Hi Marvin

Sorry for the late reply.

We’re using Hexes as vpn-only devices, with the following setup:

||| ISP Router ||| <=> ||| Hex VPN Router ||| <=> ||| LiMe Router |||
   |
       wifi adhoc
   |
  [other LiMe routers]

This is the guide we’ve been following [https://matthewmcclatchey.com/using-private-internet-accesss-vpn-with-mikrotiks-routeros-via-pptp/], with the exception of the fact that our vpn is l2tp+ipsec, and that we’ve had to set max mtu and max mru values to 1280 for some reason as packets were getting fragmented with our setup.

If you connect a cable from the ISP’s router’s lan to the Hex’s wan, and another cable from the Hex’s lan to the LiMe router’s wan, you’ll have all of your internet-bound traffic from inside your mesh network sandboxed inside the VPN with no exceptions. The hex has some kind of “persistent tunnel” enabled by default, so it drops the connection if the vpn breaks for some reason, even though it never has unless we actually rebooted the remote vpn server for testing purposes.

I suggest giving the Hex an address like 172.16.0.1 to avoid conflicts with other more common subnets. We set all our ISP routers to 192.168.0.1 and LiMe uses 10.13.0.1 etc… so we’re good to go. Also, as a bonus, we try to pair all LiMe routers with an openwrt “simple AP” router, that takes care of the AP level and lets the LiMe router handle only the adhoc meshing level, for maximum wireless efficiency.

We give APs static addresses of 10.13.64.1, 2, 3, and so on. They must all be different. Try and stay out of the DHCP range which starts at 100 I think. This last part [the AP addressing] is all trial and error and experimental so it might be wrong, but for us it works. We still need to figure out how to scale addressing for APs so we’re open to suggestions. While we’re at it:

TLDR question: what static IPv4 address to give a simple AP connected to the lan of a LiMe router? Is 10.13.64.1 - 10.13.64.99 a good range? How do we scale beyond that since every AP in the entire network must have a different IP?

Let me know how this works for you. To those answering the question: thank you in advance.


Nicolas

From: Marvin Arnold <marvin@unplugged.im>
Reply: libremesh users <lime-users@lists.libremesh.org>
Date: 9 February 2017 at 04:47:41
To: libremesh users <lime-users@lists.libremesh.org>
Subject:  Re: [lime-users] VPN

Hi Nicolas,

Could you give us some more tips about how to set up the VPN client on the hex router? We ordered one that will be arriving tomorrow and will set it up like you suggest: ISP router <-> hex VPN router <-> mesh router.

Do we flash the hex with LibreMesh as well? How do we configure the connection between the VPN and mesh router so that the VPN knows to forward web traffic correctly?

As a 1+, I'd also be interested in understanding how to do this when on the same device. I currently still have a wdr4300 that can connect to a VPN but it stops forwarding web traffic correctly after it connects.


On 02/07/2017 11:18 AM, Marvin Arnold wrote:

Hey Nicolas,

Sorry I just noticed that some lime email goes to my spam. I wonder how many emails I've missed before.

Anyways, this is awesome feedback. Thanks a bunch.


On 01/31/2017 05:26 AM, nk@os.vu wrote:
Hi Marvin

I've done a lot of tests with VPNs for the standard setup of the mesh network we're building here in Milano, Italia, and I've found that usually routers are rather terrible at handling VPNs with reasonable speeds, openvpn being the slowest [10mbps up and down] and l2tp+ipsec being faster [15 to 20mbps], at the expense of being less secure. Also, I've gotten to the conclusion that doing the VPN routing in the same device as the one doing the meshing makes it rather difficult to diagnose issues over time and to pinpoint the bottleneck for slow overall speeds.

I know this is not the answer you were looking for, but our definitive setup involves getting a MikroTik hex router that you can buy for about 60 to 80€ and running l2tp+ipsec to a Streisand instance [a fully self installing VPN and anonymity server]. We've been getting stable 120/120mbps speeds.

This setup also makes it very simple to understand what device is doing what, and how the routing is done on the large scale from the ISPs router, to the VPN router, to the meshing router, to the AP router, and so on [this is our setup].

I don't know how to solve your problem directly, but I thought I'd share my experience with you. Sorry for going slightly off topic.

Hope you can get your setup working nicely however you decide to do it!


Nicolas
________________________________
From: Marvin Arnold <marvin@unplugged.im>
Sent: Jan 31, 2017 06:34
To: lime-users@lists.libremesh.org
Subject: [lime-users] VPN

I would like to finally make my internet at home available to my
neighbors over lime. I called my ISP and they made it pretty clear they
would take action against me if one of the users accessed illicit
content. So I'm thinking about routing all web traffic through a VPN. Is
this the most sensible thing to do?

Assuming it is, I already set up the VPN server and now I'm trying to
connect my lime router as a client.

http://wiki.openwrt.org/inbox/vpn.howto

https://www.robertkehoe.com/2015/08/setup-openvpn-using-openwrt/

But as far as I can tell, opkg is not installed on the router. What's
the best way to install it or install the openvpn client without it?


_______________________________________________
lime-users mailing list
lime-users@lists.libremesh.org
https://lists.libremesh.org/mailman/listinfo/lime-users

