OpenVPN server with no public IP [options]

Software SW help
#1

Dear Turris community,

I would like to operate with my Turris Omnia (access applications, manage virtual machines) remotely.

My first Turris Omnia has public IPv4 address and OpenVPN works perfectly.

My second Turris Omnia elsewhere doesn’t have a public IPv4.

My question is simple: What are the options to bypass this limitation?

Some possible solutions (I have no idea if this going to work, please, correct me if not):

Port redirections

  • Server usually sits on port 1194, but it can be changed in reForis web interface.
  • You can forward traffic for certain port to whatever port is used by OpenVPN server on your Omnia.
  • You need to update the line remote ISP_public_IP Port_forwared_by_ISP, e.g., 11.22.33.44 54321.
  • Not tested by me, theoretically it should work.

IPv6 public IP

  • My ISP should have enough IPv6 addresses.
  • Does OpenVPN server works with IPv6 only? Is the connection somehow limited?

1st party VPN with public IP via OpenVPN

  • If you have an access to another Turris Omnia with public IP, you can connect it via OpenVPN.
  • Omnia with public IP will be a server.
  • Omnia with non-public IP will be a client.
  • Be aware of traffic setup. Server could dictate to route all client traffic to VPN, so all client of non-public Omnia could be redirected to VPN. This can be address with WireGuard.

3rd party DDNS service + CLI client for LXC

  • Maybe there is a DDNS service that has a CLI client that could be automatically connected after start and accessed from outside and used as an access point for LAN operated by Omnia.
  • Maybe this is a complete nonsense.
  • Possible security risk.

Reverse SSH tunnel

#2

If you don’t have a public IP, DDNS won’t really help you (by itself at least). That helps for people who do have a public IP all the time but that IP can change over time unpredictably.

#3

Install the OpenVPN client on all computers behind Turris with a non-public IP address.

Connect the computers to the OpenVPN server on Turris with the public IP.

Now, when you use OpenVPN to connect to Turris with a public IP address, the other PCs so connected will also be accessible.

#4

Thanks for clarification. I have updated my first topic.

#5

A nice trick.

I see one problem. If I want to operate my second Omnia, I need to connect the Omnia to a VPN that means redirect all the traffic to the VPN. Based on my experience (with my setup), this creates more problems than solutions.

Note: I don’t want to keep some PC turned on just because of possibility to operate the second Omnia. LXC container would be OK, but this will not work (most likely).

Is there any OpenVPN client for TurrisOS? Any client that would work with inside LXC?

#6

You don’t have to route all your traffic to the VPN.

Yes, one turris can be a server and the other turris can be a client. I think it’s easy to set it up through the reForis interface.

Clients for virtual machines are available. If you have linux-arm in your LXC container, then download and install the client for linux-arm.

OpenVPN linux

#7

Is there any tutorial how to setup avoid redirecting the traffic to the VPN and isolate it just for the incoming traffic (aka management from the server)?

I’m not that skilled with networking possibilities of Omnia & TurrisOS.

#8

Snímek obrazovky 2023-04-13 v 13.53.21
Snímek obrazovky 2023-04-13 v 13.53.21743×573 96 KB

#9

This is the server settings, but I guess that client settings would have the same checkbox?

#10

No, the client follows what is set on the server.
Pictures from my phone, which is connected via OpenVPN to my Turris router.

1nd picture - Route all traffic via VPN - ON

IMG_0724
IMG_0724640×630 49.3 KB

2nd picture Route all traffic via VPN - OFF

IMG_0725
IMG_0725640×594 58.1 KB

I have an optical connection from T-Mobile, LTE connection also from T-mobile. That’s why it jumps to the same IP 89.24.28.9

Určitě máte chytrý mobil, tak si to sám vyzkoušejte. Nastavení OpenVPN přes reForris je opravdu primitivní.

#11

Documentation does specify if TurrisOS supports multiple server configuration.

A configuration without routing traffic would work for my case of hooking the second Omnia (but doesn’t solve the problem of absence of public IPv4), but I also need that server (and route the traffic from the client to it) when I’m abroad.

I’m not sure if this scenario is supported.

#12

I don’t know how to explain it to you anymore.

Assignment: you have one turris with a public address and a second router with a non-public IP. You want to manage virtual machines on the second router.

On the router with the public address you run the openVPN server. You generate a client configuration file.

On the non-public router, you run the openvpn client, configure it with the configuration file.

Your second router will now have a non-public IP address towards the WAN, plus a tunnel to the first router. The tunnel will have an address such as 10.111.111.2

You connect from your computer to the first router with the public address. You then connect from the router to the router with the non-public IP using the tunnel. And then you can manage your virtual lxc computers.

For example:
user@myadminPC ~% ssh root@publicIP_1_router
root@my1router’s password: *****
root@my1router ~% ssh root@10.111.111.2
root@10.111.111.2’s password: *****
root@my2router ~% ssh admin@virtual1-lxc

PS: On the first router, when you set up the openVPN server, if you set: Route all traffic via VPN - OFF

Then all traffic from the second router will go through the non-public IP address. Only what is needed will go through the tunnel.

#13

If you want to access turris omnia without public ip from internet you will need reverse tunnel or vpn with something that have public ip.

For example:
client —ssh tunel—> something with public ip(vps, or other device <—reverse tunnel-- omnia with non public ip
or
client —vpn—> private vpn server with public ip <–vpn-- omnia with non public ip

edit: another option is to use cloudflare tunnel (zero trust) but you will have to have domain, but its cheaper option than vps with public ip.

#14

Dear Jiří, don’t get frustrated by me. :slight_smile:

You are very helpful, I got your trick and how to setup it.

Unfortunately, I also need to support routing client traffic into the VPN on the same server. If this can’t be setup on the client side, I can’t use it.

#15

OK then there is the solution of having OpenVPN for clients with full VPN traffic. Use Wireguard to connect a second router without a public IP. Both are supported on turris routers and can run at the same time.

The principle will then be the same, the adminPC will connect to the router with the public IP and then the tunnel will connect to the router with the non-public IP.

https://wiki.turris.cz/doc/en/public/wireguard

1 Like
#16

In that case, keep the option on the OpenVPN server to route all traffic through the tunnel enabled and just edit the configuration file for the client to not replace the default route.

#17

Dear @hagrid could you give me a hint how to override it in the config file?

I tried to consult it with ChatGPT, but it gives me an invalid setting (fails upon upload in reForis administration).

route 192.168.1.0 255.255.255.0 192.168.2.1

// 1.1 :arrow_right: Omnia with Public IP
// 2.1 :arrow_right: Omnia with non-public IP that I’m trying to manage.

When remove my change :arrow_up:, the config file is accepted.

ChatGPT mentioned these possible settings but I’m not sure which should I use for my case
(Omnia 2.1 should be accessible from any client in the VPN, but the traffic of that Omnia clients should not be routed to VPN).

route-nopull
redirect-gateway def1
redirect-gateway -autolocal

Edit

I also tried following settings. It was accepted but eventually, I had to reset my Omnia to previous settings.

route-nopull
route 192.168.1.0 255.255.255.0 vpn_gateway
route 192.168.2.0 255.255.255.0 net_gateway

I think I will wait for an advice from a human. :smiley:

#18

I’m not sure that you can directly connect to the OpenVPN server without a public IP. I would not lean toward routing all traffic from site 2 (non public IP) to site 1 (public IP) as that would create a lot of traffic on site 1’s network.

While this does not answer the question that was asked, you may also look into using a service like ZeroTier. Easiest way I can think of right away would be to install ZeroTier client node on a computer at Site 2. And then on your remote computer have ZeroTier client installed as another node, both in the same ZeroTier network ID. You could then remote into that computer and access everything on that network. I’ve used ZeroTier for motorsport races I’m unable to attend in persons and I need to support remotely. We don’t have access to port forwarding of the track’s network devices and often use our own router behind theirs to isolate us a little more from the rest of the network. Using ZeroTier I can be at another site and still connect Orbits Remote (race management software) the Orbits server running on the onsite computers so I can process races, generate results and build grids for them remotely.

ZeroTier also has options for bridged nodes, and I think the OpenWRT side of the Turris Omnia should support that, but I’ve not looked into that setup too much, though I’ve thought about it so that I could also remotely print to the network printer on site as well. A quick search shows this page may have more information for that setup: Home · mwarning/zerotier-openwrt Wiki · GitHub