Offload VPN responsibility from 2 ASUS routers to a Windows PC and a Raspberry PI?


p3ter

Occasional Visitor
I have been using OpenVPN Split Tunnel Site to Site VPNs with an ASUS RT-AC88U and an ASUS RT87U to network 2 locations together for a few years, but after an upgrade to Gigabit Fiber at my home location I started getting a lot of router instability and packet loss, which I finally found to be due to the Routers simply not being up to the job of running a fast network connection and a VPN. After disabling the VPNs my routers are stable again - but what now..? I understand that I could invest a few hundred dollars in replacing these devices with up-to-date hardware (especially those with hardware encryption, to offload the CPU) but right now I was wondering if there are any cheaper solutions using existing hardware.

At my home location I have a fairly powerful Windows 'server' (running Windows 10 Home) which is not too busy, and which is also running VirtualBox (so I could run another virtual server on it if needed). At the remote end I was wondering about using an existing Raspberry PI 4 as a VPN server. I would describe my Networking skills as 'intermediate' - I struggle with netmasks and I have never created a static route before, but I generally seem to figure stuff out in the end...

My 2 networks are 192.168.0.0 (home) and 192.168.1.0 (remote). I'm not looking for full name resolution, broadcast, netbios, or anything fancy, but I would like any IPv4 address on either network to be basically reachable from the other location. i.e. if I type https://192.168.1.1 from any computer at my home (192.168.0.0) location, I would expect to open the Web GUI of my remote router... However any traffic NOT destined for the other network will behave normally, i.e. it will take the most direct route, and will not be diverted via the VPN.

I was wondering if someone could point me in the direction of how I would do this... My guess is it is something like...
  1. Install some kind of vpn server at both locations (maybe PiVPN at the remote location?)
  2. Get the vpn connection working at both ends, and confirm the computers with the VPN software on are able to reach devices on the remote networks.
  3. Make sure the VPN servers have permanent DHCP leases or static IP addresses, so their IP Addresses don't change.
  4. (and this is where I get flaky...) Tell the VPN servers to accept incoming connections from other devices and pass them on to the remote network?
  5. Set up a static route on the ASUS routers, to say "all traffic for 192.168.n.0 255.255.255.0 should be routed to the static IP of the VPN Server"?
All tips appreciated!

Peter
 

eibgrad

Very Senior Member
Doesn't really matter all that much *where* the OpenVPN client and server are running. Yes, on the router it's mighty convenient, but it's possible to have the OpenVPN client and server located behind their respective routers. The primary difference (beyond having to port forward from the router to the device hosting the OpenVPN server) is making sure the tunnel's IP network is *KNOWN* to the two networks. That's not a problem when you're only using the routers, since those routers are typically the default gateway for their respective networks (and LAN clients, on either side, will eventually be routed over the VPN because of it). But once you move the tunnel OFF the router, now you need to add static routes for those networks to the routers. IOW, tell each router the LAN ip of the device serving as the gateway to those networks. That really tends to be the biggest stumbling block for most people.

In short, you're pretty much on the right track.
 

p3ter

Occasional Visitor
A lot of other priorities came up but I finally got around to getting halfway on this!
I purchased a couple of Raspberry Pi's (Pi 4 Model B 4GB) and installed PiVPN from here: https://www.pivpn.io/
After a bit of reading I decided to give Wireguard a try instead of OpenVPN - it seems to be incredibly lightweight and high performance, and pretty simple to set up & configure.

The only thing needed to change to go from default full tunnel (all traffic is routed via the remote site) to split tunnelling (only traffic destined for IP addresses at the remote location is routed to the remote location) is to change the 'AllowedIPs' setting in the config file from default 0.0.0.0/0 to only the IP range of the Tunnel network and the Remote network, e.g.
AllowedIPs = 192.168.1.0/24, 10.6.0.0/24

There is a client for most desktop and mobile OS'es (https://www.wireguard.com/install/), and for mobiles there is a nice command pivpn -qr which renders a QR Code on screen, which can be used to automatically set up a mobile client with zero typing!

So right now I have reached step 4 of 5 in my list in the first post. The VPN servers are set up, and I have a number of configured clients, the most important one being my Blue Iris Server https://blueirissoftware.com/ which is pulling two live HD video feeds 24x7 from the remote location, currently via its own locally installed Wireguard client software.

VPN is now disabled on both Routers, and the connection seems to be a lot stabler without the permanent 15% CPU load of OpenVPN, which regularly spiked to 100%, causing packet loss.

The next step is to create a VPN client on each of the Servers to join them to each other, then add the static routes to my ASUS routers, so that all devices at both locations can reach any device at the other end of the VPN without the need for any locally installed VPN client software, and while still using the local Internet connection for everything else.
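As an added example (not code from this thread, nor from PiVPN or WireGuard), here is a small Python model of the two routing decisions the thread turns on: the static routes eibgrad says each router needs once the tunnel endpoint moves off the router, and the `AllowedIPs` selection in the WireGuard config from the post above. The networks are the thread's (192.168.0.0/24 home, 192.168.1.0/24 remote, 10.6.0.0/24 tunnel); the Pi addresses 192.168.0.10 and 192.168.1.10 and the client 192.168.0.50 are assumed placeholders. Both a router table and WireGuard's AllowedIPs are resolved by longest-prefix match, so one helper serves both, and the trace shows why a missing static route on the remote router breaks the return path even though the outbound packet arrives.

```python
"""Routing model for the site-to-site split tunnel discussed in this thread.

Added example, not code from the thread, PiVPN or WireGuard. Networks from the
thread: home 192.168.0.0/24, remote 192.168.1.0/24, tunnel 10.6.0.0/24. The Pi
LAN addresses 192.168.0.10 / 192.168.1.10 are assumed placeholders.
"""
from ipaddress import ip_address, ip_network


def longest_prefix_match(dest, table):
    """Most specific entry in table (list of (network, value)) containing dest.

    A router's routing table and WireGuard's AllowedIPs ("cryptokey routing")
    both choose a next hop this way, so one helper models both.
    """
    best_net, best_value = None, None
    for net, value in table:
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_value = net, value
    return best_value


def parse_allowed_ips(allowed):
    """Turn a wg0.conf 'AllowedIPs = a/b, c/d' value into network objects."""
    return [ip_network(part.strip()) for part in allowed.split(",") if part.strip()]


def wg_next_hop(dest, peers):
    """peers maps peer name -> AllowedIPs string. Returns the peer WireGuard
    would encrypt dest for, or None (no match: WireGuard drops the packet)."""
    table = [(net, name) for name, allowed in peers.items()
             for net in parse_allowed_ips(allowed)]
    return longest_prefix_match(ip_address(dest), table)


def route_on(router, dest):
    """Next hop a router's connected/static/default routes pick for dest."""
    return longest_prefix_match(ip_address(dest), router)


# --- constructed configuration ------------------------------------------------

# PiVPN's default client config tunnels everything; the split-tunnel variant
# from the thread lists only the remote LAN and the tunnel network.
FULL_TUNNEL = {"remote-pi": "0.0.0.0/0"}
SPLIT_TUNNEL = {"remote-pi": "192.168.1.0/24, 10.6.0.0/24"}

HOME_PI = "192.168.0.10"     # assumed LAN address of the home Pi
REMOTE_PI = "192.168.1.10"   # assumed LAN address of the remote Pi

# Home ASUS router: connected LAN, static routes for the remote LAN and the
# tunnel network pointing at the Pi, default route to the Internet.
ROUTER_HOME = [
    (ip_network("192.168.0.0/24"), "local LAN"),
    (ip_network("192.168.1.0/24"), f"via {HOME_PI}"),
    (ip_network("10.6.0.0/24"), f"via {HOME_PI}"),
    (ip_network("0.0.0.0/0"), "via WAN"),
]

# Remote router with the mirror static routes (step 5 of the first post).
ROUTER_REMOTE = [
    (ip_network("192.168.1.0/24"), "local LAN"),
    (ip_network("192.168.0.0/24"), f"via {REMOTE_PI}"),
    (ip_network("10.6.0.0/24"), f"via {REMOTE_PI}"),
    (ip_network("0.0.0.0/0"), "via WAN"),
]

# The same router before the static routes exist: eibgrad's stumbling block.
ROUTER_REMOTE_NO_STATIC = [
    (ip_network("192.168.1.0/24"), "local LAN"),
    (ip_network("0.0.0.0/0"), "via WAN"),
]


def trace_from_home(dest, peers=SPLIT_TUNNEL, remote_router=ROUTER_REMOTE):
    """Follow a packet from a home LAN client to dest, then the reply back.

    Returns a tuple of hop descriptions; the last element states the outcome.
    """
    hops = []
    first = route_on(ROUTER_HOME, dest)
    if first == "local LAN":
        return ("delivered on home LAN",)
    hops.append(f"home router: {first}")
    if first == "via WAN":
        hops.append("uses home Internet connection, not the VPN")
        return tuple(hops)
    peer = wg_next_hop(dest, peers)
    if peer is None:
        hops.append("home Pi: no AllowedIPs match, dropped")
        return tuple(hops)
    hops.append(f"home Pi wg0: encrypted to {peer}")
    # Reply from dest to a home client (192.168.0.50 is a constructed address)
    # goes to the remote router, which must know the way back to 192.168.0.0/24.
    back = route_on(remote_router, "192.168.0.50")
    if back == f"via {REMOTE_PI}":
        hops.append("remote router: reply returned through remote Pi, round trip OK")
    else:
        hops.append(f"remote router: reply sent {back}, round trip FAILS")
    return tuple(hops)


if __name__ == "__main__":
    for target in ("192.168.0.20", "192.168.1.1", "8.8.8.8"):
        print(target, "->", " | ".join(trace_from_home(target)))
    print("without remote static route ->",
          trace_from_home("192.168.1.1", remote_router=ROUTER_REMOTE_NO_STATIC)[-1])
```

The model leaves out IP forwarding on each Pi and the port forward for the WireGuard UDP port, both of which are needed for real traffic, but it isolates the part that usually goes wrong: a packet for 8.8.8.8 never reaches the Pi under the split-tunnel router table, while a packet for 192.168.1.1 only completes its round trip when the remote router also carries a static route back to the home LAN.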
 
