Site to Site VPN for popular TV Streaming Service issues

I am from a multi generation household in the UK and hoping that OpenWrt may be able to solve an issue we are having with a popular TV streaming Service.

I am the only person in the household who has any tech knowledge, but even mine is not that good. I got into OpenWrt some years back, but mostly via LuCI.

I drive around the UK for a living sleeping in my truck or sometimes in a B&B, I use OpenWrt to boost whatever wifi I find myself using. Sometimes it is a paid hotspot or whatever wifi I can get access to.

The issue we are having is that the TV Streaming service keeps kicking us off, usually at the most inconvenient time. We pay for the max service, with four screens, we actually use max three at home and me on the road. One is for my elderly parents but they do not use it that much.

The TV service gets its knickers in a twist and sends us messages saying you are not part of this household blah blah blah. Sometimes it is for my screen but sometimes one of the others. Usually I do the verify thing and it sorts it out, but lately it has even become confused by the home screens. Sometimes with me I tell it that I am traveling and it says "you have done enough traveling" !!

It always seems to pick the most inconvenient time to get upset, times when either I am asleep or my family are asleep.

The TV Streaming Company are of no help and I am at the point of dumping them, I did consider splitting the accounts but it is not cost effective; why should we pay more for less functionality. I am already annoyed with them for hiking prices, none of us want the ad free version and we are quite resentful about it considering we have been with them for many years and always paid the max subscription.

So the plan is to install a site to site VPN, essentially so that my connection on a remote OpenWrt router connects via the home router of another OpenWrt Router which will be connected to the ISP router.

Naturally I do not want to do anything that will trigger off these errors. I think it is best to isolate wifi clients and disable IPv6 etc. All TVs are connected via wifi through either a Roku or an Amazon stick; I might be getting an Android alternative soon.

I thought that this project might get me more interested in getting under the hood of OpenWrt.

I would like devices on my traveling OpenWrt to have the same IP subnet as home if that is a possible thing, I assume this is configured in the site to site VPN?

Any suggestions on this project would be gratefully appreciated.

I agree with this plan.

What do you mean by this? If you use a "road warrior" VPN configuration, all the traffic will appear to be originating from your home, even when you are on the road.

They will necessarily be different, but you can at least have two consistent subnets -- your home and your travel router.

I do this same thing with a travel router. When I was abroad for a vacation recently, my travel router connected via VPN back to my home. All of my services operated normally because my apparent IP address was always the same as if I was actually at home.

I recommend a road warrior WireGuard VPN configuration.

https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior

2 Likes

I currently have this setup on a TP-Link C7 with WireGuard, bandwidth around 25mbps. Note that WireGuard uses UDP and some places block UDP. I have also set up OpenVPN (TCP) to get around this. Due to CPU, OpenVPN only managed 12mbps. If you don't need wifi, go with a NanoPi R2S, which is harder to brick and has a better CPU. The R2S would connect to your home router. As for the travel router, I use a GL.iNet AR300M; it's light and portable, but would have the same bandwidth constraint as the C7.

1 Like

By consistent do you mean for example 192.168.0.1 and 192.168.1.1?

Would I need to get a Dynamic DNS?

My home ISP changes the IP randomly. If so, I was considering https://www.noip.com/; as always, I am trying to figure out if it is really free.

Am I right to suggest that Dynamic DNS needs to be in the ISP router at home not the OpenWrt or can it be done on the OpenWrt router?

If the latter would I need to set something on the ISP router to let it through?

I use noip.com. It is free, but you have to confirm it every month (they send an email). I also use dynv6 and afraid.org; all are free.

DDNS can run on the OpenWrt router; you do not use the WAN address but an external IP check.

In that case you do not need to set anything on the ISP router.

1 Like

There are also duckdns.org and freemyip.com. You will need to port forward on the main router to the OpenWrt router.

2 Likes

Some ISPs do not issue customers a true public IP (CGNAT) and in some cases there is a public IP but incoming connections are blocked. In either of these cases a simple road warrior to home VPN will not work since home cannot take incoming connections.

Assuming the conditions above are OK, the next step is to run DDNS on any device in the home; since they are all NATed to the same outgoing IP, the service will see that IP and register the name properly. Make sure to configure remote IP detection; don't take the IP from a local interface.

For incoming traffic you will need to forward a port in the main router to whatever device is running OpenWrt VPN server.

1 Like

Thanks for that, which would you say was easier for newbs like me?

I tried to create a no-ip account and when I entered a strong password it gave me this warning

Would OpenWrt have a problem with long and complex passwords?

There should be no problem with OpenWrt and long/complex passwords. Worst case, you can always change your password should there be an issue.

1 Like

Yes, as long as the subnets are different.

For your travel configuration, I'd recommend using a more 'random' subnet that is not one of the very common ones. So maybe 10.53.23.0/24 as an example.

Thanks @mk24

I have googled the ISP and CGNAT; a recent reply says they do not use CGNAT.

How would I be able to test if it is using CGNAT?

So if I understand you correctly if I run DDNS does it overcome CGNAT or am I screwed if ISP uses CGNAT?

Not sure how to "Make sure to configure remote IP detection don't take the IP from a local interface."

It is years since I did a port forward.

Currently we have a Mesh Router my son put in, I do not want to go via that but plug in the OpenWrt router directly into one of the ISP ports.

From what I have read online this ISP is not brilliant at Port Forwarding, I think it needs to be in "modem mode" but I have no idea what mode it is in.

I have only a little time to configure this before I must leave for work tomorrow night.

Is there a way for me to get accessing the OpenWrt router remotely first and then connecting to it remotely so I can install the Road Warrior in the next few days?

Is it possible for me to disable IPv6 as part of this? It makes things so much more complex for me.

If CGNAT is not in use, a "what's my IP" test site will return the same IP that the house's main router (ISP provided box in this case) holds on its wan side.

CGNAT IPs almost always are from the reserved private blocks that start with 10 or 100 as the first number.
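The two checks discussed in this thread (comparing the ISP router's WAN address with what a "what's my IP" site reports, and choosing remote IP detection for DDNS), as an added example that is not part of the original posts. The function names are hypothetical and every address is a constructed sample; the ranges tested are RFC 1918 private space and the RFC 6598 shared space 100.64.0.0/10 that is reserved for CGNAT.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# every address used below is a constructed sample.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $1 is inside network $2 with prefix length $3.
in_cidr() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# private = RFC 1918, cgnat = RFC 6598 shared space (100.64.0.0/10).
classify_ip() {
    if in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 ||
       in_cidr "$1" 192.168.0.0 16; then
        echo private
    elif in_cidr "$1" 100.64.0.0 10; then
        echo cgnat
    else
        echo public
    fi
}

# $1 = WAN address held by the ISP router, $2 = address a "what's my IP" site reports.
inbound_verdict() {
    if [ "$(classify_ip "$1")" != public ]; then
        echo no-inbound          # ISP hands out a private/CGNAT address
    elif [ "$1" != "$2" ]; then
        echo mismatch            # another NAT sits between home and the internet
    else
        echo ok                  # forward the VPN port to the OpenWrt box
    fi
}

# $1 = address on the interface of the device running the DDNS client.
ddns_ip_source() {
    if [ "$(classify_ip "$1")" = public ]; then echo local-interface
    else echo remote-check; fi
}

echo "ISP router WAN 100.72.5.9   -> $(inbound_verdict 100.72.5.9 203.0.113.7)"
echo "ISP router WAN 203.0.113.7  -> $(inbound_verdict 203.0.113.7 203.0.113.7)"
echo "OpenWrt WAN 192.168.0.50    -> DDNS uses $(ddns_ip_source 192.168.0.50)"
```

An OpenWrt box plugged into a LAN port of the ISP router always lands in the `remote-check` case, because its own WAN interface only ever sees the ISP router's private subnet.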

I find these very hard to remember, also I am concerned about what the Streaming service is capable of sniffing out that may trigger it.

It always seems to be at the worst time of day, either too late for me to call home or an inconvenient time if my activity has kicked them out of the household.

We have two Amazon and two Rokus, one of the latter I take with me. The plan is to take the OpenWrt router with me in a backpack and connect to its wi-fi, which I will somehow connect to the WireGuard when I get my head around that.

In previous places where I lived, I found issues if I used 10.x.x.x subnet or 172 private IPs to connect to 192.168. ranges. I find it easier to remember 192.168.0.1 and 192.168.1.1; obviously I will need to be mindful of what range the ISP hub uses.

I know the Mesh uses 192.168.0.1 and the default for OpenWrt is 192.168.1.1, I think the mesh is in a bridge mode and the ISP is using 192.168.0.1 which the bridged Mesh is passing on. Does that sound right?

Given that your travel router will have a DHCP server running, does it matter that much? You could always make something more personally memorable... for example, if your home street address is 1234 main street, you could make 10.12.34.0/24 as your network.

What is your concern about needing to remember the subnets?

On a phone or device with a hardware GPS, some services may actually look at the physical location from the operating system's location services functions. However, in most cases, it's purely looking at the IP address from which your traffic originates. With the VPN, it will all tunnel back through your home and it will appear that you are at home from the perspective of the streaming service. (you could still run into issues with concurrent screens, but that would be the same if you were home or away).

I do this myself with either an AppleTV or a Chromecast. The router handles the VPN (WireGuard) and all the traffic goes back through my home. The media player device is not even aware -- it just works.

Again, I'm not really sure why the "remember" factor is so important here. Specifically, if you use a /24 network, your host range is .1-.254. And if you select the .1 host address for your router, you can always look at your device's DHCP issued lease and know "oh yeah, it says w.x.y.z, and I know that the router is at w.x.y.1".

The OpenWrt default is indeed 192.168.1.1. I don't know what you mean by "the Mesh" -- there is no universal mesh, and it is manufacturer dependent in terms of what the defaults might be (and if it can be changed by the user).

Avoid the common ones -- in particular, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and probably 10.0.0.0/24 and 10.0.1.0/24.

1 Like

The Mesh I was referring to is a second router used to get wifi to difficult areas in the home.

Now the killer question, If this implementation of OpenWrt was solely for my Road Warrior activity and solely for a TV Streaming Service, could a Raspberry Pi 4 version of OpenWrt cope with Wireguard and all the other parts of this configuration?

I should clarify that I want to plug the Raspberry Pi 4 into the ISP router at home, not on the road use.

Yes, it would be more than sufficient.

1 Like

The CPU is more than adequate, but does it not have only one Ethernet port and crappy wifi? Or is that another model?

1 Like

Make sure the Raspberry Pi 4 uses a proper power supply or it will corrupt the SD card over time.
Also remember to power it off and not just unplug the power supply.

I have old routers from TP-Link, Netgear and Linksys, but it occurred to me that the Raspberry Pi 4 I have does not get used; the size/power is attractive and it would be more of a learning process for me for both OpenWrt and Raspberry Pi.

Please correct me if I am wrong, but if I used a Netgear say, I would have built OpenWrt, WireGuard etc and just plugged the wan port of Netgear into the ISP Router which is in Modem/Bridge mode. (A Mesh system serves the wifi).

So if I would only be using one port on the Netgear, I would only need the single port of the Raspberry Pi?

I am currently working on a Diagram so I can get my head around this but in theory the Raspberry Pi would just sit there waiting for a VPN Connection and would act as a conduit to the ISP Router and back to the remote modem (another OpenWrt)

I don't plan on any other wifi or lan connections to the Raspberry Pi at home, they are served by the Mesh system.

I saw a video on YT for this product if I wanted more

The only benefit of using a netgear at home as well is it is much easier for me and it has other ethernet ports which could be used for other devices locally.

I was considering setting up a separate internet connection for home users that was a VPN Wifi and Lan, but I must learn to crawl before I can walk or run. When that day comes I can use the Netgear. The wifi is not that fast, probably 140mb if that.

I want to be able to connect remotely to the Raspberry Pi or Netgear if I use that.

So I imagine I need to create some sort of SSH and a port forward, so that is going to be my first task.

I have trouble remembering all this stuff so I am trying to document it for myself first.