ER7206 - Which VPN is "best"

2024-08-04 22:50:47 - last edited 2024-08-05 01:07:05
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.4.2 Build 20240618 Rel.63827

We have people (US based) traveling to Europe this summer and I would like to provide a VPN solution for their Windows PCs and iOS devices (iPad, iPhone, etc).

The ER7206 has several VPN options. And, (from what I gather), OpenVPN seems to be the preferred VPN option.

 

I have dual, load balancing ISP connections (Frontier 1Gbps and Spectrum 300Mbps) and I have a Dynu dynamic DNS account that resolves to whichever ISP replied at the time an update was requested (an app requests an update every 30 mins).

Even though the ER7206 is set up to use DHCP for the ISP WAN connections, the ISPs never seem to change the IP address we get. I guess we could use the IP address instead of the address that the Dynu domain resolves to.

 

I'm new to setting up a VPN on my firewall.

I've had FWs that supported VPNs in the past, but only tried once using PPTP to a Windows server, and that wasn't great.

 

Assuming this isn't stupid, I envision a VPN where all traffic from the client passes back through the ER7206 to the main network for files and services and back out through the ER7206 to the Internet for anything that is outside.

 

So, I'd like to hear from the "community" about which of the ER7206-supported VPNs is better than the rest in terms of initial FW and client setup.

 

If there is a commercial option, I'd be interested in that.

I've read that the ER7206 can be set up with NordVPN for a "whole network VPN". But we don't need that right now.

 

Thx

Re:ER7206 - Which VPN is "best"
2024-08-05 01:17:50

Hi @ticedoff8 

Thanks for posting in our business forum.

If you are looking for commercial VPNs, then you don't need the Omada router. You need to configure their devices with the commercial VPNs. It does not play a part in the connection as they join the server directly from their devices. Not passing the middle man, which is the router.

 

And if you need to use the ER7206 as the VPN server that is located domestically, I think you can consider OpenVPN, which can be exported with the file. Send the file to everyone and they connect.

Other types of VPNs don't have a better way to support easy connections like OVPNs yet.

Re:ER7206 - Which VPN is "best"
2024-08-05 23:24:34 - last edited 2024-08-05 23:37:37

  @Clive_A 

Where can I get the details on each of the tick-boxes and options to optimize the setup?

There is a YT video on this, but it leaves out most of the simple details.

 

"AccountPWD:" The User that I create already has a password field. Does this box need to be checked to use that? Or is this for prompting the user to enter a PW when they connect?

"Full Mode:" What is this? When it is enabled, the "Local Network:" changes to "0.0.0.0/0" and cannot be changed. Is this (basically) creating a DefaultGW?

"Protocol:" I assume this is for the VPN tunnel. Should it be TCP? Or is UDP going to be faster? 

"Local Network:" The only setting that it allows is "192.168.xxx.0" (with the Netmask /24). But, if I understand this correctly (assuming "Full Mode:" is not checked), it should be the DefaultGW for the one and only subnet we use (192.168.xxx.254/24) to allow them to get out to the Internet

"IP Pool:" Should it be a range of IP addresses on the same LAN and the GW (192.168.xxx.32/28 - 14 clients)? Or is OpenVPN creating a new subnet of clients (EG: 10.10.1.X / 28)?

"Authentication Type:" Since this option is grayed out, it may be related to the Users that I create. If I had RADIUS or AD configured on the router, would there be an option?

 

Here’s the one I'm worried about: "WAN:".

There are 2 WAN configured: "WAN" (Frontier) and "WAN/LAN1" (Spectrum).

Since the GUI only allows 1 WAN, does this mean that there is no redundancy and if the ISP's IP address changes, all the clients will be FUBAR?

I was planning to use the Dynu DNS record for the clients to connect. So it looks like that is not an option.

 

OpenVPN Config

Re:ER7206 - Which VPN is "best"
2024-08-06 01:47:50

Hi @ticedoff8 

Thanks for posting in our business forum.


There are many explanations about the VPN parameters. You can mainly refer to the User Guide or Help Center to find out the explanation for them. About some terms, do a quick Google search, you'd know it.

 

We have a guide about the OVPN config which you can use for the reference about the parameters you ask for. I'll just pick up some to explain:

UDP is faster.

LDAP is possible for the auth type. Controller mode, you have LDAP. In standalone, this might be different.

 

There is no failover for the OVPN. Two WAN means two different VPN servers with different ports.

DDNS has nothing to do with what you think. You should think if you can set both WANs with the same DDNS but I recall the system does not allow it.

Re:ER7206 - Which VPN is "best"
2024-08-07 02:25:55 - last edited 2024-08-07 02:26:47

  @Clive_A 

Thanks.

The <?> icon helps a little, but there isn't much detail.

I was able to stumble through a setup that seems to be working with my Windows 10 PC and an old version of OpenVPN GUI.

I hope there's a newer version of the OpenVPN server coming soon.

 

I thought that using a DNS entry for the VPN endpoint would allow the client to use the one that was "alive". 

But, now that I've had a chance to think about it, I can't recall any VPN client that I've used that had an FQDN as the endpoint. The "profile" names were significant, but the end point was an IP address. I guess that makes sense.

I'll create a 2nd server for the 2nd ISP.

When I worked for a multi-national company, there were a dozen VPN profiles. And, when one didn't work, we just tried the next one for a different country until one connected. Same thing here.


The PC is using OpenVPN GUI openvpn-install-2.4.7-1607-Win10.exe from the Community Downloads - Open Source VPN | OpenVPN because of the age of the OpenVPN server that's being used on the ER7206.

 

In case anyone is looking for something like this in the future, this is how I set it up.

ER7206 OpenVPN Config

And there is 1 "User" defined. I'll add more.

 

The "IP Pool:" will assign an IP address within the scope of the subnet defined.

In this case, /28 provides 14 clients with IP addresses from .113 to .126. Make sure this range does not overlap with a DHCP server's pool or any static IP addresses.

I suspect that the "IP Pool:" could be a completely new and different subnet. But, I haven't tried that yet.

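The overlap check described in the last post, as an added example that is not part of the original thread: it lists the client addresses a VPN "IP Pool" subnet hands out and flags any that collide with the LAN's DHCP range or static hosts. The thread masks the third octet, so 192.168.1.0/24, the DHCP range and the static addresses below are constructed placeholders.

```python
import ipaddress


def check_vpn_pool(lan_cidr, pool_cidr, dhcp_start, dhcp_end, static_ips):
    """Return (client_addresses, conflicts) for a VPN client pool.

    conflicts is a list of (address, reason) for pool addresses that the
    LAN's DHCP server could also lease or that a static host already uses.
    """
    lan = ipaddress.ip_network(lan_cidr)
    # strict parsing: raises ValueError if the pool is not on a subnet boundary
    pool = ipaddress.ip_network(pool_cidr)
    clients = list(pool.hosts())  # excludes network and broadcast addresses

    # A pool on a separate subnet cannot collide with LAN addressing.
    if not pool.overlaps(lan):
        return clients, []

    first = ipaddress.ip_address(dhcp_start)
    last = ipaddress.ip_address(dhcp_end)
    static = {ipaddress.ip_address(ip) for ip in static_ips}

    conflicts = []
    for addr in clients:
        if first <= addr <= last:
            conflicts.append((str(addr), "inside DHCP range"))
        if addr in static:
            conflicts.append((str(addr), "static host"))
    return clients, conflicts


if __name__ == "__main__":
    # Constructed values: a /28 pool carved out of the LAN, as in the post.
    clients, conflicts = check_vpn_pool(
        "192.168.1.0/24", "192.168.1.112/28",
        "192.168.1.100", "192.168.1.120",
        ["192.168.1.254", "192.168.1.126"],
    )
    print(f"{len(clients)} client addresses: {clients[0]} to {clients[-1]}")
    for addr, reason in conflicts:
        print(f"conflict: {addr} ({reason})")
```
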