Home VPN - architecture?

I would like to set up a VPN service - probably NordVPN - at home and I’m not sure what the best setup would look like.

Right now I have Fios with a Ubiquiti router serving both 2GHz and 5GHz wifi networks. I have a spare Asus RT68U router I can put in service for this purpose.

My primary concerns are (a) privacy for browser-type devices, (b) performance for streaming devices (Fire Sticks, TVs, stereo, etc.) and (c) continued remote access to devices like Ring cameras and Nest thermostats.

I really like the management interface on the Ubiquiti router and all is working great there - I would prefer to keep it as the sole connection point for all of my wifi devices.

My thought was to install DD-WRT on the Asus router, install the NordVPN OpenVPN client, disable its wifi and route all traffic through it using a wired connection:

Ubiquiti --wire--> Asus RT68U --wire--> Fios Router --> Internet

But I don’t really care about privacy for the TVs and Fire Sticks and I’m not sure what, if any, problems might arise by routing them through the VPN. Is there a way, in DD-WRT, to only route some devices through the VPN? Like this:

Ubiquiti --wire--> Asus RT68U (Non-VPN) --> Fios Router --> Internet
                   Asus RT68U (VPN)     -->

Or is there a better way to approach this? I’d kind of like to avoid enabling the WiFi on the Asus router because it’s just another thing to manage and, like I said, I like the interface in the Ubiquiti.

Thanks!

Best approach would be to set up either VLANs or separate subnets (and firewall filtering at the router). Both do effectively the same thing of segmenting network devices.

From there, given one has the VPN configured on the edge device, your routing should redirect the default route from your subnets/VLANs to the IP address provided by your VPN connection. Best to look into IPsec site-to-site configuration rather than OpenVPN:

https://nordvpn.com/tutorials/windows-8/ikev2ipsec/

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=27988

One gets better performance since IPsec is layer 3 encryption and OpenVPN is layer 5 encryption in the OSI model.

A good model to use is that things attempting to manage services internal to your network (i.e. laptops and tablets that roam) could connect via an OpenVPN server running internally (either in DD-WRT or on a Raspberry Pi).

                                                                   +--------------------------+
                                                                   |                          |
                                                                   |                          |
                                                                   |                          |
                    +----------------------------------+           |      Cloud               |
                    |                                  |           |                          |
                    |    Network Clients (External)    +---NAT----->                          |
                    |                                  |           |                          |
                    +----------------------------------+           +-----------^-------^------+
                                                                               |       |
                                                                               |       |
                                                                               |       |
                                                                 ASN Traffic (isp)     | VPN/IPsec (internal to default)
                                                                               |       |
                                                                               |       |
                                                                               |       |
                                                                               |       |
                                                           +---------------------------------------------+
                       +-------------------------------+   |                                             |
                       |                               |   |                                             |
                       |   OpenVPN Server              +---+   DD-WRT / RouterOS Box                     |
                       |                               |   |                                             |
                       |                               |   |                                             |
                       +-------------------------------+   |                                             |
                                                           +---------------------------------------------+
                                                               |                 |
                                                               |                 |
                                                               |                 |
                                                               |                 |
                                                               |                 |
                        +----------------------------------+   | subnet or vlan  |
                        |                                  |   |                 |
                        |    Network Clients (internal)    +---|                 |
                        |                                  |                     |
                        +----------------------------------+                     | subnet or vlan
                                                                                 |
                          +----------------------------------+                   |
                          |                                  |                   |
                          |    Network Clients (internal)    +-------------------+
                          |                                  |
                          +----------------------------------+
As one can see from the diagram above, connections to internal devices from external would have to go over the ASN traffic (ISP) via NAT. This gives them an internal IP address and routing behind the firewall (DD-WRT). Everything else can be configured to forward packets from Network Clients (internal) to the VPN/IPsec port as the gateway, instead of to ASN (ISP) traffic, from within DD-WRT via iptables.

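The per-subnet routing the reply describes, written out as an added DD-WRT-style shell script (example code, not from either poster, DD-WRT or NordVPN): one VLAN/subnet is sent through the tunnel via a dedicated routing table, everything else keeps the ISP default route, and a REJECT rule stops the privacy subnet from leaking out the WAN if the tunnel drops. The subnet, interface names and table number are assumed placeholders.

```shell
#!/bin/sh
# Policy-based routing for one "privacy" VLAN/subnet through the VPN tunnel
# on a DD-WRT box (busybox sh). Values below are ASSUMED placeholders.
# Assumption: the OpenVPN client runs with "route-nopull" (or the IPsec
# tunnel does not install a default route), so the main table keeps the
# ISP gateway and only this script decides who uses the tunnel.
VPN_SUBNET="${VPN_SUBNET:-192.168.20.0/24}"   # VLAN/subnet that must use the VPN
WAN_IF="${WAN_IF:-vlan2}"                     # ISP-facing interface on DD-WRT
VPN_IF="${VPN_IF:-tun1}"                      # tunnel interface (tun1 for OpenVPN)
VPN_TABLE="${VPN_TABLE:-100}"                 # dedicated routing table number

# With DRY_RUN=1 the commands are printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

vpn_policy_rules() {
    # 1. Dedicated routing table whose only default route is the tunnel.
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    # 2. Every packet sourced from the privacy subnet consults that table.
    run ip rule add from "$VPN_SUBNET" table "$VPN_TABLE" priority 1000
    # 3. Kill switch: if the tunnel is down, table lookup finds no route and
    #    falls through to the main table (ISP). Reject instead of leaking.
    run iptables -I FORWARD -s "$VPN_SUBNET" -o "$WAN_IF" -j REJECT
    # 4. Let the subnet out through the tunnel and NAT it to the tunnel IP.
    run iptables -I FORWARD -s "$VPN_SUBNET" -o "$VPN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$VPN_IF" -j MASQUERADE
    run ip route flush cache
}

# Other subnets (TVs, Fire Sticks, Ring, Nest) never match the ip rule and
# keep using the main table, i.e. the ISP default route. Point the privacy
# subnet's DHCP-assigned DNS at a resolver reachable over the tunnel, or its
# DNS queries will still leave via the ISP.
# Call vpn_policy_rules from the DD-WRT firewall/startup script.
```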

Thanks! I’m going to start digging into it. Unfortunately I’m not a network guy so it’s going to take a bit to decipher all that :)


I’m not a “network guy” either, I just understand networking.

If there’s anything that one has questions on, feel free to ask. It’s why we’re here.
