Geekzone: technology news, blogs, forums


snowfly

473 posts

Ultimate Geek


#250664 20-May-2019 23:16

I've got an OpenVPN site-to-site setup working ok, but unable to access any devices connected to the client side LAN.

This is between HOME (fibre connection) and a remote house (connected via 2degrees 4g, so CGNAT). Remote location has a bunch of IoT sensors, etc.

Take this very simplified network diagram below, which highlights the key setup. (I've not included all the dozens of other home/remote devices to not confuse things)

Summary of setup:

  • OpenVPN server pushes routes to client
  • OpenVPN server has client-config-dir, and file containing iroute for client
  • Remote site is always connected to Home via OpenVPN
  • Mobile phone can connect to home network as required

What works:

  1. Remote site connected via OpenVPN
     1. Raspberry Pi can ping and access all HOME devices
  2. Mobile connected via OpenVPN
     1. Mobile can access HOME devices, plus access REMOTE raspberry pi
  3. OpenVPN Server & Home devices (e.g. Desktop) can:
     1. Ping all REMOTE devices (e.g. Raspberry pi, remote huawei modem, and wemos d1 minis)
        These work:
        1. ping 192.168.10.1
        2. ping 192.168.10.2
        3. ping 192.168.10.10
     2. Access Raspberry Pi via SSH, VNCserver, web, etc

What does not work:

  1. Home devices (OpenVPN server or desktop) cannot access anything at REMOTE apart from raspberry pi.
     e.g. Home device cannot access web interface of Huawei modem, OR access Wemos d1 minis
     1. Accessing this fails: http://192.168.10.1, or http://192.168.10.10
 

When running tcpdump for tun0 on the Raspberry Pi at REMOTE:

  • Ping from HOME to any REMOTE IP shows packets transmitted/received, OK
  • HTTP web request from HOME to REMOTE Raspberry Pi, shows packets transmitted/received, OK
  • HTTP web request from HOME to other REMOTE device (192.168.10.1), shows packets transmitted, nothing received, FAILED

Suspect this is a routing issue, but it's doing my head in!

Wondering if I need a better 4g modem/router at the REMOTE location, that will allow me to set a static route in the router, telling remote LAN devices to route openvpn requests back via the raspberry pi???

At the moment the only way I can access the web interface of other devices at REMOTE is to VNC into the Raspberry Pi, and then use the Raspberry Pi desktop and browser remotely to access those devices.


snowfly

473 posts

Ultimate Geek


  #2241954 21-May-2019 00:00

Well after much head scratching, I added this to the UFW firewall on the raspberry pi, and now it all works:

    ufw default allow FORWARD

So now from home I can successfully access the web interface of the remote huawei 4g modem, plus access all the wemos d1 mini sensors remotely, all done over a nice openvpn connection!
:)

This may or may not be of interest to anyone.
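Why ping crossed the Pi before the fix while HTTP did not: ufw ships with a "DROP" forward policy, but its /etc/ufw/before.rules accepts ICMP echo-request in the ufw-before-forward chain, so ICMP was forwarded and TCP was dropped. Allowing all forwarding fixes the symptom but also lets the 4G modem and every IoT sensor on the remote LAN open connections into the home network through the tunnel. The script below is an added example, not from snowfly's post or setup: it emits a least-privilege ufw rule set that only lets new connections arriving from the tunnel be forwarded into the remote LAN, and relies on the RELATED,ESTABLISHED conntrack rule ufw already installs in ufw-before-forward for the replies. Interface names (tun0, eth0) and the subnets (remote LAN 192.168.10.0/24, tunnel 10.8.0.0/24, home LAN 192.168.1.0/24) are assumptions; the thread only gives the 192.168.10.x addresses.

```shell
#!/bin/sh
# Added example, not from the thread: a least-privilege replacement for a
# blanket "allow everything" forward policy on the remote Raspberry Pi.
# Assumed names (the thread does not give them): tunnel interface tun0,
# LAN interface eth0, remote LAN 192.168.10.0/24, OpenVPN tunnel subnet
# 10.8.0.0/24 and home LAN 192.168.1.0/24 reached through the tunnel.
set -eu

TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
REMOTE_LAN="${REMOTE_LAN:-192.168.10.0/24}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
HOME_LAN="${HOME_LAN:-192.168.1.0/24}"

# Emit the ufw commands.  Only new connections that arrive on the tunnel and
# are destined for the remote LAN may be forwarded.  Replies are matched by
# the "-m conntrack --ctstate RELATED,ESTABLISHED" rule ufw ships in
# /etc/ufw/before.rules for ufw-before-forward, so the IoT devices and the
# 4G modem cannot initiate connections towards the home network.
forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ufw default deny routed
ufw route allow in on $TUN_IF out on $LAN_IF from $VPN_NET to $REMOTE_LAN
ufw route allow in on $TUN_IF out on $LAN_IF from $HOME_LAN to $REMOTE_LAN
EOF
}

# If the remote LAN devices have no route back to the tunnel or home subnets
# via the Pi (the usual case when a consumer 4G modem is their default
# gateway), the Pi must masquerade.  ufw has no CLI for nat rules; this
# table belongs at the top of /etc/ufw/before.rules, above the "*filter" line.
nat_snippet() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
-A POSTROUTING -s $HOME_LAN -o $LAN_IF -j MASQUERADE
COMMIT
EOF
}

# Dry run by default; APPLY=1 executes the commands (needs root and ufw).
if [ "${APPLY:-0}" = "1" ]; then
    forward_rules | sh -e
    ufw reload
else
    forward_rules
    echo "# nat table for /etc/ufw/before.rules:"
    nat_snippet
fi
```

Run it once without arguments to review the generated commands, then with APPLY=1 on the Pi. To keep forwarding across reboots set net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf as well, and only add the nat table if the remote devices really cannot route back through the Pi; if the 4G router can take a static route for the tunnel and home subnets pointing at the Pi, masquerading is unnecessary and the remote devices will see the real home source addresses in their logs.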


JessieB
35 posts

Geek


  #2244283 23-May-2019 22:17

I too, have been playing around with OpenVPN. I primarily wanted my parents to access an old HDHomerun tuner located on my network, as they don't get aerial TV and their old Vodafone box had stopped working. I use a Ubiquiti Edgerouter Lite, and a Ubiquiti switch that enables VLAN subnets. The tuner is plugged into one of the ports on the switch configured with a dedicated VLAN. On the router, I have used the built in OpenVPN, configured in server mode. Also on the router, I have configured a software bridge between the VLAN and the OpenVPN interface. This allows all the multicast/broadcast traffic of the HDHomerun to pass through. On my parent's side, I run Tunnelblick (a client version of OpenVPN) on their HTPC (an old Mac Mini). The Mini still has an address on my parents' network, but also has an address on the VLAN hosted back on my network. It works well.


fe31nz
815 posts

Ultimate Geek


  #2244307 24-May-2019 00:13

JessieB:

I too, have been playing around with OpenVPN. [...] It works well.

If you do bridging in an Edgerouter Lite, that will disable hardware offloading, and cut your maximum speeds to well below gigabit. So it may work fine if your connection is 100 Mbit/s or less, but I think that would depend on the packet sizes and the traffic mix. Also, OpenVPN encryption cannot be offloaded in an Edgerouter, so again you are relying on the (small) CPU for doing that - I would expect that the limit for the encryption speed will be well below your connection speed.

I do my OpenVPN connection (with bridging) on my MythTV PC (Ubuntu 18.04). That has a pretty decent CPU (AMD FX-4100 3.6 GHz quad core) which is much more up to the job, and my ERL is able to do full hardware offloading for my gigabit fibre connection. I was able to play all but the highest bit rate HD TV programmes from my MythTV box over my OpenVPN connection when I tried from a holiday home that had a good VDSL connection - it looked like the limit was the VDSL speed, rather than the OpenVPN speed, but without access to the holiday home's router settings I could not determine that for sure. The OpenVPN client was an older Intel i7 CPU (hex core, hyperthreaded) so again it should have been good at doing the decryption.

 

You might consider setting up OpenVPN to just send authentication and not encrypt the traffic.  I think it can be set up that way.  TV streams hardly need encryption, but you do want the access to your network to be fully secure.




JessieB
35 posts

Geek


  #2244567 24-May-2019 13:26

'show ubnt offload' is showing forwarding, vlan and pppoe to be all offloaded, and cpu use is negligible with OpenVPN active, but no streaming.

When watching TV One, 'top' shows the OpenVPN cpu process jumping around the 30-40% mark. The stream is about 5-6 Mbps. That is with encryption off. I'll probably turn it back on, as I don't think it made that much difference.


fe31nz
815 posts

Ultimate Geek


  #2245090 25-May-2019 00:12

Unfortunately "show ubnt offload" only shows the settings, not whether offloading is actually working. So it depends on how OpenVPN works in an ERL. I have never used it in my ERL so I cannot say for sure that telling it to bridge is the same as bridging in the normal routing setup, which definitely disables offloading. The easiest way I know of to see if offloading is working is to use tshark or tcpdump on the ERL. I think tcpdump is installed by default, but you need to use apt-get to install tshark. I prefer tshark myself. Make sure if you are storing the packets you do it to a RAM directory, not flash, or you can kill the ERL flash pretty easily. What I do is log in to my ERL via ssh, then:

    sudo su
    cd /var/log
    tshark -tad -P -w eth2.pcap -i eth2 host 10.0.2.12

where 10.0.2.12 is a Linux box I have that is not too busy on the network at most times. Then I go to that box and do some traffic that will do TCP connections (eg download a file) that will take quite a few packets. The eth2.pcap file can be copied to another PC where you can analyse it using Wireshark - use scp to copy it via ssh. If offloading is happening, you only see the non-offloaded packets at the start of each connection. If offloading is not happening, tshark will see all the packets for each connection. The way this works is that tshark, as software running on the CPU, can only see packets that are processed by the CPU. Offloaded packets are handled in hardware outside the CPU and are never seen on the CPU's Ethernet ports.

Thinking about how OpenVPN works, it has to see all the packets, to encrypt or decrypt them. So unless the ERL has OpenVPN offloading capability (which no-one has ever mentioned it having, even though it does have a hardware encryption unit it uses for IPSEC), then it must disable offloading for the VLAN it is getting packets from. Otherwise it would only see the handshake packets at the start of TCP connections. And it will also need to see all the OpenVPN packets received from the WAN port. So at the very least, the offloading has to be disabled for the VLAN it is connected to, and for the WAN port. More likely, it will be completely disabled. And if OpenVPN is only using a single CPU core, as is likely, you will not see the CPU load shown by top go much above 50% + the normal CPU load when OpenVPN is maxed out. I have installed htop and it displays the per core CPU usage - it would be interesting to see what that shows when OpenVPN is busy. My bet is that one core will be at 100% all the time.

Here are a couple of links I found for OpenVPN performance on an ERL:

https://community.ubnt.com/t5/EdgeRouter/OpenVPN-Performance-Throughput/td-p/567901

https://blog.voina.org/edgerouter-openvpn-site-to-site-performance/

So I would think that currently one DVB-T TV programme being streamed would be fine, until the bit rate goes above 6 Mbit/s, which it only does momentarily with the so-called HD programmes on TVNZ and Three. But if you wanted to have two programmes streaming at the same time (eg the software at the remote site recording one HD programme from TVNZ 1 and another one from TVNZ 2 on the same multiplex), then you would run out of bandwidth. And if you want to stream the entire multiplex at once, as is done by most TV software when it is tuning in the channels, then it would not work. Have you tried an HD programme from the Maori channel? They have only two channels on their multiplex, so it may well be that their HD programmes will be real HD bandwidth and will be peaking above 10 Mbit/s. That used to happen with TVNZ 1 and Three back when they were TV One and TV3 before they had to be reduced in bandwidth to accommodate more channels on the same multiplex.
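The offload check fe31nz describes (a capture on the ERL shows only the start of each TCP connection when the fastpath is handling the bulk) can be automated instead of eyeballed in Wireshark. The script below is an added example, not from fe31nz's post: it reads the text output of "tcpdump -nn" (the tcpdump line format is assumed; tshark's default timestamp style is not parsed here) and reports, per TCP flow, how many packets the CPU saw and whether any of them carried payload. The sample capture embedded in the script is constructed, and the server address 203.0.113.10 is a documentation address chosen for the example.

```shell
#!/bin/sh
# Added example, not from fe31nz's post: decide per TCP flow whether the
# ERL's CPU saw the whole connection (not offloaded) or only the handshake
# (bulk handled by the hardware fastpath).  Input is the text output of
# "tcpdump -nn"; that line format is an assumption of this script.
set -eu

# Reads tcpdump -nn lines on stdin and prints one line per TCP flow:
#   <endpoint A> <-> <endpoint B> total=<packets> data=<payload packets> <verdict>
# A flow with no payload-carrying packet visible to the CPU is reported as
# handshake-only, which is the signature fe31nz describes for offloading.
classify_flows() {
    awk '
    /^[0-9:.]+ IP / {
        src = $3; dst = $5; sub(/:$/, "", dst)
        # one key for both directions of the same connection
        key = (src < dst) ? src " <-> " dst : dst " <-> " src
        total[key]++
        # "length N" is the TCP payload size; N > 0 means a data packet
        if (split($0, f, "length ") > 1 && f[2] + 0 > 0) data[key]++
    }
    END {
        for (k in total) {
            v = (data[k] + 0 > 0) ? "data-visible" : "handshake-only"
            printf "%s total=%d data=%d %s\n", k, total[k], data[k] + 0, v
        }
    }'
}

# Constructed sample capture (not a real trace).  The flow to port 80 shows
# only the three-way handshake reaching the CPU; the flow to port 443 shows
# handshake plus payload, i.e. the CPU is processing every packet.
sample_capture() {
    cat <<'EOF'
12:00:00.000100 IP 10.0.2.12.51000 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
12:00:00.000200 IP 203.0.113.10.80 > 10.0.2.12.51000: Flags [S.], seq 5000, ack 1001, win 65160, length 0
12:00:00.000300 IP 10.0.2.12.51000 > 203.0.113.10.80: Flags [.], ack 1, win 502, length 0
12:00:01.000100 IP 10.0.2.12.51001 > 203.0.113.10.443: Flags [S], seq 2000, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.443 > 10.0.2.12.51001: Flags [S.], seq 6000, ack 2001, win 65160, length 0
12:00:01.000300 IP 10.0.2.12.51001 > 203.0.113.10.443: Flags [.], ack 1, win 502, length 0
12:00:01.000400 IP 10.0.2.12.51001 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:01.000500 IP 203.0.113.10.443 > 10.0.2.12.51001: Flags [P.], seq 1:1449, ack 518, win 509, length 1448
12:00:01.000600 IP 10.0.2.12.51001 > 203.0.113.10.443: Flags [.], ack 1449, win 501, length 0
EOF
}

sample_capture | classify_flows
```

On the router the live form is `sudo tcpdump -nn -i eth2 host 10.0.2.12 | classify_flows` (run from RAM, as fe31nz notes, since tcpdump here writes nothing to flash), followed by a deliberate file download from 10.0.2.12. A flow you know moved megabytes but is reported as handshake-only was offloaded; data-visible flows went through the CPU. The heuristic cannot tell an offloaded flow from a connection that simply sent no data, which is why the test traffic has to be generated on purpose.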


JessieB
35 posts

Geek


  #2245162 25-May-2019 08:47

Those links are for older firmware. I am on v2.0.1, and more recent discussions show that 25Mbps is possible - still very slow for linking office environments etc, but for a single HD stream or two it is okay. In any case I am only on an ordinary 200/20 Mbps plan, and that 20Mbps is the limit I got when I did a file transfer test through openvpn.

