Terry Stanford

VPN on router - beginner (dumb) questions...

I have never tried putting VPN on a router before, but due to a growing family with kids having phones etc, I think I need to now as the device limits are becoming a problem.

I have a Ubiquiti Edgerouter 10X - I am pretty sure that's no use for OpenWRT or OpenDDT. I bought it originally for the 10 gigabit ports. We don't use wifi at all here, only wired, so fast wire speeds are important and ideally no wifi to have to turn off (or wonder if they are still active). If I am wrong and this router can be used, someone please SHOUT! I'd love to use it if at all possible, with AirVPN.

I have been offered a Linksys WRT3200ACM for reasonable money. I am told that's super flexible and can have OpenDDT or WRT installed (though the process scares me a bit!)

BUT I have a BIG QUESTION, and a few small ones...

Let's say I managed to install OpenWRT/OpenDDT on either router....

1. Do I have to set up a profile for EVERY server, one by one by one?
2. BIG question - How easy is it to switch connections, and can different devices be set to bypass the VPN (if desired), or set to have different VPN connections to other devices on the LAN?

Reason for my question is mainly because I use VPN apps (e.g. Eddie) extensively because I have a NEED to switch connections frequently, often many times per day. This is due to my work/research where I need to analyse different Google SERP results in different countries. The convenience of a VPN app where I can switch connections in a second or two is great. I am assuming it's not so easy when using VPN on a router, am I right?

If so, I suppose I could still use Eddie on my main machine for those fast VPN connection changes, although the extra layer would surely slow things down a fair bit more. 

Oh, and ..

3. Wireguard - I have tried Mullvad briefly a few years ago and was amazed at the speed and stability of connections and connection switching when using Wireguard. But someone told me it's not as good for privacy so I have never used it since. Is it possible to use Wireguard connections via Eddie?

Thanks to all the great people in here, hoping I can take the plunge with a VPN router soon somehow.

I don't know anything significant about OpenWRT, but for dd-wrt, what you are amusingly calling OpenDDT (look up DDT sometime if you don't know that awful chemical), start your education at dd-wrt.com. You cover lots of ground, so I will also, but mostly by giving you pointers on where to look and what to look for in the dd-wrt documentation world. It's a lot of stuff to read and digest, and you can't do this all at once. You can get a WRT3200ACM up, then on a different day, get either OpenVPN or wireguard going on it. (Wireguard is easier and faster.)

First find the router database to look for your Ubiquiti router.  Do NOT take its advice on what build to flash, as that info is not updated.   All details in the dd-wrt world beyond "Is it supported?" you need to get from the dd-wrt forum, because other "documentation" is neither updated regularly nor timestamped, so if you read it, you'll mostly see obsolete advice.

The WRT3200ACM is well supported, and to learn about dd-wrt on that router, find the dd-wrt forum and, within it, the Marvell forum.  (The WRT3200ACM has Marvell chipsets inside.)  Flashing it with dd-wrt is pretty simple.  Look in the Sticky Posts at the top of the Marvell forum for a general orientation thread.  Keep an eye out for a "Cliff Notes" post.

It is easy enough to have one wifi SSID that routes its traffic through a VPN and another that bypasses VPNs altogether. The topic of extra SSIDs is that of Virtual Access Points (VAPs). The technique of routing things differently for them is called Policy Based Routing (PBR), and IIRC there is a PBR Sticky at the top of the Advanced Networking forum. The Advanced Networking stickies also include a guide for OpenVPN in dd-wrt and a guide for wireguard in dd-wrt. Once you are using PBR, it's possible to set up to have multiple VPN connections simultaneously, but switching servers on the fly, while possible, is more of an advanced topic for someone with coding (bash shell scripting) skills and greater familiarity with the workings of dd-wrt. Better to connect your main computer to the no-VPN SSID and just run Eddie on that computer.

Re wired/wireless, it's possible but a bit tricky to set things up to treat the different ethernet ports on the router differently, like having some go through a VPN and others not.  The topic is Virtual LANs (VLANs).   There's a new GUI-based approach to VLANs just coming online in the most recent dd-wrt builds, but it may not be ready on the WRT3200ACM yet.  The older "swconfig" method still works great, but it's again a bit of an advanced topic.

Again though, this is more of a new hobby than a new project. My dd-wrt config (on the predecessor to the WRT3200ACM) evolved over about three years, with a new aspect being added every few months as I became interested or happened to think of a way to do it. I have an OpenVPN client and three wireguard clients running, use six SSIDs with PBR, use VLANs to segment the wired part of my network, and even change OpenVPN servers on the fly using my phone. So all is possible with time and patience and bullheadedness. (I have lots of the latter!) I started with dd-wrt shortly after retirement, so exploring/enhancing things in that world became a sort of retirement project for me. Not everyone will have that kind of time, but a basic setup with VPN and PBR is not a huge effort if done a careful step at a time. AirVPN works really well with dd-wrt, both via OpenVPN and via wireguard.

Finally, do ignore the naysayers in the dd-wrt forum who are down on the WRT3200ACM and its Linksys relatives.  Their wifi drivers are not open source, and that has meant headaches in the past.  There was a year or so of unreliable wifi until intrepid volunteers figured out the patches needed, but things are great these days.

Good luck to you!

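The policy-based routing the reply above describes (one LAN segment through the VPN, the rest bypassing it, with a kill switch so the segment cannot leak out of the WAN when the tunnel drops), as an added example that is not from the thread, from dd-wrt's stickies or from AirVPN. It is the kind of rule set a router's firewall/startup script ends up holding, written in POSIX sh because dd-wrt's shell is busybox ash. The interface and subnet names (wg0, 192.168.10.0/24 for the VPN segment, 192.168.0.0/16 for the whole LAN, fwmark 0x10, table 10) are assumptions for illustration; a VAP or VLAN segment on your own router will have its own values.

```shell
#!/bin/sh
# Policy-based routing (PBR) on a Linux router: one LAN segment leaves through a
# WireGuard tunnel (with a kill switch), every other segment uses the plain WAN.
# Kept to POSIX sh because dd-wrt's shell is busybox ash.
# Names below are assumptions for illustration, not values from the thread:
#   wg0             WireGuard client interface
#   192.168.10.0/24 the VLAN or VAP that must use the VPN
#   192.168.0.0/16  the whole LAN; traffic between local segments is never tunnelled
VPN_IF="${VPN_IF:-wg0}"
VPN_SUBNET="${VPN_SUBNET:-192.168.10.0/24}"
LAN_RANGE="${LAN_RANGE:-192.168.0.0/16}"
MARK="${MARK:-0x10}"   # fwmark that tags "must use the VPN" packets
TABLE="${TABLE:-10}"   # routing table consulted for tagged packets

# Run a command, or only print it when DRY_RUN is set, so the rule set can be reviewed first.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

pbr_apply() {
  # 1. Tag packets from the VPN segment before routing; LAN-to-LAN traffic is left alone.
  run iptables -t mangle -A PREROUTING -s "$VPN_SUBNET" ! -d "$LAN_RANGE" -j MARK --set-mark "$MARK"
  # 2. Tagged packets are routed from table $TABLE, whose only default route is the tunnel.
  run ip rule add fwmark "$MARK" table "$TABLE" priority 100
  run ip route add default dev "$VPN_IF" table "$TABLE"
  # 3. Kill switch. When the tunnel is down its route disappears and the lookup would fall
  #    through to the main table, i.e. out of the WAN; this lower-priority rule stops it.
  run ip rule add fwmark "$MARK" unreachable priority 101
  # 4. Replies arrive on the tunnel from addresses the main table would send via the WAN,
  #    so strict reverse-path filtering would drop them; use loose mode on the tunnel only.
  run sysctl -q -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
  # 5. Source-NAT the segment to the tunnel address; the provider only routes wg0's own IP back.
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
  # 6. Firewall belt and braces: forwarded traffic from the segment may only leave via the tunnel.
  run iptables -I FORWARD -s "$VPN_SUBNET" ! -d "$LAN_RANGE" ! -o "$VPN_IF" -j REJECT
}

pbr_remove() {
  run iptables -D FORWARD -s "$VPN_SUBNET" ! -d "$LAN_RANGE" ! -o "$VPN_IF" -j REJECT
  run iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE
  run ip rule del fwmark "$MARK" unreachable priority 101
  run ip rule del fwmark "$MARK" table "$TABLE" priority 100
  run ip route flush table "$TABLE"
  run iptables -t mangle -D PREROUTING -s "$VPN_SUBNET" ! -d "$LAN_RANGE" -j MARK --set-mark "$MARK"
}

# 'sh pbr.sh show' prints the rules; 'apply' and 'remove' need root on the router.
case "${1:-}" in
  show)   DRY_RUN=1 pbr_apply ;;
  apply)  pbr_apply ;;
  remove) pbr_remove ;;
esac
```

Run it with show first and read the seven commands before applying anything. Two caveats a practitioner will hit: if the tunnel is brought up with wg-quick rather than the router's GUI, put Table = off in its [Interface] section, otherwise wg-quick installs its own default route for everybody; and DNS for the VPN segment still goes wherever the router's resolver sends it, so either hand that segment the provider's resolver via DHCP or make the router's own resolver use the tunnel, or the "VPN" segment leaks every hostname it looks up.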

DDT - hahaha, sorry, wasn't that the Teflon people? Oops, forgive my age!

What a wonderfully generous post thank you. I think you've solved my problem via your honest explanations of the depth of the matter. I neither have the time nor the ability for it right now, by the looks of it. Sure I can obtain the latter, but definitely not the former! 

We have zero wifi usage here, none whatsoever, so looks like it will all be VLAN stuff and I have tried to get my head around that stuff before and it was painful (to say the least, mostly due to rushing due to time constraints). 

I had a lot of trouble with Eddie in the past, huge troubles where I had to force-restart my Mac very often (once or twice a day), which could cost a lot more time than it would for most, due to encryption keys, software running and all sorts of other hassles. The app would just regularly become inactive (like a hung process).

Maybe the best bang for buck right now (as I do want to use Air rather than switch, despite Eddie's difficulties on my machine) is to learn how to use Wireguard and set up connections manually in there. 

I wonder... is there a way to set up Wireguard (instead of Eddie app), but to import all Air's connections in one go (in bulk), or does every single server have to be setup individually?

Thanks again, you've been a great help.

I've never tried a bulk setup, so I can't answer that one. I've done fine with a config for a "country" and a couple more for individual servers, as backup. I have found wireguard connections to be remarkably solid and foolproof and hardly ever subject to bogging down under a heavy server load, so I've been good with only two or three options in a phone. 

Edit: The Mac wireguard app is simple enough to set up and use for a few server choices. Go for it. 

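On the bulk question asked earlier in the thread (whether every server has to be set up by hand in the WireGuard app): an added example, not from the thread, from the WireGuard project or from AirVPN, showing how to turn a provider's peer list into one .conf per server in POSIX sh so the whole set can be imported in one go. The private key, tunnel address, DNS address and peer names are placeholders; the real values come from the provider's config generator. A self-hosted peer such as the "Banks" tunnel to a home router described later in the thread is just one more line in the same list.

```shell
#!/bin/sh
# Bulk-generate WireGuard client .conf files from a provider's peer list, so that a
# phone or Mac can import them all at once instead of one tunnel at a time.
# Every value here is an assumption for illustration; the provider's real values come
# from its config generator. The keys below are placeholders, not real WireGuard keys.
CLIENT_PRIVKEY="${CLIENT_PRIVKEY:-PASTE_OUTPUT_OF_wg_genkey_HERE}"
CLIENT_ADDR="${CLIENT_ADDR:-10.0.0.2/32}"   # tunnel address the provider assigned to you
TUNNEL_DNS="${TUNNEL_DNS:-10.0.0.1}"        # resolver that is only reachable inside the tunnel

# Print one client config. $1 = peer public key, $2 = host:port, $3 = AllowedIPs (default: full tunnel)
wg_client_conf() {
  allowed="${3:-0.0.0.0/0, ::/0}"
  cat <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDR
DNS = $TUNNEL_DNS

[Peer]
PublicKey = $1
Endpoint = $2
# ::/0 matters: without it IPv6 traffic walks straight past a v4-only tunnel
AllowedIPs = $allowed
# Keeps the NAT mapping alive on phones and behind home routers
PersistentKeepalive = 25
EOF
}

# Read "name host:port pubkey" lines from stdin ('#' lines ignored) and write <outdir>/<name>.conf.
# Prints the number of configs written.
wg_bulk() {
  outdir="$1"; n=0
  mkdir -p "$outdir"
  while read -r name endpoint pubkey; do
    case "$name" in ''|\#*) continue ;; esac
    # Linux limits interface names to 15 characters; short tunnel names import cleanly everywhere
    if [ "${#name}" -gt 15 ]; then echo "skipping $name: name too long" >&2; continue; fi
    wg_client_conf "$pubkey" "$endpoint" > "$outdir/$name.conf"
    chmod 600 "$outdir/$name.conf"   # the file contains your private key
    n=$((n + 1))
  done
  echo "$n"
}

# Usage: sh wg-bulk.sh peers.txt ./out   (peers.txt: one "name host:port pubkey" per line)
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  wg_bulk "$2" < "$1"
fi
```

Make the client keypair once with wg genkey | tee client.key | wg pubkey > client.pub (the provider registers the public half), export CLIENT_PRIVKEY from client.key, run the script, then zip -j wg-configs.zip out/*.conf and use the app's import-from-file-or-archive option. Which tunnel is active, and whether it is on-demand, is an app-side setting and not part of these files.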

For future reference, the VLAN setup to partition the WRT3200ACM's set of four LAN ports into subsets to be treated differently is actually not bad. The classic dd-wrt forum thread on it is actually one of mine from several years ago. Find any post of mine (same handle) in the dd-wrt forum and check the links in my signature. 

Edit: since I wrote that just a while ago, I have spotted a report in the dd-wrt forum of a successful GUI setup of VLANs in a Linksys/Marvell router, using the new GUI tab "Switch Config." This is way simpler than the method of my old post. Now it's a piece of cake. See the "Simple LAN side port VLAN" example in that tab's guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334342

Thanks. I've been using the official WG app for a day or two now and I really can't get on with it. If I want the 'kill switch' on, it's tricky (to explain to family how) to turn that off to select a different connection or disconnect VPN altogether. But I feel a bit naked without the "on demand" kill switch feature. Maybe it's stable/reliable enough to just use without the "on demand" thing selected, if so then it could be used. My wife needs to disconnect sometimes to log into online banking, and it's too complicated for her to turn off the on demand feature each time.

I came to a similar conclusion when setting things up for my adult children and just left on-demand disabled altogether. They need to engage wireguard manually when they find it appropriate.   For my wife on-demand is enabled and is usually fine, but just as in your case, her having to turn wireguard off for certain banks is a pain and frustrates us both.  Basically she'll never remember how or even that she needs to, but I'll catch grief later if a site is blocked.  Real people in the real world vs us nerdy types!

Do note that you can change the name of a config in wireguard apps for at least most devices, so labeling one "Banks" or "For fussy sites" or whatever is not a terrible idea.

Ha, peas in a pod, exactly the same experience here. Not sure it would help to name connections "bank" etc., none of them seem to work for me, so it has to be disconnected completely. Banks are clamping down on privacy enthusiasts, oops, I mean, they are trying to "protect us", yeah, whatever. I am sure blocking VPN usage will protect us just as much as masks and gene therapy did for a virus.

You are right!  Here "Banks" on our phones enables a wireguard tunnel to a private server (on a router, actually) that would not be on any block list but that would still protect from a MITM wifi AP pretending to be Marriott (they got caught in this situation a couple of years back) or whoever.  The application of such a wireguard client config on a router, however, has benefits limited to very special cases only, not worth the energy for most of us.

Health aside: average cloth masks are placebos, but good ones (N95, KN-95, KF94, FFP2) worn well (essential) really do help one's odds, as best as my engineering nerdiness can figure out.  I ended up with an autoimmune condition from Covid - can't prove it, but the statistical likelihood is clear enough - that's going to affect my life (and further Covid vulnerability) from here out, so I have a bit of an attitude.  I don't want my wife, kids, friends, etc. ending up anywhere similar.   Good masks would matter more than VPNs to most of our lives long term, and we fuss over getting the VPNs right, so...

Anyway, I'm going to wrap up this thread.  Been great but we're too far afield now for a general discussion!

haha. AGREED! If they had insisted on everyone wearing an N95 (PROPERLY, which you can't with a beard (like me) by the way!) then it wouldn't piss me off so much. Covid wasn't a non-issue, nor is the vaccine. Sorry to hear about your case, I know of someone with similar. However, I know of 3 people who were injured by the vaccine (one killed, yes, dead, a 38-year-old mother of 2 boys, brain haemorrhage 3 days after, now finally admitted by doctors to have been caused directly by the vaccine). I know of at least 3 people dead through the shutdown of hospitals to protect us from what was nothing like as dangerous as 'they' wanted us to believe. Harmless? NO. Deadly for 90% of the population? NO. Lifesaving cancer treatment refused due to "covid risk". Surgeon just before the Covid outbreak said "one hundred percent success" would be achieved by surgery. Appointment cancelled, dead 12 months later leaving children behind. Horrific. As Ronnie Reagan once said (brilliantly in my view)... What are the scariest 8 words in the English language?...

"I'm from the government, I'm here to help."

:D :D

But that's more than enough off-topicness for today!
