"Small" client to run OpenVPN?

Started by ember1205, April 12, 2022, 05:56:41 PM

In the past, I have gotten very good results running a VPN between two opnsense firewalls to connect two homes. The second home is no longer connected, but I am now looking at options to bring a different second home "on line" but I may not have the same level of ability to run a PC w/ opnsense on it. So, I'm wondering if there's another option that would be smaller footprint and lower power consumption (sort of like a RPi type of device) that would let me accomplish this?

Really? No one has any kind of suggestions for a small device that would be fairly low power?

There has to be SOMETHING that would work...

April 25, 2022, 11:27:07 AM #2 Last Edit: April 25, 2022, 11:30:54 AM by lfirewall1243
Any small device which can run OpenVPN.
A Raspberry Pi, for example, but it depends on the throughput you need.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Quote from: lfirewall1243 on April 25, 2022, 11:27:07 AM
Any small device which can run OpenVPN.
A Raspberry Pi, for example, but it depends on the throughput you need.

Thanks - I've been trying to figure out how to configure a RPi as an OpenVPN client, Site-to-Site, SSL, pre-shared keys, sitting behind a NAT device. I can't find any sort of HOWTO for this type of setup that even comes close.

It's no different from any other site-to-site OpenVPN setup, so possibly exclude the "raspberry pi" keywords from your searches.

You will need to do an inbound port forwarding for 1194/udp or whatever you prefer on the NAT gateway/router in that network but apart from that the setup should work with any generic "howto" document.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on April 25, 2022, 02:49:34 PM
It's no different from any other site-to-site OpenVPN setup, so possibly exclude the "raspberry pi" keywords from your searches.

You will need to do an inbound port forwarding for 1194/udp or whatever you prefer on the NAT gateway/router in that network but apart from that the setup should work with any generic "howto" document.

If the RPi is the client and initiates the tunnel, why do I need a port forward on the NAT device it sits behind?

And though the setup isn't specific to the RPi, I'm finding absolutely nothing from the OpenVPN docs that outlines this sort of setup. Either the client-side NAT is missing or it's focused on setup using user/pass authentication instead of PSK. This is why I'm considering just putting an opnsense appliance in front of the router and doing it like I did previously.

April 25, 2022, 03:00:43 PM #6 Last Edit: April 25, 2022, 03:02:36 PM by pmhausen
Quote from: ember1205 on April 25, 2022, 02:53:06 PM
If the RPi is the client and initiates the tunnel, why do I need a port forward on the NAT device it sits behind?
If initiation is strictly in that direction, you do not need inbound port forward, I didn't catch that.

Quote from: ember1205 on April 25, 2022, 02:53:06 PM
Either the client-side NAT is missing
Don't you want to put the Pi behind the DSL/similar router? That router does NAT and OpenVPN works through NAT devices. So what's to consider here? You can route the entire LAN through the OpenVPN connection site to site - provided the DSL router permits you to add a single static route for the remote site.

An alternative to building your own might be a small Ubiquiti EdgeRouter, either with EdgeOS or OpenWRT. They come reasonably cheap and power efficient and with a great feature set at the price.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: ember1205 on April 25, 2022, 02:53:06 PM
Either the client-side NAT is missing
Don't you want to put the Pi behind the DSL/similar router? That router does NAT and OpenVPN works through NAT devices. So what's to consider here? You can route the entire LAN through the OpenVPN connection site to site - provided the DSL router permits you to add a single static route for the remote site.

An alternative to building your own might be a small Ubiquiti EdgeRouter, either with EdgeOS or OpenWRT. They come reasonably cheap and power efficient and with a great feature set at the price.

Cable Modem (owned not leased) - WiFi Router (owned) - RPi

The router is the default GW and would get a static route for the remote LAN pointing to the RPi.

The RPi gets NAT'ed and there doesn't appear to be any documentation that I can find that spells out whether the router has to explicitly support NAT for VPN devices or not. If so, then this changes everything as I will ultimately end up swapping out the router with one that has OpenVPN support directly in it and this becomes a moot point.


Quote from: ember1205 on April 25, 2022, 03:11:16 PM
The RPi gets NAT'ed and there doesn't appear to be any documentation that I can find that spells out whether the router has to explicitly support NAT for VPN devices or not. If so, then this changes everything as I will ultimately end up swapping out the router with one that has OpenVPN support directly in it and this becomes a moot point.
OpenVPN works with standard NAT without any special configuration as long as that is only on one side - which needs to initiate the connection. That's why there's no documentation. Nothing to see here, just works.  ;)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on April 25, 2022, 03:19:44 PM
OpenVPN works with standard NAT without any special configuration as long as that is only on one side - which needs to initiate the connection. That's why there's no documentation. Nothing to see here, just works.  ;)

Ok, good to know.

Is there a HOWTO from opnsense somewhere on setting up a remote OpenVPN client w/ PSK?

With LAN to LAN and PSK it's essentially server to server - even if the "client" side is the only one that starts the connection. You should be able to copy the configuration file of your OPNsense side and flip IP addresses, certificate, etc.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
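
The "copy the configuration and flip it" step from the last reply, as an added example (not code from the thread or from OPNsense). It assumes "PSK" means OpenVPN's static-key peer-to-peer mode; `flip_for_peer`, the addresses, the key path and `vpn.example.net` are made up for illustration.

```python
# Added example; the addresses, host name and key path are constructed.
# Note: static-key (--secret) mode is deprecated as of OpenVPN 2.6.

# Listening side (the firewall at the first site), static-key peer-to-peer.
SERVER_CONF = """\
dev tun
proto udp
lport 1194
ifconfig 10.99.0.1 10.99.0.2
route 192.168.20.0 255.255.255.0
secret /etc/openvpn/site2site.key 0
keepalive 10 60
"""


def flip_for_peer(server_conf, server_host, server_lan, mask="255.255.255.0"):
    """Return the config for the peer that sits behind NAT and dials out."""
    out, port = [], "1194"
    for line in server_conf.splitlines():
        words = line.split()
        if not words or words[0][0] in "#;":
            continue
        key, args = words[0], words[1:]
        if key in ("port", "lport"):
            port = args[0]                      # becomes the remote port
        elif key in ("local", "route"):
            continue                            # listener-only bind address / routes
        elif key == "ifconfig":
            out.append(f"ifconfig {args[1]} {args[0]}")   # swap tunnel endpoints
        elif key == "secret" and len(args) == 2:
            out.append(f"secret {args[0]} {1 - int(args[1])}")  # opposite direction
        else:
            out.append(line.strip())            # dev, proto, cipher, keepalive, ...
    out.append(f"remote {server_host} {port}")  # this side initiates
    out.append("nobind")                        # no fixed local port, no port forward
    out.append(f"route {server_lan} {mask}")    # LAN behind the listening side
    if not any(l.startswith(("keepalive", "ping ")) for l in out):
        out.append("keepalive 10 60")           # keeps the NAT mapping alive
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(flip_for_peer(SERVER_CONF, "vpn.example.net", "192.168.10.0"))
```

The same shared key file has to be present on both peers; only the direction digit, the tunnel endpoint order and the routed LAN differ between the two sides.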