Work From Home, or bring your corporate network home

Work From Home (WFH)… Not a big problem for IT. Almost everything I need I can do without any discomfort. I really understood how this works during the first quarantine; in Lithuania it was in summer. Good weather, my own house, lots of forest around… Who cares about COVID19, I just stay with my family and spend my time as usual. After the first global lockdown all systems were prepared for remote work, and new hardware with some spare capacity for future use was added. But time went by and a new project started: design the whole WiFi infrastructure for the school (yes, I work at a school, the biggest and most unique school in Lithuania). Lots of access points in 4 buildings, with authorization against the Google Education (Google Workspace) LDAP service. More than 1500 users… And only one “must be” requirement: comfortable usage for everyone, clients and admins.

To meet all requirements I must be connected to the school network, but configuring VPN on all devices is not a good idea, and putting some services outside is also not good… So, the solution: bring the network home. OK, I have some enterprise-level routers which I can use… But none of them supports OpenVPN. Why OpenVPN? Because this service is already present and I don't see any point in changing something. Short research, and the candidates to solve this problem: pfSense, OpenWrt and DD-WRT. For pfSense I need some computer, or a Raspberry Pi… I keep it as plan “B”. From a friend I got a TP-Link with less than 2MB flash - not enough space. After buying a D-Link DIR-300 (4 euro) - not enough space either. And then I found a D-Link DIR-620 A1 with 8MB flash for 10 euro. This device fits all my needs (btw, I write this post connected via the DIR-620). Short remark, why not DD-WRT? Because the first TP-Link I got already came with OpenWRT, so: pfSense (Plan C), DD-WRT (Plan B) and OpenWRT (Plan A).

Let's start

The latest version of OpenWRT with LuCI is 19. But interestingly, not all kernel modules needed to install the OpenVPN service are present; I found a few issues describing similar problems, and one of the easy solutions is just to use version 18. Why not, I don't need the latest version, I need to solve my problem. Everything was installed, and during configuration I found luci-app-openvpn quite useless, not a comfortable configuration… after a few looks I just removed this package. BTW, a lot of OpenWRT functions do not work as expected, for example: no delay when adding routes, additional name servers for DNS forwarders don't work, the WAN interface sometimes uses configuration from WAN6 (IPv6), no easy way to use VLANs with TUN/TAP… All can be solved!

Autostart openvpn with my configuration

cat /etc/init.d/openvpn
for path in /etc/openvpn/*.conf; do
I need to rename my .ovpn to .conf and put it in /etc/openvpn. Then enable the service for autostart and start it. The present way passes the password from a file, but the easiest way is to create a password-less user with authentication via certificate.
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:  P-t-P:  Mask:
          inet6 addr: fe80::500c:371:ed18:e4a1/64 Scope:Link
          RX packets:20234 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20433 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:6912171 (6.5 MiB)  TX bytes:2338488 (2.2 MiB)
OpenVPN is a very specific service, I mean the configuration depends… What I changed in the client.conf file: disable the routes pushed from the server.


root@DIR-620-A1-OWRT:~# netstat -ran
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                UG        0 0          0 eth0.2
                                                U         0 0          0 tun0
                                                U         0 0          0 br-lan
                                                U         0 0          0 eth0.2
Looks good, but it does not work… we need to add a route for my school subnet
root@DIR-620-A1-OWRT:~# /sbin/route add -net netmask gw

root@DIR-620-A1-OWRT:~# ping
64 bytes from seq=0 ttl=63 time=13.101 ms
64 bytes from seq=1 ttl=63 time=9.091 ms
64 bytes from seq=2 ttl=63 time=9.414 ms

root@DIR-620-A1-OWRT:~# ping
64 bytes from seq=0 ttl=63 time=12.005 ms
64 bytes from seq=1 ttl=63 time=9.190 ms
64 bytes from seq=2 ttl=63 time=16.837 ms
All works fine. We just need to add the route command to System > Startup > Local Startup (/etc/rc.local)
sleep 20; /sbin/route add -net netmask gw
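An added example (not from the post): the same split tunnel can be expressed inside the OpenVPN client profile itself, which removes the need for the "sleep 20; route add" line in /etc/rc.local. `route-nopull` keeps the routes pushed by the server out (it also discards pushed DNS options), the explicit `route` directive is installed by OpenVPN as soon as tun0 is up, and `remote-cert-tls server` makes the client refuse a peer certificate that was not issued for a server. The school subnet, its mask and the profile path are placeholders; the profile is assumed to already contain the usual client, remote, ca, cert and key lines.

```shell
#!/bin/sh
# Added example for OpenWrt (ash/BusyBox): append split-tunnel directives to
# the OpenVPN client profile instead of adding the route from rc.local.
# All three values below are placeholders, not the post's real addresses.

SCHOOL_NET="${SCHOOL_NET:-192.0.2.0}"          # placeholder school subnet
SCHOOL_MASK="${SCHOOL_MASK:-255.255.255.0}"    # placeholder netmask
CLIENT_CONF="${CLIENT_CONF:-/etc/openvpn/client.conf}"

# Print the directives that turn the profile into a client-side split tunnel.
split_tunnel_directives() {
    net="$1"; mask="$2"
    printf '%s\n' \
        'route-nopull' \
        "route $net $mask" \
        'remote-cert-tls server' \
        'persist-tun' \
        'persist-key'
}

# Append each directive only if it is not already present (idempotent, so the
# script can be re-run after editing the profile).
install_split_tunnel() {
    conf="$1"; net="$2"; mask="$3"
    split_tunnel_directives "$net" "$mask" | while IFS= read -r line; do
        grep -qxF -- "$line" "$conf" 2>/dev/null || printf '%s\n' "$line" >> "$conf"
    done
}

# Run as "sh split-tunnel.sh apply" on the router to change the live profile.
if [ "${1:-}" = "apply" ]; then
    install_split_tunnel "$CLIENT_CONF" "$SCHOOL_NET" "$SCHOOL_MASK"
    /etc/init.d/openvpn enable
    /etc/init.d/openvpn restart
fi
```

Because `route-nopull` also drops pushed DNS servers, name resolution for the school domain still has to be handled on the router, which the post does with a DHCP option.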


In Network > Firewall > General Settings > Zones we need to set Input, Output and Forward to accept.
In Network > Firewall > Traffic Rules create:
Any traffic, From any host in LAN, To IP range in VPN, Accept forward
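An added example (not from the post): the same LAN-to-school forwarding done with a dedicated firewall zone for tun0, so only the lan -> vpn direction is opened and the wan zone keeps its default policy instead of every zone being set to accept. The uci commands below are printed first so they can be reviewed; the zone name, the interface name and the optional masquerade line are assumptions.

```shell
#!/bin/sh
# Added example for OpenWrt: put the OpenVPN interface into its own firewall
# zone and allow forwarding from lan to it. Nothing from the tunnel side may
# open connections to the router (input REJECT) or be forwarded elsewhere.

VPN_DEV="${VPN_DEV:-tun0}"   # assumption: the tunnel device name

# Print the uci commands for the zone and the lan->vpn forwarding rule.
vpn_zone_commands() {
    dev="$1"
    cat <<EOF
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].device='$dev'
# Uncomment the next line only if the school side has no route back to the
# home LAN; then replies are sent to the tunnel address instead:
# uci set firewall.@zone[-1].masq='1'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'
uci commit firewall
EOF
}

# Run as "sh vpn-zone.sh apply" on the router to execute the commands.
if [ "${1:-}" = "apply" ]; then
    vpn_zone_commands "$VPN_DEV" | sh -e
    /etc/init.d/firewall restart
fi
```

Return traffic from the school network to the home LAN is allowed by connection tracking, so no rule in the vpn -> lan direction is needed for the ping test above.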
Short test
Alans-MBP:~ alan$ ping
64 bytes from icmp_seq=0 ttl=62 time=9.132 ms
64 bytes from icmp_seq=1 ttl=62 time=11.621 ms
64 bytes from icmp_seq=2 ttl=62 time=9.629 ms

Alans-MBP:~ alan$ ping
64 bytes from icmp_seq=0 ttl=62 time=13.580 ms
64 bytes from icmp_seq=1 ttl=62 time=11.014 ms
64 bytes from icmp_seq=2 ttl=62 time=11.175 ms
All works fine too


As I mentioned before, DNS has some problems; the easy way I found is just to pass the school DNS server to my computer from the DHCP server.
Alans-MBP:~ alan$ cat /etc/resolv.conf | grep nameserver
In Network > Interfaces > lan > DHCP Server > Advanced Settings
DHCP-Options: 6,
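An added example (not from the post): instead of handing the school resolver to every LAN client through DHCP option 6, dnsmasq on the router can forward only the school domain (cmm.lan, taken from the final test below) to that resolver, so the rest of the home traffic keeps using the normal upstream DNS. The resolver address is a placeholder; `rebind_domain` keeps dnsmasq's rebind protection enabled while still accepting private addresses for the school zone.

```shell
#!/bin/sh
# Added example for OpenWrt: conditional forwarding in dnsmasq for one domain.
# The resolver address is a placeholder, not the post's real school DNS.

SCHOOL_DOMAIN="${SCHOOL_DOMAIN:-cmm.lan}"
SCHOOL_DNS="${SCHOOL_DNS:-192.0.2.53}"   # placeholder resolver

# Print the uci commands: forward the domain to the school resolver and allow
# private (RFC1918) answers for it without disabling rebind protection.
dns_forward_commands() {
    domain="$1"; server="$2"
    cat <<EOF
uci add_list dhcp.@dnsmasq[0].server='/$domain/$server'
uci add_list dhcp.@dnsmasq[0].rebind_domain='$domain'
uci commit dhcp
EOF
}

# Run as "sh dns-forward.sh apply" on the router to execute the commands.
if [ "${1:-}" = "apply" ]; then
    dns_forward_commands "$SCHOOL_DOMAIN" "$SCHOOL_DNS" | sh -e
    /etc/init.d/dnsmasq restart
fi
```

With this in place the LAN clients keep the router as their only nameserver, and auth.cmm.lan resolves through the tunnel while everything else does not.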
Final test
Alans-MBP:~ alan$ ping auth.cmm.lan
64 bytes from icmp_seq=0 ttl=62 time=13.082 ms
64 bytes from icmp_seq=1 ttl=62 time=13.541 ms
64 bytes from icmp_seq=2 ttl=62 time=14.320 ms

