Linux - Networking (LinuxQuestions.org forum thread)
Hello. I would like to setup a VPN server on my network so I can connect remotely. Can this be done outside the router? I looked into a 3rd party firmware for my cheap router but the model is questionable (Belkin F9K1102 v3).
For some reason the port forwarding doesn't work on this router either... everything I forward just ends up pointed to the router (192.168.2.1)
You could make the VPN host the gateway of your network and ditch the router, though obviously the machine would have to be on all the time... but that was probably the plan as a VPN anyway. You'd have to harden the machine and set up the firewall too, since you wouldn't be protected by the router. If your machine has only one ethernet port you'll need at least one additional ethernet port (e.g. have to get a PCI card) to pass the network on, and you could use the old router as a switch/wireless AP. Or you could get a new router!
Honestly, I'd go down to the office-supply store and buy yourself a new router!
You need port-forwarding, so that incoming traffic on UDP Port 1192 (or whatever port-number you choose) is delivered to the proper computer.
You also need static routes, because there will be packets flying around your network with IP-addresses such as 10.8.0.x, representing traffic generated by remote directly-connected users. And, if there are remote subnets, packets bearing those addresses will be flying around, too. Your router must static-route those packets back to the OpenVPN machine as a gateway, so that they can be returned to the other side.
Any garden-variety (cheap!) router will do the job nicely, as long as it provides these two features. It is my frank opinion that your old router might have a whole new life as a bookend.
- - -
I've written several lengthy forum-posts here on the subject of OpenVPN, as have several others. Please feel free to post questions here.
Although, like any crypto technology, it takes some time to set up and to get to know, OpenVPN is a very cool technology. When properly set up with digital certificates – ("bad dog! no PSKs!") – and tls-auth, it provides a secure TCP/IP router that cannot be detected(!) from the outside. Authorized users pass easily through, and 100% of their communications through the tunnel are secured. Everyone else is left staring at ... nothing at all.
(I long ago gave up on IPSec ... "why bother?" Those raccoons can just go play in the woods.)
How many "unauthorized access attempts" do we get on our systems? Zero. The outer-layer gantlet is both invisible(!) and impenetrable. No one can get far enough to reach, let alone challenge, the second portcullis.
. . . and yet, to authorized users, who bear the proper (non-revoked ...) certificates, "it's as though it wasn't even there." The IP-addresses on the other side are just as immediately accessible, from their point of view, as is anything on their local network. To them, OpenVPN behaves "just like any other router." The encryption is entirely unobtrusive.
Last edited by sundialsvcs; 03-22-2017 at 10:22 PM.
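The three things the reply above asks of a setup (a port-forward for the OpenVPN port, static routes for the 10.8.0.x and remote subnets pointing at the OpenVPN host, and certificates with tls-auth rather than a PSK) can be checked mechanically against a server.conf. The following Python is an added example, not code from this thread or from the OpenVPN project: the sample config is constructed (port 1192 and 10.8.0.x follow the post; the file names and the remote subnet 192.168.5.0/24 are illustrative), and the OpenVPN host's LAN address 192.168.2.10 is an assumption.

```python
import ipaddress

# Constructed sample server.conf (not from the thread). UDP port 1192 and the
# 10.8.0.x range follow the post; the file names and the remote subnet
# 192.168.5.0/24 are illustrative assumptions.
SAMPLE_CONF = """\
port 1192
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# tls-auth: HMAC-sign control-channel packets so unauthenticated
# packets are dropped before they reach the TLS handshake
tls-auth ta.key 0
# crl-verify: refuse clients whose certificates have been revoked
crl-verify crl.pem
server 10.8.0.0 255.255.255.0
; a remote subnet reachable behind one of the clients
route 192.168.5.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
"""


def parse_conf(text):
    """Return (directive, [args]) pairs; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], [p.strip('"') for p in parts[1:]]))
    return entries


def audit(entries):
    """Findings against the advice in the post: certificates rather than a
    pre-shared key, tls-auth present, and a CRL so revoked certs are refused."""
    names = {directive for directive, _ in entries}
    findings = []
    if "secret" in names:
        findings.append("'secret' configures a static pre-shared key; use certificates")
    for needed in ("ca", "cert", "key"):
        if needed not in names:
            findings.append(f"missing '{needed}': certificate authentication is incomplete")
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel accepts unsigned packets")
    if "crl-verify" not in names:
        findings.append("no crl-verify: a revoked client certificate would still be accepted")
    return findings


def port_forward_rule(entries, vpn_host_lan_ip):
    """(proto, port, LAN host) the router must forward inbound traffic to.
    1194/udp are OpenVPN's defaults when the directives are absent."""
    conf = dict(entries)
    proto = conf.get("proto", ["udp"])[0].rstrip("46")   # 'udp6' -> 'udp'
    port = int(conf.get("port", ["1194"])[0])
    return proto, port, vpn_host_lan_ip


def router_static_routes(entries, vpn_host_lan_ip):
    """Networks the LAN router must send to the OpenVPN host as gateway: the
    VPN's own subnet ('server') plus every remote subnet ('route')."""
    routes = []
    for directive, args in entries:
        if directive in ("server", "route") and len(args) >= 2:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}")
            routes.append((str(net), vpn_host_lan_ip))
    return routes


if __name__ == "__main__":
    entries = parse_conf(SAMPLE_CONF)
    print("findings:", audit(entries) or "none")
    print("forward:", port_forward_rule(entries, "192.168.2.10"))
    for net, gw in router_static_routes(entries, "192.168.2.10"):
        print(f"static route {net} via {gw}")
```

Run against a config that uses `secret` instead of a CA, the audit returns one finding per missing piece, which is exactly the list of things a PSK setup lacks compared with the certificate-plus-tls-auth arrangement the post recommends.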
Thanks for the reply, I really appreciate it... would it be wise for me to purchase a VPS and learn on that before I deploy it in my live network?
You could, for example at home, set up a VPN on your box (after buying a new cheap router!), and confirm that you can connect to it at work. Or, yes, you could use a VPS for that purpose, although it's likely that you'll be doing some actual-hardware configuring when you deploy the thing in real life.
Remember that the OpenVPN process does not have to be "at the front door," and it does not have to be located on "the machine that you use." (In fact, you should purposely explore both use-cases, because when you are connecting directly you have a 10.8.0.x address, whereas, if you are connecting through an OpenVPN-router located somewhere else, you do not.)
Really, the most difficult thing about setting up OpenVPN for the first time is getting the routing straight everywhere. Fundamentally, it is a "standard 'I have a router leading to a remote subnet' situation," but many of us don't normally operate in a network that uses multiple routers at all.
(I wrote a fairly lengthy forum-post on just that topic here, but I'm too lazy to look it up.)
The others are actually mostly just annoyances: by design, a crypto system will not tell the supplicant anything about why a connection attempt didn't succeed ... until, and if, it does. And, while OpenVPN does fairly-spew into its server-side logs, it can still be difficult to grok what's going on until you've done it a few times. (And, unlike ipsec, you're not dealing with stuff that's wedged into the kernel: all of OpenVPN, other than the very insignificant virtual-tap/tunnel-device wedge that only serves to get data in and out, lives entirely in user-land. Every OpenVPN participant is basically "the same bit of all-user-land software, talking to another copy of itself.")
So, get that "old" machine out of your closet, attach it to your home network, and start experimenting.
And ... "ask, ask, ask" right here.
Last edited by sundialsvcs; 03-23-2017 at 09:46 AM.
There's a fairly easy and explicit tutorial for setting up OpenVPN on Ubuntu available in the March 2017 issue of MaximumPC. It is trivial to adapt to the distro of your choice.
For a very easy VPN server setup you can use a Raspberry Pi. I use the Quad-core RaspberryPi 3 to run 50+ users on a VPN connection and it works flawlessly. Haven't tested the bandwidth but no one has complained yet.
OpenVPN runs as an ordinary user-land program on the host computer. It sends and receives its encrypted traffic through [any one of ...] the host's network adapters, therefore at the host's IP-address. It neither knows nor cares how that IP-address was established, by DHCP or otherwise.
For external routing purposes, the OpenVPN machine's own external IP-address always refers to "the OpenVPN process that is running on that machine," and the packets which depart and arrive there are encrypted.
Meanwhile, OpenVPN will assign addresses (usually ...) in the 10.8.0.x address-range for all connected servers and clients. These addresses are used for them to talk among themselves. DHCP has no part in this subnet: these IP-addresses are strictly virtual, are assigned by OpenVPN itself, and are always routed through a tunX (or tapX) virtual device.
And so:
If you connect directly to an OpenVPN server using an OpenVPN client on your computer, you will have an IP-address (or two) on the 10.8.0.x subnet, and the traffic that you send will appear to come from that IP-address, no matter where your packets wind up. (Your own external IP-address is being used by OpenVPN to send and receive encrypted packets.)
On the other hand, if you were a user on your local subnet, merely using another OpenVPN machine "as a router" and not running a client yourself, your traffic will carry your IP-address within that subnet – whatever it might be, and however it might be established ("DHCP or otherwise ... ditto"). This, of course, is the case when you are using any sort of "router."
- - - -
Most importantly (and this is unrelated to DHCP ...), remember that every subnet will encounter, at minimum, packets bearing the 10.8.0.x address range. It will also encounter packets bearing the IP-address ranges used by all accessible remote subnets. OpenVPN will handle this for any machine upon which it is running, but every subnet must contain sufficient routing provisions – either through route commands on individual machines or through static routes in the local router – to cause these address-ranges to be delivered to the local OpenVPN server "as a gateway" so that it can serve as a TCP/IP router for all of them.
(And, again, this is the case for any sort of "router," except for the additional presence of the 10.8.0.x subnet.)
- - - - -
The IP-address range "10.8.0.x" is established in the OpenVPN configuration files. This particular address-range, like the use of "UDP" port "#1192" for external communications, is merely customary.
Last edited by sundialsvcs; 03-26-2017 at 12:08 PM.
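The routing point made above (and in the earlier reply about static routes) comes down to longest-prefix matching: without an entry for 10.8.0.0/24, a packet addressed to a VPN client matches only the default route and leaves for the ISP instead of the OpenVPN host. The Python below is an added example, not code from this thread or from OpenVPN, that simulates the LAN router's lookup before and after the static routes are added and emits the equivalent per-machine `ip route add` lines. All addresses are constructed apart from the router at 192.168.2.1 named in the question: the OpenVPN host at 192.168.2.10 and the remote subnet 192.168.5.0/24 are assumptions.

```python
import ipaddress

# Constructed addresses (not from the thread beyond the router at 192.168.2.1):
# the LAN is 192.168.2.0/24, the OpenVPN host is assumed to sit at
# 192.168.2.10, and 192.168.5.0/24 stands in for a remote subnet.
VPN_HOST = "192.168.2.10"
VPN_SUBNET = "10.8.0.0/24"
REMOTE_SUBNETS = ("192.168.5.0/24",)

# The cheap router's table before any static route is added: the LAN is
# on-link, everything else goes upstream to the ISP.
ROUTER_BEFORE = {
    "192.168.2.0/24": "direct",
    "0.0.0.0/0": "isp-gateway",   # constructed label for the upstream hop
}


def lookup(routes, dst):
    """Longest-prefix match, as a router or host kernel does it.
    Returns (next_hop, matched_prefix) or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return None if best_net is None else (best_hop, str(best_net))


def with_vpn_routes(table, vpn_host=VPN_HOST, vpn_subnet=VPN_SUBNET,
                    remote_subnets=REMOTE_SUBNETS):
    """Copy of `table` with the static routes the post calls for: the
    10.8.0.x subnet and every remote subnet via the OpenVPN host."""
    new = dict(table)
    new[vpn_subnet] = vpn_host
    for net in remote_subnets:
        new[net] = vpn_host
    return new


def next_hop(table, dst):
    """Where a packet for `dst` leaves this device."""
    match = lookup(table, dst)
    return None if match is None else match[0]


def host_route_commands(vpn_host=VPN_HOST, vpn_subnet=VPN_SUBNET,
                        remote_subnets=REMOTE_SUBNETS):
    """Equivalent per-machine fix when the router cannot hold static routes:
    the `ip route add` lines for a Linux host on the LAN."""
    return [f"ip route add {net} via {vpn_host}"
            for net in (vpn_subnet, *remote_subnets)]


if __name__ == "__main__":
    after = with_vpn_routes(ROUTER_BEFORE)
    for dst in ("10.8.0.6", "192.168.5.20", "203.0.113.5"):
        print(f"{dst}: before -> {next_hop(ROUTER_BEFORE, dst)}, "
              f"after -> {next_hop(after, dst)}")
    print("\n".join(host_route_commands()))
```

The same lookup explains the symptom in the original question: a router that delivers every forwarded packet to itself is doing no forwarding at all, so neither the port-forward nor the static routes can take effect until that router is fixed or replaced.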