I have an ASUS RT-ACRH17 that I'm working on setting up with OpenWrt for a friend's house. It's plenty capable for what they need in terms of WiFi, and according to this earlier topic, it should suffice for their current internet speed, but it's probably not capable of handling WireGuard for a privacy VPN at that speed.
I've already abandoned the idea of doing SQM (that can wait until my friend decides to splurge on a newer router) but I'd like to make use of a GL.iNet MT2500 that I have sitting here unused to deal with the VPN problem. It would also be running OpenWrt.
My question is this: Is it possible to do this with the MT2500 "to the side" rather than as a second router that would need to be "in between" the main router and the device(s) using the VPN/WG? So the MT2500 could be connected to one LAN port of the main router, and then traffic to VPN for another device connected to the main router could be routed through the MT2500?
I would swear that I've seen this mentioned as a way to use a dedicated VPN device, but when I Google it, all I seem to find are results using the two devices in series.
If the answer is "no", thank you, that saves me a lot of time and frustration.
If the answer is "yes", could you give me the very broad strokes of how I would need to set up the MT2500 (the VPN/WG device)? I think I could figure out the main router side, or at least get close enough to ask specific questions later.
Yes. The main router will need to forward the UDP port you plan to run on to the MT2500, which you will configure to use WG, if the expectation is for devices on the WAN to come into the VPN. In the past, I had a RPi running WG in just such a setup.
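An added example of the inbound (road-warrior) variant described in the reply above, as UCI config files; it is editorial, not something the poster provided. The MT2500 hangs off one LAN port of the main router at 192.168.1.2, the main router is 192.168.1.1, the tunnel subnet is 10.10.10.0/24 and the port is UDP 51820; all of those, the placeholder keys and the `br-lan` device name are assumptions to adjust.

```uci
# --- /etc/config/firewall on the main router (RT-ACRH17) ---
# DNAT the WireGuard UDP port from the WAN to the MT2500 sitting on a LAN port.
# 192.168.1.2 and port 51820 are assumed values.
config redirect
	option name 'wg-to-mt2500'
	option src 'wan'
	option src_dport '51820'
	option proto 'udp'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option dest_port '51820'
	option target 'DNAT'

# --- /etc/config/network on the main router ---
# LAN hosts send their replies to their default gateway (the main router), so it
# must know the tunnel subnet lives behind the MT2500. Without this route a
# remote peer can reach the MT2500 itself but nothing else on the LAN.
config route
	option interface 'lan'
	option target '10.10.10.0/24'
	option gateway '192.168.1.2'

# --- /etc/config/network on the MT2500 ---
# Its only cabled port is a member of the stock br-lan bridge; give it a static
# address on the main router's subnet and the main router as gateway.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# Listening WireGuard endpoint.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REPLACE_WITH_MT2500_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.10.10.1/24'

# One stanza per remote peer. allowed_ips is WireGuard's cryptokey-routing
# check, so each peer is pinned to exactly the tunnel address it was given.
config wireguard_wg0
	option description 'road-warrior-phone'
	option public_key 'REPLACE_WITH_PEER_PUBLIC_KEY'
	option preshared_key 'REPLACE_WITH_PRESHARED_KEY'
	list allowed_ips '10.10.10.2/32'
	option route_allowed_ips '1'

# --- /etc/config/firewall on the MT2500 (edit the existing lan zone) ---
# The DNATed packets arrive on the MT2500's only port, i.e. in its lan zone,
# whose default input policy already accepts them. Adding wg0 to the same zone
# treats remote peers as LAN members, the usual road-warrior choice; give them a
# zone of their own with narrower forwarding rules if they should see less.
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
```

After a handshake, `wg show` on the MT2500 should list the peer with a recent handshake time, and `traceroute 192.168.1.1` from the phone should show 10.10.10.1 as the first hop. If the peer reaches the MT2500 but no other LAN host, the missing piece is almost always the 10.10.10.0/24 route on the main router (or, alternatively, masquerading on the MT2500's lan zone).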
Is the wg tunnel going to be used as an incoming vpn (i.e. remote access to the user’s network/road warrior), or is it to connect outbound to a remote endpoint like a commercial vpn service?
Does the user want all traffic through the tunnel, or just the traffic from certain devices? If the latter, it can be set up as a different network/SSID and it is easy.
What I'm unsure of (to start) is if there's anything "unusual" required for the setup of the MT2500. For example, now all of the ingress and egress traffic (both tunneled and not) is over one physical port (presumably). I don't know how that should look in terms of interfaces on the MT2500.
Maybe I'm misunderstanding, but isn't that more of an "in between" configuration? As in, clients to be VPN'd are connected directly to the MT2500 rather than connected to the main router and routed "through" the MT2500?
That is what I would prefer to do. The MT2500 doesn't have WiFi and only has two ethernet ports, so trying to configure it "in between" really limits my options based on the physical layout of the space.
I don't mind non-trivial as long as I can learn from it. If someone can start me out with an overview of what needs to happen, I'll puzzle away at it.
Both will be proper OpenWrt. 23.05.2 is installed on the main router already but I might start fresh; I haven't started on the MT2500 yet. It's fully supported and easy to install though (sysupgrade from factory web UI). The plan is to end up with both on 23.05.3 when that is released (hopefully not too far away).
Maybe a different strategy would be easier and more sensible…
What about configuring the mt2500 as your primary (wired-only) router and the RT-ACRH17 as dumb AP and, in a second step, using its ports as a managed switch? Once you've achieved that state, configure the VPN on the mt2500 and pass that through over a VLAN trunk to some ports of the RT-ACRH17.
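An added example (editorial, not the poster's own config) of the layout proposed above, which is also the "different network/SSID" approach suggested earlier in the thread: the MT2500 routes, a separate `vpn` network arrives on a VLAN trunk and is policy-routed into the WireGuard tunnel, and the RT-ACRH17 is a dumb AP whose switch ports and SSIDs are assigned to either network. Port names (`eth0`/`eth1` on the MT2500, `lan1`..`lan4`/`wan` on the RT-ACRH17's DSA switch), the subnets, VLAN 20, the provider endpoint and the placeholder keys are all assumptions.

```uci
# --- /etc/config/network on the MT2500 (now the primary router) ---
# eth0 = WAN, eth1 = port cabled to the RT-ACRH17 (assumed; check with ip link).
# The trunk carries VLAN 1 untagged (normal LAN) and VLAN 20 tagged (VPN net).
config interface 'lan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'vpn'
	option device 'eth1.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# Outbound tunnel. route_allowed_ips '0' keeps the provider's 0.0.0.0/0 out of
# the main table, so the router itself and the plain LAN keep using the WAN.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REPLACE_WITH_MT2500_PRIVATE_KEY'
	list addresses '10.64.0.2/32'
	option route_allowed_ips '0'

config wireguard_wg0
	option public_key 'REPLACE_WITH_PROVIDER_PUBLIC_KEY'
	option endpoint_host 'vpn.example.net'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'

# Policy routing: packets entering on 'vpn' look up table 100, whose only
# default route is the tunnel. Matching the incoming interface rather than a
# source subnet means the router's own traffic (incl. the WG endpoint) never matches.
config route
	option interface 'wg0'
	option target '0.0.0.0/0'
	option table '100'

config rule
	option in 'vpn'
	option lookup '100'
	option priority '1000'

# --- /etc/config/dhcp on the MT2500 ---
config dhcp 'vpn'
	option interface 'vpn'
	option start '100'
	option limit '100'
	option leasetime '12h'

# --- /etc/config/firewall on the MT2500 ---
# Kill switch by construction: 'vpn' may only forward into the tunnel zone. If
# wg0 is down the lookup falls through to the main table (WAN), but there is no
# vpn->wan forwarding, so packets are rejected instead of leaking out the WAN.
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'vpn'
	option dest 'wg'

# --- /etc/config/network on the RT-ACRH17 (dumb AP / managed switch) ---
# The former WAN port is the trunk; lan1/lan2 stay on the LAN, lan3/lan4 carry
# the VPN network. SSIDs pick a side with option network 'lan' or 'vpn' in
# /etc/config/wireless. Remove the stock 'wan' interface stanzas on this box.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'wan:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config interface 'vpn'
	option device 'br-lan.20'
	option proto 'none'
```

Two checks worth doing on the MT2500 once it is up: `ip rule` should show the `iif eth1.20 lookup 100` entry and `ip route show table 100` the default via wg0; then from a host on lan3/lan4 (or the VPN SSID) confirm the public IP is the provider's, and that pulling wg0 down (`ifdown wg0`) makes that host lose connectivity rather than fall back to the WAN. One caveat: DHCP clients on `vpn` get the MT2500 as resolver, and dnsmasq answers via the WAN, so if DNS must also stay inside the tunnel, push the provider's resolver with `list dhcp_option '6,<resolver>'` in the `vpn` DHCP stanza.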
I'd still love to know how to go about the other way, if anyone feels like sketching out the broad strokes at some point, but I'll move forward with your idea and see how I make out.
With this new approach, I should be able to consider using SQM again, right? The MT2500 uses the same CPU as the MT3000 with double the RAM, minus WiFi, so it should easily handle cake at 300 Mbps...
MT3000 handles cake at 300 Mbps one way just fine. So should MT2500. If you throw Wireguard at it as well, max throughput will be definitely lower. Max real-world Wireguard performance is somewhere above 300 Mbps: A Wireguard comparison DB. I'm guessing maybe 150-200 Mbps cake + Wireguard could be possible. fq_codel is less demanding, so could be considered instead of cake.
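An added example (editorial, not from the poster) of what the cake-versus-fq_codel choice looks like in `/etc/config/sqm` on the MT2500. The WAN device name `eth0`, the ~5% margin below the 300 Mbit/s line, the upload figure and the overhead value are assumptions; only the download rate comes from the thread.

```uci
# /etc/config/sqm on the MT2500. Shape a little below the measured line rate so
# the queue builds here, where cake manages it, rather than in the modem.
# Upload is a placeholder (the thread never states it): use ~95% of the measured
# upload rate. Overhead 44 is the conservative DSL/PPPoE guess; use the value
# for your actual link type.
config queue 'wan'
	option enabled '1'
	option interface 'eth0'
	option download '285000'
	option upload '20000'
	option qdisc 'cake'
	option script 'piece_of_cake.qos'
	option linklayer 'ethernet'
	option overhead '44'
	option debug_logging '0'
	option verbosity '5'

# Lighter alternative if cake plus WireGuard pushes the CPU too hard: the same
# stanza with fq_codel under the classic simple.qos script. Only these two
# options change:
#	option qdisc 'fq_codel'
#	option script 'simple.qos'
```

After `/etc/init.d/sqm restart`, `tc -s qdisc show dev eth0` shows which qdisc is active, and watching `top` during a speed test with the tunnel up is the quickest way to see whether the CPU, not the line, is the limit.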