AT&T-based FTTN in mid-2021, and efforts to get a more Sonic-like experience (thumbs up so far)

by bg1811 » Mon Jun 28, 2021 9:40 pm
Recently moved and the only option I had for staying with Sonic was the resold AT&T U-Verse service. I had some misgivings after reading about how it differs from pure Sonic service, but I couldn't stomach going to another provider so I went through with it anyway.

Overall, the process went as expected: AT&T showed up on time (twice), Sonic's team is as great as ever to work with, and I was able to get a higher speed tier than in the original estimate.

After about two weeks, I can confirm that the experience others have shared about the resold AT&T service is still true as of mid-2021:
  • Actual speed is closer to the advertised speed when compared to traditional DSL
  • Forced to use AT&T RG (I got the BGW210 model)
  • BGW210's "IP passthrough" isn't a true bridge mode, in that I still see 192.168.1.254 as the second hop after my router when I traceroute anywhere
  • Cannot use Sonic's DNS servers without being on Sonic's VPN
I was told it would be 50Mbps, and got around ~55 / 6. After installation, the system recognized I could go up to 75Mbps (and probably higher, but I believe 75 is as high as Sonic will go for this service) at the same price, so I proceeded with that. After a few days, AT&T showed up again and completed the upgrade without a fuss. I didn't have to change out the BGW210 unit, and it picked up ~78 / 8 after power cycling it.

(Side note: I used to be on Sonic DSL at ~25 / 3, and the difference between 3 and 8Mbps up is huge when I access my home network with WireGuard / RDP.)

To deal with being on AT&T's network, I did some prep work to try to create a more Sonic-like experience. At the very least, I wanted to use my own router to specify different DNS servers on all my devices. I also got a more beefy router to run OpenWrt with, so I can use OpenVPN on that and encrypt all of my traffic. This part has been more of a mixed bag.

The setup I ended up with: Linksys WRT32X (identical to the WRT3200ACM), OpenWrt 19.07.7 with the following enabled:
  • SQM (cake)
  • OpenVPN client
  • Dynamic DNS
  • WireGuard for remote access to my home network
I chose the Linksys unit because its processor has amongst the best performance when encryption & QoS are enabled. (Helpful data from 2019 at OpenWrt's forums.) The performance was indeed solid, with the router being able to maintain the ~78 / 8 speeds even with SQM and OpenVPN enabled. My latency went up from ~23 to ~29ms in various speed tests but overall the performance was more than acceptable to me. OpenWrt is also great in that I can easily connect and disconnect the OpenVPN client with one click. My home network can instantly toggle between AT&T and Sonic IPs, and I'm also able to use Sonic's DNS while OpenVPN is connected.

But what I found was that Google doesn't play well with VPNs. When I enabled whole-home VPN, some Google services like the Messages for Web client (to use a desktop browser as the interface for my Android's text messages) wouldn't work, and my TV's Chromecast started acting up. Then WireGuard got mixed up when OpenVPN got into the picture, and I didn't want to spend more time getting that fixed.

The Messages for Web documentation shows that it's not compatible with VPNs, although I'm not sure if that's the case for Chromecasts. Maybe there was some other configuration issue at my end that caused problems with it. I believe WireGuard should work if configured correctly, too. But I just ended up leaving OpenVPN off on my router, and more or less run it like a "stock" AT&T customer except using Cloudflare's DNS instead of AT&T's.

I haven't run into any issues with the AT&T network yet, but it's good to know I can still use Sonic's VPN with my router, or a software client if I need to. If anyone else has tried something similar with OpenWrt or some other setup, it'd be great to hear about your experience.

Overall, it's been a good experience so far and I'm glad I can stick with Sonic. Thanks for the added features like VoIP, and giving us the VPN option!
by js9erfan » Tue Jun 29, 2021 4:38 pm
bg1811 wrote: "But what I found was that Google doesn't play well with VPNs. When I enabled whole-home VPN, some Google services like the Messages for Web client (to use a desktop browser as the interface for my Android's text messages) wouldn't work, and my TV's Chromecast started acting up."

You should be able to resolve this with selective routing for the devices you want routed over ATT instead of the VPN: https://openwrt.org/docs/guide-user/network/routing

bg1811 wrote: "Then WireGuard got mixed up when OpenVPN got into the picture, and I didn't want to spend more time getting that fixed."

You shouldn’t have a problem running WireGuard on your WAN interface for incoming connections unless you have the same port open for another service (e.g., OpenVPN server, etc.) or a config issue.

I haven’t used OpenWrt in years but with the right configuration everything you want to do should be doable. I have a location with the same ATT router configured for IP passthrough to pfSense... WG, OpenVPN (Sonic client + local server) & policy-based routing all work without issue. After all I trust Sonic much more than ATT and their data collection habits 8-)
by bg1811 » Thu Jul 01, 2021 10:06 am
Yeah, AT&T's data collection policies and sporadic issues reported by other Sonic customers in the past are the main reasons I had misgivings about this setup. If I could get all my IoT devices working without having to go through their network, and just take a marginal performance hit from the encryption, I'd be all over that.

I did check out the VPN policy-based routing package for OpenWrt but was a bit in over my head. I plan to take that on when I have more time to learn. A new major version of OpenWrt is also coming soon so I'll wait for that before taking this on.
by krby » Sun Jul 04, 2021 12:12 pm
Just another confirmation that a "whole house" VPN connection and policy-based routing works with a router behind a Sonic-over-ATT service (I'm also using pfSense). I've been running a whole house VPN for several years and you really need per-device policy routing sometimes. Very few of the streaming services will stream to an IP address they think is from a data center IP or a VPN service. I tend to divide things up by VLAN and have some VLANs go out the raw WAN, some go out the VPN tunnel, but I end up making exceptions for the streaming devices.
by bg1811 » Tue Jul 06, 2021 9:45 pm
I don't stream too many things besides YouTube and Plex (and most of that is just locally stored media), but that's a bummer to know so many services won't work with VPNs. It would be great to be able to leave Chromecasts and other IoT devices alone without having to micromanage which connection they use for various services.

Do you leave entire devices on raw WAN or do you keep them on the VPN, but only have connections to streaming services be separate?
by js9erfan » Wed Jul 07, 2021 6:21 am
It's easiest to put those streaming devices in a vlan and set the gateway to ATT/WAN. However, pfSense + pfBlockerNG also makes it convenient to create aliases using ASNs which auto update. So if you wanted a majority of your devices/vlans to use the VPN as your default gateway (or you have a flat network) you can add exception rules to the firewall that x device will only use ATT for certain IPs or domains (streaming providers, etc). All other device traffic outside of that rule will hit the VPN.

Some websites and email servers will also reject VPN traffic. Applying similar routing rules will help get around that.
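
The per-device exception described in the post above, sketched with Linux policy routing (iproute2 syntax) as it would be typed on an OpenWrt shell. This is an added example, not part of anyone's post; the interface name, gateway, table number and device addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-device VPN bypass with policy routing.
# All values below are constructed placeholders, not taken from the thread.
WAN_DEV=eth1          # assumed WAN interface name
WAN_GW=203.0.113.1    # assumed upstream gateway on the WAN side
TABLE=100             # spare routing table used for "raw WAN" traffic
PRIO=1000             # rule priority, evaluated before the main table (32766)

# is_ipv4 ADDR: succeed only for a dotted quad with each octet 0-255.
# Rejecting anything else keeps stray text out of the generated commands.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# bypass_plan IP...: print the commands that send the listed LAN hosts out the
# raw WAN. OpenVPN's redirect-gateway changes the main table only, so a default
# route held in a separate table is not overridden when the tunnel comes up.
bypass_plan() {
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo "ip route replace default via $WAN_GW dev $WAN_DEV table $TABLE"
    for ip in "$@"; do
        # Delete first so re-running the plan does not fail on a duplicate rule.
        echo "ip rule del from $ip/32 lookup $TABLE priority $PRIO 2>/dev/null"
        echo "ip rule add from $ip/32 lookup $TABLE priority $PRIO"
    done
}

# Constructed sample: two streaming devices that should skip the tunnel.
PLAN=$(bypass_plan 192.168.10.50 192.168.10.51) && echo "$PLAN"
# Dry run only. To apply on the router: bypass_plan 192.168.10.50 | sh
```

The rules match forwarded traffic by source address, so DNS lookups that the router resolves on a device's behalf still follow the router's own routes. Every other LAN host keeps using whatever default the VPN client installed in the main table.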
by bg1811 » Wed Jul 07, 2021 9:45 am
Yeah, I'd still like the IoT devices to go through the VPN as much as I can, to avoid the AT&T data collection. I think OpenWrt can also do what you describe if I spent the time to learn and configure it.