Setup several virtual Access Points, each connected to different VPN servers

I’d like to add a few extra virtual Access Points to my Turris Omnia, but each of these should only be connected to a VPN server (such as proXPN, VPN-Unlimited or my company for that matter).

This should allow me to set up “New York”, “Tokyo” or other location-named virtual APs, which I can then simply connect through to use the VPN.

As I see it, I’d have to set up an OpenVPN client (or more?) on the Turris, and then somehow configure the routing when I create the virtual APs.

But what’s the recommended take on this?

  1. Which (open)VPN clients are recommended for easy setup on the Turris? (I guess the choice is between SoftEther and OpenVPN.)
  2. Will I need to use containers and set up a new one for each VPN connection I’d like to have simultaneously, or is one instance enough?
  3. How to set it up?
  4. Any experience worth sharing, related to something similar to this?

Thanks in advance.

We could probably help you better if you explained your use-case more. For example, where is your client?

If you’re trying to get past Geo-fencing (e.g. your client connects to an AP, which is ‘located’ in one of the cities you mention), then let me know & we’ll be having a completely different conversation involving NAT rather than routing.

In any case, here I am assuming you’re trying to get clients (out there on the internet) to connect to home (your TO router)… but a lot of this applies whatever your use-case…

In the absence of any specific information otherwise, I can’t see why you couldn’t just run the VPN server on the TO. In that case, I would use either OpenVPN or WireGuard (which offers significant performance advantages by minimising ring-switching).

I will start by saying that using an LXC in theory will let you use OpenVPN-AS (OpenVPN Access Server), but I don’t think there is an arm7l package available - other than that, there is no justifiable reason to use an LXC for OpenVPN.

You can easily set up multiple OpenVPN listeners/servers on the TO - you’d almost certainly best install OpenVPN via the Foris GUI (Updater section has a checkbox for this), but configure it outside of Foris.

Then I would create multiple VPNs via the CLI. You have two options regarding the configuration of them:
via UCI configuration files (i.e. all the configuration is in /etc/config/openvpn), or via .ovpn files. Below is an example of the former (I haven’t tested this, and it will probably require tweaking for you):

PKI_DIR=/etc/openvpn/pki   # wherever your CA, server cert/key and DH parameters live

for IDX in 0 1 2 3; do
    uci set      openvpn.vpn${IDX}=openvpn
    uci set      openvpn.vpn${IDX}.enabled=1
    uci set      openvpn.vpn${IDX}.dev=tun${IDX}
    uci set      openvpn.vpn${IDX}.proto=udp
    uci set      openvpn.vpn${IDX}.port=$((1194 + IDX))   # four UDP listeners cannot share one port
    uci set      openvpn.vpn${IDX}.fast_io=1
    uci set      openvpn.vpn${IDX}.persist_tun=1
    uci set      openvpn.vpn${IDX}.persist_key=1
    uci set      openvpn.vpn${IDX}.ca=${PKI_DIR}/ca.crt
    uci set      openvpn.vpn${IDX}.cert=${PKI_DIR}/my-server.crt
    uci set      openvpn.vpn${IDX}.key=${PKI_DIR}/my-server.key
    uci set      openvpn.vpn${IDX}.dh=$(ls ${PKI_DIR}/dh2*.pem)
    uci set      openvpn.vpn${IDX}.log=/tmp/openvpn-vpn${IDX}-log.log
    uci set      openvpn.vpn${IDX}.status=/tmp/openvpn-vpn${IDX}-status.log
    uci set      openvpn.vpn${IDX}.server="172.31.${IDX}.0 255.255.255.0"   # distinct subnet per instance
    uci set      openvpn.vpn${IDX}.ifconfig_pool_persist=/tmp/openvpn-vpn${IDX}-ipp.txt
    uci set      openvpn.vpn${IDX}.comp_lzo=adaptive
    # 'push' is a list option, so every entry goes in with add_list
    uci add_list openvpn.vpn${IDX}.push='redirect-gateway def1'
    uci add_list openvpn.vpn${IDX}.push='dhcp-option DNS 8.8.8.8'
    uci add_list openvpn.vpn${IDX}.push='dhcp-option DNS 8.8.4.4'
    uci add_list openvpn.vpn${IDX}.push="comp-lzo $(uci get openvpn.vpn${IDX}.comp_lzo)"
done
uci commit openvpn
/etc/init.d/openvpn restart

Of course, there’s a bit more to it than that…

Thank you dbonnes, I’ll try to explain better.

I already have the easy OpenVPN active on my TO, and it’s working nicely, allowing me to connect to my TO from abroad, and seemingly be using the net from my home, anywhere in the world.

What I’m now looking for is the opposite - and yes, I believe it involves geo-fencing.

I’m currently running an OpenVPN client (Viscosity) on my computer, which allows me to connect to VPN servers abroad, and seemingly use the net from anywhere in the world. Again it works nicely… but I’d like to move that functionality to my TO, so I don’t have to re-configure all my devices every time there is a change. In other words, I’d like my TO to act as an OpenVPN client, or rather several OpenVPN clients simultaneously, where each client is then routed to a dedicated VLAN on the TO, which shall also be able to see my home network devices, such as the printer. (The SSID of the VLAN would then be the city or country name of the specific OpenVPN server.)

I hope it’s more clear now.

OK, so confidentiality isn’t a prime concern - you just want to bypass Geo-Fencing? It’s still not clear to me where the client (say your laptop) is? For example, do you want to

  • access Netflix USA even though you’re at home in (say) London, UK?
  • access your own servers/printers/webcams as if you’re located at home (in London, UK), even though you’re in New York, USA?

I’m not sure what you mean by this. Just trying to understand - it isn’t congruous with what you said above. Maybe it would help if you told me what devices (and what bits of those devices) need re-configuring?

For example, I cannot see why you need multiple VLANs (which offer some minimal security/performance benefit in exchange for significantly increased complexity), and - if you don’t require concurrent ‘access’ to multiple geo-locations at once - why you need multiple access points (SSIDs) (you’d need to visit each device and get it to switch to another SSID), when all you may have to do is stop one OpenVPN client and start another.

@fsteff - don’t take this the wrong way, but: maybe you could spend more time explaining what you want to do, rather than how you want to do it?

If all you want is to get your home network (which is actually in London, UK) to ‘appear’ to be in, for example, Tokyo, Japan (or New York, or even at home in London), and - assuming you only need to appear in one place at once - then: this is easy enough - just have multiple OpenVPN clients and only have 0 or 1 of them active at a time. This is quite common - I did a quick google, and here is the first result (albeit for only 1 VPN):

A use-case for this: I used to travel to France quite often. I would take my tablet and a Chromecast device, along with an OpenWrt router (TO is based upon OpenWrt). The router was configured as an OpenVPN client to my OpenVPN server at home in the UK, and routed all traffic through the VPN. I would attach the router to the modem via ethernet cable (so it could access the Internet). My tablet & Chromecast both connected to the router via its AP & I could talk to the Chromecast dongle, and everyone thought we were in London. Voilà: BBC iPlayer!

Note: appearing in multiple places at the same time would be much more difficult, you’d have to do the above, and work out the IP address of each domain you want to connect to, then establishing route table entries for them - I couldn’t recommend it.

What you could use is source-based routing. Basically, you would set up each OpenVPN connection and a corresponding WiFi network. Then, each WiFi network would get its own routing table, which would direct its traffic through its respective VPN. This is how I do it on mine, where I have 2 VPNs and each has a network that forces traffic from that network to go through the VPN. The only annoying part is that you’ll have to edit your ovpn files a bit and probably write a short script to manually add entries to your routing table (so they get added to the table for the right network - not the global one).

Since it sounds like your primary issue is geo rather than privacy, you don’t have to jump through any hoops to stop DNS leaks either.

Thanks again @dbonnes.
As suggested, I’ll try to focus my question on what I want to do.

At my home in Denmark, I have more than 20 devices (ranging from laptops, tablets and phones to tiny Wi-Fi-enabled microcontrollers) which I’d like to connect via VPN to various other networks. Some of these other networks are commercial VPN services, others are private networks with an OpenVPN server running (similar to the easy VPN option in the TO).
Especially for the tiny Wi-Fi-enabled microcontrollers, configuring a VPN client is not an option, but connecting to different APs is. Several of these will be connected to different VPN networks at the same time.
When it comes to my laptops, my needs are currently met by selecting a single VPN server in a GUI (Viscosity) which also allows traffic for that computer to be routed to my private LAN, whereby all my laptops can access my printer and file-servers etc.

So I was hoping to merge all of this functionality and avoid configuring a VPN client in more than one place (and therefore also only have one place to re-configure when needed - per VPN connection).

@mattventura explains it much better than I do, in post #5

Yes, @mattventura, this seems very much like what I want to do.

What did you do - and why does it have that annoying part?

If I recall correctly, you set up the other routing tables in /etc/iproute2/rt_tables, and then put some lines in /etc/rc.local that set up traffic from each of those VLANs or WiFi virtual APs to use those respective tables (e.g. “ip rule add from 10.3.3.0/24 table mytable1” where 10.3.3.0/24 is the subnet you want to force through that VPN).

Then, you have to edit each VPN config file (assuming your VPN provider gave you pre-packaged config files rather than making you do it yourself). You have to have each one call an up-script and a down-script that will add/remove the routes and also tell each config file to ignore the server-supplied routes (as most VPNs will add a default route, BUT it gets applied to the default routing table). When I get home I can provide an example.
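The source-based routing that @mattventura describes in post #5 and in the reply above (a routing table per VPN, an ip rule per Wi-Fi subnet, route-nopull in the .ovpn, and an up/down script that puts the tunnel's default route into the right table) as one worked script. This is an added example, not code from the thread or from anyone in it. The file name vpn-policy.sh, the table name vpn_tokyo, the subnet 10.3.3.0/24, the device tun1 and the rule priorities 100/200 are assumptions chosen for illustration; it also goes slightly beyond the post by keeping the LAN reachable through the main table (suppress_prefixlength) and by failing closed when the tunnel is down (an 'unreachable' default in the per-VPN table).

```shell
#!/bin/sh
# Added example, not code from the thread: one hook script that OpenVPN calls
# as both its route-up and down script, plus the ip rules that bind one
# Wi-Fi subnet to one VPN. Names (vpn-policy.sh, vpn_tokyo, 10.3.3.0/24,
# tun1, priorities 100/200) are assumptions chosen for illustration.
#
# Assumed lines in the client's .ovpn (route-nopull keeps the provider's
# pushed default route out of the main table; setenv passes our parameter):
#   route-nopull
#   script-security 2
#   dev tun1
#   setenv VPN_TABLE vpn_tokyo
#   route-up /etc/openvpn/vpn-policy.sh
#   down     /etc/openvpn/vpn-policy.sh
# and in /etc/iproute2/rt_tables:   101 vpn_tokyo
#
# Set DRY_RUN=1 to print the ip(8) commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Rules for one subnet, run once at boot (e.g. from /etc/rc.local):
#  prio 100: consult the main table but ignore its default route, so the
#            printer/file server on the LAN stay reachable via normal routes
#  prio 200: everything else from the subnet goes to the per-VPN table
#  plus an 'unreachable' default in that table, so that if the tunnel is
#  down the subnet fails closed instead of leaking out of the WAN (metric
#  1000 loses to the metric-0 default the hook adds while the tunnel is up)
vpn_rules() {
    subnet=$1; table=$2
    run ip rule add from "$subnet" lookup main suppress_prefixlength 0 priority 100
    run ip rule add from "$subnet" lookup "$table" priority 200
    run ip route replace unreachable default table "$table" metric 1000
}

# route-up: point the per-VPN table's default at the tunnel device. A tun
# device needs no gateway address, which also avoids depending on
# route_vpn_gateway being set while route-nopull is in effect.
vpn_route_up() {
    dev=$1; table=$2
    run ip route replace default dev "$dev" table "$table" metric 0
}

# down: the kernel already dropped routes over a deleted tun, so tolerate
# the error; the 'unreachable' route stays and the subnet is now fail-closed.
vpn_route_down() {
    dev=$1; table=$2
    run ip route del default dev "$dev" table "$table" 2>/dev/null || true
}

# OpenVPN exports script_type (route-up / down) and dev; VPN_TABLE comes from
# setenv. Invoked by hand as "vpn-policy.sh setup SUBNET TABLE" it installs
# the rules; with no arguments it does nothing.
case "${script_type:-${1:-}}" in
    route-up) vpn_route_up "$dev" "$VPN_TABLE" ;;
    down)     vpn_route_down "$dev" "$VPN_TABLE" ;;
    setup)    vpn_rules "$2" "$3" ;;
esac
```

Two caveats before using it on a TO: suppress_prefixlength needs the full iproute2 (ip-full), not the busybox ip applet, and `ip rule add` is not idempotent, so check `ip rule show` before re-running the setup. The router must also masquerade the 10.3.3.0/24 source onto the tunnel (on OpenWrt: put tun1 in its own firewall zone with masq enabled and allow forwarding from the Wi-Fi zone to it), and the `dev tun1` line in the .ovpn is what keeps that zone assignment stable across reconnects.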