Connecting home networks using VPNs

VintageGamer

I want to connect my home network with the home networks of family members living in different cities. Splitting the VPN tunnel is a requirement so that they use their local internet instead of redirecting through my gateway. The VPN would access resources on our networks, including our file and backup servers, vintage game consoles that had IP connectivity such as the original XBox, gaming computers, Apple TVs, Chromecasts and other connected devices. Each network will have its own local IP range, such as 192.168.1.x, 192.168.2.x, etc. Free or inexpensive options are required. Asus routers do have VPN options built in, yet they are either older, insecure PPTP or they use OpenVPN, and there isn't an easy way to split the VPN tunnel with their implementations.

 

What recommendations do you have? Vendors, do not spam this post.

I am also looking for options for file servers to replicate to each other automatically, so that the file server at each family member's house is their primary file server, then it replicates to the vault backup server at my house for archiving and disaster recovery.

Are you an experienced linux admin? Otherwise that will be difficult (file servers syncing).

You are not looking for a VPN, what you need is called "Intranet", this is something commonly used between company branches but it is not that popular because setting it up right is painful and you need very high upload speeds with low latency. So fiberglass and 1 Gbit up is kind of a must have on both ends. Basically you are creating another network between the two networks like a virtual ethernet cable. 

Last time I've played around with that stuff, windows server 2003 was brand new.

9 minutes ago, Applefreak said:

Are you an experienced linux admin? Otherwise that will be difficult (file servers syncing).

You are not looking for a VPN, what you need is called "Intranet", this is something commonly used between company branches but it is not that popular because setting it up right is painful and you need very high upload speeds with low latency. So fiberglass and 1 Gbit up is kind of a must have on both ends. Basically you are creating another network between the two networks like a virtual ethernet cable. 

Last time I've played around with that stuff, windows server 2003 was brand new.

I work in the IT industry. I am experienced with the expensive corporate options and looking for lower cost options for home.

Back in the day we used a thing called "Hamachi" to set up a virtual network over the internet. We used it to play games that had no TCP support. I am not sure if this stuff is still around. If I remember correctly it could be used to share files and folders as well as show PCs as local network computers. There might be other solutions as well but I haven't looked into it lately. As for server syncing, I use "Nextcloud". The only problem here is that it still does not support multiple servers. Currently it can only run on one server. Each client will retain data even if the server loses the connection, but if the server needs to be set up again, you would have to re-sync all the files. In my case, I back up the entire directory to another server (both are in a server housing facility) over QSFP28 cables at 25 Gbps. With RAM caching that takes about 14 hours to back up several TB of data.

In terms of price I would advise against such a solution. If each location had a local NAS running, you could sync them in Linux. Ideally you would have two directories on each server, each containing your own and the other one's data separately, so if one set of data is corrupted or changed somehow, it will only affect the files on that server, but both servers would have duplicates so you could more easily get the good stuff copied over.

 

If someone had a more elegant solution, I'd be really interested in that.

58 minutes ago, VintageGamer said:

I want to connect my home network with the home networks of family members living in different cities.

What recommendations do you have? Vendors, do not spam this post.

While the process and options used by 8-bit Guy's brother in the video below are not exactly free, they're about as close to a low-cost solution as you can get.

 

On 9/19/2020 at 6:09 PM, kirashi said:

While the process and options used by 8-bit Guy's brother in the video below are not exactly free, they're about as close to a low-cost solution as you can get.

 

Thanks for the video link. This is exactly what I am looking to do, specifically with the Synology NAS file replication over the VPN.

Has anyone used Asus routers with the AsusWRT software to set up an OpenVPN server on the router, then an OpenVPN client on another router? The AsusWRT OpenVPN setting "Direct clients to redirect Internet traffic" in the Advanced settings screen might be an option to split the tunnel.

If you just want to network a bunch of devices you own on different networks then Tailscale is by far the simplest way to do this. If you want to interconnect entire networks then yeah, IPSec VPNs is probably the way to go.

On 9/26/2020 at 11:04 PM, Darren said:

If you just want to network a bunch of devices you own on different networks then Tailscale is by far the simplest way to do this. If you want to interconnect entire networks then yeah, IPSec VPNs is probably the way to go.

Tailscale looks interesting. This would not be a good solution for my use case as I am trying to connect multiple family networks, yet I can see the benefit to this for single user networks. I would research more of their security and data tracking and mining practices before I would install this since I have not heard of it.

This is easy with Linux, I have done this very thing (with a bit more stacked on top of it) between my apartment, and a few family members.


For clarification, I do have symmetrical gigabit fiber and one of the remote connections does as well. I do maintain a self-managed centralized connection point in the cloud, which the WireGuard VPN connects to, to avoid messing with dynamic IPs. Adding a few entries to the routing table on the edge routers allows the machines to create a VPN link between each connecting device that is shared seamlessly with the LAN connections on the opposite side of the edge routers. Both sides of the network can access anything that is included in the routing tables of the edge and VPN (hub) in order to allow communication across the bridged networks. I restrict this via VLAN tagging through Linux, smart switches for end devices, and firewall rules on the edge routers.

 

Even mobile devices can become elements of this network as well by connecting to the VPN.

 

EDIT:

I added a rough diagram, it doesn't include mobile devices but they can be added easily by connecting to the VPN Router in the cloud.

 

Software and hardware used for this. Granted, you can use DD-WRT to handle the role of the router as well, but configuration and performance will vary.

 

Hardware:

 

Edge routers:

ODroid H2+: Each device supports up to 2.5Gig Ethernet on two ports and operates on a x86 Intel Celeron J4115.

Feel free to use pfSense or Linux. I have paired it with a Samsung 970 EVO Plus and 8GB of RAM.

https://ameridroid.com/products/odroid-h2

 

Smart Switches:

Each side has a TP-Link TL-SG1016PE

Not the best option in the world, but they are cheap and support tagged and port assigned VLANs.

 

VPN:

Wireguard VPN - A fast and flexible VPN that runs as a Linux kernel module

https://www.wireguard.com/

 

DNS:

Pi-Hole Caching DNS Server/Proxy -- Also supports DNS blacklists and can be run inside docker containers easily.

https://pi-hole.net/

 

Cloud Services:

Amazon AWS EC2 Instance

Free Tier is available for the Amazon t3.micro and t3.nano instances. t3.micro will allow you to run an instance with a dual core vCPU, 1GB of RAM, and 30GB of block storage, and you can deploy any Linux OS image that you wish for free. 1GB of RAM is well suited for a VPN gateway; I wouldn't want to rely on it for much more than that.

 

(Amazon limits instance time to 750 hrs/month for free, which means the 750 hours is split between the number of EC2 instances that you have assigned to Free Tier; any additional usage is billed. Current cost is $0.0104/hr: https://aws.amazon.com/ec2/instance-types/t3/)

 

Other software (included with most Linux distros for free):

Shorewall Firewall - Easy management of IPTables for zone based network management.

DNSMasq - Used for address management (DHCP and reservations)

 

 

Network Diagram.PNG


To me this very much sounds like a candidate for pfSense Site to Site IPsec.

Utilizing IPsec and simple static routing you can create a hub/spoke design with your home as the hub. This will allow for your use cases without need for remote client configuration (form the IPsec on the router; connected devices have access to the tunnel without software or config).

 

If you want a mesh style network where all nodes can route to each other AND your place, then you would probably want to look at some dynamic routing protocol on all the routers, so when the IPsec tunnels come up the remote site subnet will automatically become available over that tunnel link. Also, static routes with mesh get really nasty really quick (N×N static routes where N is the number of sites)...

 

pfSense. It's free, it works. Just needs an old x86-64 capable PC.

 

At your remote sites, DD-WRT/Tomato etc. would work as well, as the IPsec and BGP stack is there and would work with pfSense on the other end.


pfSense isn't a bad idea. However, I would rely on something different than IPsec. Configuring IPsec for additional clients that may want to connect to the session (mobile, laptop, etc., for example) isn't straightforward. Additionally, the security of IPsec has come into question in recent years regarding key exchange, with multiple vulnerabilities discovered in IKEv1 and IKEv2. IPsec also focuses on a single pre-configured encryption method, which makes it easier to target. This said, Wireguard uses the Noise Protocol for choosing an encryption method and uses public key authentication, which is accepted as a more secure form of authentication; in addition, a secondary symmetric key can be used as a form of secondary authentication. Wireguard is also much more efficient, which results in higher bandwidth utilization for data transfers due to a lower overhead and a lower latency. Also, similar to IPsec, Wireguard can establish multiple connections to different instances at once, which means you can bridge multiple networks together easily, however

 

Wireguard is supported through a third party module in pfSense and is also natively supported in recent builds of DD-WRT.

 

Wireguard support will natively exist within the Linux kernel beginning with v5.6 and has received the endorsement of Linus Torvalds.

https://arstechnica.com/gadgets/2020/01/linus-torvalds-pulled-wireguard-vpn-into-the-5-6-kernel-source-tree/

https://www.theregister.com/2020/01/29/wireguard_vpn_will_be_in_linux_56_kernel/

 

Still may have to overcome the dynamic IP problem as well. Using dynamic domain names is a possibility.
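As an added illustration (not Maverick38344's own configuration), here is what the hub-and-spoke layout described in the two posts above looks like in WireGuard terms: the hub on the cloud instance, one spoke on each home's edge router, the split tunnel expressed through AllowedIPs, and the dynamic-IP problem handled by letting only the hub have a fixed address. The keys, the 10.77.0.0/24 transit range, vpn.example.net and the site-to-LAN assignments are placeholders.

```ini
# ---- Hub: /etc/wireguard/wg0.conf on the cloud instance ----
# Only the hub needs a reachable address. Homes with dynamic IPs dial
# out to it, so no DDNS is needed at the remote sites.
[Interface]
Address = 10.77.0.1/24            # VPN transit network (constructed)
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>    # placeholder: generate with `wg genkey`
# The hub only forwards between spokes; it must route IPv4.
PostUp = sysctl -w net.ipv4.ip_forward=1

# Site A (your house, LAN 192.168.1.0/24). On the hub, AllowedIPs is
# both the crypto routing table and the kernel route: traffic for this
# LAN is sent to this peer, and this peer may only source these ranges.
# Ranges must not overlap between peers.
[Peer]
PublicKey = <SITE_A_PUBLIC_KEY>
AllowedIPs = 10.77.0.2/32, 192.168.1.0/24

# Site B (family member, LAN 192.168.2.0/24)
[Peer]
PublicKey = <SITE_B_PUBLIC_KEY>
AllowedIPs = 10.77.0.3/32, 192.168.2.0/24

# Site C (family member, LAN 192.168.3.0/24)
[Peer]
PublicKey = <SITE_C_PUBLIC_KEY>
AllowedIPs = 10.77.0.4/32, 192.168.3.0/24

# ---- Spoke: /etc/wireguard/wg0.conf on Site B's edge router ----
[Interface]
Address = 10.77.0.3/24
PrivateKey = <SITE_B_PRIVATE_KEY>
# No ListenPort: this side always initiates, so it works behind a
# home router with a changing public IP.

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = vpn.example.net:51820  # hub's static IP or DNS name (placeholder)
# Split tunnel: only the transit net and the OTHER homes' LANs go into
# the tunnel; everything else uses Site B's own internet connection.
# A full tunnel would instead be AllowedIPs = 0.0.0.0/0 and would push
# all of Site B's internet traffic through the hub.
AllowedIPs = 10.77.0.0/24, 192.168.1.0/24, 192.168.3.0/24
# Keeps the NAT mapping on the home router open so the hub can deliver
# traffic that originates at the other sites.
PersistentKeepalive = 25
```

wg-quick installs kernel routes for every AllowedIPs range, so the edge router needs no separate static routes for the other homes; which LAN hosts are actually reachable across the tunnel is then left to the firewall rules on each edge router, as the post describes.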


IPsec is pretty straightforward. Create your phase 1 and phase 2 configs on all the routers. Create your VTI tunnel interfaces, set up all the static routes. Once complete, all devices in remote subnets will be able to talk over the IPsec overlay network back to your place. If you create the static routes on the remote sites to include the other remote sites, you can transitively route between the remote sites.

 

Basic IPSEC.png


I like the idea of pfSense and Wireguard as Maverick38344 described. Linus Tech Tips also has done videos before on creating a pfSense router, though they are outdated.

 

IPsec has been vulnerable for years, so I won't be considering that in my implementation. The remote locations also do not have static IP addresses, and they would prefer not to have dynamic DNS solutions installed since they want all the networking overhead and maintenance to be handled on my end.

 

Dynamic DNS options will be implemented in this solution. There are free DDNS solutions available.


Just a quick thought. If you currently have residential routers that support DD-WRT, you can use them instead of pfSense. Wireguard is pretty lightweight and isn't normally all that taxing. I chose Linux (Debian or Ubuntu, mostly due to package availability and update frequency).

 

That said, these routers won't give you the same performance as pfSense, but they are cheaper than x86 hardware.

 

However, x86 is a good choice and my closet has a 6" deep wiring cabinet in it and I found the H2+ to be a great option to tuck inside.

 

Device: https://www.hardkernel.com/shop/odroid-h2plus/

Case: https://www.hardkernel.com/shop/odroid-h2-case-type-2/

 

EDIT:

Never mind, the 2.5 gigabit NICs are not supported by pfSense at this time. The RTL8125B driver isn't included in the pfSense releases yet. You would have to use Linux instead.

 

Alternative to ODroid H2+ for pfSense (fully supported):

 

The Odyssey X86J4105: https://www.seeedstudio.com/ODYSSEY-X86J4105800-p-4445.html (comes with 8GB of RAM)

pfSense install: https://wiki.seeedstudio.com/ODYSSEY-X86J4105-pfSense/


So far this network is using the following existing equipment at our homes:

  • My own router using AsusWRT as the OpenVPN server, configured so that clients do not route their internet traffic through my router

  • An ECS Liva X running five USB hard drives configured as a two-way mirror in Windows 10 Storage Spaces

  • The offsite NASs will be either an Intel NUC running USB drives, either mirrored in Storage Spaces or not, or a Raspberry Pi configured as a NAS, depending on the computer skill level of the family at the remote location, since none of the remote users wanted to pay the extra cost for a commercially built home NAS

  • The client locations are currently using OpenVPN software clients on the computers to connect to my router

  • Oracle VirtualBox on the ECS Liva X is running a DNS server to easily find computers on the network; all DHCP requests are configured to have the clients use this DNS server as a secondary DNS host

Future state:

  • Move as many remote computers as possible from individual remote computers using software OpenVPN clients to a mix of Wireguard VPN and OpenVPN, with my home as the host/primary location; the remote locations will use a mix of Wireguard devices or Asus routers running AsusWRT and OpenVPN to connect the entire home networks at the remote locations to my home network

  • Continue to use the mix of Windows and Raspberry Pi NASs at the remote locations

  • Build a dedicated virtual machine system at my house, possibly using VMware or Unraid for near bare metal virtualization, with a shared drive pool for the NAS services, a Windows VM for the DNS server, Minecraft Windows servers and my current Windows dedicated servers, and a Linux VM for Minecraft Java servers and my current dedicated services running on Linux

  • Move all of my equipment to a server rack built into my home arcade machine cabinet for reduced space usage at my house and better server cooling, as described in my post at https://linustechtips.com/topic/1265155-arcade-cabinets-as-server-racks/

  • The remote routers and NASs might also be built into arcade cabinets

  • We would use the Parsec service or the multiplayer features built into Steam, GOG, or the games themselves to play multiplayer games over the internet

  • Install Parsec on all systems that do not have Windows RDP or Linux XRDP services installed to enable remote access from any system on the LAN or connected over the OpenVPN

  • Some of the remote locations may still use the software OpenVPN client since they don't want a NAS at their house, and some of those remote systems may use Windows Storage Spaces mirrored across at least two drives on their systems for redundancy on their computer

OpenVPN is almost 10 times faster than PPTP on the AsusWRT routers on this network. I now have the PPTP clients migrated to OpenVPN for increased security, easier splitting of the VPN tunnel and better performance.

 

OpenVPN client software:

https://openvpn.net/community-downloads-2/
