annadnl

Reputation: 11

VPN server and client (possibly) on the same machine

What I'm trying to achieve is:

I'm trying to achieve that with a router running dd-wrt (netgear D6200), and / or a raspberry pi.

Can someone tell me if this can be achieved, and if so, direct me to what would be a possible solution?

(I'm not looking for a tutorial, just a direction)

Thanks!

Upvotes: -1

Views: 3109

Answers (2)

manisar

Reputation: 123

Yes, this is possible with dd-wrt on Netgear. There is no need for a Raspberry Pi (unless you meant to run the remote VPN server on it).

  1. Configure and run the VPN server on dd-wrt, and test connectivity by connecting clients. Both tun and tap should work in general (with the VPN client running). I tested with tun.

  2. Configure and run the VPN client on dd-wrt and try connecting to your VPN server. By default, the router should start directing all traffic (for its own LAN clients) via the VPN server. So far so good.

The problem comes when you want dd-wrt's VPN clients (and not just LAN clients) to take the same route. With a VPN client running on dd-wrt, dd-wrt's own VPN clients will not be able to connect to the VPN server running on dd-wrt as such. To make it work, see below.

  1. This is only possible via PBR, i.e. you run the VPN client on dd-wrt, but take the router itself off this client, and route only specific clients through this VPN client running on dd-wrt.

With some tweaks using subnet masks, it is possible to include all your LAN and VPN IPs in the PBR policy so that everything (except the router itself) routes through the remote VPN server.

The key is to include dd-wrt's VPN clients' virtual IPs in the PBR. While configuring the VPN server on dd-wrt, there is a field for specifying the clients' network and netmask. If you use this network IP and netmask in the client process's PBR policy, your (dd-wrt's) VPN clients will be able to connect to the VPN server running on dd-wrt, and will in turn be routed through the remote VPN server to which dd-wrt is connected as a client.

Upvotes: 0
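As an added illustration of the PBR policy manisar describes (my script, not part of the answer): what the policy amounts to in plain iproute2 terms. The interface name tun1, the subnets 192.168.1.0/24 and 10.8.0.0/24, and table 200 are assumed values; dd-wrt's own PBR implementation may differ in detail, and the script assumes the router's OpenVPN client runs with route-nopull so the remote side's default route is not installed in the main table.

```shell
#!/bin/sh
# Added example (not from the answer above): iproute2 equivalent of a dd-wrt PBR
# policy that routes the LAN and the local OpenVPN server's client pool through
# the router's own OpenVPN client tunnel, leaving the router itself on the main
# table. tun1, 192.168.1.0/24, 10.8.0.0/24 and table 200 are assumed values.
# Assumes the OpenVPN client runs with route-nopull, so the remote side's
# default route is not installed in the main table.

# pbr_rules CLIENT_TUN LAN_NET VPN_POOL TABLE
#   CLIENT_TUN : tun device of the OpenVPN client running on the router
#   LAN_NET    : the router's LAN subnet
#   VPN_POOL   : the "clients' network / netmask" of the router's OpenVPN server
#   TABLE      : routing table id that holds the tunnel default route
# Prints the commands (one per line) rather than running them, so the policy can
# be reviewed first; pbr_apply pipes the same lines into sh.
pbr_rules() {
    echo "ip route flush table $4"
    echo "ip route add default dev $1 table $4"
    # Only packets whose *source* is in these subnets are sent to the tunnel
    # table. The router's own traffic, including the OpenVPN client's UDP
    # session to the remote server, is sourced from the WAN address, so it
    # never matches and keeps using the main table.
    echo "ip rule add from $2 lookup $4"
    echo "ip rule add from $3 lookup $4"
    echo "ip route flush cache"
}

# pbr_teardown CLIENT_TUN LAN_NET VPN_POOL TABLE: reverse of pbr_rules.
pbr_teardown() {
    echo "ip rule del from $3 lookup $4"
    echo "ip rule del from $2 lookup $4"
    echo "ip route flush table $4"
    echo "ip route flush cache"
}

# pbr_apply CLIENT_TUN LAN_NET VPN_POOL TABLE: run the generated commands.
pbr_apply() {
    pbr_rules "$@" | sh -e
}

# Command-line use, e.g.: ./pbr.sh show tun1 192.168.1.0/24 10.8.0.0/24 200
# With no arguments (sourced, or run by hand) only the functions are defined.
case "${1:-}" in
    show)  pbr_rules "$2" "$3" "$4" "$5" ;;
    apply) pbr_apply "$2" "$3" "$4" "$5" ;;
    down)  pbr_teardown "$2" "$3" "$4" "$5" | sh -e ;;
esac
```

The third argument is the value from the server's "clients' network and netmask" field. Without that rule, packets from the router's own VPN clients are not covered by the policy and fall back to the main table, which is the failure manisar describes; with it, those clients are routed out through the remote VPN exactly like LAN hosts, while the router's own WAN-sourced traffic (including the tunnel itself) stays on the main table.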

fossil

Reputation: 770

This thread probably does not belong here.

Consider using OpenWRT instead of dd-wrt. OpenWRT gives you a usable build system and is easier to customize and build. I am not advocating OpenWRT. This can be a stop-gap measure.

  1. You can set up an OpenVPN server and OpenVPN client using the standard documentation available on the OpenWRT Wiki and also the OpenVPN site.

  2. Add the following directive to the OpenVPN server.conf: redirect-gateway def1. This will push the default gateway to clients connecting to the OpenVPN server. Further, make sure you are using a unique network IP pool for VPN clients that does not clash with the remote VPN server.

  3. Make sure you are masquerading the VPN traffic (clients of the local VPN server) before forwarding to the remote VPN server. This can be tricky as this interface does not exist at boot time. It needs to be configured using up and down scripts.

  4. Make sure you are allowing traffic (clients of the local VPN server) on the VPN interface to be forwarded in your firewall rules.

Before setting up the OpenVPN server, make sure:

  1. The remote VPN server is pushing the default gateway to your VPN client.
  2. You have set up the firewall correctly.
  3. You are able to reach the cloud through the remote VPN server. Checking with some site like www.whatismyip.com will help.

Upvotes: 0
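As an added example of steps 2 to 4 of fossil's procedure (my script, not fossil's): an OpenVPN up/down hook for the router's server instance that installs the masquerade and forwarding rules when the server's tun device comes up and removes them when it goes down, with the matching server.conf lines in comments. The interface names tun0/tun1, the pool 10.8.0.0/24 and the script path are assumed values.

```shell
#!/bin/sh
# Added example (not from the answer above): an OpenVPN up/down hook for the
# *server* instance on the router. It masquerades the local VPN clients' pool
# out of the router's OpenVPN *client* tunnel (the uplink to the remote VPN)
# and opens FORWARD for that path. tun1, 10.8.0.0/24 and the script path are
# assumed values.
#
# Assumed server.conf lines that go with it:
#   server 10.8.0.0 255.255.255.0      # local pool; must not overlap the remote VPN's pool
#   push "redirect-gateway def1"       # clients get their default route via this server
#   script-security 2                  # required before OpenVPN will run hooks
#   up   /jffs/vpn-forward.sh
#   down /jffs/vpn-forward.sh
#
# OpenVPN exports script_type ("up" or "down") and dev (the server's tun
# device) to the hook. The uplink interface and pool come from UPLINK_IF and
# VPN_POOL in the environment, with the assumed defaults below.

# forward_rules ACTION SERVER_TUN UPLINK_TUN VPN_POOL
#   ACTION is -A (install) or -D (remove). Prints one iptables command per line
#   so the rule set can be inspected without touching the firewall.
forward_rules() {
    # Hide the local pool behind the uplink tunnel address: the remote VPN has
    # no route back to the pool, so return traffic must come to this NAT.
    echo "iptables -t nat $1 POSTROUTING -s $4 -o $3 -j MASQUERADE"
    # Let local VPN clients out through the uplink tunnel only, not the WAN.
    echo "iptables $1 FORWARD -i $2 -o $3 -s $4 -j ACCEPT"
    # Let only replies to those flows back in from the uplink.
    echo "iptables $1 FORWARD -i $3 -o $2 -d $4 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules ACTION SERVER_TUN UPLINK_TUN VPN_POOL: execute the generated lines.
apply_rules() {
    forward_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# When invoked by OpenVPN, script_type tells us which hook this is. When sourced
# or run by hand it is unset and only the functions are defined.
case "${script_type:-}" in
    up)   apply_rules -A "$dev" "${UPLINK_IF:-tun1}" "${VPN_POOL:-10.8.0.0/24}" ;;
    down) apply_rules -D "$dev" "${UPLINK_IF:-tun1}" "${VPN_POOL:-10.8.0.0/24}" ;;
esac
```

Pinning the FORWARD rule to the uplink interface (-o tun1) rather than accepting everything from the pool matters for the failure mode fossil mentions: if the uplink tunnel is down, packets from the local VPN clients have no accepted path and are dropped (assuming the FORWARD chain's default policy is DROP) instead of quietly leaving unencrypted via the WAN. The pool must also differ from the remote VPN's pool, otherwise the MASQUERADE source match and the return route become ambiguous.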
