Hello again! Remember a few posts ago when I said I would get back into printing after I get things situated? Welp, now that I finished my Halloween post, I think it's time to debrief on how we got there. Lots of lessons learned and silly mistakes to be had, so this post should be plenty informative and fun!
Disclaimer! There is going to be lots of ID10T errors and face palming ahead! If you are an expert in networking and already have high blood pressure, I’m not going to pay for your medical expenses when you go into cardiac arrest. With that out of the way, take a step inside Frank’s brain! 🙂
You’re probably wondering how my Firewall got here…
It all starts with an annoyance. An irritation that grows to make a man go mad. For me, it was spotty WiFi. Originally, I had a Netgear Nighthawk R6700, a mid-range wireless router. It allowed port forwarding, VPN, 5GHz + 2.4GHz AC signal, all the things you need to self host at home.
The beef I had with it was Wi-Fi range. The Nighthawk was located in the far corner of the house, in the basement. Now, my house is not that big, but a layer of flooring plus being 60ft away will cause Steam streaming to lag. However, I was able to live with it.
Strike two was when I got the Oculus Quest 2. Since the Quest is a Wi-Fi 6 device, I was restricted to my Nighthawk's AC signal. Streaming Half Life Alyx over Airlink through Steam can get very laggy. I figured this was the last straw. I already shelled out $300 for the Quest, $60 for the game, what's another couple hundred to get the Wi-Fi right.
Doing some intense research I found my silver bullet. The Amazon Eero mesh Wi-Fi system.
Eero, the iPhone of Firewalls, Routing and Wi-Fi
Yes, this is a jab at Apple, but there is also a point. Being an Android user, it is basically the same as having an iPhone, with one key difference. Android allows you to go off the beaten path. With Apple, you basically have to jailbreak in order to get off the path. Eero follows this same logic.
Eero forces you to use an app to control your Wi-Fi's config. You cannot make changes from a desktop browser. Eero will not let you make static routes, gateway changes, or even act as a VPN server. However, with Netgear, I could at least do those changes or, if I couldn't, resort to installing DD-WRT.
Anyway, the point is, going to Eero, I was gaining a ton of performance, signal range, and a mesh network at the expense of a few things. Going back to my Apple jab, this is where an iPhone user would have just said “Welp, I guess I can’t do that anymore! Oh well!” Not me, where there is a will there is a way, and where there is a way there is a work around! 🙂
Question is how do we regain VPN and full networking control? The answer…
Fire up the Firewall
At a previous job, we had to run things on the cheap. Meaning, we did everything open source. When it came to our firewall, we used pfSense. It’s a solid piece of software to turn any rinky-dink computer into a badass firewall. I just so happen to have that rinky-dink desktop, but I had one critical piece missing. I needed a secondary network card.
Reason being, one NIC is for WAN and the other is for LAN. So the network flow goes from modem to WAN port on the firewall, then LAN port to Eero. Eero in this scenario will be in bridge mode, so it's just going to pass the traffic along. The Eero router has two ports, one to the firewall and the other going to my old Netgear modem that is also running in bridge mode. It's essentially just a switch at this point.
When I had a day where my wife was going to be out and the internet could be down for most of the day, I got to work. During setup, I kept the LAN IPs, port forwarding and reservations the same as what I had with Eero.
After setup and running updates, the firewall went live. Success!! I set up DNS and added records so I don't have to memorize IPs anymore, which was a huge plus. I also got OpenVPN running and connected to my 3D Printer from the outside!
The internet and network seemed to be working! Until I tried to cast to my Chromecast…
Give me Wi-Fi or Give me None! Don’t Tease me!
The Chromecast was just the tip of the iceberg. My Ring doorbell wouldn't pull up footage, Sonos would think that I am offline and Plex couldn't find my server anymore. At least Alexa and Hue worked. However, when I switched over to 4G LTE, all of a sudden all of the cloud based apps would start working again. I knew it had something to do with the firewall blocking too much or something screwed up with DNS.
Over the next two days (22 hours in total I think?) I tried every trick I could think of. Killing security rules, turning off Snort, opening traffic to all the ports. You know, all the worst things you can do to a firewall.
Alas, I threw in the towel and reverted my network back to using the Eero as my router. Oh well, it was worth a shot and I learned a lot. Welp that’s the end of this post…. Thanks for reading.
HOLD UP! WE DON’T QUIT THAT EASY!!!!
It dawned on me how fucking stupid I was being… Remember, originally the goal was DNS and VPN. Why did I have to do this using pfSense or with a firewall?! Then it hit me, I could just fire up another VM and use it as a BIND DNS server and an OpenVPN server!
Hopping into Proxmox on our VM server, I created a new linked VM running Ubuntu and Webmin. Templates in Proxmox make spawning new servers super easy 🙂 DNS wasn't too hard to set up. Webmin already comes with BIND installed along with a management module. With a new domain and some A records, my woes of typing in an IP address to get to my servers were over! Well, after I figured out how to set up custom DNS servers in my Eero config. That way when a device on my network gets DHCP and DNS, it knows to talk to my DNS server to figure out where to go instead of Google or Cloudflare.
The final hurdle to jump was a VPN server. Turns out Webmin already comes with a VPN service, PPTP. Buuut…. before we say “problem solved!” there is something to know about PPTP VPNs. They are NOT secure. Like, a pencil shoved into your door bolt lock and ramen noodles used for the chain on your door is more secure than PPTP…
Don’t get me wrong, you want speed you go PPTP! You want secure, you go somewhere else. Like Open VPN 🙂
Making Things less Open with OpenVPN
The catch with setting up an OpenVPN server is that it is a complete PAIN IN THE ASS. I think it took me almost a damn week to get it right. I highly, highly, highly recommend using the Open VPN Module for Webmin. You might have to do some translating, since the developer is Italian and wrote the documentation in their language. But other than that the tool is great! There are even several YouTube videos out there that go over using it and doing setup.
So, how is this a pain in the ass? Networking. The big problem with the OpenVPN server config is that there are literally hundreds of parameters and properties to try. Trying to figure out which one is going to do exactly what you need involves a shit ton of trial and error.
The problem was once my VPN device connected, it was given an IP from the VPN server. The part I didn't know how to do was set up routing between my VPN subnet and my LAN. Out on the internet, everything I found involved static routes, changing the default gateway settings, etc, etc… Problem is, Eero doesn't let you touch any of that! So, here I was thinking game over.
Eventually, I got super lucky and found a post with someone trying to do exactly what I was doing. That post helped me get through how to set up CAs, server keys and client keys for SSL and TLS. Much of that was taken care of by the OpenVPN Webmin Module! That post eventually led me to this GitHub post, showing the config of a working OpenVPN server!
The critical config that turned my failure into a victory was:
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.2.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR SERVER IP ADDRESS
What this basically says is "hey, see that Eero over there? That's not your gateway. Me, the VPN Server, I'm the gateway, and I'll take you to the LAN!" The push route lines install routes on the client so that traffic for the 192.x LAN is sent through its 10.x VPN address instead of its own default gateway.
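To cut down on the trial and error described above, here is a small sanity checker for exactly these lines. It is an added example, not code from the post or from the Webmin module: it parses the server pool, the endpoint addresses and every pushed route out of a server.conf fragment and reports the mistakes that would leave VPN clients unable to reach the LAN. The config text is the fragment from the post, and the LAN subnet 192.168.2.0/24 is the placeholder value the post tells you to swap.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the server.conf fragment quoted in the post.
SAMPLE_CONF = """
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"   # your local subnet
"""

ROUTE_RE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"')


def parse_conf(text: str) -> Dict[str, object]:
    """Extract the VPN pool, the ifconfig endpoints and all pushed routes."""
    pool, ifconfig, routes = None, None, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("server "):
            _, net, mask = line.split()
            pool = ipaddress.ip_network(f"{net}/{mask}")
        elif line.startswith("ifconfig "):
            _, local, remote = line.split()
            ifconfig = (ipaddress.ip_address(local), ipaddress.ip_address(remote))
        m = ROUTE_RE.match(line)
        if m:  # netmask form "10.8.0.1/255.255.255.255" is accepted by ipaddress
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return {"pool": pool, "ifconfig": ifconfig, "routes": routes}


def check_routes(conf: Dict[str, object], lan: str) -> List[str]:
    """Return the problems that would stop clients reaching the LAN via the VPN."""
    lan_net = ipaddress.ip_network(lan)
    pool, routes = conf["pool"], conf["routes"]
    problems: List[str] = []
    if pool is None:
        problems.append("no 'server' line: clients get no address pool")
    elif conf["ifconfig"] and conf["ifconfig"][0] not in pool:
        problems.append("ifconfig endpoint is outside the server pool")
    if pool is not None and pool.overlaps(lan_net):
        problems.append(f"VPN pool {pool} overlaps LAN {lan_net}: routing is ambiguous")
    if not any(lan_net.subnet_of(r) for r in routes):
        problems.append(f"no pushed route covers LAN {lan_net}: clients keep using their own gateway")
    return problems
```

Run `check_routes(parse_conf(SAMPLE_CONF), "192.168.2.0/24")` against your own LAN prefix; an empty list means the pushed routes match the subnet you actually want to reach, which is the mistake the placeholder comment exists to catch.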
After a reboot and another swig of beer, the VPN was live and working!
Takeaways from a Dumpster Fire
This was more of a 10,000ft view story post and less of a tutorial. I haven't written in a while and I've been meaning to get this one out. I may revisit bits in this post for a more tutorial-style series, like how to set up BIND, VMs in Proxmox, or OpenVPN.
Just figured that I would share my struggles and let readers know that it's not all easy and 100% progress all the time in tech. Most of the time it's straight up failing. What is important is that you keep trying and don't give up!
Stay curious and keep trying to find new angles! 🙂