On Mon, 28 Dec 2020 12:46:56 +0000
Chris Green wrote:
> druck wrote:
> > On 28/12/2020 11:07, Joe wrote:
> > > The first and last are 'site-to-site' VPNs, handling multiple
> > > clients. Best done by scenario 1), but can be done by 3) if the
> > > gateway cannot be a client of the VPN type required. Most modern
> > > routers can be client or server to some VPN types e.g. IPSec and
> > > PPTP, but not usually OpenVPN.
> >
> > Asus routers support OpenVPN client and server out of the box. Any
> > router supported by OpenWrt is also OK.
> >
> If a router 'supports VPN' what does that actually mean?
There are two levels: first is to pass the VPN protocol at all, in
either direction. This isn't relevant to OpenVPN, but some other types
of VPN use two channels like FTP. Like FTP, they require a conntrack
module in the stateful firewall to associate the two channels, to allow
one to pass when only the other has been seen by the firewall. I've
seen routers that supposedly have 'PPTP passthrough' which do not, in
fact, do it correctly. VPNs are an afterthought to router
manufacturers. Draytek was always notable for having better VPN
implementations than most other makes at a comparable price.
Secondly there is actual VPN client or server support, often described
as 'VPN endpoint'.
>
> Presumably it doesn't mean that the router runs as a VPN server, or
> does it?
At the second level, yes.
>
> If my router supports VPN (which it does, a Draytek 2860N) and I
> enable it what else needs to happen to make it useful?
It depends on the type of VPN. Some like OpenVPN are normally secured
by certificates, some just by password. They will often need a key at
both ends for use in the symmetrical encryption. Asymmetrical encryption
can be provided by the certificate, but that is generally too slow to
have a decent performance.
> ... and what
> does my LAN behind the router look like, is it *all* on the VPN by
> default or what? ... and how do I connect a remote system to the VPN?
>
>
If the router is the endpoint, then all the LAN is potentially
available to the client. If the router has a decent firewall user
interface, then access can be tailored so that only certain LAN
computers are visible. Ideally the router should connect to the LAN via
a separate firewall computer running iptables or nftables, which allow
very fine-grained control in forwarding. Of course, the LAN computer
firewalls can also permit packets on only certain ports when arriving
from the router.
> ... and how do I connect a remote system to the VPN?
Give the VPN client the public IP address or hostname, and tell it to
connect. Network Manager works fairly well these days, and has plugins
for some VPNs. Obviously arrange for the client to have any keys or
certificates it requires. It is wise to have human intervention required
e.g. to have a private key encrypted with a good passphrase which is not
entrusted to the VPN client, so if the key becomes compromised it can
be cancelled and replaced without much risk of intrusion. I keep
OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
lose a laptop, my home network is still safe, and if I lose the wallet,
the encryption passphrase isn't stored on the stick.
--
Joe
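An added illustration of the 'passthrough' point made above (not code from the thread): a toy stateful filter for a two-channel VPN such as PPTP, where the TCP/1723 control channel is easy to match but the GRE data channel carries no port and is only admissible once the firewall has associated it with a seen control session. Addresses are constructed, and the helper is simplified (a real conntrack pptp helper also parses call IDs from the control channel).

```python
"""Toy stateful filter showing why two-channel VPNs (PPTP: TCP/1723
control plus GRE data) need a conntrack helper: without it a stateful
firewall passes the control channel but has no state to admit GRE."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "gre"
    src: str
    dst: str
    dport: int = 0    # TCP destination port; GRE has no ports
    fin: bool = False  # TCP FIN, used here as "control session closed"


class PptpAwareFirewall:
    PPTP_PORT = 1723

    def __init__(self, helper_enabled: bool):
        self.helper_enabled = helper_enabled
        # Unordered endpoint pairs with an open control channel (constructed
        # simplification: real conntrack also tracks call IDs and timeouts).
        self.control_sessions = set()

    @staticmethod
    def _pair(pkt):
        return frozenset((pkt.src, pkt.dst))

    def filter(self, pkt):
        if pkt.proto == "tcp" and pkt.dport == self.PPTP_PORT:
            if pkt.fin:
                self.control_sessions.discard(self._pair(pkt))
            else:
                self.control_sessions.add(self._pair(pkt))
            return "accept"
        if pkt.proto == "gre":
            # The helper marks GRE as RELATED to a known control session.
            # Without it, GRE matches nothing and the default policy drops it,
            # which is exactly what broken "PPTP passthrough" looks like.
            if self.helper_enabled and self._pair(pkt) in self.control_sessions:
                return "accept"
            return "drop"
        return "drop"


def run(helper_enabled, packets):
    fw = PptpAwareFirewall(helper_enabled)
    return [fw.filter(p) for p in packets]


# Constructed sample flow: client 203.0.113.5 -> PPTP server 198.51.100.9.
SAMPLE = [
    Packet("tcp", "203.0.113.5", "198.51.100.9", 1723),            # control opens
    Packet("gre", "198.51.100.9", "203.0.113.5"),                  # data, server->client
    Packet("gre", "203.0.113.5", "198.51.100.9"),                  # data, client->server
    Packet("gre", "192.0.2.77", "198.51.100.9"),                   # GRE with no control session
    Packet("tcp", "203.0.113.5", "198.51.100.9", 1723, fin=True),  # control closes
    Packet("gre", "203.0.113.5", "198.51.100.9"),                  # stray GRE after close
]
```

Running `run(True, SAMPLE)` against `run(False, SAMPLE)` shows the data channel accepted only when the helper is present and only while the control session is open.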