ER7206 - Whick VPN is "best"
We have people (US based) traveling to Europe this summer and I would like to provide a VPN solution for their Windows PCs and iOS devices (iPad, iPhone, etc).
The ER7206 has several VPN options. And, (from what I gather), OpenVPN seems to be the preferred VPN option.
I have dual, load balancing ISP connections (Frontier 1Gbps and Spectrum 300Mbps) and I have a Dynu dynamic DNS account that resolves to whichever ISP replied at the time an update was request (an app requests an update every 30 mins).
Even though the ER7206 is setup to use DHCP for the ISP WAN connections, the ISP never seem to change the IP address we get. I guess we could use the IP address instead of the address that the Dynu domain resolves to.
I'm new to setting up a VPN on my firewall.
I've had FWs that supported VPN's in the past, but only tried once using PPTP to a Windows server, and that wasn't great.
Assuming this isn't stupid, I envision a VPN where all traffic from the client passes back through the ER7206 to the main network for file and services and back out through the ER7206 to the Internet for anything that is outside.
So, I'd like to hear from the "community" about which of the ER7206-supported VPNs is better than the rest in terms of initial FW and client setup.
If there is a commercial option, I'd be interested in that.
I've read that the ER7206 can be setup with NordVPN for a "whole network VPN". But we don't need that right now.
Thx
Where can I get the details on each of the tic-boxes and options to optimize the setup?
There is a YT video on this, but it leaves out most of the simple details
"AccountPWD:" The User that I create already has a password field. Does this box need to be checked to use that? Or is this for prompting the user to enter a PW when they connect?
"Full Mode:" What is this? When it is enabled, the "Local Network:" changes to 0.0.0.0/0" and can not be changed. Is this (basically) creating a DefaultGW?
"Protocol:" I assume this is for the VPN tunnel. Should it be TCP? Or is UDP going to be faster?
"Local Network:" The only setting that it allows is "192.168.xxx.0" (with the Netmask /24). But, if I understand this correctly (assuming "Full Mode:" is not checked), it should be the DefaultGW for the one and only subnet we use (192.168.xxx.254/24) to allow them to get out to the Internet
"IP Pool:" Should it be a range of IP addresses on the same LAN and the GW (192.168.xxx.32/28 - 14 clients)? Ot is OpenVPN creating a new subnet of clients (EG: 10.10.1.X / 28)?.
"Authentication Type:" Since this option is grayed out, it may be related to the Users that I create. If I had RADIUS or AD configured on the router, would there would be an option?
Here’s the one I'm worried about: "WAN:".
There are 2 WAN configured: "WAN" (Frontier) and "WAN/LAN1" (Spectrum).
Since the GUI only allows 1 WAN, does this mean that there is no redundancy and if the ISP's IP address changes, all the clients will be FUBAR?
I was planning to use the Dynu DNS record for the clients to connect. So it looks like that is not an option.
Thanks.
The <?> icon helps a little, but there isn't much detail.
I was able to stumble through a setup that seems to be working with my Windows 10 PC and an old version of OprnVPN GUI.
I hope there's a newer version of the OpenVPN server coming soon.
I thought that using a DNS entry for the VPN endpoint would allow the client to use the one that was "alive".
But, now that I've had a chance to think about it, I can't recall any VPN client that I've used that had an FQDN as the endpoint. The "profile" names where significant, but the end point was an IP address. I guess that makes sense.
I'll create a 2nd server for the 2nd ISP.
When I worked for a multi-national company, there was a dozen VPN profiles. And, when one didn't work, we just tried the next one for a different country until one connected. Same thing here.
The PC is using OpenVPN GUI openvpn-install-2.4.7-1607-Win10.exe from the Community Downloads - Open Source VPN | OpenVPN because of the age of the OpenVPN server that's being used on teh ER7206.
In case anyone is looking for something like this in the future, this is how I set it up.
And there is 1 "User" defined. I'll add more.
The "IP Pool:" will assign an IP address withing the scope of the subnet defined.
In this case, /28 provides 14 clients with IP addresses from .113 to .126. Make sure this range does not overlap with a DHCP server's pool or any static IP addresses.
I suspect that the "IP Pool:" could be a completely new and different subnet. But, I haven't tried that yet.