
Forum Discussion

Jan 11, 2022

BR200 and OpenVpn questions/considerations

BR500/BR200 OpenVPN Client access limitations and considerations - follow-up to the closed thread from April 2021 (Maufus/Schumaku)

What I understood so far:

1. BR500/200 will have no further development / firmware upgrades. BR200 is a stripped one already, so I had to change from Insight VPN to IPSec VPN with dedicated policies per VLAN. OpenVPN works, but with several limitations.

 

2. Configuration options Windows TAP (for different groups of clients and authorizations): 
The client.ovpn TAP mode has just a DNS entry and port, and refers to certificates and the Windows TAP adapter, all of which is fixed by Netgear.

The NETGEAR-VPN TAP adapter has a properties view where I have specified 192.168.1.200+ (above the DHCP range) addresses for different PCs, all manually defined. They don't get an immediate IP by DHCP, which may be a smartphone hotspot latency problem.

My understanding is that remote clients only stay in the router's management VLAN, so they can see all router, NAS, etc. web GUI pages (don't know the PW though, but I don't like it in general). Is it impossible to switch some of the remote clients into a 192.168.10.0 VLAN segment?

 

3. Configuration options Smartphones TUN

There seem to be even fewer configuration options; it takes the next network segment, which in this example is 192.168.2.0. This should be kept free from other IPSec segments to avoid conflicts.

At least this should be working better than the ReadyNAS app, where we can't see our home folders and no one has taken care of it for the last two years.

 

4. What would be the alternative?

Setting up a Windows Server 2019 with Remote Access service, AD and RADIUS service?

It is another device that runs 24/7 and needs knowledge, administration, updates...

I'm considering whether that's worth the effort. On the other hand, I don't see a new business-class VPN router successor announced by Netgear. They concentrate more on Orbi etc.

What would you think?

3 Replies

  • schumaku
    Guru - Experienced User

    ThomasNanninga wrote:

    2. Configuration options Windows TAP (for different groups of clients and authorizations): 

    The client.ovpn TAP mode has just a DNS entry, port and refers to certificates and Windows TAP adapter which is all fixed by Netgear.

    In my understanding, there is just one certificate and no control to allow the configuration of different access groups and multiple users. Note: This is not an OpenVPN limitation; this is how all these simple OpenVPN things are implemented, mainly for a single user to call back home (this is not limited to these routers; it is the same on the popular other NAS vendor implementations).

     


    ThomasNanninga wrote:

    The NETGEAR-VPN TAP adapter has a properties view where I have specified 192.168.1.200+ (above DHCP range) addresses to different PCs, all manually defined. They don't get an immediate IP by DHCP which may be a Smartphone hotspot latency problem.

    When you have OpenVPN client devices establishing an OpenVPN connection to the "home" network from random locations, open WiFi, mobile routers and modems: why on earth do you stick to this default LAN IP range, which about half of the networks out there are using? Predictable nightmare ...

     


    ThomasNanninga wrote:

    My understanding is that remote clients only stay in the router's management VLAN, so they can see all router, NAS, etc web gui pages (don't know the PW though but don't like it in general).

    Again, this is how the OpenVPN "server" part is implemented here. Not really an OpenVPN limitation.

     


    ThomasNanninga wrote:

    To switch some of the remote clients into a 192.168.10.0 VLAN segment is impossible?

    Technically anything is possible; however, it requires design, implementation, user interface, and much more. With what is in place: no way.

     


    ThomasNanninga wrote:

    3. Configuration options Smartphones TUN

    There seem to be even less configuration options, it takes the next network segment win this example 192.168.2.0. This should be free from other IPSec segments to avoid conflicts.

    Completely wrong assumption. Also the commercial OpenVPN Access Server makes use of an intermediate transport network for the TUN devices. The subnet must be unique (in the complete data path, and on all devices of course); however, that subnet is never visible except on the OpenVPN connection "hop". All these IP subnet addresses from your TUN VPN clients are many-to-one NATed to the router primary LAN IP. These IP addresses never become visible to your local network.

     

    Borrowed from the OpenVPN Server docs:

     

    ===
    By default OpenVPN Access Server works with Layer 3 routing mode. In this mode a private subnet is configured for the VPN client subnet. This private subnet must be different from other subnets used in your networks, and clients automatically get IP addresses assigned from this subnet when they log on. This is automated. Usually it goes in a sequential order until it reaches the end of the portion of the subnet available to the OpenVPN daemon you get connected to, and then it starts reusing older addresses. This acts a little bit like DHCP but technically we don't run a DHCP server in Access Server, just a sort of rough emulation to assign addresses automatically. The subnet that users get addresses from automatically is found in the Admin UI under VPN Settings, Dynamic IP Address Network.

    ===

     


    ThomasNanninga wrote:

    At least this should be working better that the Readynas app where we can't see our homefolders and no-one takes care for the last two years.

    ReadyNAS App? Probably talking of the ReadyCLOUD App? The trouble is that the "home" share server path is dynamic and depends on the (single) authentication by username and password, specifically the username. What is relatively "simple" on a LAN and pure SAMBA must be rebuilt and designed for all other access vectors. No idea how far Netgear has implemented the home folders beyond pure SAMBA, probably FTP, (yeah, historical AFP), and the WebUI.

     


    ThomasNanninga wrote:

    4. What would be the alternative?

    A complete commercial OpenVPN Access Server, or a fully and freely configurable OpenVPN on a generic Linux system, could do what you want, for example. In the end it depends on whether you already have some centralized account and group management, like a Microsoft directory or some LDAP, just to name a few.

     

    Except that there is some plan for a Netgear DualWAN device, I have no idea what is going on and what implementation depth can be expected. Unless they build on a capable open source or commercial business router platform ... it will be difficult to regain the business router market.

     

    Regards

    -Kurt

    • Thanks for sharing thoughts.

      >>ReadyNAS App? Probably talking of the ReadyCLOUD App<< Yes, of course ReadyCloud

      Understood that all this is not an OpenVPN limitation but a rather simple implementation for the routers. 

       

      >>By default OpenVPN Access Server works with Layer 3 routing mode. In this mode a private subnet is configured for the VPN client subnet. This private subnet must be different from other subnets used in your networks, and clients automatically get IP addresses assigned from this subnet when they log on. This is automated. Usually it goes in a sequential order until it reaches the end of the portion of the subnet available<<

       

      Let me understand this clearly: 

      In my example I have the router's 192.168.1.0 basic segment, which means that OpenVPN TUN (for smartphones) will use 192.168.2.0 addresses. Therefore, I need to keep it free from other addresses?

      In the TAP adapter I can define static IPs from the basic x.1.0 segment but not from any other "Guest VLAN" x.20.0? Not at all, or not the easy way but with additional configuration?

       

      >>At the end it depends if you already have some centralized acount and group management - like an Microsoft Directory, like some LDAP, just to name a few.<<

      There is no Linux knowledge around here, so I need to rely on MS. Today everything is decentralized, which is not a problem due to the small number of users. However, an idea would be to link an MS server into the Netgear environment for

      - Running a centralized Active Directory for both NAS

      - Connecting switches and antennas to a RADIUS server for WPA-Enterprise, which means that people can forward the WLAN PW as they like but I keep access control.

      - Setting up a centralized phone book for the VoIP phones.

      - Last but not least, setting up an MS Remote Access service instead of BR500 OpenVPN, so people would not be able to call all web GUIs any more

      Does that sound reasonable?
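To illustrate the two addressing points discussed in this thread (the TUN transport subnet having to be unique along the whole data path, and a TAP client bridged into 192.168.1.0 colliding with a remote hotspot that uses the same range), here is a small checker written for this thread; it is not code from the thread, from NETGEAR or from OpenVPN. The subnet names, the remote LAN value and the pool emulation are constructed assumptions modelled on the quoted Access Server description.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

# Constructed sample topology using the thread's own numbers (assumption).
HOME_LANS = {
    "management VLAN": IPv4Network("192.168.1.0/24"),
    "guest VLAN": IPv4Network("192.168.10.0/24"),
}
TUN_POOL = IPv4Network("192.168.2.0/24")  # transport net for the TUN clients

def find_overlaps(candidate: IPv4Network, others: Dict[str, IPv4Network]) -> List[str]:
    """Names of the subnets in `others` that overlap `candidate`."""
    return sorted(name for name, net in others.items() if candidate.overlaps(net))

def tun_pool_conflicts() -> List[str]:
    """The TUN pool must be unique along the data path; any hit is a misconfiguration."""
    return find_overlaps(TUN_POOL, HOME_LANS)

def tap_remote_conflicts(remote_lan: str) -> List[str]:
    """A TAP client is bridged straight into the management VLAN, so a hotspot or
    hotel LAN using the same range collides with it (the 'predictable nightmare')."""
    return find_overlaps(IPv4Network(remote_lan), {"management VLAN": HOME_LANS["management VLAN"]})

class TunPool:
    """Assumed rough emulation of the 'Dynamic IP Address Network' quoted above:
    addresses are handed out in order without DHCP, and once the pool wraps
    around the older leases are reused."""

    def __init__(self, net: IPv4Network) -> None:
        self.addrs = list(net.hosts())[1:]  # first host assumed taken by the VPN hop
        self.counter = 0
        self.leases: Dict[str, IPv4Address] = {}

    def assign(self, client: str) -> IPv4Address:
        if client in self.leases:
            return self.leases[client]
        addr = self.addrs[self.counter % len(self.addrs)]
        self.counter += 1
        for stale in [c for c, a in self.leases.items() if a == addr]:
            del self.leases[stale]  # wrap-around: the older lease is dropped
        self.leases[client] = addr
        return addr

if __name__ == "__main__":
    print("TUN pool overlaps home LANs:", tun_pool_conflicts())
    print("TAP client on a 192.168.1.0/24 hotspot:", tap_remote_conflicts("192.168.1.0/24"))
    pool = TunPool(IPv4Network("192.168.2.0/29"))  # tiny pool to show the wrap-around
    for phone in ["a", "b", "c", "d", "e", "f"]:
        print(phone, pool.assign(phone))
```

Feeding the /29 pool six clients shows the sixth one taking the first client's address again, which is the reuse behaviour the quoted docs describe and the reason a stale-lease client can silently lose its tunnel address.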
