[Workaround] Assistance with building an advanced home network router

Let me set up my situation here; I live in an apartment with a mandatory internet package through an ISP, Fastel. I have absolutely no control over the modem/router; we just have ethernet jacks in each room that use a switch to connect to the router in the main office. Our speeds are good, 50Mbps up and down nearly all the time.

I have a computer set aside to run any OS or services required by my issues I’ve listed below.

Our first issue is we have 5 Xbox Ones that struggle being behind one NAT and really have a bad time being double NATed. Xbox Ones support IPv6, but we’re not getting an IPv6 address assigned to anything. Is there a way, either with a VPN, proxy, or some sort of network tunnel, to get an IPv6 address through a router?

The second issue is that I can’t access any of the things on my network while out and about because I don’t have a static IP, which I can get around with something like dyn-dns, but I can’t port forward because I’m behind another router. (I know this because it’s assigned all of our devices a private IP address in the 172.16.x.x range.) I don’t know if there’s a way to get past this using some VPN, proxy, or some sort of network tunnel like above?

The final issue is that we all play the same games and so when an update comes out it can take a while for all of us to get it downloaded and installed so I’d like something like a squid proxy for caching those downloads then distributing them locally.

I’ve tried messing around with pfSense, Windows Server 2016, and OpenSUSE. Out of all of those I’ve liked OpenSUSE the most (really liked yast), but I’d be fine with anything that supports SSH (I have a Chromebook for my main machine).

I’ve messed around with PureVPN, Perfect Privacy, and Privatoria, but haven’t figured out how to get them to work with my issues and/or choice of OS.

So to review I have 3 main issues:

  1. Xbox Ones are behind NAT.
  2. Need to be able to port forward.
  3. Cache large downloads of games.

Some Nice-to-Haves:

  • IPv6
  • Virtual machine support (hopefully with GPU passthrough)
  • Static IP address
  • Little-to-no impact on speed/latency
  • Headless mode in OS

I need assistance with what OS and services I’d have to use to accomplish this, if possible.

1 Like

You could do something like buy a DO droplet (doesn't have to be DO, could be any VPS provider), set up a VPN there, then use your router to connect to that 24/7 and in theory it should bypass the NAT issue. If configured to do so you should be able to connect to other devices also connected to the VPN. It's mostly a roll-your-own solution.

The trade-off is latency here (and some bandwidth, but it shouldn't be too much). If your latency is already pretty low it shouldn't be too bad. For instance my ping in most games is ~25-35 ms, with a VPN though that jumps to ~60-80 ms. The closer the VPN server the better.

The rest is doable but I have 0 experience with anything but Ubuntu, which AFAIK can do what you're looking for.

2 Likes

I'd want an unlimited bandwidth option in that case. Any advice on what type of specs I'd need on the VPS? I'm looking at these guys, if I'm just routing traffic through them, no caching or anything, would 256MB of RAM be enough?

From htop on my own:
Mem[||||||||||||||||||||||||||||||||||||||||205M/488M] Load average: 0.08 0.28 0.20

256 would be cutting it close as I'm at 205 right now, but I'm also running a TeamSpeak server and music bot for it. YMMV

I cannot stress enough though about physical VPS location. You might have to play around with different providers to find one that's low latency to you.

You could set up an account & a tunnel to Hurricane Electric, but I wouldn't guarantee that you'd be happy with the latency, unless you lived near one of their data centers.

pfSense can be configured to support a Hurricane Electric tunnel, in addition to your existing IPv4 connection. It also makes Squid deployment easy. However, Squid cannot cache data that is encapsulated in an SSL stream.

I set this article aside for future reading. It may not be applicable for Xbox use, but it may provide food for thought.

1 Like

I tried that before and it's "okay", but I feel like that's not really an option for gaming, unless around >120ms is fine for you. But the bigger issue with HE's tunnels is that it's a simple IP tunnel, which is great latency and processing wise, but not an option if you can't control the modem's port forwarding.

In my opinion the easiest, fastest, cheapest and probably the best in terms of latency option is to get a VPS and install a VPN server on that. DigitalOcean has some good offers and you can try theirs without any commitment. The cool thing with them is that you only get charged for the minutes you occupy their resources, not per month or even longer periods. So if you try something out for a few hours and it doesn't work, you didn't even spend a dollar and with their promo codes* you can have like $10 free, so you don't even need to spend money at all for trying it out. I use it all the time for tests where I need multiple servers on the internet each with their own IP address.

They also support IPv6, so you can have IPv6 on your VPN as well as IPv4. Of course, since it's a standard VPS, you also have static IPs to connect to from outside. I am not sure if you can run a VM on it though, but you can always just run another droplet, if you need a separate environment.
It does require some effort to set it up, but the tutorial I linked should be easy to follow and should show you how to set it up in no time.

* Disclaimer

The link I posted is connected to my own account, so I get some bonus, but everyone who uses it gets $10 to start off. I am not affiliated with them in any way, this is just my personal account, which I like to shamelessly plug here to fund my undertakings as a computer science student. :D

1 Like

Thanks for the advice @Adubs, @BarkingMad, and @comfreak. I've set up a VPS a couple miles away from me and am working on getting an OpenVPN server/client set up. I actually realized I have a Chromebox M004-U that I'm not using for anything, so I'll dedicate that completely to pfSense, which makes the VM thing not an issue. I'll keep this updated with what I'm doing.

3 Likes

Good man.

I never had any luck with that. OpenVPN client hates Windows 10 on my computer due to the funky DNS stuff W10 does. If you run into the same issue you could try https://github.com/hwdsl2/setup-ipsec-vpn

That uses L2TP, which you shouldn't need any client to use. Should work out of the box with just about anything, and it's a script so it basically does everything for you.

1 Like

Even with OpenVPN running on the router? I'll look out for issues, thanks. 👍🏻

TBH I never did try to get it working on my router because I didn't want to send all my traffic through a VPN. I mainly got frustrated with trying to get the client working on my gaming machine and gave up. So make of that what you will. I also didn't want to have to run a specialized client on the devices I wanted to connect when most things supported L2TP out of the box.

I mainly use a VPN to bury my torrent traffic from my ISP. I have no other use for one otherwise.

1 Like

Ran into a hitch with the current version of pfSense and my Surface Ethernet Adapter: it's not detecting it as a NIC, so I'm going to look into the beta version or how to add a driver to FreeBSD. I'll have to work on it later tonight.

I figure that even though it's using USB 3 it shouldn't cause a problem with my WAN connection, which maxes out at 50Mbps.

Would you mind sharing how exactly you are tunneling a specific application's traffic through a VPN? ;-)

I'm not, I'm just doing one computer instead of my whole network.

I have 4 desktops, 2 laptops, 3 Chromecasts, and a NAS. I don't want them all on a tunnel.

I have had the same problem as you and posted a solution to some of your problems here: https://forum.level1techs.com/t/vpn-reverse-proxy-ssl-madness/113287

I pretty much use a VPS and a VPN to my local pfSense box. I have a ping of 10ms to the VPS so pretty ok I guess.

Mind you, it's not that easy but doable.

2 Likes

I see, I thought you were just using the VPN for one app on one computer for that purpose ;-)
How are you making sure that that PC's traffic completely runs over the VPN and the app doesn't bypass it? I heard that's a common issue with using a VPN for that purpose.

I'm not. I have no reason to believe that the traffic isn't being routed properly through the VPN. My public IP changes, my ping goes up, Netflix displays different stuff, the YouTube logo gets a CA next to it (I typically use the Canadian server). In every surface check of the connection it appears to be working as intended. I suppose I should fire up Wireshark or something and check 100%, but FWIW my ISP has stopped sending me letters.

1 Like

I'll definitely read over your post. Thanks!

2 Likes

I cannot for the life of me get OpenVPN working. I'm just trying to do (what I thought would be simple) a static key or site-to-site VPN. The VPS is running Ubuntu 16.04 LTS and my router is running pfSense 2.3.3. Is anyone familiar with OpenVPN .conf files?
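Added example, not from the thread or any poster: a POSIX shell helper that prints the two OpenVPN static-key configs for the VPS-to-pfSense site-to-site tunnel asked about above, plus the VPS firewall rules that forward a public port through that tunnel to a LAN host (the port-forwarding problem from the first post). The tunnel addresses, the LAN range, the interface names eth0/tun0 and the function names are assumptions.

```shell
# Hypothetical helper, not from the thread: prints the two OpenVPN static-key
# configs for a VPS <-> pfSense tunnel, plus the VPS rules that expose a public
# port and forward it through the tunnel. All addresses are placeholders.
set -eu
TUN_VPS=10.8.0.1           # tunnel address of the VPS end
TUN_HOME=10.8.0.2          # tunnel address of the pfSense end
HOME_NET=192.168.1.0       # LAN behind pfSense (constructed)
HOME_MASK=255.255.255.0

# Create the key once (openvpn --genkey --secret static.key), install the same
# file on both ends; it is a single pre-shared secret, so keep it mode 0600.
vps_conf() {
  cat <<EOF
dev tun
proto udp
port 1194
ifconfig $TUN_VPS $TUN_HOME
secret /etc/openvpn/static.key
route $HOME_NET $HOME_MASK
keepalive 10 60
persist-key
persist-tun
EOF
}

# Mirror image for the pfSense end; $1 is the VPS public address.
home_conf() {
  cat <<EOF
dev tun
proto udp
remote $1 1194
ifconfig $TUN_HOME $TUN_VPS
secret /etc/openvpn/static.key
keepalive 10 60
persist-key
persist-tun
EOF
}

# Forward public port $1/tcp on the VPS (eth0) to LAN host $2 port $3. The
# MASQUERADE on tun0 matters: pfSense's default route is the ISP, so replies to
# an Internet client would leave via the ISP; rewriting the source keeps the flow symmetric.
forward_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $1 -j DNAT --to-destination $2:$3"
  echo "iptables -A FORWARD -i eth0 -o tun0 -p tcp -d $2 --dport $3 -j ACCEPT"
  echo "iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o tun0 -d $2 -j MASQUERADE"
}
```

Review the printed output, then run e.g. `forward_rules 2222 192.168.1.10 22 | sh` on the VPS; on pfSense the OpenVPN interface still needs a firewall rule allowing the forwarded traffic to reach the LAN host.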

I have no idea but I found this.

https://github.com/Nyr/openvpn-install

1 Like

I can't say that it is still fresh in my mind, but I remember looking into this for a project, +/- four years ago. I confess that I had to read all the way through the documentation at least three times, before it clicked for me. Like most Linux/Unix documentation, it is accurate, but not very friendly. After getting the basic gist of it, I found it helpful to collect a couple of sample working configs and decipher them, line by line. After that I found that creating my own config was much simpler.

Coincidentally, my client was also behind a pfSense box and it worked a treat. IIRC, I used pfSense to generate the keys. I was able to get a couple of laptops and Android phones to access the network with no trouble, whatsoever. The key for me was to recognize that there was no shortcut, slow down and resign myself to the fact that I would need to get a grip on the documentation. If I had recognized that from the beginning, it would have saved me a couple of days and a lot of frustration.

1 Like