OpenVPN server with no public IP [options]

Dear Turris community,

I would like to operate with my Turris Omnia (access applications, manage virtual machines) remotely.

My first Turris Omnia has public IPv4 address and OpenVPN works perfectly.

My second Turris Omnia elsewhere doesn’t have a public IPv4.

My question is simple: What are the options to bypass this limitation?

Some possible solutions (I have no idea if this is going to work; please correct me if not):

Port redirections

  • Server usually sits on port 1194, but it can be changed in reForis web interface.
  • You can forward traffic for certain port to whatever port is used by OpenVPN server on your Omnia.
  • You need to update the line remote ISP_public_IP Port_forwarded_by_ISP, e.g., 11.22.33.44 54321.
  • Not tested by me, theoretically it should work.

IPv6 public IP

  • My ISP should have enough IPv6 addresses.
  • Does the OpenVPN server work with IPv6 only? Is the connection somehow limited?

1st party VPN with public IP via OpenVPN

  • If you have access to another Turris Omnia with a public IP, you can connect to it via OpenVPN.
  • Omnia with public IP will be a server.
  • Omnia with non-public IP will be a client.
  • Be aware of the traffic setup. The server could dictate routing all client traffic through the VPN, so all clients of the non-public Omnia could be redirected into the VPN. This can be addressed with WireGuard.

3rd party DDNS service + CLI client for LXC

  • Maybe there is a DDNS service with a CLI client that could connect automatically after start, be accessed from outside and be used as an access point for the LAN operated by the Omnia.
  • Maybe this is a complete nonsense.
  • Possible security risk.

Reverse SSH tunnel

If you don’t have a public IP, DDNS won’t really help you (by itself at least). That helps for people who do have a public IP all the time but that IP can change over time unpredictably.

Install the OpenVPN client on all computers behind Turris with a non-public IP address.

Connect the computers to the OpenVPN server on Turris with the public IP.

Now, when you use OpenVPN to connect to Turris with a public IP address, the other PCs so connected will also be accessible.

Thanks for clarification. I have updated my first topic.

A nice trick.

I see one problem. If I want to operate my second Omnia, I need to connect that Omnia to a VPN, which means redirecting all its traffic to the VPN. Based on my experience (with my setup), this creates more problems than solutions.

Note: I don’t want to keep some PC turned on just for the possibility of operating the second Omnia. An LXC container would be OK, but this will not work (most likely).

Is there any OpenVPN client for TurrisOS? Any client that would work inside LXC?

You don’t have to route all your traffic to the VPN.

Yes, one turris can be a server and the other turris can be a client. I think it’s easy to set it up through the reForis interface.

Clients for virtual machines are available. If you have linux-arm in your LXC container, then download and install the client for linux-arm.

OpenVPN linux

Is there any tutorial on how to set it up so that it avoids redirecting the traffic to the VPN and isolates it to just the incoming traffic (aka management from the server)?

I’m not that skilled with networking possibilities of Omnia & TurrisOS.

These are the server settings, but I guess that the client settings would have the same checkbox?

No, the client follows what is set on the server.
Pictures from my phone, which is connected via OpenVPN to my Turris router.

1st picture - Route all traffic via VPN - ON

2nd picture - Route all traffic via VPN - OFF

I have an optical connection from T-Mobile and an LTE connection also from T-Mobile. That’s why it jumps to the same IP 89.24.28.9.

You surely have a smartphone, so try it out yourself. Setting up OpenVPN through reForis is really simple.

Documentation does specify if TurrisOS supports multiple server configurations.

A configuration without routing traffic would work for my case of hooking up the second Omnia (but doesn’t solve the problem of the absence of a public IPv4), but I also need that server (and to route the client’s traffic through it) when I’m abroad.

I’m not sure if this scenario is supported.

I don’t know how to explain it to you anymore.

Assignment: you have one turris with a public address and a second router with a non-public IP. You want to manage virtual machines on the second router.

On the router with the public address you run the openVPN server. You generate a client configuration file.

On the non-public router, you run the openvpn client, configure it with the configuration file.

Your second router will now have a non-public IP address towards the WAN, plus a tunnel to the first router. The tunnel will have an address such as 10.111.111.2

You connect from your computer to the first router with the public address. You then connect from the router to the router with the non-public IP using the tunnel. And then you can manage your virtual lxc computers.

For example:
user@myadminPC ~% ssh root@publicIP_1_router
root@my1router’s password: *****
root@my1router ~% ssh root@10.111.111.2
root@10.111.111.2’s password: *****
root@my2router ~% ssh admin@virtual1-lxc

PS: On the first router, when you set up the openVPN server, if you set: Route all traffic via VPN - OFF

Then all traffic from the second router will go through the non-public IP address. Only what is needed will go through the tunnel.
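The two-hop ssh in the post above works, but it types a password on each hop and the second hop runs from the public router, so that router would end up holding credentials for the inner one. As an added example (not from the thread or from Turris OS), here is the same path expressed with OpenSSH ProxyJump: the admin PC authenticates to both routers itself and the public router only relays the TCP connection. It assumes OpenSSH 7.3 or newer on the admin PC, a key at ~/.ssh/omnia_ed25519 (placeholder name), the tunnel address 10.111.111.2 from the post, and a placeholder public address.

```shell
#!/bin/sh
# Added example, not code from the thread or from Turris OS.
# Assumptions: OpenSSH >= 7.3 (ProxyJump) on the admin PC, the inner router
# reachable on the tunnel address 10.111.111.2 as in the post, and a key
# pair ~/.ssh/omnia_ed25519 whose public half is installed on BOTH routers.
set -eu

# Write an ssh_config so that "ssh omnia2" goes through the public router in
# one step.  With ProxyJump the admin PC does both authentications, so no
# password or private key for the inner router has to live on the public one,
# and the inner session is encrypted end to end (the jump host only relays).
write_jump_config() {
  cfg="$1"; public_ip="$2"; inner_ip="$3"
  cat > "$cfg" <<EOF
Host omnia1
    HostName $public_ip
    User root
    IdentityFile ~/.ssh/omnia_ed25519
    IdentitiesOnly yes

Host omnia2
    HostName $inner_ip
    User root
    ProxyJump omnia1
    IdentityFile ~/.ssh/omnia_ed25519
    IdentitiesOnly yes
    # the tunnel address is private; refuse unknown or changed host keys
    StrictHostKeyChecking yes
EOF
}

# One-liner equivalent for a PC without the ssh_config entry above.
jump_command() {
  printf 'ssh -J root@%s root@%s\n' "$1" "$2"
}

# Usage on the admin PC (203.0.113.10 is a placeholder public address):
#   write_jump_config ~/.ssh/config.d/omnia 203.0.113.10 10.111.111.2
#   ssh -F ~/.ssh/config.d/omnia omnia2
#   ssh -F ~/.ssh/config.d/omnia -J omnia1 root@10.111.111.2   # same thing
```

From omnia2 the LXC guests are then one more hop away exactly as in the post (ssh admin@virtual1-lxc), or they can get their own Host stanzas with ProxyJump omnia2.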

If you want to access a Turris Omnia without a public IP from the internet, you will need a reverse tunnel or a VPN via something that has a public IP.

For example:
client —ssh tunnel—> something with a public IP (VPS or other device) <—reverse tunnel— Omnia with non-public IP
or
client —vpn—> private vpn server with public ip <–vpn-- omnia with non public ip

edit: another option is to use Cloudflare Tunnel (Zero Trust), but you will have to have a domain; still, it’s a cheaper option than a VPS with a public IP.

Dear Jiří, don’t get frustrated by me. :)

You are very helpful, I got your trick and how to set it up.

Unfortunately, I also need to support routing client traffic into the VPN on the same server. If this can’t be setup on the client side, I can’t use it.

OK then there is the solution of having OpenVPN for clients with full VPN traffic. Use Wireguard to connect a second router without a public IP. Both are supported on turris routers and can run at the same time.

The principle will then be the same, the adminPC will connect to the router with the public IP and then the tunnel will connect to the router with the non-public IP.

https://wiki.turris.cz/doc/en/public/wireguard


In that case, keep the option on the OpenVPN server to route all traffic through the tunnel enabled and just edit the configuration file for the client to not replace the default route.

Dear @hagrid could you give me a hint how to override it in the config file?

I tried to consult it with ChatGPT, but it gives me an invalid setting (fails upon upload in reForis administration).

route 192.168.1.0 255.255.255.0 192.168.2.1

// 1.1 → Omnia with public IP
// 2.1 → Omnia with non-public IP that I’m trying to manage.

When I remove my change above, the config file is accepted.

ChatGPT mentioned these possible settings, but I’m not sure which one I should use for my case
(Omnia 2.1 should be accessible from any client in the VPN, but the traffic of that Omnia’s clients should not be routed into the VPN).

route-nopull
redirect-gateway def1
redirect-gateway -autolocal

Edit

I also tried the following settings. They were accepted but eventually I had to reset my Omnia to the previous settings.

route-nopull
route 192.168.1.0 255.255.255.0 vpn_gateway
route 192.168.2.0 255.255.255.0 net_gateway

I think I will wait for advice from a human. :D
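For the client-side override discussed in the last few posts, here is an added example (not code from the thread, from Turris OS or from reForis). OpenVPN has two relevant client options: route-nopull makes the client ignore every pushed route and DNS option, which is why the server’s LAN stopped being reachable in the attempt above, while pull-filter ignore "redirect-gateway" (OpenVPN 2.4 and newer) drops only the pushed option that would replace the client’s default route and keeps the other pushed routes. The script below rewrites an exported client config accordingly. It assumes an OpenVPN 2.4+ client on the non-public Omnia; whether the reForis upload check accepts these options is not something the thread settles, so the result may have to be placed under /etc/openvpn by hand. The sample config is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread, Turris OS or reForis.
# Assumptions: OpenVPN >= 2.4 client (pull-filter exists since 2.4) on the
# non-public Omnia and a client config exported from the public Omnia.
set -eu

# Rewrite a client config so that it still ACCEPTS routes pushed by the
# server (the route to the public Omnia's LAN) but IGNORES the pushed
# redirect-gateway that would replace its default route.  "Route all traffic
# via VPN" can then stay ON for road-warrior clients while the second router
# keeps its own uplink for its LAN.
# Any route-nopull line is dropped: it discards *all* pushed routes and DNS
# options, so the server side would no longer be reachable through the tunnel.
keep_own_default_route() {
  in="$1"; out="$2"
  grep -v '^route-nopull[[:space:]]*$' "$in" > "$out" || :
  if ! grep -q '^pull-filter ignore "redirect-gateway"' "$out"; then
    printf '%s\n' 'pull-filter ignore "redirect-gateway"' >> "$out"
  fi
}

# Exit 0 when the config will keep its own default route after connecting.
keeps_own_default_route() {
  grep -q '^pull-filter ignore "redirect-gateway"' "$1" &&
    ! grep -q '^route-nopull' "$1"
}

# How many times the filter appears (must be exactly 1 after rewriting).
count_pull_filter() {
  grep -c '^pull-filter ignore "redirect-gateway"' "$1" || :
}

# Constructed sample of an exported client config, including the
# route-nopull line that broke the setup in the post above.
write_sample_config() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
remote-cert-tls server
route-nopull
verb 3
EOF
}

# Usage on the non-public Omnia:
#   keep_own_default_route /root/turris.ovpn /etc/openvpn/turris.conf
#   keeps_own_default_route /etc/openvpn/turris.conf && echo "default route stays local"
```

After connecting, ip route on the second Omnia should still show its ISP default route, plus only the networks the server pushed; if the default route moved to tun0 the server pushed redirect-gateway and the filter line did not make it into the running config.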

I’m not sure that you can directly connect to the OpenVPN server without a public IP. I would not lean toward routing all traffic from site 2 (non public IP) to site 1 (public IP) as that would create a lot of traffic on site 1’s network.

While this does not answer the question that was asked, you may also look into using a service like ZeroTier. The easiest way I can think of right away would be to install the ZeroTier client node on a computer at Site 2. And then on your remote computer have the ZeroTier client installed as another node, both in the same ZeroTier network ID. You could then remote into that computer and access everything on that network. I’ve used ZeroTier for motorsport races I’m unable to attend in person and need to support remotely. We don’t have access to port forwarding on the track’s network devices and often use our own router behind theirs to isolate us a little more from the rest of the network. Using ZeroTier I can be at another site and still connect Orbits Remote (race management software) to the Orbits server running on the onsite computers, so I can process races, generate results and build grids for them remotely.

ZeroTier also has options for bridged nodes, and I think the OpenWRT side of the Turris Omnia should support that, but I’ve not looked into that setup too much, though I’ve thought about it so that I could also remotely print to the network printer on site as well. A quick search shows this page may have more information for that setup: Home · mwarning/zerotier-openwrt Wiki · GitHub

Just follow up on my story…

I was looking for a way to manage some web service running on port 5001, and the VPN worked for me with my previous ISP, which gave me a public IPv4 for free.

The new one did not. :)

Eventually, I was able to figure this out. My ISP did port forwarding from its public IP to my machine. I struggled with firewall setup, but after some time and thinking I got the setup right:

In luci/admin/network/firewall/rules I created a rule
Incoming IPv4, protocol TCP, From wan To this device, port 5001, Accept input.

After this, I’m able to connect to my web service from anywhere.

I could extend this to manage my Omnia itself, but I don’t need that; still, it could be helpful for somebody who comes across this topic.

If I have time, I will try to test whether the VPN would work with simple port forwarding of 1194.
(As a client, I would connect to a public IP, 1.2.3.4, on port 34567, and this traffic would be redirected to my Omnia with a non-public IPv4 address but with the VPN server running. If this is complete nonsense for some fundamental reason, please enlighten me ;) )
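One thing worth checking after the firewall rule in the previous post: once the ISP forwards public:5001 to the Omnia, the "From wan, To this device, port 5001, Accept" rule lets the whole internet reach that web service, because the ISP’s NAT only translates the address and does not filter who may connect. As an added example (not from the thread or from Turris OS), the script below scans an OpenWrt-style /etc/config/firewall (Turris OS is OpenWrt-based) and lists every rule that accepts from the wan zone with no src_ip restriction. The sample firewall config is constructed; rule names and addresses in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Turris OS.
# Assumptions: OpenWrt/UCI firewall syntax in /etc/config/firewall, as used
# by the OpenWrt base of Turris OS.  The sample config below is constructed.
set -eu

# Print "name: <dest> port <dport>/<proto>" for every rule that ACCEPTs from
# the wan zone without a src_ip restriction.  A rule with no dest is an INPUT
# rule ("this device" in LuCI); one with dest 'lan' is a port forward.
world_open_rules() {
  prog=$(mktemp)
  cat > "$prog" <<'AWK'
function flush() {
    if (inrule && src == "wan" && target == "ACCEPT" && src_ip == "")
        printf "%s: %s port %s/%s\n", name, (dest == "" ? "this device" : dest), dport, proto
}
/^config[ \t]+rule/ { flush(); inrule = 1; name = src = src_ip = dest = dport = proto = target = ""; next }
/^config[ \t]/      { flush(); inrule = 0; next }
inrule && $1 == "option" {
    v = $0
    sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)   # drop "option <key> "
    sub(/^['"]/, "", v); sub(/['"][ \t]*$/, "", v)  # strip UCI quotes
    if ($2 == "name")           name = v
    else if ($2 == "src")       src = v
    else if ($2 == "src_ip")    src_ip = v
    else if ($2 == "dest")      dest = v
    else if ($2 == "dest_port") dport = v
    else if ($2 == "proto")     proto = v
    else if ($2 == "target")    target = v
}
END { flush() }
AWK
  awk -f "$prog" "$1"
  rm -f "$prog"
}

# Constructed sample: the 5001 rule from the post, a VPN rule limited to one
# source address, and a LAN-only rule that must not be reported.
write_sample_firewall() {
  cat > "$1" <<'EOF'
config defaults
    option input 'REJECT'
    option forward 'REJECT'

config rule
    option name 'Allow-5001-web'
    option src 'wan'
    option proto 'tcp'
    option dest_port '5001'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-OpenVPN-from-office'
    option src 'wan'
    option src_ip '198.51.100.7'
    option proto 'udp'
    option dest_port '1194'
    option target 'ACCEPT'

config rule
    option name 'Allow-LAN-SSH'
    option src 'lan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
EOF
}

# Usage on the Omnia:  world_open_rules /etc/config/firewall
```

Every line it prints is a port the ISP’s forward exposes to everyone. Either add a src_ip to that rule (uci set firewall.@rule[N].src_ip='203.0.113.0/24'; uci commit firewall; /etc/init.d/firewall restart, with your own source range) or, cleaner, have the ISP forward only the OpenVPN port and reach port 5001 through the tunnel, which is what the original post set out to do.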