Site to site VPN options

I've just rented a storage/hobby room in a facility. The owner provides "free" WIFI access but I just found out everything is blocked except port TCP/443. Other tenants there are tinkering with cars or motorcycles so for them https access is plenty enough but I want to tinker with electronics and computers so I need a bit more.
I want to connect site to site VPN between my home and the rented room using a pair of OpenWRT routers but since I found only TCP/443 is open I wonder what would be the best approach:
-use OpenVPN (OpenVPN server in my home, client in rented box initiating the connection since obviously I cannot set port forwarding at the storage facility but I can at my home. Worried about TCP meltdown tough.
-use Wireguard in combination with udptunnel or wstunnel since wireguard only works via (blocked) UDP, wstunnel could go around this, but would the end result not be similar to OpenVPN and prone to TCP meltdown ?
-IPSEC ? (no experience with it)

For simplicity's sake, go with OpenVPN.


I don't know about either udptunnel or wstunnel, I don't have experience with them. I do know about udp2raw. though, and you'd not have any TCP over TCP issues with it. It actually has a fake TCP mode where your firewall will see the packets as TCP but where they are for all intents and purposes really UDP - it's very well done and it basically eliminates TCP over TCP issues. It does work with Wireguard and it's one of WireGuard's suggestions for using TCP. There are some pre-built static binaries available for Arm (32 bit only) and MIPS (be & le) which work on OpenWRT platforms, but I don't use them because it's actually pretty trivial to build it right on your router:

git clone
cd udp2raw
make dynamic

Of course, this assumes your router is beefy enough to install gcc, make, and git. But pretty much any router that has a decent amount or storage or for which you're using extroot should do.

That's the first time I've seen 'simplicity' and 'OpenVPN' used together :wink:
Joking aside, though, I've used OpenVPN in TCP mode and not experienced nearly the issues the doomsayers tell you about. But my usage was just remoting a laptop into my LAN for occasional file transfers, not for all internet usage like you'll be doing. Plus OpenVPN isn't as easy to set up since they deprecated static keys. But in your case it does eliminate the udp2raw middleman and that might make it attractive enough to at least try.

I had OpenVPN in TCP mode on port 443 for ages, even in a port-sharing configuration with my HTTPS web server. This was the only way I found to tunnel through the firewall, everything else was blocked. But it was also a road-warrior setup, not site-to-site.

I've never heard about udp2raw, sounds very promising to switch to WireGuard for this one firewall.

If I recall correctly, OpenVPN traffic can even be disguised as HTTPS.

1 Like