VPN in a Dual Tomato Router Setup

Discussion in 'privacy technology' started by MisterB, Sep 4, 2014.

  1. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I've been thinking a lot about the best way to use a VPN and was intrigued by the idea of setting up a VPN connection in a router. The advantages are pretty obvious: everything connected to the router is automatically VPNed without installing any client software on individual computers. The main problem is that there are a lot of instances where I want to use my real IP, mainly for business purposes. After reading up about it a bit, the simplest solution that came to me was to cascade two routers with the second one connected to a VPN and the first connected to my ISP.

    I've been using Tomato as my preferred firmware in my home router and had a couple of spare Linksys WRT54G routers that support Tomato lying around, so I just had to find a version of Tomato with OpenVPN support and a VPN provider that supported Tomato. I downloaded a version with VPN support from TomatoUSB.org and flashed it into my spare router. There are several VPNs that support router connections with DD-WRT and Tomato and I ended up choosing Torguard, mainly because I didn't have to put up much money for an experiment that I wasn't sure would work that well.

    After just a couple of hours of putting things together I got it working. The second router was set up with the VPN following the instructions on the Torguard website. I set its local IP to a different IP from the first router and set it on a different wifi channel, set it up for a DHCP WAN connection and connected one of the LAN ports of the main router to the LAN port of the VPNed router. I first tested it for basic internet connectivity; the LAN to WAN connection worked and I couldn't access the setup page of the main router from the second, which was one of the things I wanted. I started the VPN and without any hangups it started working. I wasn't expecting it to be that easy.

    And now that I've got it working, I have to say this really rocks. The configuration is flexible. I can have wifi completely shut off on the main router so all wifi connections are automatically VPNed and the only way to connect with my real IP is through an ethernet cable. This is a great setup for anyone who has teenagers or house guests using the wifi. I can also turn on the wifi on the main router anytime I want to and have two wifi channels, one VPNed and one not. The TomatoUSB firmware lets me have two different VPN client connections stored in the router that I can switch on the fly. Changing the servers stored in the router is a simple copy and paste of the server IP.
     
  2. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Following up a year and a half later, I've moved to Shibby Tomato which is actively maintained and much more sophisticated than earlier versions of Tomato USB. My current setup is still two daisy chained routers but I've upgraded both of them so I could install the newer and larger builds of Shibby and take advantage of their many features, subnetting and multiple Virtual Wireless SSIDs in particular. I have three VPN tunnels from three different providers on the two routers. I've added some custom routing tables via scripting so I have different VPN tunnels on different subnets and different Wifi SSIDs, so I just have to connect to a particular SSID to connect to either my ISP connection or one of three VPNs, two of which are two hop connections.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    That setup sounds really slick. I haven't even played with tomato in any form yet. My DDWRT is running slick but I don't have it anywhere near as sophisticated as your setup.

    I am curious. On a complete power loss or totally broken connection such as ISP complete temporary system loss: is the re-start seamless and sure fire or do you need to manually re-connect and supervise all the tunnels coming back up?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Very cool! Subnets and WiFi :thumb: Are you chaining VPNs?
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Good work - my feeling is the multiple SSIDs with different postures is getting to be essential - one for guests, maybe one for IoT, webcams, gaming, and the other for "normal" computing. I also like the multiple boxes/interface idea to link to the VPN. I think what I'm doing with a single pfSense box with 4 ethernets plus a VLAN wifi is pretty similar to what you've achieved - and probably a lot cheaper!
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    @deBoetie - What NIC card did you use? About how much did it cost?
     
  7. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Any VPN on router 2 is chained to router 1's VPN and I can chain 2 more by adding a VPN client connection to a host PC and adding another one in a VM.
    I just need to switch off the routers and switch on 1 and 2 in that order. Occasionally a VPN fails to connect at startup and I have to check for that when I turn them on but once the tunnel is established, a failure will result in a dead connection, not a bypass to the ISP. I don't know if that is by design or accident.

    The hardest part of getting this going was learning iptables prerouting and fwmark functions well enough to customize the routing script to my needs. One VPN on a router is easy but getting two to function at the same time on different subnets took some trial and error work.
     
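    The iptables PREROUTING/fwmark routing that MisterB describes above, as an added example that is not MisterB's script or Tomato's own code: each LAN bridge is marked and sent through its own routing table whose only default route is one OpenVPN tunnel, and a FORWARD drop rule makes a tunnel failure a dead connection rather than a fallback to the ISP. The interface names (br0/br1, tun11/tun12, vlan2), the two subnets, the mark values and the table ids are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: per-subnet policy routing on a
# Tomato/Linux router. Assumed interface names: br0/br1 = the two LAN
# bridges (192.168.48.0/24 and 192.168.49.0/24), tun11/tun12 = OpenVPN
# client 1 and client 2 tunnels, vlan2 = the ISP-facing WAN port.
WAN_IF=${WAN_IF:-vlan2}
DRY_RUN=${DRY_RUN:-0}

# run: execute the command, or just print it when DRY_RUN=1 so the whole
# rule set can be reviewed before it is applied to a live router.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# bind_subnet_to_tunnel LAN_IF SUBNET TUN_IF MARK TABLE
# 1. a dedicated routing table whose only default route is the tunnel,
# 2. an ip rule sending packets carrying MARK to that table,
# 3. a mangle PREROUTING rule that stamps MARK on packets from SUBNET,
# 4. a FORWARD drop so that, if the tunnel is down and its table is empty,
#    the kernel's fallback to the main table cannot reach the ISP (kill switch),
# 5. NAT out of the tunnel, since the VPN side only knows the tunnel address.
bind_subnet_to_tunnel() {
    lan_if=$1; subnet=$2; tun_if=$3; mark=$4; table=$5
    run ip route add default dev "$tun_if" table "$table"
    run ip rule add fwmark "$mark" table "$table"
    run iptables -t mangle -A PREROUTING -i "$lan_if" -s "$subnet" \
        -j MARK --set-mark "$mark"
    run iptables -I FORWARD -i "$lan_if" -o "$WAN_IF" -j DROP
    run iptables -t nat -A POSTROUTING -s "$subnet" -o "$tun_if" -j MASQUERADE
    # Return traffic arrives on the tunnel, not on the interface the main
    # table would pick, so strict reverse-path filtering must be relaxed there.
    run sysctl -w "net.ipv4.conf.$tun_if.rp_filter=0"
}

# apply_policy_routing: one subnet per tunnel; marks and table ids are
# arbitrary but must be unique per tunnel.
apply_policy_routing() {
    bind_subnet_to_tunnel br0 192.168.48.0/24 tun11 0x10 110
    bind_subnet_to_tunnel br1 192.168.49.0/24 tun12 0x20 120
    run ip route flush cache
}

# Review the generated commands with "DRY_RUN=1 ./script apply"; run
# "./script apply" as root on the router to install them.
if [ "${1:-}" = apply ]; then
    apply_policy_routing
fi
```

    After applying, confirming that a client on each subnet sees its tunnel's exit address and that stopping one OpenVPN client leaves that subnet without connectivity (rather than on the ISP address) is the leak test the thread recommends.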
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    @MisterB - Very nice! That's what I figured. It's a sweet setup. You could add a Tor router too.

    The only aspect that troubles me is having all that networking out in the open. I do similar stuff. I have a VPN chain in pfSense VMs in one host, and an ethernet link to another host, which is running a pfSense VM with my IPv6 VPN client. But still, both hosts use LUKS, so they're pretty secure when powered down. How well can routers be locked down from unauthorized bootup?
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    It's a Supermicro server board, mATX profile, A1SRM-2558F, with 4 Intel GigE ports onboard.

    http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-2558F.cfm

    Processor's a fanless 15W 4 core 2.4G Atom C2558 SoC (there's also an 8-core version but that needs a fan and is significantly more $), this one is about $250. Has AES-NI.

    There are 4 x GigE C2000 SoC I354 Intel NICs, with some I/O overhead reduction. pfSense/BSD sees these as an igb driver type, and these are not officially supported for VLAN but do work (I've increased the mbufs to avoid some reported issues).

    Loads of memory (to 64G) & 2 PCIe 2 NIC card expansion slots (if more Ethernet ports become needed, I'll pop in a cheap 2-port Intel board, or the 1350-T4).

    The VLAN Multi-ssid Wireless access point is a TP-Link TL-WA901ND.

    Reason for the additional ports is that I don't want to completely rely on VLANs for segregation, it's OK for the wireless traffic, but I like physical...
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    No way to do that. The security is centered on administrative access when they are on, and that can be locked down so that only one authorized computer can access the configuration page from a wired ethernet connection; telnet and SSH can be disabled when not needed as well. Encrypting the whole file system doesn't make that much sense because it consists of around 10 MB, at most, of Linux firmware which is stored in non-volatile RAM that is always going to be the same. When the router boots up, the working directories with the user configuration are copied into the /tmp directory, which is where all the action happens, and any changes made there won't survive reboot. The user configuration file is only around 16 KB. I looked at the backup and nothing in it is in plain text. Exporting the configuration, or parts of it, in plain text format would require more custom scripting according to a forum I checked, so it looks like there has been some thought put into securing user configuration files.

    Even the most complicated router is a much simpler device than anything capable of running pfSense. When I upgraded, I just looked at the list of compatible routers for the build of Shibby I wanted to use. The most expensive ones were less than $100 US and I found a used Linksys A/G/N router with enough memory and storage for less than $20.

    Shibby also has built-in Tor but I haven't gotten it to work fully. I get recognized as a Tor exit node when I do a DNS test but I can't get onto any .onion sites. I could add another subnet and SSID for it and play around with it some more, but so far it hasn't been reliable for anything other than making my DNS profile even more complicated. A Whonix VM is my preferred method of using Tor these days so I haven't bothered much with the Shibby Tor. Next is beefing up the firewall with more custom scripting. As @deBoetie mentioned, it is a good idea to isolate internet devices from computers on a network. I've already done that with the media devices I have, and most of them don't give me any clue at all to what goes on inside them. The one that does, a Linux satellite/IPTV receiver that is fully open source, has insanely bad security: full root access with no password to anything that gets inside of it, basically, and the built-in firewall doesn't work so the firewalling depends on the router.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    @deBoetie - Thanks. I use a cheap Atom box with a four-port Intel gigabit server NIC. I ended up paying ~$300 for just the NIC, plus another ~$200 for the box. I picked the NIC because it had been blessed in the pfSense forums. But your setup is much less expensive, more elegant, and probably uses less power.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    I suspect the elegance/price equation is only a result of timing of product releases, and I know the 4-port server NIC boards are very solid and well supported (as well as wallet depleting!). I don't think the I354s are as comprehensive, but they appear to do the job and should become well supported if only because of their ubiquity. The electrical power consumption & noise are important - I nearly resurrected an old Q6600 processor for the purpose, but held back because of the power & fans required.

    I think @MisterB's approach is excellent; the only reason I wanted the more configurable box with extra power & interfaces was for high-speed LAN-LAN and stuff like Snort/pfsenseng. Otherwise, stock routers that will support Tomato or other open source could be made to work nicely, including the integrated Wifi.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    @MisterB - Thanks. Yes, someone would need to dump the flash, I guess. That's easier than hosing a LUKS box to capture the passphrase. But ultimately, it comes down to physical security. And as long as your VPNs are only accessible by authorized devices, you can't easily be outed (as in, "he's using XYZ VPN exit a.b.c.d").
     
  14. Starlights

    Starlights Registered Member

    Joined:
    May 2, 2016
    Posts:
    10
    @MisterB, thanks for your initial write up. I actually found this website searching for instructions to accomplish just this (the write up in your first post). I am trying to set up two routers similarly, but not being a network person, I am not completely clear. Perhaps you could help.

    I plan to set up two routers, with the second router on VPN (AirVPN). The first router will continue to be on an ISP (non-VPN) connection. For the first router I am using a Securifi Almond and for the second router a T-Mobile Cellspot, which is basically an ASUS 1900. This router has OpenVPN (both client and server). I plan to use the OpenVPN client configuration file generated from airvpn.org to configure this router so it tunnels through the first router; devices connected to this second router will be on VPN, but devices connected to the first router will not be. I may place these routers in different locations within my house by using devices such as TP-Link power line adapters. I would like to have two different SSIDs to separate these networks. The non-VPN router would be used by home devices such as TVs etc. and will also have a separate guest network. The VPN network will be for personal computer usage.

    Here are some questions:
    Which is a better way to connect, LAN to WAN or LAN to LAN?
    Is there any advantage of using one over the other? (I am thinking LAN to LAN will allow for easy printer access from both networks - but then what about security issues?)
    Which network should the printers use to keep them secure?
    Is there anything in specific that I should watch out for?

    FYI, I believe that the Securifi Almond (1st router) can be configured for VPN passthrough but does not have any additional firmware to use it as a VPN router. The second router, T-Mobile Cellspot (Specs), supports OpenVPN (client and server). I am thinking these should do just fine....

    Thanks in advance for your response.
     
    Last edited: May 2, 2016
  15. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    LAN to WAN is more secure. The second router uses a DHCP connection. If the second router can establish a VPN connection, it won't care if it is on the LAN of router A or directly connected to the ISP's DHCP server. Different subnets for each router, of course. With a LAN to WAN connection from A to B, the Tomato firmware lets the second router see a printer or devices on the first but not the other way around. I keep all non-computer media devices on the VPNed subnet. They are not trusted. My printers are not networked at all. All printing is done from one dedicated computer.

    I'm not familiar with the routers or firmware you're using but the basic setup sounds ok as long as the OpenVPN works correctly on the second router. The weak point I've found is when the router is turned on. Always verify that it is working and the VPN connection is established and then test it for leaks once the tunnel is started.
     
    Last edited: May 2, 2016
  16. Starlights

    Starlights Registered Member

    Joined:
    May 2, 2016
    Posts:
    10
    Perfect! Thank you. I may go ahead with LAN to WAN first and see where it gets me. Are there any double NAT problems that can occur with LAN to WAN? Additionally, do you turn off the VPN router when it's not being used? (Apologies if this is a basic question, I am just getting started in networking and VPN.)

    The second router that I mentioned uses a flavor of AsusWRT. I can go through flashing a different firmware on it, but I don't want to take on additional tasks that are not super essential. Thank you for your response. I will msg again if I run into any specific problems.

    This setup is for my own experimentation and learning. I would like to make it as secure as possible, but there is no critical need to do so from the very start. Eventually I would love to master iptables and other related scripts.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Connecting two LANs will confuse things, no?
     
  18. Starlights

    Starlights Registered Member

    Joined:
    May 2, 2016
    Posts:
    10
    Did you mean in general, or specifically for the setup I mentioned above with VPN on 2nd router? If your question was directed specifically at my intended setup, then I don't know the right answer.

    However, in general, it's one way to cascade two routers if one wants all devices on both networks to be able to see all other devices on those networks. Here is a link explaining it in a simplistic manner:

    Router to Router Cascading
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    OK, I see. You disable DHCP on one of the routers.
     
  20. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    That is taken care of by the subnetting. Router A gets something like a default 192.168.0.0 as its IP and that IP is the gateway for router B, which is set on another subnet by changing its IP to something like 192.168.48.0. The DHCP will have a range over the last part of the IP address, usually 192.168.X.0-256. Each router will be serving DHCP addresses on a different subnet and there will be no conflicts.
     
  21. Starlights

    Starlights Registered Member

    Joined:
    May 2, 2016
    Posts:
    10
    Thank you! Now time to get my hands dirty :D

    I am hoping that keeping the VPN router "on" at all times should not be a problem.
     