
Looking for a scalable/simple/inexpensive pseudo VPN appliance...


aex.perez

Senior Member
Doing a favor for a group of Nurses, looking for an approach that scales up and is easier than what I did for my son's Nurse...

Looking for any way to make this work, consistently and simple to both configure and use.

Background:
My son's Nurse has a Chromebook where I installed OpenVPN and have a profile configured to connect to the OpenVPN running on my AX88. She has an application that she uses to clock in and out. I have Localization disabled so that it uses the Internet facing IP address of my router when accessing the application to log her hours for localization. Works like a champ, whether here or anywhere she can access the app; when away from my network she uses the OpenVPN client to, for all practical purposes, pretend she is on site.

Going forward:
Now I need to ramp this up and account for all sorts of situations. My initial thoughts are to have an inexpensive router and leverage OpenVPN cloud so as not to mess with the patient's router or network settings. The thought being that the router connects to the OpenVPN cloud sitting behind the customer/patient's router (basically an outbound connection), the OpenVPN client on the Nurse's device connects to the OpenVPN cloud (also an outbound connection), and the connection is made across the OpenVPN cloud, without modifying the customer's firewalls or the customer/patient equipment; they're in. In essence the VPN router they would plug into the patient's router would be configured with an obscure LAN and hidden SSID so they could use it for WiFi connectivity when in the patient's home, and as the VPN termination point so to speak, even though the termination is actually in the cloud and both the client and router are outbound connections.

In this way they would also have a common SSID across all their patients and a common way to access them remotely and launch the time logging app from their device which will collect/log the customer's Internet facing IP when the application is accessed for its localization. With the consistent SSID I'm also solving a second issue where they have many network profiles on their devices based on the patients they each have and whether they have access to the patients WiFi network.

Ask:
At least this is my initial thought. One hurdle (yet to verify, but OpenVPN server comes up automatically on my AX88) is that the OpenVPN cloud doesn't automatically start when the router is rebooted/restarted. Second hurdle is, what router? It has to be inexpensive because there's not a lot of margin in this business and it has to scale, but it has to have WiFi and be able to run a VPN client. Another hurdle is making this goof-proof, easy and consistent, so simple that they can set this up themselves going forward after I walk them through and document the first 2 or 3 set ups... Performance is not a KPI as the app is http: based and fairly light on the communications, so bandwidth/performance is not a huge concern. Also not forgetting the customer concern for Privacy and Security and concern for devices they have no management over.

I'll take any other suggestions on ways I can accomplish this more easily, inexpensively and scalably. Note the time logging application is exposed via http: in a far off datacenter and accessed over the Internet, so I can't install anything on a server. What is key is that we can't touch the customer/patient's router other than to plug in a device. Most of the Nurses' devices are iPhones/iPads/Android Tablets/Android Phones/Chromebooks, whether on mobile data or WiFi, as the application is lightweight from a network perspective.

Open to any other thoughts, ideas to develop a workable/manageable (lightweight)/simple and scalable solution....
 
Learn to use WireGuard, it's faster, better (instant reconnection).

Ditch OpenVPN. I don't really understand what you're trying to do though, but just wanted to give my two cents about WireGuard. I was a looong time user of OpenVPN with some advanced configs that took me forever to figure out. WireGuard is different and a bit simpler.
 
Basically I need a VPN that I can load, or have loaded, on a device of some type that sits on a customer's network, so that I won't need to touch the customer's network/router/firewall.
If that device is also a WiFi router it's a bonus, but not needed. Inexpensive and easy to both use and set up, to the point I can demo and document the setup and walk away.
 
I'm using both (ovpn and wg) on my router with no issues. Our household is dominated with iOS devices. I remember during setup there was a toggle option to restart VPN with reboot, as well the option is available under the VPN client tab.
I recommend the GT-AX6000, since it runs RMerlin fw, has updated hardware, and the price is dropping significantly with the announcements of WiFi 7 routers being released this year. Absolutely no reason to get a WiFi 7 router.
 
Actually even an AX router is overkill. This is what I was thinking but it misses the mark from a $$$ perspective. Also needs to be easy enough that an inexperienced person can set it up. Even with me documenting it I doubt the nurses could deploy it.
 
Look at the travel routers from GL.iNet. They are inexpensive, they can run either OpenVPN or WireGuard, which starts automatically at startup, and they can be connected to the patient's router/network using either an Ethernet cable or WiFi. The latest model, which costs $129, is advertised to run a WireGuard client at 550 Mbps and I believe an OpenVPN client at 150 Mbps. Other models at lower prices offer slower WAN throughput and slower VPN.

Easy to setup as there are limited settings.
 
I'd be looking to use an SBC or a secondhand thin client (probably what I'd go for) that you could use as a VPN gateway. So, the devices could be set up with a common SSID that the nurses would connect to rather than to the service user's WiFi, and then the VPN gateway would connect to the service user's router over a cable - needs to be 6 foot or more from the router.
Set up properly it'd be secure and pretty transparent; speeds might not be great, but then you said they didn't need to be. Setting up an SBC using DietPi would be the easiest way, but re-purposing a thin client could be cheaper and tidier!
 
Travel router may do it all as suggested by @CaptainSTX above.
That's where my head was originally at, but it never hurts to reaffirm and get opinions. As the travel router would be behind whatever brand of main router the patient/customer has, I read in the docs that I would likely/may need to enable port forwarding on the main/customer's/patient's router for the configured port for the WG server. That's not that difficult to document around.

I need to test it out; at ~$30 it's affordable, it's fairly simple to set up, has remote management, and that it has WiFi is a bonus so the Nurses don't have to get the SSID of the customer/patient's WiFi. I can build these to be almost mirrors of each other; basically only the WG server setup changes a bit and they'll have a WG profile per patient. Have all the QR codes printed out and in each patient's file for the client/patient side WG setup.

Think that pretty much solves it, but for due diligence I'm going to look into the thin client route too. At ~$30 and with options to connect it with cloud management of all the deployed routers, it'll be hard to beat this little travel router (running OpenWrt).
 
Well, so far so good. Pretty simple setup.

A couple of gotchas,

I had to use virtual server/port forwarding to make it work, so I will need to document how to use a static IP (to not get fancy with DHCP - remember lowest common denominator) for the port forwarding rule.



WireGuard server was a snap, so was OpenVPN server. It was a little bit of a nuisance setting up the WireGuard client, but only because of how I was testing, and I didn't want to print the QR code. But eventually got creatively around that using a text editor on the iPhone and some copy / paste shenanigans.

The other nuisance is that I had to uninstall Skynet as there is no way to permit a port through it and as a result it kept blocking the VPN tunnel from establishing. Temporarily disabling Skynet is just that, temporary. Drove me nuts: one minute working fine, the next not. I have no way of knowing what the client IP will be of the device that connects and its connectivity method, so no real good way to effectively whitelist IPs or ranges. Would be nice if Skynet would take into consideration the configured virtual server/port forwarding rules, but that's not something it's geared up for and not really designed for. But I don't anticipate running into Skynet in the wild, and if I do, well, that means the patient/customer is likely on Merlin and at that point they can upgrade the firmware if needed and can do WireGuard at their router, and the customer can set up a guest network (not extended across the mesh if they have one). In short, problem solved.

WiFi on the router is a snap, not the fastest but workable. If at the patient's location, it'll be easier to use the travel router's SSID than it will be to manage all the different patient SSID profiles on the nurses' device(s), and more secure for the patient. What would be ideal is if the configurable button/toggle/slider on the side could be used to enable/disable wireless instead of just the VPN client (on/off). Something else that would be nice is if I could disable 802.11b without also taking down 802.11n. Removing 802.11 b/g/n only allows you to select 802.11b or g, but not n and neither g/n.

The only thing left is to test/document adding and managing the travel router in their cloud service and being able to get to the web interface via the WAN (LAN side of the Internet facing router). Getting HTTP / SSH access requires enabling DDNS, even though it sits behind a router. Right now I have most of it on while I play with it; before going live I will be clamping it down significantly.



Mistakenly I thought Goodcloud enablement is where you turn on being able to manage the router via a browser/ssh via the WAN (LAN side of the Internet facing router). So I need to determine if I need to do some more port forwarding to make this work, and how secure that is. That's for tomorrow, when the nurses bring me one of their tablets to try the connectivity and application access on.



Lastly, VPN policy - I have it set up so that router operations (like DNS and the Goodcloud management framework) do not use the VPN tunnel, which, if it did, would cause the cloud management to drop every time someone connected to it. But I'm also toying with the idea of only allowing the domain(s) of the web apps the nurses use to use the VPN, just to see how much more or less of a load that creates and the practicality of that.

All in all, for $34 for the external antenna version delivered overnight and a few hours' work this AM, not bad at all. Will be passing on some of the observations (some made here) to GL.iNet for possible inclusion in a future firmware release, but not complaining, not at all, so far... ;)

Thank you for the recommendation, @CaptainSTX
 