VPN with PPPoE

Hi !
I am not really understanding how this firmware works after reading a couple of topics, but here ia my question.

I have a router Huawey from my ISP with fiber optic and uses Pppoe as login. Obviously i can barely make any setting on it.

I also have an old router TP-WR1043ND which I saw is compatible with OpenWRT and I want to install on it. It does not have fiber optic port.

I will assume the installation works smoothly, but there is a problem in my mind.

I want to use the tplink with openwrt and make a VPN server. Due to port limitation, it should be behind huawey connected with a cable LAN>Wan port.

All other devicea in house should connect to tplink first to acces internet.
Also I would like to acces the VPN server from outside such as work etc.

Is this setup possible to secure/encrypt my connection and hide as much personal info as possible ?


Do you know what IP address you get when you connect over PPPoE?
Important thing is are there any ports blocked on the Huawey router? Maybe you can enable "passthrough", that is tell your ISP router to forward all traffic to the TP-WR1043ND. Then you will have a full control by configuring the TP-Link.
You will need at least one port forwarded to TP-WR1043ND so you can use it to connect over VPN.

You should be able to put the Huawei router in "bridge mode". Then you let your TP-Link make the PPPoE connecting, so you have in insert your login user/password for the PPPoE connecting into the WAN settings on the TP-Link. All your devices should then connect to the TP-Link and not to your Huawei anymore. Just make sure the Huawei router and the TP-Link are not on the same IP address. No port forwarding required.

After that any setup your want, like VPN, needs the appropriate firewall and port settings as "normal".

You neither mention the hardware revision of your "old TL-WR1043ND" router, nor the WAN speed you're getting, both being rather important aspects here.

If your old router is a TL-WR1043NDv1, https://openwrt.org/supported_devices/432_warning will seriously affect your options (not enough RAM (32 MB) for your desired services).

While hardware revisions v2 and newer should have enough RAM (64 MB) for modest expectations, "fiber optics" implies a rather high WAN speed (presumably >100 MBit/s, probably quite significantly so) - and this is something no hardware revision of the TL-WR1043ND lineup can cope with so far (v1 being the worst, v2 and newer probably up to ~100-120 MBit/s without SQM). You do need a quite capable router based on a modern SOC for routing above 100 MBit/s (mt7621, ipq40xx, ipq806x, mvebu, x86).

VPN usage in particular is pretty CPU intensive, something the ar71xx has not to offer in relation to contemporary WAN speeds. If you want to achieve VPN throughput above ~16-25 MBit/s, you need to shift your focus to highend routers (ipq806x, mvebu, x86).

Thank you all for answering !

The IP is dynamic if the power goes down.
That ia not a problem because my ISP provides automatic DNS.
In Huawei I have acces to security settings wih port forward, dhcp etc so no. Also my ISP blocks port 25 by default but can be unblocked on request.
There ia no need for that passrhrough I think.
There are home users who use another router behind the ISP router.
Simply connect a cable from Huawei Lan to Tplink Wan.
Of course on tplink + openwrt i will have full control and security settings.

I know what you are saying but I doubt I can.
I cannot configure the connectivity mode i think due to ISP firmware modification.
Huawei serves as a PON and i think it can be enabled as a simple switch by ISP.
But this is just another hassle i guess.

It is v2 or v3 (i will receive it from home this weekend and see) and i checked the compatible devicea with openwrt.
Speed is 500 mb/s so..no problem i guess :slight_smile:
I use only cable to connect to my routers becauae I also have an DIY eGPU setup and wireless mPCIE is in use by the eGPU.
I usually download with 40 mb/s due to HDD limitations.
The network connectivity is 1Gbps and Tplink has these kind of ports.
Also,my friends and I won't use VPN for the speed.
We need for privacy purpose.
So you say that the Tplink +VPN will be slow on encrypting traffic ?

But the main question remains : will my friends (out of my local network), connecting through Huawei to Tplink VPN will have their privacy hidden ?

Will I have this kind of privacy considering that the Huawei might give away info about me ?
Or itself might get spoofed for incoming connectiona, right ?

First understand that when you run a VPN server at your house, and let your friends be VPN clients of it, whatever your friends do through the VPN will appear to be from you. Your public IP will be the source of their connections. When someone goes to investigate, they will trace it to your ISP and then your ISP may reveal your identity.

On your OpenWrt main status page, does the WAN show a public IP address? This is the first thing that has to work so you can take incoming connections, the Internet has to be truly bridged through your modem to your OpenWrt router.

You could also run your VPN server on another device in the house such as a desktop PC (which must be always switched on of course), and attain very fast encryption performance. In that case your OpenWrt router would forward the VPN port to that PC on your LAN.

Thank you for information.
I did not setup up.
Maybe in 3-4 days when I receive my old router.

You guess wrong, while >=v2 is significantly faster than v1, it's still way too slow for routing 500 MBit/s. You are dealing with a 720-750 MHz mips single core SOC, and this CPU needs to route the packets from WAN to LAN, handle PPPoE, the firewall, NAT tables, etc. Your router CPU probably can do that up to 100-150 MBit/s, beyond that will not be possible with the hardware. Yes, it has 1 GBit/s ports and you can achieve that between its LAN ports (the CPU isn't involved in this traffic, which is solely handled in the router's switch hardware), but anything that needs to go through the CPU is severely affected by this.

Another topic is your desired VPN functionality. As mentioned, VPN is highly CPU intensive (the popular OpenVPN dæmon much more than IPsec or wireguard, but I'm using the faster IPsec as basis here), your CPU might manage somewhere between 25 MBit/s to perhaps 35 MBit/s (the later would be very optimistic) of encrypted VPN throughput. While this might look sufficient for you, it means the CPU is taxed to the maximum, 100% CPU load flat out - but the CPU still needs to handle the PPPoE session, routing, firewalling, NAT table, etc. - remember your CPU is only a single core...

So assume your friend is connecting from a 50 MBit/s connection (one tenth of your own WAN speed), his client is a notebook which is much faster than your tl-wr1043ndv2's mips SOC and has no problem maxing out these 50 MBit/s, so it will try to get that through the VPN, pushing your router CPU over its limits - leaving to starvation on the router's CPU, which no longer has capacity to fullfil its tasks. That means your friend's performance is affected (you can ignore this), but given that your router's attempts to do the best it can to serve your friend's VPN tunnel, it also no longer has enough capacity to serve your own (non-VPN routing) as well (and your router can't even do that without an active VPN). Multi-core routers would be in a better situation here, while the VPN might peg one core, there's at least a second to keep track of the WAN connection (routing/ firewall/ NAT/ wlan).

That doesn't mean your router won't 'work' (v2 or newer of the tl-wr1043nd should be fine for several more years to come with current OpenWrt), it's just not fast enough to cope with your WAN connection, meaning you won't achieve your expected throughput and might experience "stuttering" under load. For performance expectations above 100-150 MBit/s you do require relatively recent and pretty high-end routers; ar71xx can not cope with those speeds.

1 Like

I am spechhless..
Thanks a lot for this information.

All in all, this is just a personal experiment and will see how it works.
Sadly I don't have a separate laptop to use instead of router as VPN.

Again, thank you all guys for this help.
I will provide feedback as soon as I can.

Just to put this into perspective, you will require something like highend mvebu (2*1.8 GHz ARMv7, e.g. Linksys WRT3200ACM/ WRT32X, Turris Omnia, Solidrun ClearFog) or (at least-) dual-core x86 with (hardware-) AES-NI support (e.g. something from the PCengines APU2 range of routers or one of the cheap mini-PCs with at least two 1 GBit/s ethernet ports) to cope with this level of performance (no, that won't give you 500 MBit/s VPN throughput either, but at least decent performance and routing at wirespeed).

In fact I thought of something like this. And for some other DIY projects.
FYI, I'm a medic and the IT part has remain a hobby all in all :slight_smile:

Sadly, i couldn't find mini-PCs on my country market and I think I should see some reviews about them. Also some were a bit expensive if i recall and a PC or laptop would've been a better price.
We will see.
Thanks again !
I will come back with feedback