
Thread: VPN Routers

  1. #101
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    As client in the router? I’m not really familiar with their product, will look into it.

  2. #102
    Join Date
    Jan 2003
    Location
    USA
    Posts
    6,429
    Post Likes
    Client I believe, but haven't played with it yet. Saw the announcement a few weeks back and been meaning to track down one of ours to test on. Have my hands on one that I plan on tinkering with over the weekend, but seem to be in SIM card hell. May have to test with the wired WAN.

    Included in the firmware
    https://forum.peplink.com/t/configur...-openvpn/19757

    $20 / one time fee adds this
    https://forum.peplink.com/t/introduc...-license/30392
    Propagating the formula. http://www.noagendashow.com/

  3. #103
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    OK, so looks like a solid contender for taking Cradlepoint's place for LTE clients. Even seems most have a WAN failover port, which the IBR200 lacks. But for our wired sites it's not looking like they will dethrone Ubiquiti.

  4. #104
    Join Date
    Jan 2003
    Location
    USA
    Posts
    6,429
    Post Likes
    They are not as flexible as the edge router series by any means. For cellular they have been my go to, for both temp and permanent access. The ones we ship around for temp access have gotten roughed up pretty good over the years and zero failures. Never had them go off into lala land and need a monthly reboot. Multi sim, either for dual carriers / redundancy or share data between the cards. You can even mix and match between both sims and wired if need be. Firmware is constantly updated and if you need to manage a gaggle of them the Incontrol cloud service is very nice. Openvpn support if it does what we want, icing on the cake.

    They also added Lan side NTP server that can get time from an external NTP server you specify or from GPS.
    Propagating the formula. http://www.noagendashow.com/

  5. #105
    Join Date
    Jan 2003
    Location
    USA
    Posts
    6,429
    Post Likes
    So the base firmware is server mode, can't configure much of anything. Haven't messed with that yet. Guessing it works as good as the other options.
    The OpenVPN WAN license gets you client mode. This uses a standard client config file to set up, so it seems pretty flexible. All your certs need to be within that config. Finding a few snags, but it is first release.

    Will start a new thread elsewhere later.
    Propagating the formula. http://www.noagendashow.com/

  6. #106
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Quote Originally Posted by orion242 View Post
    So the base firmware is server mode, can't configure much of anything. Haven't messed with that yet. Guessing it works as good as the other options.
    The openvpn wan license gets you client mode. This uses a standard client config file to setup, so it seems pretty flexible. All your certs need to be within that config. Finding a few snags, but it is first release.

    Will start a new thread elsewhere later.
    Inline config certs don't look hard, though my commercial solution uses individual files at the moment as that's what comes out of easyrsa. This is an example of what comes out of my openvpn client export in pfsense for a client config.

    Code:
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote site.example.com 1195 udp
    verify-x509-name "Home pfSense" name
    auth-user-pass
    remote-cert-tls server
    
    <ca>
    -----BEGIN CERTIFICATE-----
    MIIGYjCCBEqgAwIBAgIBADANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJVUzEL
    ~
    wjW6fodg
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    MIIFuDCCA6CgAwIBAgIBAzANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJVUzEL
    ~
    colY6HWMJ+6Z3sOb1+hWMYXSu1XgU78jAd3M1g==
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDQ79z49/ptOuIF
    ~
    JLVLR9C97Cy2FdvJkniviMzJ
    -----END PRIVATE KEY-----
    </key>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    3b74be37068016f06061c9d1c43c4aca
    ~
    ca2762a056a8d90900db66d530cf68a9
    -----END OpenVPN Static key V1-----
    </tls-auth>

  7. #107
    Join Date
    Jan 2003
    Location
    USA
    Posts
    6,429
    Post Likes
    Pretty much. Also added -

    Code:
    ca [INLINE]
    cert [INLINE]
    key [INLINE]
    tls-auth [INLINE] 1
    Certs was not a big deal. Not much of any VPN debug within the router, kinda leaves you guessing sometimes. It will puke out your setup file if there is an error at least.
    The firewall & routing between the VPN & LAN subnet could use a bit of documentation imo.

    Also seems to ignore non-standard ports within the config.

    Need to play with it a bit more.
    Propagating the formula. http://www.noagendashow.com/
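
An added example, not code from either poster or from Peplink: one way to turn the individual files that easyrsa produces into the single-file inline profile discussed in posts #106 and #107. The file names, the `build_inline` and `pem_block` helpers, and the placeholder key material are assumptions constructed for illustration.

```python
import re

# Inline-capable directives mapped to the PEM label each block must carry.
LABELS = {
    "ca": "CERTIFICATE",
    "cert": "CERTIFICATE",
    "key": r"(?:[A-Z]+ )?PRIVATE KEY",
    "tls-auth": "OpenVPN Static key V1",
}

def pem_block(directive, text):
    """Return only the BEGIN..END span, dropping any text dump around it."""
    label = LABELS[directive]
    m = re.search(rf"-----BEGIN ({label})-----.*-----END \1-----", text, re.S)
    if not m:
        raise ValueError(f"{directive}: no matching BEGIN/END block found")
    return m.group(0)

def build_inline(base_config, materials, key_direction="1"):
    """Replace file-path directives in base_config with inline blocks."""
    kept = []
    for line in base_config.splitlines():
        first = line.split()[:1]
        # File-path references are superseded by the inline blocks below.
        if first and (first[0] in LABELS or first[0] == "key-direction"):
            continue
        kept.append(line)
    for directive in LABELS:
        if directive not in materials:
            raise ValueError(f"{directive}: material not supplied")
        if directive == "tls-auth":
            kept.append(f"key-direction {key_direction}")
        block = pem_block(directive, materials[directive])
        kept.append(f"<{directive}>\n{block}\n</{directive}>")
    return "\n".join(kept) + "\n"

# Constructed sample input: a file-based client config and placeholder material.
BASE = ("client\ndev tun\ntls-client\nremote site.example.com 1195 udp\n"
        "ca ca.crt\ncert client1.crt\nkey client1.key\ntls-auth ta.key 1\n")
MATERIALS = {
    "ca": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n",
    # Text dump ahead of the PEM block, as some tools emit it.
    "cert": "Certificate:\n  Data: ...\n-----BEGIN CERTIFICATE-----\n"
            "CONSTRUCTED-CERT\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n",
    "tls-auth": "#\n# static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
                "00ff\n-----END OpenVPN Static key V1-----\n",
}
```

Write the returned profile with owner-only permissions (for example mode 0600), since it now embeds the private key and the tls-auth static key.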

  8. #108
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    The biggest debug I saw was the messages log, is there a way to grep that?

    The routing in OpenVPN is indeed a challenge but for the VPN clients it all gets pushed to them from the server client configuration directory files. Nothing explicitly stated in the client config. Other routing defined in server config too.

    Non standard ports would be a critical fail for me too, using the heck out of that.

    I guess another angle would be the non standard TCP tunnel I’m using.

    Firewall is whatever is built into the router, not really a thing to do with it with OpenVPN. I should do a write up on the firewall stuff I’m doing in the edge router.

  9. #109
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    From the Pressroom

    Ericsson Agrees to Acquire Cradlepoint for $1.1 Billion

    The future of Wireless WAN has been recast. Ericsson has agreed to acquire Cradlepoint for $1.1 billion. This landmark partnership will help accelerate 5G and Wireless WAN within the enterprise and beyond.

  10. #110
    Join Date
    Jan 2003
    Location
    USA
    Posts
    6,429
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    The routing in OpenVPN is indeed a challenge but for the VPN clients it all gets pushed to them from the server client configuration directory files.
    It should be, but if that's ignored like the server port is...

    You can only see static routes you add, not any that are automatically created by the device or related to the VPN. Your feedback on the VPN status is connected, connecting, disconnected, finding MTU. Not that great for troubleshooting at the moment. This is one step above beta firmware at the moment, so anything is possible I assume.

    Quote Originally Posted by MaxBurn View Post
    Firewall is whatever is built into the router, not really a thing to do with it with OpenVPN.
    The VPN endpoint is considered a WAN port, so its firewall is in the middle of any LAN access. It's allow all at the moment, but I wouldn't say the UI in that department is all that clear how things play out between all the WAN ports and (v)LANs. Just glanced to make sure it's allow all everywhere for testing.

    Kinda what you get for all GUI setup vs the more bare metal approach of the edge router. Have the connection up, suspect it's just the routing between things that's the snag. Visibility on the router end could use some improvement. Need some more time with it and I'm assuming it will dance to my tune.
    Propagating the formula. http://www.noagendashow.com/

  11. #111
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Might see some evidence on the server side logs as it pushes the CCD info. This is server log with a successful push making that VPN endpoint virtual IP 10.8.0.11 and pushing the LAN routing to subnet 10.0.1.0/24. Lastly there is another route added for another site 10.100.102.0 255.255.255.0, make that gateway 10.8.0.1 which is the VPN server IP.

    Code:
    Thu Sep 17 09:25:44 2020 client1/206.74.242.6:59624 OPTIONS IMPORT: reading client specific options from: ccd\client1
    Thu Sep 17 09:25:44 2020 client1/206.74.242.6:59624 MULTI: Learn: 10.8.0.11 -> client1/206.74.242.6:59624
    Thu Sep 17 09:25:44 2020 client1/206.74.242.6:59624 MULTI: primary virtual IP for client1/206.74.242.6:59624: 10.8.0.11
    Thu Sep 17 09:25:44 2020 client1/206.74.242.6:59624 MULTI: internal route 10.0.1.0/24 -> client1/206.74.242.6:59624
    Thu Sep 17 09:25:44 2020 client1/206.74.242.6:59624 MULTI: Learn: 10.0.1.0/24 -> client1/206.74.242.6:59624
    Thu Sep 17 09:25:44 2020 client1/206.74.242.6:59624 REMOVE PUSH ROUTE: 'route 10.0.1.0 255.255.255.0'
    Thu Sep 17 09:25:45 2020 client1/206.74.242.6:59624 PUSH: Received control message: 'PUSH_REQUEST'
    Thu Sep 17 09:25:45 2020 client1/206.74.242.6:59624 SENT CONTROL [client1]: 'PUSH_REPLY,topology subnet,route 10.100.102.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.11 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
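
An added example, not part of the original post: a small parser that pulls the per-client facts out of server log lines like the ones above (CCD file loaded, virtual IP, internal route, pushed routes and gateway) and lists peers that received a push without any CCD file being read. The `client1` lines are copied from the post; the `client2` line, its address and the function names are constructed for illustration.

```python
import re

# client1 lines are from the post above; the client2 line is constructed
# to show a peer whose push was sent without a CCD file being loaded.
SAMPLE_LOG = r"""
Thu Sep 17 09:25:44 2020 client1/206.74.242.6:59624 OPTIONS IMPORT: reading client specific options from: ccd\client1
Thu Sep 17 09:25:44 2020 client1/206.74.242.6:59624 MULTI: primary virtual IP for client1/206.74.242.6:59624: 10.8.0.11
Thu Sep 17 09:25:44 2020 client1/206.74.242.6:59624 MULTI: internal route 10.0.1.0/24 -> client1/206.74.242.6:59624
Thu Sep 17 09:25:45 2020 client1/206.74.242.6:59624 SENT CONTROL [client1]: 'PUSH_REPLY,topology subnet,route 10.100.102.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.11 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Sep 17 09:30:02 2020 client2/192.0.2.10:40000 SENT CONTROL [client2]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.12 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
"""

# Timestamp, then "<common name>/<peer address>", then the message text.
LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} (?P<cn>[^/\s]+)/\S+ (?P<msg>.*)$")

def summarize(log_text):
    """Return {common_name: {ccd, virtual_ip, iroutes, pushed_routes, gateway}}."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        c = clients.setdefault(m["cn"], {"ccd": None, "virtual_ip": None,
                                         "iroutes": [], "pushed_routes": [],
                                         "gateway": None})
        msg = m["msg"]
        if msg.startswith("OPTIONS IMPORT: reading client specific options from:"):
            c["ccd"] = msg.split("from:", 1)[1].strip()
        elif msg.startswith("MULTI: primary virtual IP"):
            c["virtual_ip"] = msg.rsplit(": ", 1)[1]
        elif msg.startswith("MULTI: internal route"):
            c["iroutes"].append(msg.split()[3])
        elif "PUSH_REPLY" in msg:
            # Options are comma-separated inside the single-quoted reply.
            for opt in msg.split("'")[1].split(","):
                words = opt.split()
                if words[0] == "route":
                    c["pushed_routes"].append(" ".join(words[1:]))
                elif words[0] == "route-gateway":
                    c["gateway"] = words[1]
                elif words[0] == "ifconfig" and c["virtual_ip"] is None:
                    c["virtual_ip"] = words[1]
    return clients

def missing_ccd(clients):
    """Peers seen in the log for which no client-config-dir file was read."""
    return sorted(cn for cn, c in clients.items() if c["ccd"] is None)
```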

  12. #112
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    I reached out to their support with a ticket to see about compatibility for us. Another notable thing is we are using a TCP tunnel which might not be something they allow if they aren't allowing the OpenVPN client to do everything it's capable of.

    Where are you getting these? If all goes well I might get a sample. Would be nice to reduce these down to one box for cellular sites.

  13. #113
    Join Date
    Jan 2003
    Location
    USA
    Posts
    6,429
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    Where are you getting these?
    Started getting them from 3Gstore.com, then 4Gstore.com and wouldn't you know they are the 5Gstore.com now. Got a few from Amazon as well.

    Kinda annoying when using password managers and the company decides to switch up their URL every few years...
    Propagating the formula. http://www.noagendashow.com/

  14. #114
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Answer. That’s one use of OpenVPN but it would be really silly if they locked it down to that.

    I think I’m still interested over Cradlepoint, failover sim seems useful.

    Hi Scott,

    I've received some info from our team but unfortunately I don't think it's what you'll want to hear;

    "OpenVPN WAN" feature is used to connect to OpenVPN service provider (such as NordVPN, ExpressVPN) and the established connection is supposed to route "internet" traffic (NAT'd) but not "network-to-network" traffic (IP Forward).

    Thanks

    Peplink | Pepwave

  15. #115
    Join Date
    Jan 2003
    Location
    USA
    Posts
    6,429
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    Answer. That’s one use of OpenVPN but it would be really silly if they locked it down to that.
    Indeed, hoping this can remove the need for any more junk on the remote side. I haven't had a chance to sit back down with it again before I start firing off service tickets. Sounds like the ticket cannon will be firing over the weekend.

    Wonder if they watered it down to prevent it from sucking sales from their cloud VPN.
    Propagating the formula. http://www.noagendashow.com/

  16. #116
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    I wanted to take a look at this anyway and we got a MAX BR1 Mini Core, SN: xxx-xxx-xxx. Trying to purchase the license, the store gives the error: Serial number is invalid or does not match the product, please verify ([xxx-xxx-xxx]). Commented on my existing support ticket with this, wondering if the store hasn't been updated with the new SN or something. Seems you didn't have any issues with yours.

    Potentially an issue is I haven't put a SIM in this yet so it can't phone home yet and alert the store it exists. Be real interesting if that's the case.

  17. #117
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    I'm also starting to get annoyed with peplink websites. I've got a login for the forum, support, store, and now it's saying none of those accounts are valid for the incontrol cloud management. Seriously, ever hear of SSO?

  18. #118
    Join Date
    Jan 2003
    Location
    USA
    Posts
    6,429
    Post Likes
    Would check and make sure you have the right model number. Seems they now have 50 versions of the BR1 and they all have similar part #s.

    SSO lol, think they missed that memo.
    Propagating the formula. http://www.noagendashow.com/

  19. #119
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Store is asking for the serial number and that's it. Support is looping in 5gstore so this might be a sales reporting issue.

  20. #120
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Got my license and I built an in line config file. Stuck that in the peplink router and it just says disabled still, even after reboot. Not really seeing a log file anywhere either. According to the server that client never checked in. Not looking good so far.

    You ever make headway here?

    Edit: Also 5gstore is giving me flak about self-hosting InControl, says I need special approval.
