VPN Routers and/or DD-WRT Question

I’m out of the country a lot. As such, lots of stuff that I use from the internet at home doesn’t work on the road due to IP sniffing (say, Pandora radio, ESPN Sports sometimes, Netflix, etc.)

I know there are commercial VPN services (even some free ones), but sometimes those are blacklisted, and I have a nice, wide pipe I’m paying for at home anyway. Also sometimes I do this with an ssh tunnel and proxy settings, but that doesn’t have a very good Wife Acceptance Factor.

Would a VPN router or a router flashed to DD-WRT (using a VPN) route my home’s internet traffic to my VPN clients (a Mac, an XP box, an iPhone) without need for another server behind the router? Everything I’ve read about router-based VPN solutions seems to confirm what I already know: I have access to my home network behind the router, which to me means that I’d need to set up a server behind the router to serve web traffic. I do have a full time server, but I’d prefer to count on a hardware router for power failure recovery without dependencies on other equipment (otherwise my server computer already has a built-in VPN server I would turn on).

Thanks for any comments/suggestions.

The easiest way is to use DD-WRT or OpenWRT with a PPTP server. This will give you an IP on the local network. I use OpenWRT, and all I had to do was configure the VPN zone (i.e., the ppp interface used by pptpd) to masquerade. I can PPTP in from my phone, for instance, and whatismyip.com will show my home IP.

You specifically mention iPhone, so I’ll chime in and mention that I use DD-WRT’s PPTP implementation successfully with my iPad. While connected, I can access devices on my home network and on external networks, including the Internet. All traffic is routed through the DD-WRT router, with no need for any proxy or server on the home network.

That’s exactly what I want to do. So, just confirming that the VPN router is acting as a full-fledged internet server in its own right, without any help required from computers within your LAN?

And thanks for the tip about OpenWRT… I didn’t know about that one!

Yes, you can do this. I use Tomato on my router, and putty on my clients. Open an ssh tunnel using putty to my router, put in the correct proxy to Firefox, and whammo, I’m surfing using my home Internet instead of my workplace Internet. I only jump on a computer at home if I need something; generally I’m just wanting the unrestricted browsing and access to IRC.

What do you mean by internet server? It will translate requests from the LAN to the WAN just like for any other device on your LAN.

Yeah, that’s what I mean. And when you phrase it like that, I feel pretty dumb (because of me, not you!). I’m pretty tech/computer/networking savvy. I was getting the impression that the VPN would only get me onto my home network, which is all well and good, but I had the lingering doubt that it wouldn’t serve me stuff from out of the network (i.e., the WAN).

I’m looking for a shortcut to the method that diku mentioned, because that’s what I already do (except ssh into the server, not the router). But, that’s not wife friendly, and for some reason my iPhone apps won’t work with ssh tunnels. I tried that route when the Apple Store banned my account for using it out of the country.

A useful bit of advice for the casual VPN experimenter:

Set up your home network with a different base IP address than the default. Specifically, set it up so that the router’s address is something like “192.168.25.1” and not the default “192.168.1.1”.

The reason for this is that when you VPN into your home network, you might just happen to be at a friend’s house or at a Starbucks, where the local network is on the default “192.168.1.1” network. Things get sticky when the “back home” network address space overlaps the “out of town” network address space.

The easiest way to avoid this is to pick an odd address range (and I mean to change the third number in the address). If you don’t know how, look it up; it’s sometimes not obvious.

My own VPN efforts…
(The OP can stop reading at this point. DD-WRT on a home router will do the job perfectly)

I have set up a small school and a small nonprofit organization with networks. Each had a different networking challenge: at the school, there are about fifty computers; at the nonprofit, there are two small offices, in different towns, that needed to share a network.

In both cases, I decided to use a hardware firewall between the Ethernet cable and the LAN, rather than use a home router for this.
The reason is that, after a few clients, home routers tend to flake out since each client might spawn hundreds of open sockets. The VPN was a second motivation: home routers don’t have enough horsepower to do the math needed for a fat VPN pipe.

Since money was very tight, we used an open-source firewall called m0n0wall (with zeros instead of O’s) installed on Soekris net4801 boxes. The net4801 is a fanless single-board computer, with a 266MHz processor and 256MB RAM, far more than a Linksys router has. You install whatever Linux-based network wizardry you want on it by plugging in a compact flash card.

These units are indestructible. They keep running for months without a hiccup.

A nice plus from m0n0wall was the fact that it provides a captive portal. You can easily set up a login page or clickthrough page, like they have in hotspots and hotels, to limit who can get on to the network.

m0n0wall is free and installs on Soekris hardware (around $220), though it also will install on PC Engines ALIX boards that cost half the price.

ETA: Note that VPN has lots of weird issues. Things like Windows shares don’t work properly since broadcast traffic is not sent over the VPN. The pipe will definitely not handle huge file transfers nicely. In addition, NAT routers sometimes cause VPN indigestion. That’s why there are fifty different little fussy settings in a VPN device.
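The address-overlap problem described earlier in this post (home LAN on the same 192.168.1.0/24 as the hotspot you are sitting on) can be made concrete with a small longest-prefix-match simulation. This is an added example, not code from any poster; the routing table, interface names (wlan0, ppp0) and the hotspot subnet are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Each route: (destination network, interface the OS would send via).
Route = Tuple[str, str]


def overlapping_networks(home_cidr: str, remote_cidrs: Iterable[str]) -> List[str]:
    """Return every remote subnet whose address space collides with the home LAN."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    return [r for r in remote_cidrs
            if home.overlaps(ipaddress.ip_network(r, strict=False))]


def best_routes(dest_ip: str, routes: Iterable[Route]) -> List[str]:
    """Longest-prefix match as a router or OS does it, but returning *all*
    interfaces that tie for the longest prefix. One result is a clean decision;
    two or more means the packet's fate depends on tie-break rules you don't control."""
    dest = ipaddress.ip_address(dest_ip)
    best_len, winners = -1, []
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if dest not in net:
            continue
        if net.prefixlen > best_len:
            best_len, winners = net.prefixlen, [iface]
        elif net.prefixlen == best_len:
            winners.append(iface)
    return winners


def vpn_table(home_lan: str, hotspot_lan: str = "192.168.1.0/24") -> List[Route]:
    """Constructed routing table a VPN client typically ends up with: the local
    hotspot LAN on wlan0, the home LAN pushed by the VPN on ppp0, and a default
    route via the tunnel so ordinary Internet traffic exits from the home IP."""
    return [(hotspot_lan, "wlan0"), (home_lan, "ppp0"), ("0.0.0.0/0", "ppp0")]


if __name__ == "__main__":
    # Factory-default home LAN: reaching a home box at .1.50 is ambiguous.
    print(best_routes("192.168.1.50", vpn_table("192.168.1.0/24")))   # ['wlan0', 'ppp0']
    # Home LAN moved to an odd third octet: the tunnel wins unambiguously.
    print(best_routes("192.168.25.50", vpn_table("192.168.25.0/24")))  # ['ppp0']
```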

This is something else that’s been concerning me, because one of the prime motivators for the VPN is to stream video from my US IP address to wherever I am in the world. I see lots of references in VPN router reviews that indicate I’d only get about 24 Mb/s. I’m not sure what to expect with DD-WRT, since it seems that it’s only installable on older model routers.

That looks like a really attractive option!

I use a Cisco VPN all the time to get into work, and although I can’t browse for CIFS shares, I’m always able to access them from both my PC and Mac. In fact, that’s the only reason I have to VPN into work.

A prime example of the weirdness. I can’t browse shares either, but I can mount them.

Usually there are workarounds, as you have found. I deal with a Canon office copier/printer that has its own admin web page, but I cannot access it over VPN no matter how hard I try. Canon is of little use in resolving this because their documentation is all super secret, only accessible to the Canon techs.

Another area where VPN has trouble is in domain name resolution. If you have a DNS at the remote site that has such things as “wiki.fluffykitten.org” indicating your internal Wiki server, then you need to play games to get that to work correctly.

One point worth mentioning: not all VPN implementations are equal. The VPN solutions used by big business work well because they are fancy, full of bells and whistles, and very expensive—that may explain why your Cisco VPN does more things than a home-brew solution.

I have found that my day-job VPN is far more transparent than my home-brew one, but it is still pretty awesome to be able to VPN to the two small non-profit organization networks and tweak stuff from the comfort of my home.

I’m running DD-WRT on a Netgear WNR3500L and it can easily handle multiple VPN clients. Realize though that all you’re going to get from your fat pipe to your remote machine is going to be limited to your (presumably) slower uplink speed. The same uplink that’s also going to be sending packet received messages to wherever you’re downloading from.

If you’re not looking to just have fun (using the term loosely) with networking I’d recommend Witopia :wink: