Tuning data usage - Help please


Pej5

Occasional Visitor
I am trying to set up basic data access at my cottage during the winter months when I am not there often so I can monitor the place (temp, motion detector, door open, etc) and control the heat pump. I have made some progress. I have an AC68u at the cottage, USB Hotspot connected to a smartphone with a low end data plan.

The AC68u connects via OpenVPN client to an AC66u-B1 with VPN server at home using TAP protocol. The AC66u has no other devices connected to it, just the WAN port connected to the home network for Internet. I connect to the AC66u WiFi when I want to connect to the cottage devices (why I am using TAP). The cottage monitor device alerts me via email if something is wrong.

Even with only two devices at the cottage that do not connect to the Internet (except to alert) the data usage is higher than hoped - 75 to 100MB per day.

I am looking for advice to reduce the LAN chatter which I suspect is from OpenVPN. Suggestions? Maybe there is a better approach or setup. I am open to any ideas.

Thanks

Peter

Sent from my Pixel using Tapatalk
 
This is the primary disadvantage of using a TAP interface. Because you are creating an Ethernet bridge all broadcast traffic (e.g. ARP, SSDP, etc.) on your home LAN is being sent over the VPN tunnel (and vice versa). That is why TAP is not recommended for low bandwidth or high cost connections.

Try to reconfigure your cottage network so that you can use a TUN connection instead.
 
That was the issue with my first attempt so I dedicated a separate router at home (AC66u) to accept the VPN connection specifically so there is no regular home LAN traffic going through it and leaking across the TAP link.

Also, TUN did not allow me the 'reach' out, through the VPN server side to the VPN client side to cottage devices. I doubt there is a way to do that.

The smartphone/cottage end has to be the client side because Cell Carriers do not allow incoming connections.

Sent from my Pixel using Tapatalk
 
Also, TUN did not allow me the 'reach' out, through the VPN server side to the VPN client side to cottage devices. I doubt there is a way to do that.
It might be worth revisiting that. I've never had a problem connecting back to a VPN client from the server side, although I've only ever tried it with a single client and not LAN to LAN.

This ability was even highlighted recently as a security concern which prompted a change in Merlin's custom firmware:
Code:
384.12 (22-June-2019)
  - CHANGED: Inbound traffic sent to you through an OpenVPN client
             will now be dropped by default.  This can be changed
             through the new "Inbound Firewall" parameter found
             on the OpenVPN client page.  You should only change
             this to "Allow" if running a site2site tunnel with
             a trusted remote server, or if you do expect
             traffic to be forwarded to you through the tunnel.


This might be relevant (I haven't read it all myself):
https://www.snbforums.com/threads/u...o-asus-routers-via-openvpn-in-tun-mode.54868/
 

I cannot find the "inbound firewall" parameter under the VPN section or the firewall section. Anyone know how to configure it?

I tried the LAN to LAN via an OpenVPN TUN connection and I did not have any success. I did not find a way to confirm that the routers had set up routes to each other's LAN. Any advice accepted.

I'll also reach out through the other discussion you pointed to.

Thanks for any advice someone can provide.


Sent from my Pixel using Tapatalk
 
I cannot find the "inbound firewall" parameter under the VPN section or the firewall section. anyone know how to configure it?
That change was only added to Merlin's firmware, it's not present in the stock Asus firmware.

I tried the LAN to LAN via an OpenVPN TUN connection and I did not have any success. I did not find a way to confirm that the routers has set up to routes to each other's LAN. Any advice accepted.
If you look at the client's and router's syslog (System Log - General Log) you should see what's happening when the client connects. You can see the routes at System Log > Routing Table.
 
Thanks for the suggestions. Should I consider Merlin? Are there advantages? Is it straightforward to install AND configure?

Sent from my Pixel using Tapatalk
 
It's definitely worth considering. It's essentially an enhanced version of the standard firmware. You can always ignore any of the extras you're not interested in or don't understand. Read about it here: https://www.snbforums.com/threads/about-asuswrt-merlin-custom-firmware-for-asus-routers.7846/

Merlin's OpenVPN implementation is generally regarded as being "better" than Asus'.

The advantage of Merlin's firmware is that it allows a huge amount of customisation. So if there's something in the stock firmware that doesn't work the way you want you can usually change that in Merlin's firmware.
 

Colin:

Thanks for the help. I installed Merlin on both of my routers and managed to figure out how to establish a true bidirectional tunnel using TUN. (I added comments to https://www.snbforums.com/threads/u...o-asus-routers-via-openvpn-in-tun-mode.54868/).

It is still chatty and will consume more data on my data plan than I had hoped. (see my first post above). Does anyone have ideas how to reduce the overhead? Maybe reduce the encryption selection?

Thanks for the help so far and THANKS for AsusWRT-Merlin. I'll have to make a donation ;-)
 
Thanks for the update, glad to hear you got it working.

You say the connection is still chatty. Do you have any idea yet how much difference data-wise switching from TAP to TUN has made?

If you SSH into the local router and issue an "ifconfig tun21" command (for VPN server #1) you can see how much data has flowed through the tunnel. If you keep issuing that command you might be able to get an idea of how much of your data consumption is LAN to LAN traffic (i.e. going through the tunnel) and how much of it is actually the tunnel overhead. There's no point playing around with things like encryption if the majority of the data is actually LAN traffic. On the other hand if your mobile connection is consuming large amounts of data but there is negligible tunnel traffic it might be worth looking at the VPN settings.
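A way to put numbers on the "ifconfig tun21" suggestion above. This is an added example, not code from the thread or from the firmware: it parses the byte counters from busybox ifconfig output and projects an interval onto a daily figure, so the same sampling run against tun21 (inner, decrypted LAN traffic) and against the cellular/WAN interface (on-the-wire bytes) shows how much of the plan is real LAN-to-LAN traffic and how much is tunnel overhead. The two ifconfig dumps embedded below are constructed, not captured from a router.

```sh
#!/bin/sh
# Added example (not from the thread): measure tunnel data usage by sampling
# the byte counters that "ifconfig <iface>" prints on an Asus router.
# tun21 (VPN server #1) is the interface name used in the thread.
# The sample dumps at the bottom are constructed for a stand-alone run.

# Print the number after "RX bytes:" or "TX bytes:" from busybox ifconfig
# output read on stdin. Usage: iface_bytes RX  < output
iface_bytes() {
    sed -n "s/.*$1 bytes:\([0-9][0-9]*\).*/\1/p"
}

# Sum RX and TX bytes of one ifconfig dump read on stdin.
total_bytes() {
    _out=$(cat)
    _rx=$(printf '%s\n' "$_out" | iface_bytes RX)
    _tx=$(printf '%s\n' "$_out" | iface_bytes TX)
    echo $(( ${_rx:-0} + ${_tx:-0} ))
}

# Project bytes moved during an interval of $2 seconds onto a full day,
# in decimal megabytes (the unit data plans are sold in), integer result.
per_day_mb() {
    echo $(( $1 * 86400 / $2 / 1000000 ))
}

# On the router: sample interface $1 twice, $2 seconds apart, and report the
# bytes in the interval plus the projected daily figure. Not run by the test.
sample_interval() {
    _a=$(ifconfig "$1" | total_bytes)
    sleep "$2"
    _b=$(ifconfig "$1" | total_bytes)
    echo "$1: $((_b - _a)) bytes in $2 s, ~$(per_day_mb $((_b - _a)) "$2") MB/day"
}

# Constructed ifconfig dumps for tun21, as if taken 600 s apart.
SAMPLE_T0='tun21     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.0
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1100 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:120000 (117.1 KiB)  TX bytes:80000 (78.1 KiB)'
SAMPLE_T1='tun21     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.0
          RX packets:1700 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1400 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:170000 (166.0 KiB)  TX bytes:100000 (97.6 KiB)'
```

On the router itself, `sample_interval tun21 600` followed by the same call on the cellular/WAN interface gives the two figures to compare; the constructed samples above work out to 70000 bytes in 600 s, about 10 MB/day.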
 
I wanted to provide an update related to my original post.

I upgraded to Merlin and this provided a number of extra features such as two VPN servers, multiple clients and more tools to display the state of things.

Creating a router-to-router tunnel with TUN reduced chatter on the connection tenfold: about 10MB of traffic per day as compared to 75MB to 100MB per day with TAP. My actual usage traffic count is in these numbers but actual data transfer is low.

My heat pump WIFI interface will only communicate with devices on the same subnet so TUN did not allow remote control because of routed subnets. The environmental/building monitor device worked fine.

I changed mobile phone providers to a company that offered 5GB of 3G data at a more acceptable price so switching plans allowed me to go back to TAP and all is well. (I am in Canada where we are gouged for data.)

Thanks for the suggestions.

Peter

Sent from my Pixel using Tapatalk
 