Question: Adding a VPN router to my Apple setup

I am considering installing a VPN router to my setup. I've got a Time Capsule and Airport Express, along with various other devices in the house. Some are ethernetted and some are WiFi. Everything works.


There is no way to add VPN anything to the TC or AE. And I don't like the idea of adding a parallel VPN router, switching between the two. That has been mentioned on a couple of websites of VPN router manufacturers.


I can think of two ways to go. One option is to install a VPN wireless router and replace the TC (or bridge it and continue using it as my TM backup). One of my iMacs is ethernetted to the TC. Alternatively, I could insert a wired VPN router between the TC and cable modem. I'd have to bridge the TC to keep the two devices from fighting.


Two questions, please:

1) If I bridge the TC, will its WiFi features keep working, so I can maintain wireless connectivity, streaming, etc, as things currently work?

2) Is there some reason I haven't thought of that would cause the wired VPN router idea to not work?


Nov 14, 2017 9:57 AM in response to DesertRatR

I can think of two ways to go. One option is to install a VPN wireless router and replace the TC (or bridge it and continue using it as my TM backup). One of my iMacs is ethernetted to the TC. Alternatively, I could insert a wired VPN router between the TC and cable modem. I'd have to bridge the TC to keep the two devices from fighting.

FWIW. The second option is basically what I'm running at my home currently. I use a Cisco RV180 (wired) router as my "main" Internet router. It feeds into an Ethernet switch panel that has Ethernet runs throughout the house. Connected to a number of these runs are a variety of Apple and non-Apple wireless access points. The Cisco provides VPN and routing services. The other network devices are all bridged.

1) If I bridge the TC, will its WiFi features keep working, so I can maintain wireless connectivity, streaming, etc, as things currently work?

Yes, and yes it should.

2) Is there some reason I haven't thought of that would cause the wired VPN router idea to not work?

Not that I can think of.


Nov 14, 2017 10:26 AM in response to Tesserax

Thanks for that. Someone on my VPN user forum (they seem to know zero about Apple stuff) mentioned I'd have to set up a default route to the new router, and I'd have to ensure that the IP address is different. My networking skills are negligible. Any chance you can offer some pointers?


Nov 14, 2017 10:53 AM in response to DesertRatR

It is always a good idea to establish static local IP addresses for all your networking hardware ... except for network clients. That is, all routers, wireless access points, printers, NAS devices, etc. should have a static local IP address.


I did not have to set up any static routing for my network in order to use Cisco's VPN feature. Note, however, there are a number of "flavors" of VPN services and configurations. Mine is a VPN router that allows me to remotely connect a VPN client to access my local network when I'm away from home. This would be considered a "Remote-Access VPN."


The AirPort base stations have been known to have issues with VPNs that rely on IPSec for the security protocol, but that has only been the case where the base station was configured as a router and not as a bridge. In your case, your base stations would all be configured as bridges.


Today, the most common type of VPN is the SSL VPN. This VPN uses a web browser-based VPN client instead of a dedicated VPN client. Also this type of VPN does not rely on IPSec, but uses SSL/TLS instead for security.


Nov 14, 2017 11:50 AM in response to Tesserax

Thanks for that. I've got the TC and AE set to use DHCP, but the addresses never seem to change. If I wanted to set static IP addresses, can I just pick any old IP addresses and plug them in?


My VPN service is thru Private Internet Access. I believe they employ Open VPN of some sort. However they seem to have a dedicated client. So I'll have to delve into their user forum.


Nov 14, 2017 12:12 PM in response to DesertRatR

...I've got the TC and AE set to use DHCP, but the addresses never seem to change. If I wanted to set static IP addresses, can I just pick any old IP addresses and plug them in?

You could. I would suggest that you use a local IP address outside of the DHCP range being provided by your "main" router. For example, my Cisco DHCP scope is: 192.168.1.2-200. I use addresses above 200 for static address assignments. I also do them by groups. That is, printers are assigned, let's say, addresses 201-205, NAS devices, 206-210, WAPs 211-220, servers 230-239, etc.

My VPN service is thru Private Internet Access. I believe they employ Open VPN of some sort. However they seem to have a dedicated client. So I'll have to delve into their user forum.

Excellent choice. I have been using PIA for a few years now. They have a number of VPN options, including Open VPN tunnels ... and Open VPN is an SSL VPN. Actually with their clients, you don't actually need to use dedicated VPN hardware as they create the secure VPN tunnel between their client and their VPN exit points. I only use my Cisco VPN when I want to remote into my local network.

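The address plan described in the reply above (DHCP scope 192.168.1.2-200, static addresses above 200, grouped by device type), as an added example that is not part of the original thread: a small check that flags static assignments that fall inside the DHCP scope, outside their group, or collide with another device. The /24 network, the router at 192.168.1.1 and the device names are assumptions, and the sample plan is constructed.

```python
import ipaddress

# Values from the reply above: DHCP scope .2-.200, statics above 200 by group.
# Assumptions: a /24 network and the main router at 192.168.1.1.
NETWORK = ipaddress.ip_network("192.168.1.0/24")
DHCP_FIRST, DHCP_LAST = 2, 200
GROUPS = {"printer": (201, 205), "nas": (206, 210),
          "wap": (211, 220), "server": (230, 239)}

# Constructed sample plan: (device name, group, proposed static address).
SAMPLE_PLAN = [
    ("time-capsule", "wap", "192.168.1.211"),
    ("airport-express", "wap", "192.168.1.212"),
    ("laser-printer", "printer", "192.168.1.150"),  # inside the DHCP scope
    ("backup-nas", "nas", "192.168.1.211"),         # wrong group, duplicate
]

def check_plan(plan, router_ip="192.168.1.1"):
    """Return a list of human-readable problems found in a static IP plan."""
    problems = []
    seen = {ipaddress.ip_address(router_ip): "router"}
    for name, group, ip_text in plan:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"{name}: {ip_text!r} is not a valid IP address")
            continue
        if ip not in NETWORK or ip in (NETWORK.network_address,
                                       NETWORK.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable host in {NETWORK}")
            continue
        host = int(ip) - int(NETWORK.network_address)
        if DHCP_FIRST <= host <= DHCP_LAST:
            # The router may hand this address to another client later.
            problems.append(f"{name}: {ip} is inside the DHCP scope")
        elif group not in GROUPS:
            problems.append(f"{name}: unknown group {group!r}")
        elif not GROUPS[group][0] <= host <= GROUPS[group][1]:
            lo, hi = GROUPS[group]
            problems.append(f"{name}: {ip} is outside the {group} range {lo}-{hi}")
        if ip in seen:
            problems.append(f"{name}: {ip} is already assigned to {seen[ip]}")
        else:
            seen[ip] = name
    return problems

if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN):
        print(line)
```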

Nov 14, 2017 12:52 PM in response to Tesserax

Glad to hear a testimonial.


Maybe I need to rethink the VPN router anyway. I have no need to remote in to my local network. I have read that one reason to have a VPN router is to remote to it from a public WiFi to get into the VPN tunnel. However, if you have the VPN iOS apps, I don't see a reason to need to do that. Or am I missing something? Personally, I never connect to public WiFi. I use my iPhone Hot Spot to connect my iPad. So that is reasonably secure from snoops.


My rationale for a VPN router was to put everything in the house inside the tunnel. I am fine with the PIA apps. But I'll never get my wife to use them on her iPhone or iPad. If something isn't a single push button with a 1 character PW she hollers. Is there any other security reason to use a VPN router?


Nov 14, 2017 1:33 PM in response to DesertRatR

Is there any other security reason to use a VPN router?

Again, primarily if you want to remote into your local network securely. VPNs are the best "line of defense" against evildoers when using the Internet to pass critical personal data, like banking or health records/transactions.


The only other would be if you run a business and you want a secure "site-to-site" VPN connection, you would typically employ a VPN endpoint at each end of the connection.


If you don't have a need to access your home network while you're away on vacation or business, then a VPN router will not really offer you much. Many router manufacturers offer VPN functionality, but it is normally not enabled by default.


As you know PIA's VPN clients run on many different platforms and can be configured to run at startup in almost all cases. Since PIA does not collect or sell your Internet traffic, they are a pretty safe bet that your critical data will be secure without a lot of hassle ... sort of "set and forget."


Your local network is another matter, especially if you have Wi-Fi. There the #1 security method is to use WPA2-level encryption and change the password every 30-60 days.


Nov 14, 2017 2:56 PM in response to DesertRatR

My rationale for a VPN router was to put everything in the house inside the tunnel.

That is still a valid reason to use a VPN router. And depending on what your internet speeds are like, remember this actually uses a lot of CPU cycles. You can expect about 20 Mbps out of a 750 MHz processor.. far less than its capacity without VPN. So my recommendation is look at something like Asus, RT-AC68U and above.. which has OpenVPN client and server built in, although the processor is only dual core 800 MHz.. unless you search around some later ones have 1 GHz. But don't skimp.. you will regret it.


Nov 14, 2017 3:52 PM in response to DesertRatR

As long as you realise nothing in your local network can communicate with each other as long as the vpn is in place.. that means .. no printers .. no airplay.. no file sharing.

The advantage of using a single point vpn client is that your local network will continue to behave like a normal network..

And the Asus can manage split tunnels if you run it on Merlin firmware.. that means it skips using vpn when you don't need it.


Nov 15, 2017 8:38 AM in response to DesertRatR

So now I am thinking about adding a VPN router as a learning experience. Everyone needs a hobby, as they say. After doing a little reading, including the comments in this thread, I am concerned about the ability of VPN routers to handle the data processing required for speed. Does the Cisco RV180 have the processor power to not slow the throughput? Price-wise it is at the upper end of what I am willing to spend on a hobby. It appears that consumer level routers might lack the processing power to handle the load. No gamers in this house, but my wife has expectations. So if I need to spend significant money to not throttle significantly then this is a no-go.
