Geekzone: technology news, blogs, forums




36 posts

Geek


# 258594 11-Oct-2019 17:57

Today I got an Edgerouter X and Unifi AP AC Lite so that I could set up a proper VPN router for myself.
I have no background knowledge in networking and have just been stumbling around in the dark until now, getting a lot of help from some great people here and from doing some online research.
I've got both set up, and now I think I've gotten to the tricky part where I really don't know what I'm doing. I know it's possible to do, but doing it is proving challenging for me.

I effectively want to have 2, maybe 3 SSIDs:

1: VPN - US
2: No VPN - regular connection
3: VPN - NZ (would be nice to have this but if a third one is too complicated I can leave it).


I was just planning on using this guide here - https://nordvpn.com/tutorials/edgerouter/openvpn/
But after reading through, I'm pretty sure it's just going to route all my traffic through the VPN I choose.
I don't know how to go about splitting up to 3 networks/SSIDs and then applying this to each individually.


I've tried looking up a guide but can't seem to find exactly what I need, just pieces, and I don't feel confident enough at this stage to be able to piece together the information to make it work.

Does anyone know any guides or have any advice I can use?


497 posts

Ultimate Geek


  # 2335857 12-Oct-2019 00:23

The NordVPN setup creates a vtun0 interface. You set up the traffic to and from the vtun0 interface to be via a VLAN you set up, say VLAN 100. In the AP, you set it up so that the VPN SSID connects to VLAN 100 only. To do a second VPN, you would create a vtun1 interface for that VPN, and send the traffic on VLAN 101 on your network. Depending on where you send the VLAN traffic (which Ethernet ports on the ER-X), you could also make it so that Ethernet connected devices could change their settings to use one of the VLANs when they wanted to use the VPN. That might require an Ethernet card that could do VLANs in Windows, I think, but for Linux boxes VLANs can be handled in software.

I have not read through this web page thoroughly, but it looks like it is a HowTo for what you want to do:

https://tech.michaelaltfield.net/2017/08/20/howto-guide-whole-house-vpn-with-ubiquiti-cryptostorm-netflix-safe/


4326 posts

Uber Geek


  # 2335886 12-Oct-2019 10:04

Follow the nordvpn guide up to step 8.

In step 8 just run:

configure
set interfaces openvpn vtun0 config-file /config/openvpn/uk180.nordvpn.com.udp1194.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

So now you have an interface that is connected to nordvpn.

Now go and set up your internal 'vpn lan'. Give it an address, dhcp, etc. The DHCP server should assign the new vpn tunnel IP address as the gateway.

Then just add a source nat rule to nat the new 'vpn lan' network out the tunnel interface you made.

Edit: sorry, just to add. You set up the new 'vpn lan' on a VLAN interface... like VLAN 500 or something.
Then on your unifi, you just set up the vpn ssid to be on VLAN 500.





36 posts

Geek


  # 2335983 12-Oct-2019 15:34

fe31nz:

The NordVPN setup creates a vtun0 interface. You set up the traffic to and from the vtun0 interface to be via a VLAN you set up, say VLAN 100. In the AP, you set it up so that the VPN SSID connects to VLAN 100 only. To do a second VPN, you would create a vtun1 interface for that VPN, and send the traffic on VLAN 101 on your network. Depending on where you send the VLAN traffic (which Ethernet ports on the ER-X), you could also make it so that Ethernet connected devices could change their settings to use one of the VLANs when they wanted to use the VPN. That might require an Ethernet card that could do VLANs in Windows, I think, but for Linux boxes VLANs can be handled in software.

I have not read through this web page thoroughly, but it looks like it is a HowTo for what you want to do:

https://tech.michaelaltfield.net/2017/08/20/howto-guide-whole-house-vpn-with-ubiquiti-cryptostorm-netflix-safe/

Ok, I think I'm getting there. Thanks for the explanation and guide, they're both very helpful.

I managed to set up an NZ VPN so far on my router as per the guide, but it's applying the VPN to all my traffic, including the PC I connect to the router over Ethernet, which I'd rather have using no VPN, and then just connect via different VLANs like you explained, or the Nord app. Is there anything glaringly obvious that would've caused that to happen?




36 posts

Geek


  # 2336011 12-Oct-2019 16:08

chevrolux: Follow the nordvpn guide up to step 8.

In step 8 just run:

configure
set interfaces openvpn vtun0 config-file /config/openvpn/uk180.nordvpn.com.udp1194.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

So now you have an interface that is connect to nordvpn.

Now go and set up your internal 'vpn lan'. Give it an address, dhcp, etc. The DHCP server should assign the new vpn tunnel IP address as the gateway.

Then just source nat rule to nat the new 'vpn lan' network out the tunnel interface you made.

Edit: sorry just to add. You set up the new 'vpn lan' on a VLAN interface...like VLAN 500 or something.
Then on your unifi, you just set up the vpn ssid to be on VLAN 500.

I think I'm having troubles with source nat rules; I can't seem to make these work.

I followed a guide and managed to get an NZ VPN set up across my whole router with a second vlan (id 30) for 'clean' traffic with no VPN. This isn't quite what I wanted, but I pressed on and tried to set up a third VLAN (id 50) but can't figure out how to make the source nat rules work (I could pretty easily copy from a guide when setting up VLAN30 with vtun0, but setting up VLAN50 with vtun1 didn't quite work for me).


4326 posts

Uber Geek


  # 2336030 12-Oct-2019 17:31

If you are wanting the entire lan subnet in your 'vpn lan' to go over the vpn tunnel the nat rule is very simple.

It's just 'source address' = 'vpn lan subnet', out interface = vpn tunnel interface, and the action is masquerade.



36 posts

Geek


  # 2336041 12-Oct-2019 18:32

I've tried setting up the NAT rule but it doesn't seem to be working. I've got the vtun0 up and running, vlan (id 30) with DHCP and an SSID with the right vlan id. I can connect to the SSID but the traffic doesn't appear to be routed through VPN.

This is effectively what my total config looks like. Are there any obvious mistakes in there?

set interfaces openvpn vtun0 config-file /config/openvpn/nz58.nordvpn.com.udp.ovpn
set interfaces openvpn vtun0 description 'VPN NZ'
set interfaces openvpn vtun0 enable

set service nat rule 5000 description 'VPN NZ'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 192.168.30.0/24
set service nat rule 5000 type masquerade

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.30.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.30.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1

set interfaces switch switch0 firewall in modify SOURCE_ROUTE


2417 posts

Uber Geek

Lifetime subscriber

  # 2336328 13-Oct-2019 16:20

set interfaces switch switch0.30 firewall in modify SOURCE_ROUTE
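Added example, not code from the thread or any of its posters: a small Python lint over the EdgeOS 'set ...' lines posted above that checks the three pieces the replies describe (a masquerade NAT rule for the VLAN subnet out the tunnel, a routing table defaulting to the tunnel with a modify rule that sends the subnet into it, and that modify policy bound inbound on the VLAN sub-interface rather than on switch0, which is the fix in the last reply). It assumes the EdgeOS CLI path for the VLAN sub-interface is 'switch switch0 vif 30' and also accepts the 'switch0.30' spelling used above; the sample config is the thread's, reduced to the relevant lines.

```python
# Added example, not code from the thread: a lint for the EdgeOS "set ..." lines above. It checks
# the three pieces the replies describe: masquerade NAT, a policy-routing table that defaults to
# the tunnel, and that policy bound inbound on the VLAN sub-interface (switch0 vif 30), not switch0.
import shlex
from collections import defaultdict

def parse_set_lines(text):  # 'set a b value' -> token lists; shlex keeps quoted descriptions whole
    return [shlex.split(l)[1:] for l in map(str.strip, text.splitlines()) if l.startswith("set ")]

def find(paths, *prefix):  # remainder of every path that begins with prefix
    return [p[len(prefix):] for p in paths if tuple(p[:len(prefix)]) == prefix]

def lint_vpn_vlan(config_text, vlan_subnet, vlan_id, vtun):
    """Return the problems found for routing vlan_subnet (VLAN vlan_id) out of vtun."""
    paths, problems = parse_set_lines(config_text), []
    nat = defaultdict(dict)                        # rule id -> {"source address": ..., "type": ...}
    for rid, *mid, val in find(paths, "service", "nat", "rule"):
        nat[rid][" ".join(mid)] = val
    if not any(r.get("source address") == vlan_subnet and r.get("outbound-interface") == vtun
               and r.get("type") == "masquerade" for r in nat.values()):
        problems.append(f"no masquerade NAT rule for {vlan_subnet} out {vtun}")
    tables = {t[0] for t in find(paths, "protocols", "static", "table")
              if t[1:3] == ["interface-route", "0.0.0.0/0"] and t[-1] == vtun}
    rules = defaultdict(dict)                      # (policy, rule id) -> settings
    for pol, _, rid, *mid, val in (r for r in find(paths, "firewall", "modify") if len(r) > 4):
        rules[(pol, rid)][" ".join(mid)] = val
    policies = {pol for (pol, _), r in rules.items()
                if r.get("source address") == vlan_subnet and r.get("modify table") in tables}
    if not policies:
        problems.append(f"no modify rule sending {vlan_subnet} to a table that defaults to {vtun}")
    # where is each policy bound "in"? iface is ["switch0"], ["switch0", "vif", "30"] or ["switch0.30"]
    bound = [(r[:-4], r[-1]) for r in find(paths, "interfaces", "switch") if r[-3:-1] == ["in", "modify"]]
    on_vlan = {p for i, p in bound if i[1:] == ["vif", str(vlan_id)] or i[0].endswith(f".{vlan_id}")}
    on_parent = {p for i, p in bound if len(i) == 1 and "." not in i[0]}
    if policies and not policies & on_vlan:
        hint = " (bound to the parent switch0, which does not match the VLAN's tagged traffic)" if policies & on_parent else ""
        problems.append(f"modify policy not bound inbound on VLAN {vlan_id}{hint}")
    return problems

# The relevant lines of the config posted in the thread, last line as originally written
POSTED = """
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 192.168.30.0/24
set service nat rule 5000 type masquerade
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.30.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
"""
FIXED = POSTED.replace("switch0 firewall", "switch0 vif 30 firewall")  # the last reply's fix
```

On the posted config the lint reports only the interface-binding problem; with the policy moved to the VLAN sub-interface it reports nothing.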

