
setup ac68U as bridge to eero network for vpn support


Preskitt.man

Regular Contributor
My daughter has a network using the Eero mesh router system. For a variety of reasons, I would like to be able to VPN into her system for remote access as well as use it as a VPN node to the internet.
Eero does not support being configured as a vpn.
I have an unused AC68U that I can bring to her home.
So what I would like to do is
a) Have it be a wired (maybe wireless) node to her existing network
b) Be pretty much out of the way most of the time
c) Be able to VPN into her system (probably OpenVPN as I don't believe that the AC68U supports Wireguard)
d) After VPN'ing into her system, have access to her PC and for nodes local to me use her system as a vpn node to the internet
I know how to set up OpenVPN on ASUS. What I don't know is whether I should set this up as a "normal" router, an AP, a Media Bridge or in Repeater mode.
An Eero FAQ suggested doing something like this, with the VPN node set up as a Bridge - main reason I suggested Media Bridge. But I'm not sure how convenient it will be to connect to her primary Eero node via a wire.
I don't want her system double NAT'd, at least when she is using it normally.

BTW, in case anyone cares, she is aware of this and good with it.
 
This is going to be a bit awkward.

I know how to set up OpenVPN on ASUS. What I don't know is whether I should set this up as a "normal" router, an AP, a Media Bridge or in Repeater mode.
The VPN server option is only available in router mode. So that's your only choice without extensively customising the firmware.

Connect the Asus in router mode (with a different LAN subnet) to one of her Eero's LAN ports. Preferably assign a reserved/fixed IP address for the Asus' WAN port.

On the Eero router forward the VPN server port to the Asus' WAN IP address.

Configure the Asus VPN server for both internet and LAN access. You should now be able to VPN into the Asus network and the Eero network.
 
Ok - so I am guessing her Eero LAN is on subnet 192.168.1.x. I would set up the Asus to broadcast on 192.168.50.x as a regular router. I'm with you so far. Then I connect via cable from her LAN port to the ASUS WAN port. So, now the ASUS is on the network with a base network address of (let's say) 192.168.1.100. I'm a bit dense, so I apologize for asking this, but I'm not following your statement "on the Eero router, forward the VPN server port to the ASUS WAN IP address". Is this a correct interpretation: on the Eero, use port forwarding to forward all traffic on port 1194 to the ASUS router at 192.168.1.100 - which, since it is set up as a VPN server, will accept the incoming traffic and either send traffic out on the internet (back on the Eero to, let's say, google.com) or to another device on the 192.168.1.x network (such as my daughter's PC)?
 
So I just found out something interesting. My daughter's setup consists of a T-Mobile Home Internet (TMHI) gateway front-ending her Eero network. TMHIs use CG-NAT (this cannot be disabled), so I guess my question is in part how is this Eero network (which uses NAT) working at all for her? In any case, CG-NATs don't support port forwarding. So, even though Eero networks do support that, is CG-NAT going to get in the way of this? I can't really find anything on point about this online, but the closest thing is that many users of Plex who try to set up their server behind a TMHI have serious issues at best.
 
I guess my question is in part how is this Eero network (which uses NAT) working at all for her?

In multi-NAT behind the ISP data center, ISP provided modem/router and her own eero. Not a problem for Internet access, but port forwarding problem with no control - the ISP CG-NAT. In this case the only option is IPv6 access to your VPN server. The eero perhaps in IPv6 passthrough mode (if available), IPv6 enabled on the ISP modem/router, VPN server with IPv6 enabled, DDNS with IPv6 support (not sure if available on 386 firmware, check), whatever is connecting to the VPN server with IPv6 enabled, etc. Not familiar with specific settings on T-Mobile equipment though.
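Added example (not part of any post in this thread): a Python check of the addressing plan discussed above, showing why the Asus-behind-Eero port forward works with one NAT layer you control but not once a CG-NAT layer sits upstream. The 192.168.1.100 and 192.168.50.x values come from the thread; the Eero WAN, gateway WAN and public addresses are constructed, and `classify` and `check_plan` are hypothetical helper names.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared (carrier-grade NAT) space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Classify an IPv4 address string as 'cgnat', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def check_plan(asus_lan, upstream_lan, wan_chain):
    """wan_chain: (router, WAN address) pairs, innermost router first.
    A private WAN address means the next router up does NAT and needs a
    port forward; a CG-NAT WAN address means that next router is the ISP's."""
    findings, forwards = [], []
    if ipaddress.ip_network(asus_lan).overlaps(ipaddress.ip_network(upstream_lan)):
        findings.append(f"LAN subnets overlap: {asus_lan} / {upstream_lan}")
    for i, (router, wan) in enumerate(wan_chain):
        kind = classify(wan)
        if kind == "public":
            break
        if kind == "cgnat":
            findings.append(f"{router} WAN {wan} is behind ISP CG-NAT: "
                            "inbound IPv4 port forwarding is not possible")
            break
        if i + 1 == len(wan_chain):
            findings.append(f"{router} WAN {wan} is private but no upstream router listed")
            break
        forwards.append(wan_chain[i + 1][0])  # forward needed on the next router up
    return {"reachable": not findings, "forward_on": forwards, "findings": findings}

# Constructed samples. 192.168.1.100 and the 192.168.50.x LAN are from the thread;
# every other address is made up for illustration.
def plan_without_cgnat():
    return check_plan("192.168.50.0/24", "192.168.1.0/24",
                      [("Asus", "192.168.1.100"), ("Eero", "203.0.113.10")])

def plan_behind_tmhi():
    return check_plan("192.168.50.0/24", "192.168.1.0/24",
                      [("Asus", "192.168.1.100"), ("Eero", "192.168.12.50"),
                       ("TMHI gateway", "100.64.20.7")])

if __name__ == "__main__":
    for plan in (plan_without_cgnat(), plan_behind_tmhi()):
        print(plan)
```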
 
@Preskitt.man You said you wanted to do this for "a variety of reasons" without saying exactly what those were. It was also unclear how/why you were planning to "use her system as a vpn node to the internet". Perhaps it's time to re-evaluate those reasons and decide whether it's worth the effort or if there isn't a better way given the TMHI issue.

If you just wanted to manage her network through remote access it might be possible to do that by running a VPN client on her network that's connected to your VPN server. Or just get her to fire up TeamViewer when she needs it.
 
Indeed. Tech support to her system - no issues. TeamViewer, AnyDesk, etc. Using her ISP as Internet exit node - more challenging to impossible. There are still IPv4 only networks around including mobile operators. If the client device is connected to one of those - no luck. Or someone has to explore tunneling services. Better call Saul... I mean @heysoundude. He is a hurricane electrified and certified. :)
 
Indeed. Tech support to her system - no issues. TeamViewer, AnyDesk, etc. Using her ISP as Internet exit node - more challenging to impossible. There are still IPv4 only networks around including mobile operators. If the client device is connected to one of those - no luck. Or someone has to explore tunneling services. Better call Saul... I mean @heysoundude. He is a hurricane electrified and certified. :)
HA!
Nice to see someone in a fun, playful mood today.
 
You seem to know a lot when IPv6 is not needed. Let's see what you know when IPv6 is needed. 😛
 
Ok - so here's the use case for what I am (will be) trying to accomplish. My daughter and I have shared passwords for some streaming services. She has Netflix. It was actually only this past week that my access to her Netflix was turned off. So, the thought was to set up an OpenVPN service on her network. When I wanted to watch Netflix, I would route my Netflix traffic through that VPN and to Netflix, just another user from her home address. My ability to access and assist her remotely was a side benefit.
 
Your client to her server is going to be something like:

IPv6 enabled on your router connecting with IPv6 capable VPN client to her IPv6 VPN server with IPv6 DDNS service on the Asus, connected to her Amazon eero with IPv6 in perhaps Passthrough to T-Mobile IPv6 enabled modem/router. May be easier to get a second Netflix subscription...
 
Had a feeling we were moving in this direction. Before I knew details of her system, it seemed relatively straightforward. Now it's turning into a science project. My ISP does not support IPv6, which I was (am) fine with. Great service over fiber. Just thought it would be "easy" to get VPN on her side - and then one hurdle after another. 1st) her router (eero) does not support VPN 2nd) She is already NAT'd behind TMHI gateway 3rd) TMHI is IPv6 4th) TMHI is CG-NAT. And I find all this out before I even get to her place for Thanksgiving. Think I will just enjoy the Turkey dinner and get a Netflix sub. I'm on T-Mobile now - so if I switch from my Sprint Military Max plan to Go5G Plus, cost is the same and Netflix is included. But will be giving up Hulu. Oh well.
 
You seem to know a lot when IPv6 is not needed. Let's see what you know when IPv6 is needed. 😛
It's always needed.
 
See? He needs it here. ;-p

I played with this kind of scenario when the streaming services threatened the password sharing crackdown, and what I came up with was a wireguard server in the cloud that both users logged into on their routers in their respective locations so that Netflix etc saw the IPs handed out by wireguard. The problem was the minimal VPN slowdowns were inconvenient for the party across the country from me. I went Pirate during the Actors and Writers strikes in support of them, and let my bro and his daughters have the real Netflix.
 
I'm surprised Netflix didn't recognize the server and allowed you to do pass sharing. This is a temporary solution only until they blacklist the server.
 
I'm surprised that Netflix took so long to crack down on me. But then curiously, at least as of today, while they block my app on the TV, I can still do Netflix on the web.
 
I'm surprised Netflix didn't recognize the server and allowed you to do pass sharing. This is a temporary solution only until they blacklist the server.
From what I can tell, they really only care that the IPs are congruent.
This will become an issue again in the future. I will remain a scallywag pirate
 
