Tuning data usage - Help please

Discussion in 'ASUSWRT - Official' started by Pej5, Jan 21, 2020.

  1. Pej5

    Pej5 Occasional Visitor

    Joined:
    Jun 29, 2018
    Messages:
    10
    I am trying to set up basic data access at my cottage during the winter months when I am not there often so I can monitor the place (temp, motion detector, door open, etc) and control the heat pump. I have made some progress. I have an AC68u at the cottage, USB Hotspot connected to a smartphone with a low end data plan.

    The AC68u connects via OpenVPN client to an AC66u-B1 with VPN server at home using TAP protocol. The AC66u has no other devices connected to it, just the WAN port connected to the home network for Internet. I connect to the AC66u WiFi when I want to connect to the cottage devices (why I am using TAP). The cottage monitor device alerts me via email if something is wrong.

    Even with only two devices at the cottage that do not connect to the Internet (except to alert) the data usage is higher than hoped - 75 to 100MB per day.

    I am looking for advice to reduce the LAN chatter which I suspect is from OpenVPN. Suggestions? Maybe there is a better approach or setup. I am open to any ideas.

    Thanks

    Peter

    Sent from my Pixel using Tapatalk
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,630
    Location:
    UK
    This is the primary disadvantage of using a TAP interface. Because you are creating an Ethernet bridge all broadcast traffic (e.g. ARP, SSDP, etc.) on your home LAN is being sent over the VPN tunnel (and vice versa). That is why TAP is not recommended for low bandwidth or high cost connections.

    Try to reconfigure your cottage network so that you can use a TUN connection instead.
     
  3. Pej5

    Pej5 Occasional Visitor

    Joined:
    Jun 29, 2018
    Messages:
    10
    That was the issue with my first attempt so I dedicated a separate router at home (AC66u) to accept the VPN connection specifically so there is no regular home LAN traffic going through it and leaking across the TAP link.

    Also, TUN did not allow me the 'reach' out, through the VPN server side to the VPN client side to cottage devices. I doubt there is a way to do that.

    The smartphone/cottage end has to be the client side because Cell Carriers do not allow incoming connections.

     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,630
    Location:
    UK
    It might be worth revisiting that. I've never had a problem connecting back to a VPN client from the server side, although I've only ever tried it with a single client and not LAN to LAN.

    This ability was even highlighted recently as a security concern which prompted a change in Merlin's custom firmware:
    Code:
    384.12 (22-June-2019)
      - CHANGED: Inbound traffic sent to you through an OpenVPN client
                 will now be dropped by default.  This can be changed
                 through the new "Inbound Firewall" parameter found
                 on the OpenVPN client page.  You should only change
                 this to "Allow" if running a site2site tunnel with
                 a trusted remote server, or if you do expect
                 traffic to be forwarded to you through the tunnel.

    This might be relevant (I haven't read it all myself):
    https://www.snbforums.com/threads/u...o-asus-routers-via-openvpn-in-tun-mode.54868/
     
  5. Pej5

    Pej5 Occasional Visitor

    Joined:
    Jun 29, 2018
    Messages:
    10
    I cannot find the "inbound firewall" parameter under the VPN section or the firewall section. Anyone know how to configure it?

    I tried the LAN to LAN via an OpenVPN TUN connection and I did not have any success. I did not find a way to confirm that the routers have set up routes to each other's LAN. Any advice accepted.

    I'll also reach out through the other discussion you pointed to.

    Thanks for any advice someone can provide.


     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,630
    Location:
    UK
    That change was only added to Merlin's firmware; it's not present in the stock Asus firmware.

    If you look at the client's and router's syslog (System Log - General Log) you should see what's happening when the client connects. You can see the routes at System Log > Routing Table.
     
  7. Pej5

    Pej5 Occasional Visitor

    Joined:
    Jun 29, 2018
    Messages:
    10
    Thanks for the suggestions. Should I consider Merlin? Are there advantages? Is it straightforward to install AND configure?

     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,630
    Location:
    UK
    It's definitely worth considering. It's essentially an enhanced version of the standard firmware. You can always ignore any of the extras you're not interested in or don't understand. Read about it here: https://www.snbforums.com/threads/about-asuswrt-merlin-custom-firmware-for-asus-routers.7846/

    Merlin's OpenVPN implementation is generally regarded as being "better" than Asus'.

    The advantage of Merlin's firmware is that it allows a huge amount of customisation. So if there's something in the stock firmware that doesn't work the way you want you can usually change that in Merlin's firmware.
     
  9. Pej5

    Pej5 Occasional Visitor

    Joined:
    Jun 29, 2018
    Messages:
    10
    Colin:

    Thanks for the help. I installed Merlin on both of my routers and managed to figure out how to establish a true bidirectional tunnel using TUN. (I added comments to https://www.snbforums.com/threads/u...o-asus-routers-via-openvpn-in-tun-mode.54868/).

    It is still chatty and will consume more data on my data plan than I had hoped. (see my first post above). Does anyone have ideas how to reduce the overhead? Maybe reduce the encryption selection?

    Thanks for the help so far and THANKS for AsusWRT-Merlin. I'll have to make a donation ;-)
     
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,630
    Location:
    UK
    Thanks for the update, glad to hear you got it working.

    You say the connection is still chatty. Do you have any idea yet how much difference data-wise switching from TAP to TUN has made?

    If you SSH into the local router and issue an "ifconfig tun21" command (for VPN server #1) you can see how much data has flowed through the tunnel. If you keep issuing that command you might be able to get an idea of how much of your data consumption is LAN to LAN traffic (i.e. going through the tunnel) and how much of it is actually the tunnel overhead. There's no point playing around with things like encryption if the majority of the data is actually LAN traffic. On the other hand if your mobile connection is consuming large amounts of data but there is negligible tunnel traffic it might be worth looking at the VPN settings.
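
The measurement described in the post above, as an added example that is not part of the original thread: it takes two `ifconfig` snapshots of the tunnel and of the uplink and separates traffic inside the tunnel from everything else on the link. It assumes the BusyBox-style `RX bytes:`/`TX bytes:` line; the snapshots are constructed and `eth0` is a placeholder uplink name.

```shell
#!/bin/sh
# Constructed ifconfig excerpts (not from the thread): two snapshots of the
# tunnel (tun21) and of the uplink that carries the encrypted VPN packets.
# "eth0" is a placeholder; use the router's actual WAN/USB interface name.
TUN_T0='tun21  Link encap:UNSPEC
       RX packets:100 errors:0 dropped:0 overruns:0 frame:0
       RX bytes:40000 (39.0 KiB)  TX bytes:60000 (58.5 KiB)'
TUN_T1='tun21  Link encap:UNSPEC
       RX bytes:45000 (43.9 KiB)  TX bytes:75000 (73.2 KiB)'
WAN_T0='eth0   Link encap:Ethernet
       RX bytes:500000 (488.2 KiB)  TX bytes:700000 (683.5 KiB)'
WAN_T1='eth0   Link encap:Ethernet
       RX bytes:510000 (498.0 KiB)  TX bytes:716000 (699.2 KiB)'

# Print RX+TX bytes from the ifconfig text in $1. Fails if no byte-counter
# line is present (e.g. the tunnel interface is missing because the VPN is down).
total_bytes() {
    set -- $(printf '%s\n' "$1" |
        sed -n 's/.*RX bytes:\([0-9][0-9]*\).*TX bytes:\([0-9][0-9]*\).*/\1 \2/p')
    [ $# -eq 2 ] || return 1
    echo $(( $1 + $2 ))
}

# tunnel_share TUN_BEFORE TUN_AFTER WAN_BEFORE WAN_AFTER
# Prints "<tunnel bytes> <uplink bytes> <uplink minus tunnel>" for the interval.
# The third figure is VPN encapsulation/keepalive overhead plus any traffic
# that bypassed the tunnel. Returns 1 on unparsable input and 2 if a counter
# went backwards (the interface was recreated, e.g. after a VPN reconnect).
tunnel_share() {
    t0=$(total_bytes "$1") && t1=$(total_bytes "$2") &&
    w0=$(total_bytes "$3") && w1=$(total_bytes "$4") || return 1
    td=$(( t1 - t0 ))
    wd=$(( w1 - w0 ))
    [ "$td" -ge 0 ] && [ "$wd" -ge 0 ] || return 2
    echo "$td $wd $(( wd - td ))"
}

# Demo on the constructed snapshots. Live use on the router would capture
# them instead, e.g.: a=$(ifconfig tun21); sleep 3600; b=$(ifconfig tun21)
tunnel_share "$TUN_T0" "$TUN_T1" "$WAN_T0" "$WAN_T1"
```

A large first figure means the data plan is being spent on LAN-to-LAN traffic; a small first figure with a large third one points at tunnel overhead or traffic outside the VPN.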
     
  11. Pej5

    Pej5 Occasional Visitor

    Joined:
    Jun 29, 2018
    Messages:
    10
    I wanted to provide an update related to my original post.

    I upgraded to Merlin and this provided a number of extra features such as two VPN servers, multiple clients and more tools to display the state of things.

    Creating a router-to-router tunnel with TUN reduced chatter on the connection by 10 fold...about 10MB of traffic per day as compared to 75MB to 100MB per day with TAP. My actual usage traffic count is in these numbers but actual data transfer is low.

    My heat pump WIFI interface will only communicate with devices on the same subnet so TUN did not allow remote control because of routed subnets. The environmental/building monitor device worked fine.

    I changed mobile phone providers to a company that offered 5GB of 3G data at a more acceptable price so switching plans allowed me to go back to TAP and all is well. (I am in Canada where we are gouged for data.)

    Thanks for the suggestions.

    Peter
