As I will be traveling a lot more in the next months I am currently looking for a way to securely access my home network even when I will be away. The GL.Inet products seems to be the best fit to do that but before buying them I’d like to be sure that my analysis is correct.
My current home set-up is quite simple. My ISP provided router is connected to the internet. It locally acts as a DHCP server and all my devices are connected to it either using wifi or ethernet.
Great question. I would love to know the same if anyone is kind enough to provide an easy step by step guide for a networking noob like myself. I am already using the Flint at home in an otherwise exactly the same setup as the OP. and can use the Beryl or any other Gl.iNet outfit for travel.
The GL iNet hardware you listed can work, but I think there are better options. Lets start with the remote side. Looks fine. I’m doing about the same thing with the older AR750s, as I have a personal preference to use GL iNet hardware that has been in the field a bit longer and that only uses the OpenWrt network stack, but there are many good reports from users on the MT1300 with current firmware.
On the home side, you have drawn what is known as a double NAT, and you want as few of these as possible. You are already stuck with one double NAT on the remote side. A double NAT means you are translating the IP address twice, once in your ISP router and once more in the B1300 router. Unless you feel that your current ISP router is not properly filtering or not secure, I would keep it as your primary WIFI and Ethernet connection, and add another GL iNet router as either a OpenVPN or Wireguard “VPN appliance”. Future versions of the firmware may officially support serving both protocols on the same GL iNet router at the same time, which can help you work-around VPN issues that you may encounter at different remote sites, as you will then have two different options, on different ports.
The best way to connect this new router working as a “VPN appliance” is to connect it to your Ethernet switch. In your ISP router, you will need to forward the VPN port traffic, and direct traffic for that one port into this new router. Which router to buy depends on the speed you are looking for, so look at the sales literature to help select the product, but remember that for security reasons, you will probably want to turn off WIFI on this device and use it as a dedicated VPN appliance, so WIFI speed is not important. At one place I help manage, I do this with a GL iNet Microuter-N300 as a Wireguard server, but its an older device that I no longer recommend.
The good news is with a bit of work, you should be able to achieve the two goals you stated, as many of us are doing about the same thing.
To have the same external IP address as if I was using it from my home
To be able to access some files that are stored in my home network
Sorry I can’t give you a diagram as I’m on travel and just don’t have the time this morning, but I hope this helps out.
Great explanation Eric but I will unfortunately need to continue to use my “Home Gl.iNet” as my second router in a double NAT situation and not merely as a “VPN appliance”. The reason for needing to use it as my router is the importance of having both AdGuard and Torguard VPN Client features running all the time when I am surfing the net at home and as my ISP router does not provide these vital features. Is there a way around this still?
If I understand correctly when the GL-MT1300 router will have established a VPN connection to my home network, it will be like it’s a part of my home LAN network. Does it means that the GL-MT1300 will obtain a new IP in my LAN network (i.e. 192.168.1.60) or will it share the same as the home GL iNet router (192.168.1.50 in the example) ?
Also I think I will have to test and fine tune but I guess it means that the private wifi provided by the GL-MT1300 (on which I will connect my laptop while traveling) will have to use a different subnet that the one of my home network (i.e. 192.168.5.0/24) to avoid conflicts, right ?
I will have a look tomorrow to find the router with the best specs for this use case.
Can you turn off the “NAT mode” on your ISP provided Modem/Router and run it in “bridge mode”, so it is not as a NAT router? If so, then just plug the GL iNet router WAN port into the ISP router in “bridge mode”, and your will not have a double NAT.
This is one reason I try to never use the ISP provided equipment and just use my own separate modem and router, so I have total control of my packets until they exit the modem.
IP address: On the GL iNet router, if you use the WAN port, by default it asks for a DHCP address from your ISP router. On your ISP router, just assign the MAC address of the GL iNet router a static IP address. To make it easier to manage, on the GL iNet router, use the Firewall interface to allow management of the router using the WAN interface (normally only allowed on the LAN interface). When you configure the GL iNet router as the OpenVPN server, the router will open the necessary WAN port on the GL iNet router. You still need to open and forward that port on the ISP router. The internal LAN address of the GL iNet router will really not be used, except maybe for debugging, as you will access it only via the WAN port which is on your internal network. The only thing is that the internal LAN address on the GL iNet router must be different then your ISP provided LAN address. OpenVPN will also setup an internal address needed for its routing (a virtual thing), and that must be different then the other two.
Any packet coming into your home ISP router on the port forwarded to the GL iNet router will be routed by the GL iNet router’s OpenVPN’s rule set to either your internal LAN network, if it is addressed to your local LAN (192.168.1.x), or it will route outgoing traffic back to your ISP router, so your remote systems packets will be exiting your home ISP router using your home IP address.
And yes, your remote MT1300 should be on a different network then your ISP LAN or your home based GL iNet router.
Many thanks indeed Eric for this. It is unfortunately not possible for my to use ISP router in bridge mode as I need it for WAN aggregation (just to make things easier. LOL). I will definitely try and follow your detailed instruction above to Davz83 but with a double portforward (if that makes any sense - or even tripe if you count my second WAN router - silly, I know) as that has worked for me in the past with accessing a plex server remotely). I will possibly stick a Brume on to my Flint at home and try and use it as a VPN appliance. Thank you again for all the clarifications.
I have tried both bridging and not bridging my ISP cable modem/router and have not noticed any difference, with Internet speeds >200Mbps. I do not currently bridge my ISP router and have my own main router behind it with double-NAT. Even having a GL.iNet router as an OpenVPN client behind my main router works fine with triple-NAT.
In general, the ISP router works well as basic firewall/routers, but is not very flexible/sophisticated. My main issue is that the ISP retains remote control over their router and can monitor/modify it unbeknownst to you.
I do not work for and I do not have formal association with GL.iNet
I’ll add a few things that haven’t been mentioned so far.
Speed. In your diagram, you have four chokepoints to take into account. The first is your upload/download speed for your home cable connection. This is usually asymmetric, say 100/10, so when you are connected to the home vpn server, the fastest you will be able to download to your Beryl is 10. The second, similarly, is the speed of the hotel connection. The third is the processing speed of the Beryl and the fourth is the processing speed of the convexa. Openvpn is slower than Wireguard.
Related to this, you will actually want two almost identical Openvpn clients, the second set up to ignore an instruction to change its default gateway to that of your home openvpn server. That way you can download directly from the internet when you don’t need to appear to be sitting at home.
Port forwarding. Eric mentioned this, but in your structure be sure your ISP router can do this.
DDNS. Unless your home has a static routable IP address, you will need to set up DDNS. When I had comcast as my ISP, the cisco router they required only supported 3 services. You can set it up on the convexa, no doubt, but it is a little tricky with double nat.
But yes, with the sole exception of that ISP router, you are doing what I do. (Never mind link aggregation, you also have that TV thing in the mix).
If your ISP does not provide a Dedicated public IP address for your Internet service, then you have to enable DDNS, with the domain name in the client config file.
EDIT: elorimer beat me by seconds regarding DDNS.
I do not work for and I do not have formal association with GL.iNet
In my experience, it’s not speed but functionality issues with double NAT. I helped a friend debug a problem with Ring cameras not properly notifying them of movement on there property and dropping video frames. It was very intermittent. They spent a lot of time working with Ring support including swapping out cameras, but the fix was getting rid of a double NAT on there WIFI network.
To be sure, there are some situations that may be limited by double-NAT. I do not have any problem with my Dlink and Eques cameras, but port forwarding would resolve it.
My ISP cable modem/router has wifi, so I have a secure Guest wifi on it that is completely isolated from my network. It also has a DDNS client.
I do not work for and I do not have formal association with GL.iNet
I have a fast FTTH connection at home (around 900MBits DL / 500MBits UL) so this part shouldn’t be the problem. Hotel connection will probably be slower but I think something around 100 / 10 is likely based on my upcoming destinations.
So comes the processing power of the devices. Looking at the technical specs of the Beryl it seems it will be around a maximum of 21 Mbits which seems a little low. Thus I am now more considering to switch to the Brume-W instead (maximum of 97Mbits)
It implies that I will have to also switch the Convexa (seems it’s around 25Mbits) for the Flint (around 112Mbits).
It’s a little more expensive than I initially planed but the speed difference (around 4,5x) seems worth it.
Indeed not all my traffic will need to always come from my home. It will be mainly for work and activities like web banking.
I already own a nordvpn subscription and I will be using it the rest of the time. It will give more confidentiality than direct access through hotel or public wifi.
Considering that I will be using a Brume-W while traveling, is it simple to switch from one VPN connection (my private home) to another (nordvpn) and vice-versa ? Reading the docs it seems you can keep a list of the openvpn configurations and change to another one through the admin panel of the Brume, but I was wondering if it could somehow be scripted.
I have checked and my ISP router allows NAT / PAT configuration
My ISP router allows DynDNS. But I need to have a DDNS provider. Do you recommand a reliable one (and if possible free) ?
I’m so jealous of your speeds. We’ll see indoor plumbing before we get fiber. In fact, my ISP is reducing upload speeds from 40 to 10 to “be competitive with other ISPs”.
One reason OpenVPN will be slower than Wireguard is that OpenVPN is single-threaded, so it can’t take advantage of multiple cores. I’m not that familiar with Wireguard, but you might think about using that.
Not sure of your timing, but I see on the product listing that an A1300 and AXT1800 are in the pipeline.
I have six or seven Openvpn clients loaded. You disconnect one and connect the other through the GUI. I’m sure there is a way to script the changes, but I think it might end up being harder.
Here is a radical suggestion for you, given the speed of your home connection, and that is to set up a PC that you RDP into for the work stuff. Form your OpenVPN connection, then start the RDP session. I know that is double-encrypted but I don’t like exposing my work PC to any port forwarding at all, and because the only traffic that is going back and forth is keystrokes and screen paints, there isn’t a lot of traffic so even a Mango is more than sufficient.
I understand very well before FTTH I had to struggle with a 6Mbps (yeah six) ADSL connexion for years… but it’s worth waiting
My timeframe is september. As I’m not in a hurry I guess I will wait a little before buying the travel router and check the incoming products.
I will keep the RDP solution in mind but I don’t think I will be able to use it in the beginning. In fact my current job requires me to use a specific laptop for work with an already embedded VPN client on it to access my company network.
