Tunneling Out of Your Home Network! - How to set up a VPN on a Router // OpenVPN, OpenWrt

  • Published 22 Aug 2024

Comments • 39

  • @DevOdyssey
    @DevOdyssey  4 months ago

    What did you use to set up your first VPN? Is this your first time setting up a personal VPN?

  • @salshaaban
    @salshaaban 3 months ago

    Thank you for the great videos!
    I have used OpenVPN and WireGuard in the past, but this is the first time I have used them on a router.
    Now I have installed OpenWrt on a Raspberry Pi 4, using WireGuard as a network wide VPN and following your video on split tunneling.
    I'm also experimenting with OPNsense on a virtual machine. I like the web interface of OPNsense more. Things like per-device bandwidth monitoring seem more intuitive there. I will see if I can install it on a Raspberry Pi.

    • @DevOdyssey
      @DevOdyssey  3 months ago

      Thanks for watching my videos @salshaaban!
      Happy to hear about all the fun experimenting you're doing based on my videos. It's definitely fun when you get into it.
      I have to agree, I like OPNsense's web interface more, let alone its firewall logging capabilities, and firewalling in general. It's much more powerful, and frankly it's meant for small business or enterprise networking. OpenWrt doesn't have the same depth in firewall abilities due to the hardware it's been made for, i.e. low power, low storage, low RAM SBCs, which is fair and expected. OpenWrt will always be better in terms of hardware compatibility, but won't have the depth you'd want in a small business or enterprise network.
      Where I really struggled is troubleshooting firewall rules in OpenWrt, since not all rule hits are logged (again, by design). Basically, I use OpenWrt for my wireless access points, cellular connectivity, and switching, and OPNsense for a strong network foundation.
      Best of luck in your network / IT journey, enjoy it!

  • @tobiasholter1224
    @tobiasholter1224 20 days ago +1

    Hey, really enjoyed your content. Might I make a suggestion for a follow up video on setting up Mullvad with a SOCKS5 proxy on OpenWrt? What do you think?

    • @DevOdyssey
      @DevOdyssey  12 days ago

      Thanks for watching and being a fan @tobiasholter1224.
      I do certainly appreciate the suggestion, and I have actually already done that, but not particularly with Mullvad. I have with IPRoyal but the concept should remain the same.
      th-cam.com/video/tjiMyuLrejA/w-d-xo.html

  • @ARMINJB.
    @ARMINJB. 9 days ago

    Thank you for your great video🤩😍❤️

    • @DevOdyssey
      @DevOdyssey  3 days ago +1

      You're welcome @ARMINJB, thanks for watching!

  • @emmanuelessien8174
    @emmanuelessien8174 2 months ago

    I have an OpenWrt router on which I have installed OpenVPN, and it is connecting and working very well, but I do have a problem.
    All my devices connected to my LAN ports and wireless are showing one VPN IP address,
    which is not good. I want each device that is connected to my router's LAN and VLAN to have a different VPN IP address. I hope you understand what I want to achieve.

    • @DevOdyssey
      @DevOdyssey  2 months ago

      Thanks for watching @emmanuelessien8174. Can you explain a bit more of what you're trying to achieve? By VPN IP address, do you mean a public VPN endpoint that you pay for access to? If you want that, then you'll need to pay for enough access to cover all your devices and set up separate tunnels for each of them to use. This would probably be a better comment for the policy based routing video I did, where I see you wrote this same comment too, if I'm understanding you correctly. If so, you should follow that video but create separate tunnels for each of them and policy route each of those LAN devices to a different VPN interface.

    • @emmanuelessien8174
      @emmanuelessien8174 2 months ago

      @DevOdyssey I have 30 servers with 300 VMs on them, and each server will be using a different VPN location and IP address.

    • @DevOdyssey
      @DevOdyssey  2 months ago +1

      @emmanuelessien8174 Given what you described, it sounds like it's what I expected. Given that, if they all must have a different VPN IP / location, then you must set up the individual VMs with their own VPN software (WireGuard or OpenVPN client) or do the same thing on the firewall, but that means you'd have 300 interfaces, one for each VPN connection. You're probably better off setting up each VM with its own VPN client, so as not to deal with significant performance issues on the firewall / router due to so many interfaces on it.

    • @emmanuelessien8174
      @emmanuelessien8174 2 months ago

      @DevOdyssey I have tried it out and it's working using VLANs, but when I created up to 50 tunnels the router got stuck and LuCI shut down. I am using a Linksys WRT3200ACM. What might be the problem? Does OpenWrt have a limit on the number of tunnels and VPNs? What is your advice? Thank you.

    • @emmanuelessien8174
      @emmanuelessien8174 2 months ago

      @DevOdyssey What is the maximum? It breaks at 50. What do you advise?
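The per-VLAN tunnel layout discussed in the thread above (one WireGuard interface per source subnet, each policy routed to a different VPN exit), written out as an added example that is not from the video or from either commenter. The script below emits the OpenWrt UCI commands for that design: every tunnel gets its own routing table via the interface's ip4table option, route_allowed_ips places the peer's default route in that table rather than in the main one, and a network rule section sends packets from the matching LAN/VLAN subnet to that table. A single firewall zone masquerades all tunnels and allows forwarding from lan. Keys, endpoints, tunnel addresses and subnets are placeholders; the option names are the ones OpenWrt's netifd documents for proto wireguard, rule and the firewall zone/forwarding sections, and the script assumes the default lan zone exists.

```python
"""Generate OpenWrt UCI commands: one WireGuard client tunnel per LAN/VLAN,
steered by policy-based routing. Added example; all keys and hosts are placeholders."""
from dataclasses import dataclass
from typing import Iterable, List
import ipaddress

BASE_TABLE = 100  # first private routing table id; tunnel i uses BASE_TABLE + i


@dataclass(frozen=True)
class Tunnel:
    name: str             # UCI interface name, e.g. wg_vlan10
    private_key: str      # this router's WireGuard private key (placeholder)
    address: str          # tunnel address assigned by the provider, e.g. 10.64.0.2/32
    peer_public_key: str  # provider server's public key (placeholder)
    endpoint_host: str
    endpoint_port: int
    src_subnet: str       # LAN/VLAN whose traffic should leave via this tunnel


def validate(tunnels: Iterable[Tunnel]) -> List[str]:
    """Return human-readable problems; an empty list means the set is usable."""
    tunnels = list(tunnels)
    problems: List[str] = []
    names = [t.name for t in tunnels]
    if len(set(names)) != len(names):
        problems.append("duplicate interface names")
    nets = []
    for t in tunnels:
        try:
            nets.append((t.name, ipaddress.ip_network(t.src_subnet, strict=True)))
            ipaddress.ip_interface(t.address)
        except ValueError as e:
            problems.append(f"{t.name}: bad address ({e})")
    # Overlapping source subnets would match two rule sections and only the
    # lower-numbered priority would ever win; reject that silently-wrong config.
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} and {n2}: source subnets overlap")
    return problems


def uci_for_tunnel(t: Tunnel, table: int) -> List[str]:
    peer = f"wireguard_{t.name}"  # peer sections are typed after the interface name
    return [
        f"uci set network.{t.name}=interface",
        f"uci set network.{t.name}.proto='wireguard'",
        f"uci set network.{t.name}.private_key='{t.private_key}'",
        f"uci add_list network.{t.name}.addresses='{t.address}'",
        f"uci set network.{t.name}.ip4table='{table}'",  # this tunnel's routes go here
        f"uci add network {peer}",
        f"uci set network.@{peer}[-1].public_key='{t.peer_public_key}'",
        f"uci set network.@{peer}[-1].endpoint_host='{t.endpoint_host}'",
        f"uci set network.@{peer}[-1].endpoint_port='{t.endpoint_port}'",
        f"uci add_list network.@{peer}[-1].allowed_ips='0.0.0.0/0'",
        f"uci set network.@{peer}[-1].route_allowed_ips='1'",  # default route, in `table`
        f"uci set network.@{peer}[-1].persistent_keepalive='25'",
        # Policy rule: packets sourced from this subnet consult the tunnel's table.
        "uci add network rule",
        f"uci set network.@rule[-1].src='{t.src_subnet}'",
        f"uci set network.@rule[-1].lookup='{table}'",
        f"uci set network.@rule[-1].priority='{table}'",
    ]


def uci_for_firewall(tunnels: Iterable[Tunnel]) -> List[str]:
    """One 'vpn' zone for every tunnel: masquerade, nothing inbound, lan may forward in."""
    cmds = [
        "uci add firewall zone",
        "uci set firewall.@zone[-1].name='vpn'",
        "uci set firewall.@zone[-1].input='REJECT'",
        "uci set firewall.@zone[-1].output='ACCEPT'",
        "uci set firewall.@zone[-1].forward='REJECT'",
        "uci set firewall.@zone[-1].masq='1'",
        "uci set firewall.@zone[-1].mtu_fix='1'",
    ]
    cmds += [f"uci add_list firewall.@zone[-1].network='{t.name}'" for t in tunnels]
    cmds += [
        "uci add firewall forwarding",
        "uci set firewall.@forwarding[-1].src='lan'",
        "uci set firewall.@forwarding[-1].dest='vpn'",
    ]
    return cmds


def generate(tunnels: Iterable[Tunnel]) -> str:
    tunnels = list(tunnels)
    problems = validate(tunnels)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["#!/bin/sh", "set -e"]
    for i, t in enumerate(tunnels):
        lines += uci_for_tunnel(t, BASE_TABLE + i)
    lines += uci_for_firewall(tunnels)
    lines += ["uci commit network", "uci commit firewall",
              "/etc/init.d/network restart", "/etc/init.d/firewall restart"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    demo = [  # constructed placeholders, not real keys or providers
        Tunnel("wg_vlan10", "PRIVATE_KEY_10", "10.64.0.2/32", "SERVER_PUBKEY_A",
               "vpn-a.example.net", 51820, "192.168.10.0/24"),
        Tunnel("wg_vlan20", "PRIVATE_KEY_20", "10.65.0.7/32", "SERVER_PUBKEY_B",
               "vpn-b.example.net", 51820, "192.168.20.0/24"),
    ]
    print(generate(demo))
```

Review the generated script and run it as root on the router. Two caveats the thread itself raises: every tunnel is a full interface with its own handshakes, keepalives and routing table, so cost grows with the count and this does nothing to lift whatever limit the WRT3200ACM hit at 50 tunnels; and the rules only steer routed traffic, so DNS still needs to be handled per subnet or checked for leaks separately.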

  • @trevorcooper5488
    @trevorcooper5488 4 months ago

    What is the expected latency increase using a vpn?

    • @trevorcooper5488
      @trevorcooper5488 4 months ago

      Oh hey! First!

    • @MrPir84free
      @MrPir84free 4 months ago +2

      Short answer: 1 to 2 milliseconds if the VPN egress point is relatively close. I choose Atlanta, GA because it's less than 200 miles away. If I choose Dallas, TX, it's further away and latency might go up another millisecond, but speeds will drop a little as well. On my workstation, running the VPN, I still maintain that 1 ms loss, but maintain 875 Mbps download speeds. If I choose overseas for the VPN egress, well, speeds will plummet and latency will shoot up VERY high. This latency is with WireGuard; I suspect latency with OpenVPN is much higher as speeds really PLUMMET with OpenVPN.
      Using WireGuard till something better comes along. WireGuard will use multiple cores, especially on routers, so WireGuard is considerably FASTER. OpenVPN will use a single CPU on a router, thus is limited by the speed of a single core of the router (adding cores does not make it faster). On a 4 core router, WireGuard might achieve 600 Mbps with +1 or +2 ms latency; on OpenVPN, that same router barely eked out 120 Mbps. My raw internet speed is 945 Mbps without VPN. These are ACTUAL numbers from a 4 core travel router.
      On an 8 core RK3588, my OpenVPN speeds were similar (about 150 Mbps), but WireGuard was closer to 880 Mbps throughput. That's maintaining about 92% of my raw speed on WireGuard, but 13% on OpenVPN.
      So, if your VPN is running on the router, which VPN you use matters, as well as your core count and processor speeds. Faster = better; more cores = better, with WireGuard. With OpenVPN, be prepared for "SLOWER", because with OpenVPN it only uses a single core, at least in OpenWrt.
      When choosing a VPN provider, Mullvad and Proton are considered PREMIUM; I believe it's normal for a single person to have to protect 3 to 4 devices; so for two people, that's 6 to 8 devices (1 phone + 1 tablet + 1 computer per person, plus a couple of shared devices like an internet connected TV). So, a family of 2 would typically have about 8 devices.
      Mullvad allows 5 client devices (if put on a router, it protects all devices behind the router). Proton allows 10 client devices. Surfshark allows unlimited devices.
      Running the VPN on the router is better as all devices can be protected / obfuscated regardless of the device. But core count and raw CPU are the limiting factors for WireGuard (especially on OpenWrt or OPNsense). Running OpenVPN really cuts down your speeds, especially on most routers, as they're only 2 cores to begin with in most cases, and not typically powerful CPUs to begin with. I went back to OPNsense running on an N100 processor, mainly because the OpenWrt build for that particular RK3588 was maintained by a lone guy in China. Not the best security consideration.
      I have tried and used Proton VPN (WireGuard), Surfshark (OpenVPN and WireGuard) and ExpressVPN (OpenVPN only for its choices); each provider will have its pros and cons, and each will have limits on the number of connected clients. Choose wisely.
      Likes / dislikes about each:
      Proton VPN (rated better; based in Sweden, I believe): speeds pretty good. WireGuard is possible. Simple client.
      ExpressVPN: considered good for certain countries like Korea, but speeds seem to blow. OpenVPN only or their proprietary protocol. Meh.
      Surfshark: unlimited clients (so you can install on each and get good performance). WireGuard or OpenVPN if needed. Has a rotating client IP (egress IP changes every 5 minutes) if desired. Has a good feature set as far as other things to help protect your device. The rotation thing ONLY works if you use their Windows client on a Windows PC; it does not work for router based VPNs.
      I also looked at Mullvad; it's supposedly not designed for streaming (which is what I and the missus do mainly) and is limited to 5 clients. Supposed to be one of the best, but the low client allowance makes it too expensive to consider. However, it's the most ANONYMOUS, as nothing is really linked to your email or credit card; you can send them a payment using a paper money order and apply it to your account, or use bitcoin, or something else. If you want true anonymity, this is your service, but it is pricey.

    • @trevorcooper5488
      @trevorcooper5488 4 months ago

      @MrPir84free Thank you for the really in-depth answer! Sounds like I would want WireGuard with whatever provider for a general purpose home network security appliance. Currently I'm just running a firewall appliance with DoT, because we are a streaming family and don't have a ton of sensitive information or hosted services.

    • @DevOdyssey
      @DevOdyssey  4 months ago

      @trevorcooper5488 Thanks for watching! @MrPir84free did a great, detailed breakdown. To his point, you probably want WireGuard over OpenVPN for less latency, i.e. better speeds. With your current setup, WireGuard would be perfect in my opinion.
      To add to the answer above, latency varies a lot, especially depending on where your destination is. By this I mean what endpoint you are trying to reach, and not just the VPN server endpoint. For example, if the VPN server endpoint (node) used has a better path, or is closer to your destination (say a website) than your ISP, you could actually have less latency over the VPN, because your VPN node has a better means to get to the destination and/or is closer.
      The opposite is also true: if you are trying to get to a destination that is closer to your ISP's servers than to your VPN node, then your latency will be worse over the VPN.
      So it definitely depends on where you are going and where you are coming out from.

    • @DevOdyssey
      @DevOdyssey  4 months ago +1

      @MrPir84free Very thorough answer! Thanks for taking the time to chime in and share your thoughts. I agree with your sentiments, and your experience matches what you'd expect. WireGuard will be faster than OpenVPN in general, and that's what I've seen when comparing both.
      WireGuard will definitely perform better too, as in most implementations (can't speak for Windows) it's now in the kernel, which therefore benefits from kernel resources instead of user space resources.
      I generally use OPNsense and WireGuard as well, especially when I'm looking for more networking abilities / performance, while OpenWrt is great for me for compatibility reasons (especially device add-ons and wireless).
      To echo your point on Mullvad, I haven't used many of the other VPN providers, though I'd like to try, but Mullvad definitely does well with anonymity. With them you don't even get a username and password, no account setup with personal information, nothing. Just create an account ID, pay them, and you get service. Even paying them can be very anonymous, like cash in the mail! While they prefer crypto, they take other payment methods too, but they try to offer ways to make the payment process anonymous as well, so it really doesn't tie back to you. Let alone their implementation of their VPNs is private as well. You'll certainly pay for it, as you have noted, so if you don't need all the privacy features at that moment, it might be worth looking at another provider, and switching depending on use case.
      Again, great reply, and I appreciate you sharing your knowledge!

  • @YS-rh7we
    @YS-rh7we 3 months ago +1

    👍

  • @marcusjohansson668
    @marcusjohansson668 4 months ago

    Mullvad, huh. Means mole in Swedish. German police tried to raid them for data. Joke's on them, since they actually have no way of COLLECTING data, so they got absolutely nothing. xD
    The interesting one is to have a VPN SERVER that you can tunnel into, like you quickly flashed in the video.
    My RPi OpenVPN server, or PiVPN rather, has been running for years. :)
    Looking forward to seeing how you do it on OpenWrt.

    • @DevOdyssey
      @DevOdyssey  4 months ago +1

      Thanks for watching Marcus! Great to see your response.
      You know, I never thought about it, but given their logo is a mole, that would make perfect sense. And what do moles do? They tunnel! So a very appropriate logo for a VPN company.
      I didn't hear about the German police going after them, but I bet they left very empty handed. Running RAM only servers, the German police didn't even know there's no medium to store logs!
      Definitely interesting to have a VPN server running in your home so you can connect back from anywhere you are. I've always liked that idea, to have your own home network services no matter where you are, especially accessing local media. I used PiVPN with OpenVPN for a while until WireGuard came out and I went down that rabbit hole. It served me well, and that was before I had any other home lab infrastructure.
      It should be more or less straightforward with the sample configs provided by OpenWrt in their OpenVPN plugin. I just have to tweak them, try them out, and review what the options mean. I plan to do the same here with OPNsense too! And Tailscale! Lots of VPN options on different systems, and while I don't know if I'll get to them all, I'd at least get to the ones I like.

    • @marcusjohansson668
      @marcusjohansson668 4 months ago +1

      @DevOdyssey Yeah, I listened to what you said about the protocols, OVPN vs WireGuard.
      The reason I use OVPN is because of the simplicity of there being an application to "just install" (if you disregard that you have to configure everything down to the bit) and it is something I was familiar with.
      But your comment made me think that it might be time to move over to WireGuard.
      Any recommendations on where to gather my knowledge? I want to still have my VPN server on a Raspberry Pi, it is just so convenient keeping it separate from my router, "just in case"...

    • @DevOdyssey
      @DevOdyssey  3 months ago

      @marcusjohansson668 That's fair enough. My journey to WireGuard started with OpenVPN. Since PiVPN basically set it all up for me, it was a very easy start with OpenVPN, not having to worry about the minutiae of config. Most tooling simplifies the config for you anyway, so I haven't had too much difficulty becoming familiar with it. I've also not used it to its fullest potential, for example creating a Layer 2 bridge, so I haven't really had to dive deep, but this is something I look forward to trying out.
      After OpenVPN I was exploring other technologies and discovered fwknop, the Firewall Knock Operator. It was really cool, something I really enjoyed setting up, albeit a bit difficult.
      www.cipherdyne.org/fwknop/
      What it did was an improved version of port knocking (Single Packet Authorization), using packets encrypted with GnuPG keys. I thought it was awesome, but then the developer said he was throwing his support behind WireGuard, which is where I discovered it, roughly 5 years ago, and I have enjoyed and grown in using it since then because of its simplicity, speed, and security. It can't do Layer 2 bridging, but for just needing to connect endpoints together it's quick and easy, and that's usually what I'm using VPNs for anyway. I did always wish they had some authentication features, but that's where Tailscale comes in, another solution I look forward to trying.
      Anyway, other than my VPN history there, I'd say start on their website. Sounds like you have a good understanding of networking, so you should be able to pick it up quickly.
      www.wireguard.com/quickstart/
      I think it would still be good to have your VPN server on your Pi as a reliable means to get access to your network, but maybe use a WireGuard instance as out of band access to your network.

    • @marcusjohansson668
      @marcusjohansson668 3 months ago +1

      @DevOdyssey Have to retype my entire post, because YouTube, in their wisdom, does not inform me that typing an IP address creates a LINK, therefore just removing my comment without letting me know.
      The only reason I noticed is because I tried to edit my post for typos afterward, and was just presented with an unspecified error.
      YouTube is SUCH A GREAT PLATFORM! Sigh...
      But being the seasoned online person I am, I ALWAYS copy my posts to my clipboard before pressing "post", so here goes, with edited IP addresses (I am sooooooooo sorry for the scary links, YouTube)... :(
      ---------------------------------------------------------
      I have honestly not looked into it at all since setting it up many years ago; other than keeping it updated, it has been running flawlessly. The only problem I had was being on the same subnet on both the client network and the VPN network; if it is, problems occur reaching stuff via IP, or I need to bridge it.
      Easiest solution was to move my home network to a "non standard subnet", i.e. something like 192.168.234.0 (NOT MY IP), since most public networks usually use 192.168.1.0. xD
      Wake on LAN, SSH works. I even have a script ready to be run that activates VNC so I can literally get my GUI desktop running from anywhere if I ever wanted.
      So there is a WireGuard for RPi now? Or do you mean using PiVPN but choosing the WireGuard protocol instead of OpenVPN at installation?
      If WireGuard is, as you say, safer, I should definitely look into changing my setup... I just thought my key files (AND using a complicated password for them) were secure enough...?
      I looked into Tailscale a few years ago, when looking into making my Plex available from the internet for my mom. I was thinking of using Tailscale for something in combination with that, but ended up using another method instead (can't remember how now), but then ended up removing the "over internet" method anyway and let her tunnel into my network instead. :)

    • @DevOdyssey
      @DevOdyssey  3 months ago +1

      @marcusjohansson668 Haha, oh, been there before, at times where my post was wiped and I didn't have a backup! For some reason, their protection systems find IP addresses bad, and automatically link them, even when that's obviously not your intent. I always try to format them in such a way that doesn't make them link, and haven't had a problem since, but it's a strange occurrence.
      Anyway, good to hear about its reliability. IIRC, that's what my experience was with OpenVPN as well when mine was running, though I've been running WireGuard for longer and have had great reliability. Any problems I encountered were user error, or issues on the network, but not with WireGuard itself.
      NATing should help you in those situations, but a non standard consumer subnet works too. I like the sound of your setup with automation! I did the same thing before too with VNC, after SSHing into my PC and then tunneling VNC over SSH.
      Correct, there should be WireGuard for Raspberry Pi, and really any Linux distro after a 6.x kernel version, somewhere in that range. It was merged into the Linux kernel, and therefore should be in really any distribution. PiVPN probably uses the userspace version, which should also be fine for most use cases. Either way works fine. PiVPN is probably easier to set up, but WireGuard in and of itself is not difficult at all once you get it down.
      WireGuard uses more secure and faster cryptography than OpenVPN, so inherently we can say it's "safer", though that could be broken down even more. WireGuard has a small footprint in terms of its code base, so it's also much less likely to have vulnerabilities; it's intentionally lightweight. At the end of the day, if you are trying to just connect Point A to Point B securely and fast, WireGuard works perfectly. Don't get me wrong, it's not like you're at risk with your existing setup of OpenVPN with your key files and certs, those are probably fine. Where you'll see more improvement is really with the speed of WireGuard, and ease of implementation.
      Yeah, definitely no reason to expose Plex directly over the internet. Over VPN is just way better and reduces the attack surface significantly. The performance over a WireGuard tunnel would be close enough to just direct access over the internet. All I'll say is nice job educating your mother how to tunnel into your network! That's a feat to behold in and of itself, haha.
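The subnet clash Marcus describes above (the network the road-warrior client sits on using the same /24 as the home LAN, so that addresses become ambiguous) and the fix both commenters mention (move home to an uncommon subnet, or NAT), as an added example that is not part of the thread. The Python below flags which visited networks would collide with a given home LAN, picks a home /24 well away from the x.x.0.0 and x.x.1.0 defaults, and prints the AllowedIPs a split-tunnel WireGuard client would use so that only home-bound traffic enters the tunnel. The list of "common" subnets is constructed for the example, and 10.8.0.0/24 is a placeholder transfer network for the tunnel itself.

```python
"""Detect and avoid home-LAN / client-LAN overlap for a road-warrior VPN.
Added example; the common-subnet list below is constructed, not measured."""
import ipaddress
from typing import Iterable, List

# Constructed list of subnets that home routers, hotels and phone hotspots
# commonly hand out; extend it with networks you actually encounter.
COMMON_CLIENT_SUBNETS: List[str] = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.100.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "10.1.10.0/24", "172.16.0.0/24", "172.20.10.0/28",
]


def conflicts(home_lan: str, client_lan: str) -> bool:
    """True when the network the client is on overlaps the home LAN.
    An address such as 192.168.1.10 then matches both the client's local link
    and the route the VPN installs for home, so one of them is unreachable."""
    return ipaddress.ip_network(home_lan, strict=False).overlaps(
        ipaddress.ip_network(client_lan, strict=False))


def audit(home_lan: str, client_lans: Iterable[str]) -> List[str]:
    """Visited networks that would clash with the current home LAN."""
    return [c for c in client_lans if conflicts(home_lan, c)]


def pick_home_subnet(avoid: Iterable[str] = (), pool: str = "192.168.0.0/16",
                     prefixlen: int = 24, skip_first: int = 200) -> str:
    """First /prefixlen inside pool, starting skip_first subnets in, that overlaps
    neither the common list nor anything in `avoid`. Starting high in the range
    keeps clear of the defaults most consumer gear and hotspots use."""
    taken = [ipaddress.ip_network(s, strict=False)
             for s in list(COMMON_CLIENT_SUBNETS) + list(avoid)]
    for i, cand in enumerate(ipaddress.ip_network(pool).subnets(new_prefix=prefixlen)):
        if i < skip_first:
            continue
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    raise ValueError("no free subnet in pool")


def client_allowed_ips(home_lan: str, tunnel_net: str, full_tunnel: bool = False) -> str:
    """AllowedIPs for the road-warrior client's [Peer] section.
    Split tunnel: only the home LAN and the WireGuard transfer network go through
    the tunnel, so ordinary browsing from a hotel still exits locally."""
    if full_tunnel:
        return "0.0.0.0/0"
    nets = [ipaddress.ip_network(home_lan, strict=False),
            ipaddress.ip_network(tunnel_net, strict=False)]
    return ", ".join(str(n) for n in nets)


if __name__ == "__main__":
    home = "192.168.1.0/24"
    print("clashes for", home, "->", audit(home, COMMON_CLIENT_SUBNETS))
    new_home = pick_home_subnet()
    print("suggested home LAN:", new_home)
    print("AllowedIPs =", client_allowed_ips(new_home, "10.8.0.0/24"))  # placeholder tunnel net
```

Re-addressing the home LAN does not remove every collision (a visited network can still use any subnet), so keep the audit list current; NAT on the home side, as the reply above notes, is the alternative when renumbering is not an option.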