VPN Setup with offshore WAN interface

Hi

I'm trying to set up VPN connections on my 18.06.2 and I wonder how to do this special setup. I need three VPN connections:

a) a connection to my brother's Fritzbox (which is not really working with vpnc due to routing problems).

b) a road warrior setup so I can connect my mobile devices for accessing my home server and to tunnel my traffic in public / untrusted WLANs to my home location for internet access

c) kind of an offshore WAN connection. As my provider tries to charge 20,- per month for a single static public IPv4 and is not able to give me IPv6 at all, I wonder if this would work:

  • get a VPS located somewhere with a static public IP and unmetered traffic.
  • set up a tunnel between this VPS and my home router
  • set up DNS entries for a mail server for my domain pointing to the VPS' static IP
  • forward any incoming mail traffic (SMTP) for my domain on the VPS via the tunnel to my router and from the tunnel interface with a port forward to my mail server
  • route any outgoing mail traffic through the tunnel to the VPS and on to the correct receiving mail system
  • (host my own DNS server on the VPS)
  • (tunnel Netflix access :wink: )

The big question now is: these would be three different setups and would require defining different firewall rules (full access for the road warrior, only outgoing traffic for the tunnel to my brother for offsite backups, and blocking anything but email for the VPS tunnel, including the port forwarding).

I don't see how to do this with a single Wireguard interface with different peers. So I assume I need to set up three Wireguard interfaces with a single peer each (or more for the road warrior someday).

Would this be possible? Is Wireguard the option to choose?

And is this a good idea and if not, why not?
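As an added example (not from the thread), here is how the "one WireGuard interface per tunnel, one firewall zone per interface" idea from the question maps onto OpenWrt 18.06 UCI, shown for the VPS tunnel (only TCP/25 forwarded to the internal mail server, nothing else in) and the road warrior tunnel (full access); a third tunnel would follow the same pattern. All keys, hostnames and addresses are placeholders; the VPS-side forwarding and routing outbound mail through the tunnel are not shown.

```uci
# /etc/config/network  (added example; keys, hostnames and addresses are placeholders)
config interface 'wg_vps'            # tunnel to the VPS; the router is the initiating peer
	option proto 'wireguard'
	option private_key 'ROUTER_WG_VPS_PRIVATE_KEY'
	list addresses '10.10.0.2/24'
config wireguard_wg_vps
	option public_key 'VPS_PUBLIC_KEY'
	option endpoint_host 'vps.example.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'   # keeps the NAT mapping open so the VPS can deliver SMTP inbound
	list allowed_ips '10.10.0.1/32'
	option route_allowed_ips '1'
config interface 'wg_rw'             # road-warrior tunnel; the router listens for the phones
	option proto 'wireguard'
	option private_key 'ROUTER_WG_RW_PRIVATE_KEY'
	option listen_port '51821'
	list addresses '10.20.0.1/24'
config wireguard_wg_rw
	option public_key 'PHONE_PUBLIC_KEY'
	list allowed_ips '10.20.0.2/32'    # one peer section per device, each with its own /32
# /etc/config/firewall  (one zone per tunnel, so each tunnel gets its own policy)
config rule                          # only the road-warrior listen port is opened on WAN
	option src 'wan'
	option proto 'udp'
	option dest_port '51821'
	option target 'ACCEPT'
config zone                          # VPS zone: router and LAN unreachable from the VPS ...
	option name 'vps'
	list network 'wg_vps'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config redirect                      # ... except TCP/25, DNATed to the mail server (fw3 accepts the DNATed forward itself)
	option target 'DNAT'
	option src 'vps'
	option proto 'tcp'
	option src_dport '25'
	option dest 'lan'
	option dest_ip '192.168.1.25'
config zone                          # road-warrior zone: full access to router, LAN and Internet
	option name 'rw'
	list network 'wg_rw'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
config forwarding
	option src 'rw'
	option dest 'lan'
config forwarding
	option src 'rw'
	option dest 'wan'
```

Because the VPS zone has no forwarding to wan or lan, a compromised VPS can only ever reach the mail server on port 25; the road-warrior zone is the only one that opens a port on WAN.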

I would take them one at a time, as they each have different requirements. You may decide that Wireguard, OpenVPN, or SSH tunneling meets the needs of one better than those of the others.

a) Connect to brother's Fritzbox

What access do you need here? Is SSH tunneling sufficient?

b) Road warrior

This is "inbound" VPN -- your router runs the server

I have recently learned that Wireguard can't natively make a remote device appear as if it is on the internal LAN. If your access to your internal LAN can be routed and you are comfortable with its security, then Wireguard would be a viable choice for this. If you want to be able to use on-link broadcast services, such as mDNS or "Windows browsing" then it may be a challenge to use Wireguard.

c) Other public IP addresses

This is "outbound" VPN -- your router connects to another server

This should all be doable.

If only for mail, you might want to consider just running postfix on the VPS and forwarding to your internal server. I do this myself as Comcast blocks port 25 and I can forward mail to my local postfix instance over a different port, yet still have the outside world connect to it on port 25. I run my VPS on DigitalOcean on their smallest droplet.

Another option (that wouldn't solve everything you listed) would be to get an IPv6 tunnel from someone like Hurricane Electric. They have the ability to dynamically update your end-point IPv4 address when your ISP changes your lease. It won't encrypt the connection, if that is important to you.

AVM implements IPsec IKEv1 for their VPN solution; strongSwan on OpenWrt should be able to connect to that.


Thanks
For the Android devices (road warrior) I currently use OpenVPN on an internal device. This works fine with a TAP interface.
But that's not really a requirement. What is needed is access to the internal Pi-hole, access to the internal cloud server and full-tunnel traffic to the internet (VPN to hide traffic in public insecure networks).
All this should work with WireGuard. And AFAIK WireGuard uses less battery and is fast.

For the Fritzbox: it supports IPsec, so strongSwan would be an option (but there is no GUI for this).

But one main goal would be to not have to deal with three different VPN solutions if one would fit for all.

A bit of an off-topic question: do you already have your own mail server up and running, or are you planning to do it? It's just that maintaining a mail server is a hard job.


You might consider running the infrastructure on the VPS to avoid connectivity, power, and reliability issues. Then you could route all your VPN traffic through the VPS, including the road warrior if you like.


Yes I do.

It's kind of a project I started to get away from Windows (as Win 7 is reaching the end of its lifetime), to get more control over network access (that's why I set up a Pi-hole) and to get more privacy (that's why I set up a Nextcloud server and an OMV NAS).
I now switched to OpenWrt as my previous router (Fritzbox) lacks some basic network capabilities.

So far, I'm making progress... I have a background as a software developer but haven't really been working with networking, system setups and so on.

Not as easy as expected...

Can't get WireGuard to run; it seems to be a connection problem.
https://forum.openwrt.org/t/no-connection-with-wireguard/35647/2

So I'll give strongSwan a chance. It seems to be more complex, but I've found information on how to set it up (without OpenWrt) to connect to the Fritzbox. I'll see if I get it working...
