VPN: How to route all cell data to my home router and use its external VPN instead of WAN?

[DarnellG]

I have setup an openVPN server on my router and it works great so I have access to my local lan and I can use the router WAN.

I also have setup a VPN client set up on my router and presently using this VPN for one computer on my lan, all other devices on my local local use the WAN.

I want to connect to my router with my cell phone using OpenVPN like I mentioned above but instead of using the router's WAN and want to use the VPN client. I tried adding a rule in VPN director for 10.x.x.2 ip (the ip that the router uses) to the "client1 VPN" but it doesn't work. What am I doing wrong?

I'm using 386.4 on a RT-AX88U

 

[DarnellG]

Ok I figured it out the router was assigning a different 10.x.x.x number when I was disconnected and reconnecting my cell through the openVPN server. I put 10.x.x0/24 and it works now.

 

[DarnellG]

Just one question to make sure I did this right.

The OpenVPN server on the router is set to use the 10.8.0.0 255.255.255.0 subnet and when cell phone connects it gets assigned a random 10.8.0.x address. usually it uses a low IP like 10.8.0.2 or 10.8.0.3 but if I connect and disconnect quickly it will choose the next higher IP address available.

I've also have 2 VPN clients set up on the router pointing to different external VPN servers. There doesn't seem to be a way to specify a specify a IP subnet and when both clients are connected they are assigned IPs in the same 10.8.0.0 subnet as specified in the OpenVPN server config but seem to use IPs in the higher range of 10.8.0.20, 22, 23 ... for client 1 VPN and client 2 VPN will get a higher IP still 10.8.0.55, 56, 57 ....

Will the VPN director rule that I made forwarding all 10.8.0.0/24 to use the VPN client1 screw up anything because the client1 and client2 VPN IPs are included in that rule? Or should I create a VPN director rule to only specify only 10.8.0.1 - 10.8.0.10 range so that it doesn't encompass the client1 and client2 VPN IPs in the rule? Everything seems to work but just wanted to make sure I didn't break something I'm not aware of.

 

[eibgrad]

Just one question to make sure I did this right.

The OpenVPN server on the router is set to use the 10.8.0.0 255.255.255.0 subnet and when cell phone connects it gets assigned a random 10.8.0.x address. usually it uses a low IP like 10.8.0.2 or 10.8.0.3 but if I connect and disconnect quickly it will choose the next higher IP address available.

I've also have 2 VPN clients set up on the router pointing to different external VPN servers. There doesn't seem to be a way to specify a specify a IP subnet and when both clients are connected they are assigned IPs in the same 10.8.0.0 subnet as specified in the OpenVPN server config but seem to use IPs in the higher range of 10.8.0.20, 22, 23 ... for client 1 VPN and client 2 VPN will get a higher IP still 10.8.0.55, 56, 57 ....

Will the VPN director rule that I made forwarding all 10.8.0.0/24 to use the VPN client1 screw up anything because the client1 and client2 VPN IPs are included in that rule? Or should I create a VPN director rule to only specify only 10.8.0.1 - 10.8.0.10 range so that it doesn't encompass the client1 and client2 VPN IPs in the rule? Everything seems to work but just wanted to make sure I didn't break something I'm not aware of.

You started to lose me by paragraph three.

Let's back up a second. All your OpenVPN clients and the servers should be using *different* IP networks on their respective tunnels. Otherwise you end up w/ ambiguous routing. The routing system is then left to decide which network interface should be used, which may NOT be to your liking or comport w/ your intentions.

To see how things can go wrong, consider the following link.

VPN Director not applying rules to right VPN profile

Hi, I'm running into a routing issue when configuring multiple VPN profiles using VPN Director on my LINKSYS (base model: RT-AC68U) firmware version 386.3_2. I have 2 VPN profiles with the following external addresses: OVPN1) Connected (Local: 10.16.0.43 - Public: 185.240.246.99) OVPN3)...

www.snbforums.com

Now as it turns out, and as I recommended to Merlin, 386.4 now adds the OpenVPN client's network interface to its respective alternate routing table. Nonetheless, having multiple OpenVPN clients use the same IP network should be avoided, and certainly if it conflicts w/ the OpenVPN server too.

So despite my getting a bit lost in your description, the part that got my attention and generated this response was the impression that you were in fact creating ambiguous routing w/ these OpenVPN clients and servers.

 

[DarnellG]

Just to clear things up (hopefully), the OpenVPN server running on my router is used to connect my cell phone to my router when I'm away from home so I can get access to my local lan. It's configured to use 10.8.0.0 255.255.255.0

I purchased a VPN subscription from a company and created 2 clients on my router using the ovpn file provided. The VPN company has many available servers to use so I chose to setup two 'clients', one 'client' is the main one used and is enabled. The second one I configured as a spare and is inactive and will not be active while the first client is used and is manually disabled while the main one is in use. During the setup of these clients there is no way to set which subnet to use and it automatically uses the same subnet as my router's VPN server.

 

[L&LD]

Why did you purchase a subscription?

OpenVPN is built-in (and free).

 

[eibgrad]

During the setup of these clients there is no way to set which subnet to use and it automatically uses the same subnet as my router's VPN server.

I understand that. The OpenVPN server always determine the IP network to be established on the tunnel. But you *do* control the IP network used by your own OpenVPN server. That's the one you should make sure doesn't conflict w/ either of the OpenVPN clients on the router.

 

[DarnellG]

Why did you purchase a subscription?

OpenVPN is built-in (and free).

I purchased a VPN subscription so that my Router's WAN IP would be hidden. Are you suggesting that the internal OpenVPN server is able to hide the WAN IP from being exposed?

My goal is to have my cell phone connect to my router's internal open VPN server securely and access the internet through the VPN service provider I paid for thus preventing my router's IP from being exposed.

 

[DarnellG]

I understand that. The OpenVPN server always determine the IP network to be established on the tunnel. But you *do* control the IP network used by your own OpenVPN server. That's the one you should make sure doesn't conflict w/ either of the OpenVPN clients on the router.

I selected the subnet randomly for my internal OpenVPN server and setup my clients after. Are you saying that its just random that when I setup the 2 clients that is just happened to chose to use the same subnet? I can try changing the subnet of the internal server but just I assumed the clients would just use the new subnet too. I'll try tonight. Funny everything seems to work.

 

[L&LD]

You want your router's WAN IP hidden from whom?

VPN (paid or not) isn't the end-all and be-all of online anonymity and/or security.

At the least, the paid VPN service still knows what you're doing (and where).

 

[DarnellG]

Hidden might have been a bad choice of words. I'm from Canada and I am becoming increasingly concerned with the actions of our Totalitarian government vis a vis its citizens. IMO it wouldn't surprise me if they started limited access to sites and apps that encourage freedom of speech. Hopefully I'm wrong but i am just trying to protect myself by encrypting all my traffic and staying as hidden as possible.

 

[Tech9]

All three of us live in the same country. I personally have no such concerns.

 

[DarnellG]

That's fine, I do

 

[Tech9]

You only limit yourself. VPN servers are well known, increasing number of sites refuse services when VPN is detected. You will be forced to identify your location, login more often, or disable VPN altogether. You can't even purchase lottery tickets online, for example. Your Internet speed on a home router will be limited, your latency is going to be much higher. On top of everything you are paying for the inconvenience. Your choice.

 

[DarnellG]

My network devices for the most part don't use the VPN and go directly to WAN (~750Mbit), I just enable VPN on my desktop and my cell phone. I've been on on vpn on both my desktop computer and my phone all day and used all the apps and programs that I use on a daily basis and have not experienced any of the issues you mentioned. The only difference I did notice was I have slightly more delay in loading web sites but its just a couple seconds more and acceptable. On VPN I get 49ms ping and 100Mbit down and my ISP limits my upload to 20Mbit so I have plenty for what I do.

I also have a friend in the states and eventually we are both going to run OpenVPN servers on our routers and be able to log in to each others routers through VPN and use the WAN so instead of using an IP shared by potentially hundreds of other users I'll have access to a unique US IP which will be much harder to be blacklisted by webites sites.

 

[Tech9]

This is fake sense of security. Your ISP knows where you connect. Your VPN provider knows what you do. If the VPN provider is registered in five/nine/fourteen eyes countries, a court order is enough. The rest limit VPN service by terms and conditions. If your online activity is outside of the agreement, you're on your own. If you are person of interest, constant use of VPN or Tor just draws more attention to you. As I said above - your choice.

The friend deal - his online activity going out of you WAN becomes your responsibility and vice versa. Are you sure you want this?

 

[DarnellG]

The ISP knows where I connect but its encrypted and the VPN is in the US so they would have to go to greater lengths to get this info. I'm doing nothing illegal but exercising my right to privacy. I agree that they only have to get a court order to get that information from the VPN but AT LEAST they would HAVE TO get that court order, not like they are doing now seizing peoples bank accounts without due process and threatening to go after their own citizens for having "unacceptable views". At least this way if they want to infringe upon my rights they will be forced to do it legally and get court order.

I've known my friend for over 15 years and trust him as I would a member of my family.

 

[L&LD]

I wouldn't trust any paid-for-VPN as much as you seem to be able to. No court orders are needed from someone in as high enough power as you're fearing (government).

If you want to be as invisible as possible, online, you need to stop having your own ISP. You need a 'burner' device that you only use once over a coffee shop's free WiFi, and you need to stop using your 'smartphone' (no matter how 'dumb' the model you use, is).

Anything else is wishful thinking, expensive and just gives you a false sense of security where none exists.

And for your friend, you may trust him. But you have no idea what his ISP is doing, either.

 

[Tech9]

not like they are doing now seizing peoples bank accounts without due process and threatening to go after their own citizens for having "unacceptable views".

This is what happens when the views are expressed in unacceptable way.

 

[DarnellG]

This is Canada not some banana republic where a peaceful protest is considered a terrorist act. We have a PM who took a knee with antifa and blm while they were burning buildings and killing people. Anyways we can continue this in private if you'd like othwise this is getting way off topic, I think we should end this here. Peace out

Have a good day.