Best Practices for a Private Smart Home

Shelly devices are superb (and even better when flashed with ESPHome). The steps you describe (learning about mDNS, VLAN setup, simplified protocols) make sense for highly technical people. Unfortunately, for 99% of family/friends (at least mine :wink:), that is out of reach.

1 Like

This sounds complex from an outside perspective. Do you have any guidance on how one might accomplish this?

Yes - this will take a lot of work and patience, and a lot of phone calls and research. My setup pools 10 client VPN tunnels from two service providers (5 from each). I cannot share more specific detailed information, as then I would be risking my own cybersecurity…

  1. Sign up with two VPN service providers (read the prerequisites below first).
  2. Set up 5 client VPN tunnels in your router for each service provider, using servers in the countries/cities of your choice for each.
  3. Create a group of devices in your router (those devices in your network that you want to use the VPNs for internet access).
  4. Create a routing policy for that group of devices to connect to a group of all of those VPN tunnels. Once this is set up, it is so cool to see it working: if you go to “whatismyip.com” or “whoer.net” in a web browser (both of which will show which city you are in), almost every time you refresh the browser it shows a different city (one of the 10 cities in my case :slight_smile:)*

Some homework you need to do first - prerequisites:
A. Find a router that can do this: either TP-Link (‘Omada’ series) or UniFi (there may be others).
B. Find two VPN service providers that are not headquartered in any nine-eyes country, and list the cities they offer that are not in any nine-eyes countries first, and then eliminate the cities from those lists which are in countries that are dictatorships or have a reputation for corruption and limited freedoms.
C. Make sure the VPN service providers offer client VPN tunnels that will work with the router in “A” (meaning, the correct protocol that can also be used in a routing policy, such as L2TP/IPsec, etc.).

*Such VPN connections are notorious for not having 100% stable connectivity, so another hassle is that if you use one tunnel all the time for your regular computer use, you may lose internet connectivity from time to time. However, if you pool 10 of them together, it’s then almost impossible to ever lose your internet connection!

Hope that helps…

1 Like
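The procedure above is given in terms of the Omada GUI. As an added example that is not part of the original post, here is the same idea on a Linux router (roughly what OPNsense/pfSense do underneath) with nftables and iproute2: addresses of the device group are marked in the prerouting hook, the mark selects a dedicated routing table that holds one multipath default route across all tunnel interfaces, traffic from the group is source-NATed onto whichever tunnel it leaves by, and anything from the group that would still leave via the WAN is dropped as a kill switch. The interface names (tun0..tun4, eth0), the 192.168.0.0/24 LAN, the device addresses and the table/mark numbers are all assumptions; the script only prints the commands unless run with APPLY=1 as root.

```shell
#!/bin/sh
# Added example (not from the thread): policy-based routing of a device group
# across a pool of VPN tunnels on a Linux router with nftables + iproute2.
# Assumptions (hypothetical, adjust to your network):
#   - tunnel interfaces tun0..tun4 already exist (point-to-point, e.g. OpenVPN/WireGuard)
#   - the LAN is 192.168.0.0/24 and the WAN interface is eth0
#   - the device group is the set of LAN addresses in VPN_GROUP
# Without APPLY=1 the commands are only printed; APPLY=1 executes them (needs root).

TUNNELS="tun0 tun1 tun2 tun3 tun4"
VPN_GROUP="192.168.0.50, 192.168.0.51, 192.168.0.60"
WAN_IF="eth0"
FWMARK="0x10"
TABLE="100"

# One multipath default route in a dedicated table, weight 1 per tunnel. The
# kernel hashes each flow onto one nexthop, so a new connection may leave via a
# different tunnel while one TCP session stays on a single tunnel.
build_multipath_route() {
    cmd="ip route replace default table $TABLE"
    for t in "$@"; do
        cmd="$cmd nexthop dev $t weight 1"
    done
    printf '%s\n' "$cmd"
}

# Policy rule: marked packets consult the VPN table before the main table.
# If the VPN table has no route (all tunnels down) lookup falls through to main,
# which is why the kill switch below is needed.
build_policy_rule() {
    printf 'ip rule add fwmark %s lookup %s\n' "$FWMARK" "$TABLE"
}

# Default multipath hashing is L3 only (same client + same site = same tunnel).
# L4 hashing (policy 1) also includes ports, so each refresh can pick a new tunnel.
build_hash_policy() {
    printf 'sysctl -w net.ipv4.fib_multipath_hash_policy=1\n'
}

# nftables ruleset: mark the group, NAT onto the tunnels, drop group traffic
# that would leave via the WAN directly.
build_nft_ruleset() {
    cat <<EOF
table inet vpnpool {
    set vpn_group {
        type ipv4_addr
        elements = { $VPN_GROUP }
    }
    chain mark_vpn {
        type filter hook prerouting priority mangle; policy accept;
        ip saddr @vpn_group meta mark set $FWMARK
    }
    chain tunnel_nat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "tun*" masquerade
    }
    chain killswitch {
        type filter hook forward priority filter; policy accept;
        ip saddr @vpn_group oifname "$WAN_IF" drop
    }
}
EOF
}

# Adding or removing a device from the pool at runtime needs no reload and no
# VLAN change: only the set membership changes.
build_group_update() {
    # $1 = add|delete, $2 = IPv4 address
    printf 'nft %s element inet vpnpool vpn_group { %s }\n' "$1" "$2"
}

main() {
    # shellcheck disable=SC2086  (word splitting of TUNNELS is intended)
    route_cmd=$(build_multipath_route $TUNNELS)
    if [ "${APPLY:-0}" = "1" ]; then
        build_nft_ruleset | nft -f -
        sh -c "$(build_hash_policy)"
        sh -c "$(build_policy_rule)"
        sh -c "$route_cmd"
    else
        echo "# nftables ruleset (feed to: nft -f -):"
        build_nft_ruleset
        echo "# iproute2 / sysctl commands:"
        build_hash_policy
        build_policy_rule
        echo "$route_cmd"
        echo "# example runtime change:"
        build_group_update add 192.168.0.70
    fi
}

main
```

Two practical caveats: DNS from the group must also be answered over the tunnels (point the group at a resolver that is itself in the group, or at the provider's resolver), otherwise the exit city changes but the resolver location gives away the real one; and `ip route replace` does not remove a nexthop whose tunnel process has died but whose interface is still up, so a watchdog that rebuilds the route from the tunnels that actually pass traffic is worth adding.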

Thanks, this is helpful.

The routing policy is where I’ll have to work the hardest. I’ve experimented/used most of the other parts you speak of.

For the policy, do you explicitly tell it to rotate through the various tunnels, or is that a consequence of giving it multiple options and it occurs somewhat “randomly”?

Any reason this couldn’t be accomplished using OPNsense as the router?

I think I reached the limit of sophistication with my router; they are just grouped. My guess is that it is the first one that replies to a request?

I don’t know that much about OPNsense.

Also I’ve noticed that a lot of VPN service providers do not offer L2TP/IPsec routing but instead prefer OpenVPN, which is evidently newer, more secure and faster. However, my router manufacturer tells me that the only way I can use OpenVPN is to set it up for a specific VLAN, not by device. Therefore the idea of policy routing and being able to add or remove devices from the VPN connection on the fly is not possible; the devices would need to be switched from one VLAN to another. From what the Omada engineers told me, the OpenVPN connection is established on the server (VPN service provider) end, so changes to it cannot be controlled from the client (local network) end. That evidently makes routing policy updates impossible on the client end. I am not sure about the other protocols, so I am stuck with L2TP/IPsec. PPTP is available, but that is weaker and its encryption is easy to break.

One weird thing about Omada is that they insist, for each L2TP/IPsec VPN setup, that you enter (these are their instructions): “Remote Subnets: Enter the IP address and subnet mask to specify the remote network. It’s always the IP address range of LAN on the remote peer of the VPN tunnel.” (the format of course being ###.###.###.###/##). Most VPN service providers do not give this information out unless you ask for it. Also, since all of the VPN service providers typically set up their servers in the same manner no matter what city they are in (wouldn’t you?), this information is the same for every server. Omada’s bug is that for all VPN connections of this sort they assume that the internal IP address range is unique across all of the VPN tunnels, so the pooled connections do not work. This is a bug they are fixing in their next release, and they have given me a custom firmware build with the bug fixed, so it works fine.

My VPN service providers, and I think most, also offer straight IPsec connections. I also tried setting some of those up, but when mixed with L2TP/IPsec connections up and running at the same time, the whole thing blows up and doesn’t work. I haven’t tried it with all VPN tunnels just being straight IPsec though. Supposedly you can, as mentioned before, also have OpenVPN tunnels at the same time as long as they are each on a separate dedicated VLAN. Also, the hassle with only one connection for the outgoing internet access is that it is a single point of failure, so your internet connection isn’t as reliable.

Another thing I like about OpenVPN: with the certificate configuration you can actually specify for certain URLs to NOT use the VPN connection. I thought that would be very handy when, say, you are on a VPN and try to access a web site that expects you to be where you say you are and not be on a VPN, such as the IRS or some banks, etc. Then you would have the best of both worlds: always be on a VPN, but not when you can’t be, automatically.

Previously I would get around this by changing the routing policy on the router for my PC and then running a script with “ipconfig /renew”, but that is very time consuming. Currently I get around that by running a script on my PC (desktop shortcut) to change my internal IP address to one that my router does not assign to the PC, so I am going to the internet NOT through a VPN. Then, I can just run the same again to switch back to the correct assigned IP address (this only works when my PC is set with a manual, not automatically assigned, IP address, and you cannot easily run the script directly; you have to make a shortcut to it and in that shortcut specify “run as administrator”). There may be better ways of doing things, but this works for me:

@echo off
setlocal

rem Name of the adapter whose address is toggled (list names with: netsh interface show interface)
set "adapter=Ethernet 2"

rem Two static addresses in the LAN: one that the router's routing policy sends
rem through the VPN pool, and one it does not
set "ip_vpn=192.168.0.<ip in routing policy>"
set "ip_novpn=192.168.0.<ip not in routing policy>"

rem Subnet mask and default gateway (the router)
set "subnet_mask=255.255.255.0"
set "gateway=192.168.0.1"

rem Read the current IPv4 address of that adapter only. A plain "ipconfig" matches
rem every adapter and would leave whichever address came last, which may not be this one.
set "current_ip="
for /f "tokens=2 delims=:" %%a in ('netsh interface ip show address "%adapter%" ^| find "IP Address"') do (
    set "current_ip=%%a"
)
rem netsh pads the value with spaces after the colon; strip them so the compare below is exact
set "current_ip=%current_ip: =%"

echo Current IP: %current_ip% - changing...

rem Switch to whichever address is not active now (quoted so an empty value cannot break the compare)
if "%current_ip%"=="%ip_vpn%" (
    netsh interface ip set address name="%adapter%" static %ip_novpn% %subnet_mask% %gateway%
    echo IP address is now %ip_novpn% - not on any VPN.
    echo To get back on a VPN, rerun this script.
) else (
    netsh interface ip set address name="%adapter%" static %ip_vpn% %subnet_mask% %gateway%
    echo IP address is now %ip_vpn% - back on VPNs.
    echo To get back off all VPNs, rerun this script.
)
pause

I think I won’t be able to take this journey much further, and I have to admit it was very painful and takes endless patience and painstaking troubleshooting (actually about 2 years of tweaking on and off). What a hassle. People may think, why did this guy do this, “get a life”!?

One day I learned that someone had tried to steal my identity (evidently someone tried to claim for unemployment benefits under my SS# while I was actually employed). Ever since I have been extremely hyper about doing whatever it takes to (try to) stay protected…

1 Like