OpenVPN Service

Advanced feature discussion, beta programs and unsupported "Labs" features.
66 posts Page 3 of 7
by netllama » Sun Feb 07, 2016 12:54 pm
I think I figured this out. Apparently the beta server was perfectly happy to accept just a username (netllama), rather than an email address (netllama@sonic.net) for the openvpn username field. However, the production server won't accept a username, and requires an email address.

No clue whether this was intentional, an oversight when the beta server was set up, or what.
by whorfin » Mon Feb 15, 2016 4:13 pm
kgc wrote:
There's no 24 timeout, and shouldn't be on beta.vpn.sonic.net anymore either.


As recently as a few days ago, before I switched to the production server, the beta would drop on me approximately every 24 hours.
by forest » Mon Feb 15, 2016 6:43 pm
kgc wrote:
There's no 24 timeout, and shouldn't be on beta.vpn.sonic.net anymore either.


Thank you so much, Kelsey. Being able to use the VPN 24/7 without those interruptions we saw in the beta makes a huge difference for me. Looks like I won't have to leave Sonic in order to get decent bandwidth after all. Instead, I plan to sign up for FTTN, and protect my bits from AT&T's network using this VPN server. I've just ordered an EdgeRouter X to act as a whole-house VPN client.

For anyone who has been following the VPN session expiration discussion:

I've been using this new server for the past two weeks. My first session died just short of three days in, but it wasn't due to the session time limit that we saw on the beta server. (Judging by my logs, it was either a DSL re-sync or an overly-aggressive openvpn --ping-restart setting.) My second session has been running for ten days so far. This is very promising.

Again, Kelsey, thank you.
by Guest » Mon Feb 15, 2016 8:18 pm
Do any of them support openvpn? I looked at the user guide for the EdgeOS and it only mentioned vpn pptp server support.

forest wrote:
kgc wrote:
There's no 24 timeout, and shouldn't be on beta.vpn.sonic.net anymore either.


Thank you so much, Kelsey. Being able to use the VPN 24/7 without those interruptions we saw in the beta makes a huge difference for me. Looks like I won't have to leave Sonic in order to get decent bandwidth after all.

I now plan to sign up for FTTN, and protect my bits from AT&T's network using this VPN server. I've just ordered an EdgeRouter X to act as a whole-house VPN client.

For anyone who has been following the VPN session expiration discussion:

I've been using this new server for the past two weeks. My first session died just short of three days in, but it wasn't due to the session time limit that we saw on the beta server. Judging by my logs, it was either a DSL re-sync or an overly-aggressive openvpn --ping-restart setting. My second session has been running for ten days so far. This is very promising.

Again, Kelsey, thank you.
by forest » Mon Feb 15, 2016 9:13 pm
Guest wrote:
Do any of them support openvpn? I looked at the user guide for the EdgeOS and it only mentioned vpn pptp server support.


I'm using an EdgeRouter Lite with it right now. The openvpn client is present in EdgeOS 1.7, though it's not integrated into the web interface. I had to add an /interfaces/openvpn node to the router's config tree, telling EdgeOS which vtun interface to use and where to find the Sonic-supplied openvpn config file. I also had to add an auth-user-pass setting to that file, telling it where to find my username and password for the VPN. Once that was done, the VPN link appeared in the EdgeOS dashboard and allowed me to bring it up and down from my (local) web browser.

Setting up the firewall as I wanted it was a bit of a hassle. The EdgeOS web interface has simplified firewall rules that don't seem to let me have one policy for traffic between two network ports and another policy for traffic originating on the router, such as the openvpn client. I got around that by learning the slightly more complicated zone-based rules available through the EdgeOS config tree. I now have a configuration where the VPN will fail closed.

My VPN link currently requires a manual restart (through either the web interface or the command line) when the session dies, for example after a DSL resync. I'm sure I can automate that with some bash scripting.

In short, it requires some command line and config file setup, but it works.

Here are a few articles I bookmarked when I was figuring this stuff out:

The Ubiquiti EdgeRouter: Configuring this extremely low-cost, enterprise-grade router for home use

Full Network “Anonymous” VPN w/Ubiquiti EdgeMax Router

Ubiquiti EdgeMax Router – OpenVPN Client Setup
by matausch » Thu Feb 18, 2016 1:40 pm
What kind of speeds do you see with this router?
It's a cheap device and if speeds would hold up it would be the perfect "all home" VPN solution so many seek.

I found that it has only a dual core 880 MHz CPU so I guess the speeds are low on VPN. What is your speed with VPN on?
by forest » Thu Feb 18, 2016 2:03 pm
matausch wrote:
What kind of speeds do you see with this router?
It's a cheap device and if speeds would hold up it would be the perfect "all home" VPN solution so many seek.
I found that it has only a dual core 880 MHz CPU so I guess the speeds are low on VPN. What is your speed with VPN on?

I don't have an EdgeRouter X yet (I'm borrowing an EdgeRouter Lite), and my Fusion ADSL service is so bloody slow that it can't test any router's throughput. I can take some measurements once I have the device and FTTN. I expect it will be a few weeks.

Based on this thread and other discussions I've found scattered about the net, I have the impression that the EdgeRouter X should handle Sonic's 20mbit/sec FTTN just fine, even with OpenVPN, NAT, and firewall. Not sure about FTTN x2 under those conditions, but I wouldn't be surprised if wire speed was achievable there, too.
by polpo » Fri Feb 26, 2016 12:39 am
This is working great for me on my Linux-based DIY router.

Any chance of IPv6 support over the tunnel in the future, since OpenVPN natively supports it?
by pratik » Mon Feb 29, 2016 11:11 pm
ashes wrote:
@pratik Here's how to setup Tomato...

I'm a Sonic FTTN customer and I want the same level of privacy protection I had under my old Sonic ADSL service. I am VPNing my whole home network to Sonic's VPN server. If the VPN goes down, I want it to fail closed (not to simply route out on ATT's network).

I am running Tomato (Shibby) on an ASUS RT-AC68U v2; you will want a router, like this one, with a reasonably fast CPU to handle VPN without impacting bandwidth. It is not DMZ'd since this VPN-only configuration does not double-NAT due to the VPN bypassing the Uverse gateway's NAT. I have another router DMZ'd providing a standard non-VPN NAT to a separate home network.

Step 1)
Log into ovpn.sonic.net. I mean "Login", not "Connect". Note the drop-menu next to the "Go" button.

You'll see this screen; otherwise you didn't change the drop-menu to Login in the previous step. Hit the last link, "Yourself (user-locked profile)". It will download a file called client.ovpn; open this in any text editor (e.g. Notepad, TextEdit, etc). You will need to copy some keys from this file later on.

Step 2)
On your router running Tomato, go to VPN Tunneling->OpenVPN Client. Enter the following settings.
You could replace ovpn.sonic.net with its IP address: 209.148.113.36
Enter your sonic username/password

The Exclusive DNS setting ensures that only Sonic's DNS servers are used when VPNing.

Here's where you want to copy-paste those keys from the client.ovpn file. Look for the corresponding <tag> in the client.ovpn file and copy the whole alphanumeric string, including the BEGIN and END lines, excluding the <tag> </tag> lines.

You should at this point be able to hit the "Start Now" button and the VPN will start; you can check it on the status tab or in the logfile. If it doesn't establish, check your settings and the log file.

Step 2) (Optional)

In Administration->Scripts->Firewall, adding this will block all home network traffic if the VPN is down.
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

In Administration->Scheduler you can set the VPN to automatically restart on schedule or disconnect.
If you need to restart your VPN connection, then enable this. I was using this on the VPN beta server since it timed out OpenVPN connections after 24 hours, supposedly this doesn't happen on the production server (or the beta server anymore). I just switched to production today, so I haven't tested to be sure. Anyhow if you need it, it's here.

Also there we can have the VPN auto-reconnect if we lost the connection.
This sets it to try to establish the VPN every minute (at the 40 second mark, due to the "wait 40;"). I offset this by 40 seconds for compatibility with the scheduled force-restart setting above. If your VPN is already established, then this does not disturb the existing link. You can test this yourself by disconnecting your WAN port on your router to force a loss of connection, then watch it re-establish on reconnect.

Thank you very much for the detailed write-up, I really appreciate it.
I have a similar (if not the same) router -- T-Mobile router flashed with Advanced Tomato.

Can you please elaborate more about DMZ? I am currently using it in a DMZ setup because that was the only way to use port forwarding on my router.
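
Added example, not part of any post in this thread: a shell function that reads `iptables -S FORWARD` output and reports whether the fail-closed rule from the quoted Tomato guide actually takes effect, i.e. whether an unconditional DROP for LAN-to-WAN traffic is reached before any ACCEPT. The function names, the sample chain and the `vlan2` WAN interface name are constructed for illustration; it does not follow jumps into user-defined chains and reports those as "unknown".

```shell
#!/bin/sh
# Added example (not from the thread). Walks `iptables -S FORWARD` output on
# stdin in order (first match wins) for a packet entering on $1, leaving on $2.
# On the router: iptables -S FORWARD | check_fail_closed br0 "$(nvram get wan_iface)"
check_fail_closed() {
    awk -v lan="$1" -v wan="$2" '
    function ifmatch(pat, name) {          # "" = any; trailing "+" = prefix wildcard
        if (pat == "") return 1
        if (substr(pat, length(pat)) == "+")
            return index(name, substr(pat, 1, length(pat) - 1)) == 1
        return pat == name
    }
    $1 == "-P" { policy = $3; next }
    $1 != "-A" || done { next }
    {
        in_if = out_if = target = ""; cond = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "!")       { cond = 1; i += 2 }   # negated match: conditional
            else if ($i == "-i") { in_if = $(++i) }
            else if ($i == "-o") { out_if = $(++i) }
            else if ($i == "-j") { target = $(++i); break }
            else                 { cond = 1 }            # any other match (-m, -p, ...)
        }
        if (!ifmatch(in_if, lan) || !ifmatch(out_if, wan)) next
        if (target == "ACCEPT") {                 # even a conditional ACCEPT may leak
            print "open: " $0; done = 1
        } else if (target ~ /^(DROP|REJECT)$/ && !cond) {
            print "closed: " $0; done = 1         # unconditional drop ends the walk
        } else if (target !~ /^(DROP|REJECT|LOG|TCPMSS)$/) {
            print "unknown: " $0; done = 1        # jump into a chain we did not read
        }
    }
    END {
        if (!done) { v = (policy == "DROP") ? "closed" : "open"; print v ": policy " policy }
    }'
}

# Constructed FORWARD chain (br0 = LAN, vlan2 = WAN). $1 says where the
# DROP rule sits: "inserted" (-I, first), "appended" (-A, last) or absent.
sample_rules() {
    drop='-A FORWARD -i br0 -o vlan2 -j DROP'
    echo '-P FORWARD DROP'
    if [ "$1" = inserted ]; then echo "$drop"; fi
    echo '-A FORWARD -i br0 -o br0 -j ACCEPT'
    echo '-A FORWARD -m state --state INVALID -j DROP'
    echo '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A FORWARD -i br0 -j ACCEPT'
    if [ "$1" = appended ]; then echo "$drop"; fi
}
```

The FORWARD chain only covers traffic routed for LAN clients; packets the router itself originates go through OUTPUT and are not checked here.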
by kkl0 » Tue Mar 01, 2016 4:32 pm
Hello.

I need some help from Sonic and user community with an issue I'm having with the OpenVPN service at ovpn.sonic.net using the Windows OpenVPN Connect client. I'm able to connect and establish a session but it constantly drops/disconnects and then reconnects again. Most of the time the drop happens within 5-10 minutes. The longest session that I've been able to establish was about 1 hr 20 mins. Not sure if everyone else is having a similar issue.

Your help is most appreciated. Thanks.