NOW offer a static IP for a one-off cost. Or at least they did when I was last with them.
Hmmmm
michaelmurfy:
@SmurfHk Just note - these days you don't need a public IP if you're just wanting to remotely access stuff. The better option is to use Tailscale (https://tailscale.com) for this which works fine behind CG-NAT and is totally free for most use-cases.
DO NOT (and I mean this) forward RDP to your PC. This is one of the most exploited services out there.
It sounds to me like you actually don't need a public IP and to be honest in your case I wouldn't, as it adds a security layer. Just use Tailscale and be done with it.
Thank you for the comments on this, interesting.
I did look very briefly at Tailscale when I saw GL.iNet devices have it natively. I have a Beryl AX for travel.
But my ASUS Merlin router doesn't do it natively so I gave up on it; I spent so long learning how to implement OVPN and WireGuard (Tailscale is based on that, I understand) on my Asus that I just wanted to replicate the setup.
k.
cisconz:
NOW offer a static IP for a one-off cost.
That would be good but the email I got from them two days ago said $5 per month. Which is doable, just not one-off.
But my ASUS Merlin router doesn't do it natively so I gave up on it; I spent so long learning how to implement OVPN and WireGuard (Tailscale is based on that, I understand) on my Asus that I just wanted to replicate the setup.
You don't need to run it on your router. It is a client service so install on your PC and job done. If you need wider access to your network then set it up as a relay so you can tunnel all your traffic over it. It doesn't require a Public IP or any port forwards.
It also runs on basically any Linux device (eg - Raspberry Pi)
Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)
Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
michaelmurfy:
You don't need to run it on your router. It is a client service so install on your PC and job done. If you need wider access to your network then set it up as a relay so you can tunnel all your traffic over it. It doesn't require a Public IP or any port forwards.
It also runs on basically any Linux device (eg - Raspberry Pi)
Thanks and apologies if this is veering off topic but I did as much reading as I could and am still not clear on the implementation of Tailscale in this particular environment.
The place is a bach essentially, where this router is located, and I would like to VPN INTO it, remotely, from other devices.
I set up Tailscale on one of my devices (an iPad) and started looking at what next. So it said copy-paste this link and add your other devices. I can do this for Windows clients, iOS devices and the like - just not the router in the bach, to add it as a device to my tailnet. It had a Linux option and I've seen forums showing packages installed over Entware (getting beyond my comfort zone) but not inbuilt on Asus Merlin. Sorry but I am not clear on your comment that I "don't need to run it on your router". How do I tell Tailnet it's one of my devices so clients can access it?
thanks,
k.
michaelmurfy:
Just note also - if you install Tailscale on a device that is on this network (eg, PC) then you can use that as an exit node and that is just like having a VPN in every way. You can access the network, internet via this network and all.
This is exactly what I do with my Tailscale instance except this is on my TrueNAS box (which is on 24/7) so I can access its drives and basically everything internally (including my OPNsense, which has proven to be useful at times whilst I'm at work and I have to troubleshoot from a smartphone ;) ) and it's blazing fast. +1 for Tailscale.
Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.
SmurfHk:
Sorry but I am not clear on your comment that I "don't need to run it on your router". How do I tell Tailnet it's one of my devices so clients can access it?
thanks,
k.
Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.
michaelmurfy: Do not forward to the router ever! This is a substantial security risk!
Tailscale is blatantly easy to set up so not sure why you put that in the too hard basket, you didn’t need to go the subnet router way but instead install Tailscale on a Pi or heck even your PC as it runs on Windows then put it in relay mode. When you port forward the device you’re forwarded to has a service open directly to the internet - this is no longer secure, one vulnerability and you’re screwed.
Things you should never forward to are RDP, router interfaces, IoT, cameras etc. You put your entire network at risk and on top of this could be a part of an attack if one of your devices has a vulnerability.
Personally, as a security person what you’ve done here is a security nightmare where the better solution would have taken (not kidding) about 10mins to set up and worked fine for your needs without any extra expense or risk.
So I just read this and assumed, especially from the "not a VPN" part you were exposing the router interface to the internet - you've otherwise been pretty light on details considering several members asked you for more information:
SmurfHk: tested it to the Router WebAdmin only from overseas; it’s pretty slow as upload is slower than I’m used to my normal upload is close to the download at around 900 (not on VPN).
As you're running Merlin it can be a little better than the stock Asus firmware, but it is also important to note that routers are not updated as much, security-patch wise, as something more dedicated to the task. Forwarding just VPN is lower risk (you setting up VPN on the router exposes the ports required). It is also important to note that if you're connecting this router also to a third-party VPN service you're also exposing that, and normally your network, to that service too. If you are also using third-party VPN services then this is a very good read: https://overengineer.dev/blog/2019/04/08/very-precarious-narrative.html
As stated by several members above you don't need a static IP for your use-case. Tailscale is simple to install: https://pimylifeup.com/raspberry-pi-tailscale/ and activating it as an exit node is one command (sudo tailscale up --advertise-exit-node): https://tailscale.com/kb/1103/exit-nodes/ - from here you can essentially dump that Raspberry Pi on any network and you can VPN through it, to the network with zero router configuration via the Tailscale app.
That message however was more of a warning. It seemed you were forwarding services through your router like the router web interface and remote desktop. The problem here is remote desktop is not designed to be exposed to the internet, and routers are one of the top things to get compromised and used as part of botnets to be a part of a DDoS attack etc. Unfortunately, time and time again they've been proven to not be secure. While you should be OK in the interim to operate a VPN in this manner, it is important to also understand the risks in exposing services on your router to the internet. Just ensure your firmware is up to date and, if you can, use WireGuard or OpenVPN over the other protocols your router may offer (like PPTP or IPsec).
If you did want to go the Tailscale route, the service will automatically start as part of its default install. Basically it is install, run the login command, run the command to put it in exit-node mode and that is it - nothing else to really do. I'm not kidding when I say it takes ~10mins to install, configure and be up and running.
There are more advanced features but you don't need to worry about them. The exit node mode basically turns it into a VPN where you can select it in the Tailscale app as your exit node then suddenly you're on that network.
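As an added example (not code from any poster in this thread, and not Tailscale's own tooling), the script below covers the two practical points the thread keeps returning to: whether an inbound port forward or static IP could even reach you, and the install / login / advertise sequence for a Tailscale exit node on a Pi or other Linux box. The `classify_wan_addr` function takes the address your router reports as its WAN/Internet address and labels it "cgnat" (100.64.0.0/10, the carrier-grade NAT range), "private" (RFC 1918, meaning another NAT box sits upstream) or "public"; only the last case can accept port forwards at all. The `tailscale_exit_node_setup` function wraps the `sudo tailscale up --advertise-exit-node` command from the posts; the installer URL and the two `ip_forward` sysctls are assumptions taken from Tailscale's public documentation at the time of writing, and the function only runs when the script is invoked explicitly with `setup`.

```shell
#!/bin/sh
# Added example for this thread (not a poster's code, not Tailscale's).
# Usage:
#   sh nat_check.sh 100.70.1.1     -> prints "cgnat"
#   sh nat_check.sh setup          -> installs Tailscale and advertises an exit node
#   . ./nat_check.sh               -> just defines the functions

# Print "public", "private", "cgnat" or "invalid" for a dotted IPv4 address.
# Pure POSIX shell so it runs on a router or a minimal Pi image.
classify_wan_addr() {
  oldifs=$IFS
  IFS=.
  set -- $1            # split the address into its four octets
  IFS=$oldifs
  if [ $# -ne 4 ]; then echo invalid; return 1; fi
  for o in "$1" "$2" "$3" "$4"; do
    case $o in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    if [ "$o" -gt 255 ]; then echo invalid; return 1; fi
  done
  # RFC 6598 carrier-grade NAT: 100.64.0.0 - 100.127.255.255
  if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
    echo cgnat; return 0
  fi
  # RFC 1918: 10/8, 172.16/12 (second octet 16..31), 192.168/16
  if [ "$1" -eq 10 ] \
     || { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } \
     || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then
    echo private; return 0
  fi
  echo public
}

# The sequence the posts describe, with guards. Assumptions (labelled): the
# installer URL and the forwarding sysctls come from Tailscale's public docs;
# verify them against the current docs before relying on this.
tailscale_exit_node_setup() {
  if ! command -v tailscale >/dev/null 2>&1; then
    echo "tailscale not found, running the official installer script"
    curl -fsSL https://tailscale.com/install.sh | sh
  fi
  # An exit node routes other devices' traffic, so the kernel must forward.
  # sysctl -w is runtime only; persist it in /etc/sysctl.d/ for reboots.
  sudo sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
  # Logs in (prints a login URL on first run) and advertises this host as an
  # exit node. The node still has to be approved in the Tailscale admin console.
  sudo tailscale up --advertise-exit-node
  tailscale status
}

case ${1:-} in
  setup) tailscale_exit_node_setup ;;
  "")    : ;;                      # no argument: functions only
  *)     classify_wan_addr "$1" ;;
esac
```

Run the classifier against the WAN address shown on the router's status page before paying for a static IP: a "cgnat" or "private" answer means no port forward on that router would be reachable from the internet, and an outbound-only overlay such as Tailscale is the route that actually works, with nothing exposed on the router at all.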