Newbie question regarding topology and config for VPN gateway

Started by zante, October 25, 2020, 01:12:01 PM

I'm still new to this so here goes - I'm trying to leverage the CPU power in a NUC, that remains unused, to offload OpenVPN processing from my router.

My proposed topology looks like the below:

[Modem] ==> [NUC with OpnSense] ==> [Router] ==> [LAN Devices]

Simply put, I need the NUC to act as a VPN gateway (to a service like Nord/ExpressVPN) in order to ensure all clients on the network benefit from the encryption.


  • I do not want the NUC to act as a router
  • I'd like to avoid double NAT if possible

If this is possible, and I understand that I wouldn't be utilising 90% of what OpnSense does, how would I configure OpnSense to harmonize with the above?

Thanks for any suggestions/answers.

Quote from: zante on October 25, 2020, 01:12:01 PM
I do not want the NUC to act as a router

In the setup you proposed the NUC will be a router. It will be the router that is in charge of your WAN connection.

Quote from: zante on October 25, 2020, 01:12:01 PM
I'd like to avoid double NAT if possible

Depends on your other router. The OPNsense is definitely doing NAT in your scenario. So it depends on your router not to do NAT. It is possible.

I really don't see the sense in this setup. Why don't you want the OPNsense to be your only router?

I would understand the other way around:
WAN -> ISP Router (maybe with built-in modem) -> OPNsense -> Clients

In that case you can configure your OPNsense not to do NAT and you need to configure your other router with static IPv4 routes to your OPNsense network.
„The S in IoT stands for Security!" :)
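To make the two points above concrete (OPNsense behind the ISP router without NAT, plus a static route on the ISP router back to the OPNsense LAN), here is a small hop-by-hop forwarding simulator. It is an added example, not part of this thread or of OPNsense; the addresses (203.0.113.0/24 for the "public" side, 198.51.100.7 as an Internet host, 192.168.1.0/24 between ISP router and OPNsense, 192.168.2.0/24 for the LAN) are constructed. It shows the three cases that come up here: NAT on both boxes (the round trip works but you count two NAT layers), NAT off on OPNsense without the static route (the reply is sent back out to the ISP and is lost), and NAT off with the static route (single NAT, reply delivered).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP = ipaddress.IPv4Address


@dataclass
class Node:
    """A host or router: interface addresses, static routes, optional source NAT."""
    name: str
    addrs: List[str]                                        # e.g. "192.168.1.2/24"
    routes: Dict[str, str] = field(default_factory=dict)    # prefix -> next-hop IP
    nat_inside: List[str] = field(default_factory=list)     # sources that get SNAT on the way out
    nat_addr: Optional[str] = None                          # address they are translated to
    nat_table: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (nat_addr, dst) -> real src

    def ifaces(self):
        return [ipaddress.ip_interface(a) for a in self.addrs]

    def owns(self, ip: str) -> bool:
        return any(str(i.ip) == ip for i in self.ifaces())

    def inside(self, ip: str) -> bool:
        return any(IP(ip) in ipaddress.ip_network(p) for p in self.nat_inside)

    def next_hop(self, dst: str) -> Optional[str]:
        """Directly connected networks win, then longest-prefix match on static routes."""
        d = IP(dst)
        if any(d in i.network for i in self.ifaces()):
            return dst
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


class Network:
    def __init__(self, nodes: List[Node]):
        self.nodes = nodes

    def node_with(self, ip: str) -> Optional[Node]:
        return next((n for n in self.nodes if n.owns(ip)), None)

    def forward(self, src: str, dst: str, max_hops: int = 10):
        """Carry one packet hop by hop. Returns (delivered, path, src as seen at dst, NAT layers)."""
        node, path, nats = self.node_with(src), [], 0
        for _ in range(max_hops):
            if node is None:
                return False, path, src, nats
            path.append(node.name)
            # a returning packet addressed to our NAT address is mapped back to the real host
            if node.nat_addr and dst == node.nat_addr and (dst, src) in node.nat_table:
                dst = node.nat_table[(dst, src)]
            if node.owns(dst):
                return True, path, src, nats
            nh = node.next_hop(dst)
            if nh is None:                       # no route: packet dropped here
                return False, path, src, nats
            if node.nat_addr and node.inside(src) and not node.inside(dst):
                node.nat_table[(node.nat_addr, dst)] = src
                src, nats = node.nat_addr, nats + 1
            node = self.node_with(nh)
        return False, path, src, nats


def build(opnsense_nat: bool, isp_static_route: bool) -> Network:
    """ISP router -> OPNsense -> LAN client, as suggested in the thread (addresses constructed)."""
    internet = Node("internet", ["203.0.113.1/24", "198.51.100.7/24"])
    isp = Node("isp-router", ["203.0.113.5/24", "192.168.1.1/24"],
               routes={"0.0.0.0/0": "203.0.113.1"},
               nat_inside=["192.168.0.0/16"], nat_addr="203.0.113.5")
    if isp_static_route:                         # "static IPv4 route to your OPNsense network"
        isp.routes["192.168.2.0/24"] = "192.168.1.2"
    opn = Node("opnsense", ["192.168.1.2/24", "192.168.2.1/24"],
               routes={"0.0.0.0/0": "192.168.1.1"})
    if opnsense_nat:
        opn.nat_inside, opn.nat_addr = ["192.168.2.0/24"], "192.168.1.2"
    client = Node("client", ["192.168.2.10/24"], routes={"0.0.0.0/0": "192.168.2.1"})
    return Network([internet, isp, opn, client])


def round_trip(net: Network, src: str = "192.168.2.10", dst: str = "198.51.100.7") -> dict:
    """Send a packet out and the reply back; report whether it arrives and how many NAT layers it crossed."""
    ok, out_path, seen_src, nats = net.forward(src, dst)
    if not ok:
        return {"delivered": False, "nat_layers": nats, "out": out_path, "back": []}
    back_ok, back_path, _, _ = net.forward(dst, seen_src)
    return {"delivered": back_ok, "nat_layers": nats, "out": out_path, "back": back_path}


if __name__ == "__main__":
    for label, nat, route in [("NAT on both boxes", True, False),
                              ("no OPNsense NAT, no static route", False, False),
                              ("no OPNsense NAT, static route on ISP router", False, True)]:
        print(label, "->", round_trip(build(nat, route)))
```

The second case is the one that bites when NAT is switched off on OPNsense: the ISP router undoes its own translation, sees a 192.168.2.10 destination it has no route for, and hands the reply to its default gateway. The static route fixes exactly that lookup, and the NAT-layer count is what the "double NAT" remarks in this thread refer to.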

Thanks for your reply and patience with me.


  • I don't want the OpnSense to do any DHCP stuff because I'm entirely happy with the UX on my Synology rt2600ac. That's what I mean by not wishing it to function as a router and only as a dumb OpenVPN crunching client machine
  • If your suggestion allows non-wired connections to go via the NUC before leaving the LAN, then yes, it sounds like that would be the better option.

In effect, are you suggesting the following topology?

[Modem] ==> [Router] ==> [NUC with OpnSense] ==> [LAN Devices]

Wherein all outbound traffic from the network has to go via:

[LAN Devices] ==> [Router] ==> [NUC] ==> [Router] ==> [Modem]

I'm just trying to understand your proposal and I happily betray my ignorance when it comes to this sort of thing.

If you want to use your router as DHCP server you need to leave it in „Wireless Router Mode" according to this Synology site: https://www.synology.com/en-global/knowledgebase/SRM/help/SRM/NetworkCenter/operation_modes

But in this mode the router is using NAT. It does not seem to be possible to disable it. So you would introduce double NAT to your network.
The order of devices would be like you suggested in the beginning.

Definitely not the most optimal solution.
„The S in IoT stands for Security!" :)

Quote from: Gauss23 on October 25, 2020, 03:55:22 PM
If you want to use your router as DHCP server you need to leave it in „Wireless Router Mode" according to this Synology site: https://www.synology.com/en-global/knowledgebase/SRM/help/SRM/NetworkCenter/operation_modes

But in this mode the router is using NAT. It does not seem to be possible to disable it. So you would introduce double NAT to your network.
The order of devices would be like you suggested in the beginning.

Definitely not the most optimal solution.

With that being said then, other than by using a device running OpnSense, how else would I be able to crunch the VPN workload in such a way that it's not limited by the hardware on the router and doesn't put me in double NAT?

That is the question I'm asking, for all intents and purposes.

Quote from: zante on October 25, 2020, 04:25:25 PM
With that being said then, other than by using a device running OpnSense, how else would I be able to crunch the VPN workload in such a way that it's not limited by the hardware on the router and doesn't put me in double NAT?

That is the question I'm asking, for all intents and purposes.

Your Synology router is the inflexible part here. If you find a way to use it as your favorite DHCP device without doing NAT and maybe even propagate another device as default gateway, that would be a better solution. I never worked with Synology routers (only NAS devices), so I don't know if it's possible.

I'd suggest using the Synology router in Access Point mode and use OPNsense as your main router.

As a first attempt the setup you had in mind would be ok, to see if you're happy with the results.
Pushing all traffic from all clients through a VPN tunnel will reduce your Internet speed. I only use it for my guest networks or certain clients/services (like DNS over TLS). You won't be able to be so selective with all clients being "natted" behind your Synology router. It would be all clients or none. But you could be selective about destination IPs and ports.
„The S in IoT stands for Security!" :)