physical interface and WAN is attached to that one.

That would be a VLAN that's only tagged to the CPU, correct?

(Sorry if those are excessively stupid questions.)

In the meantime I found that one of my "single-port" devices, a TP-Link WA901ND V4, does indeed have eth0 (on the physical port) and eth1 as well as an unused internal switch. I have no idea where eth1 comes from, but apparently I can simply (ab)use that for LAN.

> That's the point: To get a usable LAN interface it can bind on, when there is only one physical interface and WAN is attached to that one.

I had a deeper look into the openvpn settings in LEDE, and I can't find the setting which specifies the interface or IP address to bind to. It seems to always bind to 0.0.0.0 unless you supply your own .ovpn file, in which case you can specify the IP address.

And I don't understand why you want to bind to the LAN interface since usually the WAN interface has the only IPv4 address reachable from the Internet. And connecting to the openvpn server from the internet seems to be your goal.

Regarding VPN, in my network I use a Netgear GS108Tv2, a VLAN switch, which allows me to use a router with a single physical port.

It might just work if I just want to access the machine in question through OpenVPN. However, I seem to remember that OpenVPN, in order to use it to access other devices in the other local network, or as a gateway back into the internet, needs to forward between the tun interface and the LAN interface. My recollection may be completely off, though. I should do some experiments.

That being said, there is other software that needs to bind to an interface (znc comes to mind). So I'm really looking for a generic way to have a usable LAN interface without any physical ports to bind them to. The VLAN route seems sensible, but a VLAN-capable switch is not always available on single-port devices. Hmm.

> I seem to remember that OpenVPN, in order to use it to access other devices in the other local network, or as a gateway back into the internet, needs to forward between the tun interface and the LAN interface. My recollection may be completely off, though. I should do some experiments.

Feel free to describe the scenario in detail and I'll try to help you.

> That being said, there is other software that needs to bind to an interface (znc comes to mind). So I'm really looking for a generic way to have a usable LAN interface without any physical ports to bind them to.

You might want to create an interface based on the physical interface "lo" instead, if you need an interface which isn't connected to a physical port. It's called "lo" but you can still assign routable IP addresses to the interface which means they can be reachable from other systems in the local network (if you have got a LAN interface).
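The "lan on lo" setup suggested above, written out as an added example (not posted by anyone in the thread): a uci batch that declares a port-less LAN interface on the loopback device and puts it in the lan firewall zone, so daemons such as OpenVPN or znc get an address to bind to that never appears on the physical WAN port. The address 192.168.77.1/24, the `ifname` syntax (LEDE 17.01 style) and the assumption that `firewall.@zone[0]` is the default lan zone are mine, not from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes LEDE/OpenWrt with uci and
# netifd. The address and zone index below are constructed sample values.

LAN_ADDR="${LAN_ADDR:-192.168.77.1}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"

# Emit the uci batch for a "lan" interface that rides on the loopback
# device ("lo"): no physical port, but a routable address that local
# services can bind to instead of listening on 0.0.0.0 (i.e. on WAN too).
lan_on_lo_batch() {
    cat <<EOF
set network.lan=interface
set network.lan.ifname='lo'
set network.lan.proto='static'
set network.lan.ipaddr='$LAN_ADDR'
set network.lan.netmask='$LAN_MASK'
set firewall.@zone[0].network='lan'
EOF
}

# Apply on the device: feed the batch to uci, commit, reload. Services
# bound to $LAN_ADDR are then only reachable through zones that may
# forward to "lan" (e.g. the VPN zone), not from the WAN port directly.
apply_lan_on_lo() {
    lan_on_lo_batch | uci batch \
        && uci commit network && uci commit firewall \
        && /etc/init.d/network reload && /etc/init.d/firewall reload
}

# Post-apply check: does "lo" really carry the address? Returns non-zero
# if it does not, so a service bind to $LAN_ADDR would fail.
lan_addr_is_up() {
    ip -4 -o addr show dev lo 2>/dev/null | grep -q " $LAN_ADDR/"
}

# Stand-alone: print the batch for review; pass "apply" to commit it.
if [ "${1:-}" = "apply" ]; then
    apply_lan_on_lo && lan_addr_is_up
else
    lan_on_lo_batch
fi
```

Afterwards, point the OpenVPN server at the new address (`option local '192.168.77.1'` in /etc/config/openvpn) so the daemon no longer listens on the WAN address as well.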

> The VLAN route seems sensible, but a vlan-capable switch is not always available on single-port devices. Hmm.

I mentioned VLAN to explain how you implement a router on a stick (one physical interface). It wasn't a recommendation to use VLAN as a dummy interface.


In very few words: That hint exactly hit the spot. Thank you so much!