Offload VPN responsibility from 2 ASUS routers to a Windows PC and a Raspberry PI?


p3ter

Occasional Visitor
I have been using OpenVPN Split Tunnel Site to Site VPNs with an ASUS RT-AC88U and an ASUS RT87U to network 2 locations together for a few years, but after an upgrade to Gigabit Fiber at my home location I started getting a lot of router instability and packet loss, which I finally found to be due to the routers simply not being up to the job of running a fast network connection and a VPN. After disabling the VPNs my routers are stable again - but what now..? I understand that I could invest a few hundred dollars in replacing these devices with up-to-date hardware (especially those with hardware encryption, to offload the CPU) but right now I was wondering if there are any cheaper solutions using existing hardware.

At my home location I have a fairly powerful Windows 'server' (running Windows 10 Home) which is not too busy, and which is also running VirtualBox (so I could run another virtual server on it if needed). At the remote end I was wondering about using an existing Raspberry Pi 4 as a VPN server. I would describe my networking skills as 'intermediate' - I struggle with netmasks and I have never created a static route before, but I generally seem to figure stuff out in the end...

My 2 networks are 192.168.0.0 (home) and 192.168.1.0 (remote). I'm not looking for full name resolution, broadcast, netbios, or anything fancy, but I would like any IPv4 address on either network to be basically reachable from the other location. i.e. if I type https://192.168.1.1 from any computer at my home (192.168.0.0) location, I would expect to open the Web GUI of my remote router... However any traffic NOT destined for the other network will behave normally, i.e. it will take the most direct route, and will not be diverted via the VPN.

I was wondering if someone could point me in the direction of how I would do this... My guess is it is something like...
  1. Install some kind of vpn server at both locations (maybe PiVPN at the remote location?)
  2. Get the vpn connection working at both ends, and confirm the computers with the VPN software on are able to reach devices on the remote networks.
  3. Make sure the VPN servers have permanent DHCP leases or static IP addresses, so their IP addresses don't change.
  4. (and this is where I get flaky...) Tell the VPN servers to accept incoming connections from other devices and pass them on to the remote network?
  5. Set up a static route on the ASUS routers, to say "all traffic for 192.168.n.0 255.255.255.0 should be routed to the static IP of the VPN server"?
All tips appreciated!

Peter
 
Doesn't really matter all that much *where* the OpenVPN client and server are running. Yes, on the router it's mighty convenient, but it's possible to have the OpenVPN client and server located behind their respective routers. The primary difference (beyond having to port forward from the router to the device hosting the OpenVPN server) is making sure the tunnel's IP network is *KNOWN* to the two networks. That's not a problem when you're only using the routers, since those routers are typically the default gateway for their respective networks (and LAN clients, on either side, will eventually be routed over the VPN because of it). But once you move the tunnel OFF the router, now you need to add static routes for those networks to the routers. In other words, tell each router the LAN IP of the device serving as the gateway to those networks. That really tends to be the biggest stumbling block for most people.

In short, you're pretty much on the right track.
 
A lot of other priorities came up but I finally got around to getting halfway on this!
I purchased a couple of Raspberry Pi's (Pi 4 Model B 4GB) and installed PiVPN from here: https://www.pivpn.io/
After a bit of reading I decided to give Wireguard a try instead of OpenVPN - it seems to be incredibly lightweight and high performance, and pretty simple to set up & configure.

The only thing needed to change to go from default full tunnel (all traffic is routed via the remote site) to split tunnelling (only traffic destined for IP addresses at the remote location is routed to the remote location) is to change the 'AllowedIPs' setting in the config file from the default 0.0.0.0/0 to only the IP range of the tunnel network and the remote network, e.g.
AllowedIPs = 192.168.1.0/24, 10.6.0.0/24

There is a client for most desktop and mobile OS'es (https://www.wireguard.com/install/), and for mobiles there is a nice command pivpn -qr which renders a QR Code on screen, which can be used to automatically set up a mobile client with zero typing!

So right now I have reached step 4 of 5 in my list in the first post. The VPN servers are set up, and I have a number of configured clients, the most important one being my Blue Iris server https://blueirissoftware.com/ which is pulling two live HD video feeds 24x7 from the remote location, currently via its own locally installed Wireguard client software.

VPN is now disabled on both routers, and the connection seems to be a lot more stable without the permanent 15% CPU load of OpenVPN, which regularly spiked to 100%, causing packet loss.

The next step is to create a VPN client on each of the servers to join them to each other, then add the static routes to my ASUS routers, so that all devices at both locations can reach any device at the other end of the VPN without the need for any locally installed VPN client software, and while still using the local Internet connection for everything else.
 

This is an interesting journey to follow!
I'm looking to do something similar, but yet different, maybe you have come across something that might help me?
I want to have all my devices in my home network use my external VPN-provider for all traffic without having to set up unique keys on each device.

I used the entware wireguard service from here: https://www.snbforums.com/threads/experimental-wireguard-for-hnd-platform-4-1-x-kernels.46164/
And that worked exactly as I wanted it to!
Until now.
Summer is here, ambient temps are up and the new Asus (and Merlin) firmware overheats my router CPU causing throttling, speeds with Wireguard enabled are around 30-50% of what it's supposed to be.
So I want to offload all this Wireguard business to my Raspberry Pi instead. But alas every single guide I find ends with having to set up unique keys on every connected device at home. Not one guide talks about how to gateway(?) everything through one and the same Wireguard connection with my VPN-provider.

- IPv4 forwarding is set up on the Pi since I'm using it with Pi-Hole as a global ad-blocking service and unbound as DNS service.
- The router can route the traffic (I'm pretty sure) but isn't now since I don't have a gateway up on the Pi.

The rest is a mystery to set up for me, have actually not found anyone that does this.
Have you come across anything that might help?
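The "one tunnel for the whole LAN" setup asked about in the post above is a different shape from the site-to-site case earlier in the thread: the Pi becomes the LAN's default gateway, holds the single key the VPN provider issued, and NATs every LAN client behind its tunnel address, so no device needs its own key. The script below is an added example, not code from the thread, from PiVPN or from any provider; the LAN subnet, interface name, provider endpoint, tunnel address and keys are placeholder assumptions. It renders the Pi's wg0.conf including the iptables rules wg-quick runs on PostUp/PostDown: MASQUERADE on wg0, forwarding from the LAN into the tunnel, and a drop rule so LAN traffic is never forwarded back out the LAN interface to the router's own Internet link while the tunnel is down.

```shell
#!/bin/sh
# Added example, not from the thread, PiVPN or any VPN provider: the Pi as the
# LAN's WireGuard gateway, one provider key shared by every device.
# Subnet, interface, endpoint, tunnel address and keys are placeholders.

LAN_IF=eth0                          # Pi's LAN interface (assumption)
LAN_NET=192.168.1.0/24               # LAN behind the ASUS router (assumption)
PI_TUN_ADDR=10.64.0.5/32             # address the provider assigned to this key (placeholder)
PI_PRIV=PI_PRIVATE_KEY_PLACEHOLDER
PROVIDER_PUB=PROVIDER_PUBLIC_KEY_PLACEHOLDER
PROVIDER_EP=vpn.provider.example:51820

# gateway_rules -A|-D : iptables rules for wg-quick PostUp (-A) / PostDown (-D).
# 1. MASQUERADE: LAN source addresses are rewritten to the tunnel address,
#    because the provider only routes the single address it assigned to this key.
# 2. Forward LAN -> wg0, and only established/related traffic back.
# 3. Kill switch: forwarded LAN traffic must never leave via the LAN interface
#    toward the router's own Internet link, which is where the default route
#    falls back to when wg0 is gone. Better no connectivity than a clear-text leak.
gateway_rules() {
  op=$1
  cat <<EOF
iptables -t nat $op POSTROUTING -s $LAN_NET -o wg0 -j MASQUERADE
iptables $op FORWARD -i $LAN_IF -o wg0 -s $LAN_NET -j ACCEPT
iptables $op FORWARD -i wg0 -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables $op FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -j DROP
EOF
}

# one_line: join the rule list with '; ' so it fits a single PostUp/PostDown value.
one_line() { tr '\n' ';' | sed 's/;$//; s/;/; /g'; }

# render_gateway_config: the Pi's /etc/wireguard/wg0.conf. AllowedIPs = 0.0.0.0/0
# is deliberate here (full tunnel): wg-quick then installs the fwmark policy
# routing that sends both the Pi's own traffic and forwarded LAN traffic into wg0.
render_gateway_config() {
  up=$(gateway_rules -A | one_line)
  down=$(gateway_rules -D | one_line)
  cat <<EOF
# /etc/wireguard/wg0.conf on the Pi
[Interface]
Address = $PI_TUN_ADDR
PrivateKey = $PI_PRIV
PostUp = sysctl -w net.ipv4.ip_forward=1; $up
PostDown = $down

[Peer]
PublicKey = $PROVIDER_PUB
Endpoint = $PROVIDER_EP
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

render_gateway_config
```

On the router the only change is to hand the LAN clients the Pi as their default gateway (via the router's DHCP settings, alongside the Pi-hole DNS they already get); clients still reach each other and the router directly because they are on the same subnet. Note that the DROP rule is removed again on PostDown, so an administrative `wg-quick down wg0` does reopen the path through the router; if the block should survive that, put the same rule in the Pi's boot-time firewall instead. Verify with `wg show` and `ip rule` on the Pi and an external IP lookup from a client.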
 
I wish I had the time, the patience, the Linux knowledge and the steady supply of Ritalin to finish this, but I really struggled to get 'site to site split tunnel' working, and I have been so impressed with the ease of use of the Wireguard client software, I have not been motivated enough to keep at it... I found at least that while Wireguard DOES support Site-to-Site split tunnel, PiVPN is NOT the right tool to make that happen.

You can read more on my experiments here:

My feeling is that in Step 4 above we are looking for some 'MASQUERADE' setting that tells the Pi to forward packets. And I got close... but ultimately I got fed up with fumbling in the dark and didn't pursue it.
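The split-tunnel site-to-site plan in the first post (steps 1 to 5), the static-route point in the first reply, and the 'MASQUERADE' question just above all come down to the same three pieces: a wg0.conf on each Pi whose AllowedIPs lists only the other side's tunnel address and LAN, IP forwarding on each Pi, and one static route on each ASUS router pointing the other site's /24 at the local Pi. The script below is an added example, not code from the thread or from PiVPN; it renders both configs and both routes from the subnets the thread gives (192.168.0.0/24 home, 192.168.1.0/24 remote, 10.6.0.0/24 tunnel). The Pi LAN addresses, DDNS names, port and keys are placeholder assumptions. With the route present on both routers no MASQUERADE is needed and hosts see each other's real addresses; NAT on a Pi is only the fallback when a route cannot be added on one side, and it costs you the source address in the other site's logs.

```shell
#!/bin/sh
# Added example, not from the thread or PiVPN: render WireGuard site-to-site
# configs for two Raspberry Pis plus the static route each ASUS router needs.
# Pi LAN addresses, DDNS names and keys are placeholders (assumptions).

HOME_LAN=192.168.0.0/24;   HOME_PI=192.168.0.2;   HOME_TUN=10.6.0.1/24;   HOME_EP=home.example.net
REMOTE_LAN=192.168.1.0/24; REMOTE_PI=192.168.1.2; REMOTE_TUN=10.6.0.2/24; REMOTE_EP=remote.example.net
WG_PORT=51820
# Placeholder keys. Real ones: wg genkey | tee privatekey | wg pubkey > publickey
HOME_PRIV=HOME_PRIVATE_KEY_PLACEHOLDER;     HOME_PUB=HOME_PUBLIC_KEY_PLACEHOLDER
REMOTE_PRIV=REMOTE_PRIVATE_KEY_PLACEHOLDER; REMOTE_PUB=REMOTE_PUBLIC_KEY_PLACEHOLDER

# lans_overlap A/24 B/24: true if both sites use the same /24. Two LANs on the
# same subnet cannot be joined by routing alone; renumber one side first.
# (Assumes /24 masks, as in the thread.)
lans_overlap() { [ "${1%.*}" = "${2%.*}" ]; }

# tunnel_host_32 10.6.0.2/24 -> 10.6.0.2/32 (a peer's own tunnel address)
tunnel_host_32() { printf '%s/32\n' "${1%/*}"; }

# render_site_config NAME PRIV TUN PEER_PUB PEER_TUN PEER_LAN PEER_EP
# AllowedIPs is the split-tunnel control: it carries only the peer's tunnel
# address and the peer's LAN, never 0.0.0.0/0, so everything else keeps using
# the local Internet link. AllowedIPs is also the inbound source filter, so the
# peer's LAN must be listed or packets from its hosts are silently dropped.
render_site_config() {
  peer_tun=$(tunnel_host_32 "$5")
  cat <<EOF
# $1 site: /etc/wireguard/wg0.conf
[Interface]
Address = $3
ListenPort = $WG_PORT
PrivateKey = $2
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = $4
Endpoint = $7:$WG_PORT
AllowedIPs = $peer_tun, $6
PersistentKeepalive = 25
EOF
}

# router_static_route PEER_LAN LOCAL_PI: the route each ASUS router needs so
# LAN clients (whose gateway is the router, not the Pi) reach the other site.
# Shown in ip route form; the router's static-route page takes the same
# destination, netmask (255.255.255.0) and gateway. No MASQUERADE is needed
# when both routers carry this route.
router_static_route() { printf 'ip route add %s via %s\n' "$1" "$2"; }

if lans_overlap "$HOME_LAN" "$REMOTE_LAN"; then
  echo "home and remote LANs overlap; renumber one site first" >&2
  exit 1
fi
render_site_config home   "$HOME_PRIV"   "$HOME_TUN"   "$REMOTE_PUB" "$REMOTE_TUN" "$REMOTE_LAN" "$REMOTE_EP"
echo
render_site_config remote "$REMOTE_PRIV" "$REMOTE_TUN" "$HOME_PUB"   "$HOME_TUN"   "$HOME_LAN"   "$HOME_EP"
echo
echo "# on the home router:";   router_static_route "$REMOTE_LAN" "$HOME_PI"
echo "# on the remote router:"; router_static_route "$HOME_LAN" "$REMOTE_PI"
```

Save each rendered block as /etc/wireguard/wg0.conf on its Pi, bring it up with `wg-quick up wg0` (and `systemctl enable wg-quick@wg0` for boot), make `net.ipv4.ip_forward=1` permanent in /etc/sysctl.conf, and forward UDP 51820 to the Pi on at least one router; PersistentKeepalive lets the other side sit behind NAT. A home client's first packet to the remote site goes via the router while replies come straight from the Pi, so the router may send ICMP redirects; that is expected and harmless.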
 
