VPN server on sub-router with no config access to main router. Possible?

I am looking to install a VPN server on a pocket OpenWrt router behind the main router at a remote location. I would use it for 2 purposes:
1- redirect client Internet traffic through this location
2- private cloud storage
I have already been using this type of setup for 8 years, but now the location must change and there are new constraints. The main router is controlled entirely by the ISP (the one and only fiber provider at that location), meaning I do not have the admin password to open ports. Fortunately they provide a full IPv4/IPv6 dual stack.
Is there some wizardry that could make this work? I have OpenWrt routers at home and DDNS domains, if that helps.

If you are looking for an incoming connection to the VPN endpoint at that location and you cannot administer the ISP router, your options are:

  • IPv6
  • ZeroTier
  • Tailscale
  • Create a site-to-site that establishes a connection outbound, then use the public IPv4 on the other side to connect and tunnel accordingly. (This can be done with a VPS, too.)

Precisely that, I could not word this better. I was suspecting that IPv6 would allow that, but I will need to reconfirm the IPv6 capabilities over there when I visit again. In case this does not work, I was thinking of something along the lines of the last option, but I have no knowledge of the magic recipe.
Would you be so kind as to enlighten me on "ZeroTier" and "Tailscale", which are new concepts to me?

I cannot give specific advice about ZeroTier and Tailscale (I have never used them), but they can traverse NAT and I think they use a broker service to set up the connection.

Search the forums of the web at large and there will be tons of information. Both are supported on (and work well with) OpenWrt.


They're all basically a WireGuard mesh with NAT traversal and a coordination server to set up point-to-point links. If NAT traversal fails, they use a relay server.

Another one is NetBird, but my only practical experience is with Tailscale.

Tailscale has been reasonable for getting something up fast for me. I have only used it for management overlay connections, not for large amounts of data.

I'd not recommend any of them if you want to host your own infrastructure, as they all appear to have caveats when self-hosting. NetBird, if using Docker is acceptable, looks the best, but again I have no practical experience with it.

Indeed! My goal is to be as independent as possible of any third-party provider. The IPv6 solution would be the best for me if I can make it work. My experience so far has been making an IPv4/IPv6 tunnel through an IPv4 VPN with OpenVPN, so I am looking for a good guide to make a dual-stack tunnel through an IPv6 VPN (WireGuard or OpenVPN) on a sub-router.

First you need to confirm that the network at the site supports IPv6, and specifically incoming TCP or UDP connections on IPv6. A few ISPs and many home routers (including OpenWrt in its default configuration) block incoming connections.

OpenVPN configuration should be exactly the same whether the "outer" encrypted packets are traveling by v4 or v6. It is for WireGuard. Either kind of packet can exist inside the tunnel.
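The inbound-IPv6 check this reply asks for can be done before any VPN is involved. What follows is an added example, not code from the thread: a small Python probe, run as a listener on the remote OpenWrt router and as a sender from any host outside that site (the home router, a phone on mobile data), using the router's global IPv6 address. Port 51820 (WireGuard's default) and the probe payload are my own choices. Since OpenWrt's default firewall rejects input on wan, the router needs a rule accepting UDP on that port for the listener to be reachable at all; the real VPN would need the same rule.

```python
"""Probe whether inbound IPv6 UDP reaches a host behind an ISP router.

Added example, not from the thread. Run the listener on the remote OpenWrt
router, then send from a host outside that site using the router's global
IPv6 address. Port 51820 (WireGuard's default) and the probe payload are
arbitrary choices made here.
"""
import socket
import sys

PROBE = b"wg-reachability-probe"


def listen(port, family=socket.AF_INET6, bind_addr=None, timeout=60.0):
    """Wait up to `timeout` seconds for one probe on `port`.

    Returns the sender's address if a probe arrived (and was acknowledged),
    None otherwise. Nothing arriving means a firewall in the path (the ISP
    router's, the ISP's or OpenWrt's own) dropped it, or the sender used the
    wrong address.
    """
    if bind_addr is None:
        bind_addr = "::" if family == socket.AF_INET6 else "0.0.0.0"
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        try:
            data, peer = sock.recvfrom(1024)
        except OSError:          # timeout
            return None
        if data != PROBE:
            return None
        sock.sendto(b"ack:" + PROBE, peer)
        return peer[0]


def send(target, port, family=socket.AF_INET6, attempts=3, timeout=2.0):
    """Send the probe to target:port; True if the listener's ack came back.

    A missing ack means the probe never arrived or the reply was dropped on
    the way back; the listener's own output tells those two apart.
    """
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            sock.sendto(PROBE, (target, port))
            try:
                data, _ = sock.recvfrom(1024)
            except OSError:      # timeout, or an ICMP unreachable surfaced
                continue
            if data == b"ack:" + PROBE:
                return True
    return False


def main(argv):
    if len(argv) == 3 and argv[1] == "listen":
        peer = listen(int(argv[2]))
        print("probe arrived from %s" % peer if peer else "nothing arrived")
        return 0 if peer else 1
    if len(argv) == 4 and argv[1] == "send":
        ok = send(argv[2], int(argv[3]))
        print("reachable" if ok else "no answer")
        return 0 if ok else 1
    print("usage: v6probe.py listen PORT | send IPV6ADDR PORT")
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the router: `python3 v6probe.py listen 51820` (needs the python3 package installed); from outside: `python3 v6probe.py send 2001:db8::1234 51820` with the router's real address. If the listener never sees the probe even with the OpenWrt firewall rule in place, inbound IPv6 is filtered upstream and the tunnel will have to be opened outbound from the site instead.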

That could very well be the case. I will be traveling to the "remote" location in a few weeks so I will be able to confirm but I need to prepare for a plan B:

and this one looks interesting but I only have a conceptual understanding of it.

I believe this is about creating your own coordination server. i.e. self hosting with one of the mesh vpn implementations. Or it's a hub and spoke and all traffic goes through the VPS?

Mm. My experience is that on most ISP-provided modems, and even with some mobile carriers, the default IPv6 firewall blocks inbound connections.

Assuming that the IPv6 firewall at the premises won't allow incoming connections, and given my limited time to build an entirely private solution, Tailscale looks like the best solution so far with its peer-to-peer "mesh". I'll investigate further on that. Any feedback, from direct experience or not, is welcome!

Update: I am not so happy with involving a "third party" (Tailscale) in my solution, but I found this WireGuard "Internet gateway as a spoke" guide that looks promising:
https://www.procustodibus.com/blog/2022/06/multi-hop-wireguard/#internet-gateway-as-a-spoke
In my case the hub itself would be redirecting its local clients' Internet traffic to the remote site that connects to it. I need some time to digest this, as I am new to WireGuard.
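Since the thread has not shown an actual configuration, here is an added example of my own, not code from the thread or from the linked Pro Custodibus guide. It writes both ends of a WireGuard tunnel for the fourth option in the earlier reply (the remote pocket router behind the ISP router dials out; the home router only listens, so nothing has to be opened on the ISP router) and, with a flag, for the "Internet gateway as a spoke" variant the linked guide describes, where the home hub sends its LAN clients' Internet traffic to the spoke. Host names, tunnel subnets, LAN ranges, the port and the key placeholders are all assumptions.

```python
"""WireGuard hub-and-spoke configs where only the hub is reachable from outside.

Added example, not from the thread or the linked guide. The spoke is the remote
OpenWrt pocket router behind the ISP router and dials out to the hub (home
OpenWrt router with a DDNS name), so the ISP router needs no port forward. With
gateway_as_spoke=True the hub also routes its LAN clients' Internet traffic to
the spoke, which must masquerade it out of its own WAN. Names, addresses, port
and key placeholders are assumptions; real keys: `wg genkey | tee priv | wg pubkey`.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Node:
    name: str
    tunnel_ip: str                  # comma-separated, e.g. "10.77.0.1/24, fd77::1/64"
    private_key: str
    public_key: str
    lan: Optional[str] = None       # LAN behind this node, reachable through it
    endpoint: Optional[str] = None  # host:port, only for the reachable side
    listen_port: int = 51820

def _ifaces(node: Node):
    return [ipaddress.ip_interface(a.strip()) for a in node.tunnel_ip.split(",")]

def render(hub: Node, spoke: Node, gateway_as_spoke: bool = False) -> Tuple[str, str]:
    """Return (hub_config, spoke_config) in wg-quick / `wg setconf` syntax."""
    if hub.endpoint is None or spoke.endpoint is not None:
        raise ValueError("the hub is the reachable side; the spoke dials out")
    # AllowedIPs is a route and a source filter at once: list only what each
    # side should send to, and accept from, the other.
    to_spoke = [f"{i.ip}/{i.max_prefixlen}" for i in _ifaces(spoke)]
    to_spoke += [spoke.lan] if spoke.lan else []
    to_hub = [str(i.network) for i in _ifaces(hub)]
    to_hub += [hub.lan] if hub.lan else []
    hub_extra: List[str] = []
    if gateway_as_spoke:
        to_spoke += ["0.0.0.0/0", "::/0"]
        # Table = off stops wg-quick turning 0.0.0.0/0 into the hub's own default
        # route (which would swallow DDNS, SSH and the tunnel's own packets);
        # add the spoke-LAN route and a policy rule for LAN clients by hand.
        hub_extra = ["Table = off"]
    hub_cfg = "\n".join([
        "[Interface]",
        f"# {hub.name}: publicly reachable, waits for the spoke",
        f"PrivateKey = {hub.private_key}",
        f"Address = {hub.tunnel_ip}",
        f"ListenPort = {hub.listen_port}",
        *hub_extra,
        "",
        "[Peer]",
        f"# {spoke.name}: no Endpoint line; its address is learned from its",
        "# own packets and follows the ISP NAT mapping when that changes",
        f"PublicKey = {spoke.public_key}",
        f"AllowedIPs = {', '.join(to_spoke)}",
        "",
    ])
    spoke_cfg = "\n".join([
        "[Interface]",
        f"# {spoke.name}: behind the ISP router, initiates the tunnel",
        f"PrivateKey = {spoke.private_key}",
        f"Address = {spoke.tunnel_ip}",
        "",
        "[Peer]",
        f"# {hub.name}",
        f"PublicKey = {hub.public_key}",
        f"Endpoint = {hub.endpoint}",
        f"AllowedIPs = {', '.join(to_hub)}",
        "# keeps the ISP router's NAT entry alive so the hub can send first; 25 s",
        "# is below common UDP NAT timeouts",
        "PersistentKeepalive = 25",
        "",
    ])
    return hub_cfg, spoke_cfg

def check(hub_cfg: str, spoke_cfg: str) -> List[str]:
    """Catch the mistakes that silently break this arrangement."""
    def has(key, cfg):
        return re.search(rf"^{key}\s*=", cfg, re.M) is not None
    problems = []
    if has("Endpoint", hub_cfg):
        problems.append("hub names an Endpoint; it cannot reach one behind the ISP NAT")
    if not has("Endpoint", spoke_cfg):
        problems.append("spoke has no Endpoint to dial")
    if not has("PersistentKeepalive", spoke_cfg):
        problems.append("spoke lacks PersistentKeepalive; the NAT mapping will expire")
    if "0.0.0.0/0" in hub_cfg and "0.0.0.0/0" in spoke_cfg:
        problems.append("both sides default-route into the tunnel: loop")
    if "0.0.0.0/0" in hub_cfg and not has("Table", hub_cfg):
        problems.append("hub default-routes via the spoke without Table = off")
    return problems

def example(gateway_as_spoke: bool = False) -> Tuple[str, str]:
    """The thread's layout with assumed addresses: hub at home, spoke at the remote site."""
    hub = Node("home-hub", "10.77.0.1/24, fd77::1/64", "<hub-private-key>",
               "<hub-public-key>", lan="192.168.1.0/24", endpoint="hub.example.net:51820")
    spoke = Node("remote-spoke", "10.77.0.2/24, fd77::2/64", "<spoke-private-key>",
                 "<spoke-public-key>", lan="192.168.77.0/24")
    return render(hub, spoke, gateway_as_spoke)

if __name__ == "__main__":
    hub_cfg, spoke_cfg = example(gateway_as_spoke=True)
    print(hub_cfg, spoke_cfg, sep="\n")
    print("problems:", check(hub_cfg, spoke_cfg) or "none")
```

On OpenWrt the same values go into /etc/config/network as a `proto 'wireguard'` interface with `wireguard_*` peer sections; there the `route_allowed_ips` option plays the role of `Table = off`. Two things the config alone does not do: the spoke's firewall must forward from the tunnel zone to wan with masquerading for the gateway case, and the hub must never list 0.0.0.0/0 on the spoke side as well, or the two ends route each other's default traffic in a loop, which is why `check` refuses that combination.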

You can self-host your own coordination and relay servers with most of the different implementations. Rolling your own has its own security implications. Given it's end-to-end encrypted, you can do your own risk assessment on whether the metadata they'd have is OK or not.

Your VPN of course shouldn't be your only method of security. You would still have to cater for a node being compromised anyway so I don't have any issues myself. My threat model was having to manually update the relay server if I was self hosting tailscale.

Other ones are ZeroTier and NetBird, but I've only read their documentation and haven't implemented them.

You could run another VPN such as WireGuard inside the SD-WAN (Tailscale, ZeroTier, etc.) to be absolutely sure it is secure.

Thanks all for your suggestions! I still have to do my homework based on your suggestions. I'll come back in a couple of weeks with more specific questions. 🙂