The QNAP Qhora-301W router is aimed at small and medium-sized businesses that need to segment their local networks with VLANs and need VPN services to connect remotely. Beyond its high-end hardware, such as several 10G Multigigabit ports, Dual-WAN and simultaneous dual-band Wi-Fi 6, it runs the QuRouter operating system, which allows us to configure VPN tunnels. Today at RedesZone we are going to show you how to establish a site-to-site VPN tunnel with OpenVPN on these routers.
Why make a VPN tunnel between two routers?
A VPN server is usually configured so that different clients can connect to the local home or company network. In this use case we can access local resources via VPN and reach the Internet through our own Internet connection. Alternatively, we can redirect all network traffic through the server so that it goes out to the Internet from there, tunneling all traffic from the source to the destination. This type of VPN architecture is called Roadwarrior.
The other scenario is called Site-to-Site: here we join two locations (either homes or companies) through a VPN. Depending on the configuration, you can access only local resources, or also redirect all traffic through the VPN. In the latter case, all WiFi or wired clients connected to the router go out to the Internet through the VPN server, since our router is connected in client mode.
In the following diagram you can see how a Site-to-Site can be configured (architecture on the left) and how the Roadwarrior can be configured (architecture on the right):
For example, if you want to bypass the current Netflix restrictions and share the same account, we can use two routers as VPN client and server to trick the shared account detection system. For this we need a configured VPN server that is accessible from the Internet, with a dynamic DNS configured so that the server can be located through a domain. The VPN client integrated in the other router connects to the server, and all Internet-bound traffic from its wired or WiFi clients travels through the tunnel to the server, exiting to the Internet with the same IP address.
The QNAP Qhora-301W router allows us to configure both the OpenVPN server and the OpenVPN client. WireGuard could be used if the router supported a WireGuard client; however, it currently supports this protocol only in server mode and not in client mode.
Configuration of the routers
In the example below we have used two QNAP Qhora-301W routers, one configured as a server and the other as a client. The most relevant configuration is as follows:
- Router that acts as a server.
  - This router must have a public IP, so that it is accessible through the Internet.
  - We need to configure the DDNS of the router.
  - The LAN can be 192.168.100.1, which is the one configured by default.
  - This is the device where we have to configure the OpenVPN server.
- Router acting as client.
  - This router does not necessarily need a public IP, although it normally has one. It can be behind CG-NAT and will still work properly when acting in client mode.
  - The LAN must be different from that of the destination; for example, we can use 192.168.200.1. This way there is no LAN conflict between the two locations.
Now that you know the overall architecture of the virtual private network we are going to set up, we proceed with the configuration of the server and then of the client.
Configuration of the router’s OpenVPN server
The first thing we must do is log in to the router with our credentials and make sure that the Internet connection is working and that the operator has given us a public IP address, so that the router is reachable from the Internet. We should also make sure that the LAN of this router is 192.168.100.1, as mentioned before.
Once these two things have been configured and verified, we create a DDNS in the router, so that we can access it remotely without needing to know the public IP. To do so, we need to log in with our QNAP ID and then choose a DDNS.
In the QuWAN section we log in with our QNAP account: the username is the registration email, followed by the access password. Once we click on “Apply”, we can choose the name of the device, which will be the DDNS name created automatically in myqnapcloud.com. Once chosen, click on “Apply”. When the changes have been applied, “QuWAN Configuration” shows several options, but we should not touch anything else here.
In the DDNS section we can activate the DDNS, and the myqnapcloud.com DDNS domain will automatically be synchronized with the public IP address obtained on the Internet WAN. Once done, it shows that everything is working correctly and indicates the result of the last DDNS update.
Now it’s time to configure the OpenVPN server in the “QVPN Servers” section. The first thing we must do is create a username and password for access. Once the user is created, we enable it; users can be enabled and disabled individually.
In the “QVPN Servers / QVPN Configuration” section, we go to the OpenVPN section and proceed to configure it. We click on “Settings” and configure it as follows:
- Client IP Group: 10.8.0.X
- Port: UDP, with the port number changed so that it is not the default.
- Encryption: high
- DNS: we can use the typical 8.8.8.8, which is the Google DNS.
Other options that we must activate are “Use this connection as default gateway for remote devices” and the one just below it. However, our advice is to deactivate the compressed VPN link, because it hardly improves performance and in the past there have been compression-related attacks.
Once configured, we enable the server; it should start without any type of error. Now we have to click on the “Download configuration” button.
The configuration is a file with the .ovpn extension. We save it wherever we want in order to upload it later to the other router; we can also use it ourselves to access the local home or office network.
We must open the downloaded file with a text editor such as Notepad and replace the IP address that appears in “remote IP 11943 udp” with the DDNS domain that we have registered on the server. For example, in our case it would be homenetflix1.myqnapcloud.com.
Now that we have the server configured, we proceed to configure the second router. Before doing so, however, our advice is to connect from a computer or PC on another network, to check that the server is working correctly and that it accepts connections.
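The profile edit described above, together with the earlier advice on the port and on compression, can be checked with a short script before the file is uploaded to the second router. This is an added example, not QNAP's or RedesZone's code: the sample profile is constructed, 203.0.113.10 is a documentation address, and harden_profile is a hypothetical helper name.

```python
import ipaddress

# Constructed sample of a downloaded profile (not a real QNAP export);
# 203.0.113.10 is a documentation address standing in for the WAN IP.
SAMPLE_OVPN = """\
client
dev tun
remote 203.0.113.10 11943 udp
auth-user-pass
comp-lzo
"""
COMPRESSION = {"comp-lzo", "compress"}  # OpenVPN compression directives
DEFAULT_PORT = "1194"                   # OpenVPN's default port


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def harden_profile(text, ddns_host):
    """Hypothetical helper: return (new_text, findings) for an .ovpn profile."""
    out, findings = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            out.append(line)  # blank line or comment: keep untouched
            continue
        if parts[0] == "remote" and len(parts) >= 2:
            if is_ip(parts[1]):  # literal IP breaks when the WAN address changes
                findings.append(f"remote {parts[1]} replaced with {ddns_host}")
                parts[1] = ddns_host
            if len(parts) >= 3 and parts[2] == DEFAULT_PORT:
                findings.append("remote uses the default port 1194")
            if len(parts) >= 4 and not parts[3].startswith("udp"):
                findings.append(f"remote uses {parts[3]}, expected UDP")
            line = " ".join(parts)
        elif parts[0] in COMPRESSION:
            # Only reported: the setting has to be switched off on the server.
            findings.append(f"compression directive present: {line.strip()}")
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    new_text, notes = harden_profile(SAMPLE_OVPN, "homenetflix1.myqnapcloud.com")
    print(new_text, *notes, sep="\n")
```

A compression finding means the “compressed VPN link” option is still enabled on the server; disable it there and download the profile again rather than editing the line by hand.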
Router OpenVPN Client Configuration
In this case, we verify that we have a working Internet connection. It does not matter whether we are behind CG-NAT or have a public IP; the latter is the most common, but you may have this Qhora-301W behind the operator’s router. We must also make sure that the LAN of this router is 192.168.200.1, so as not to have any conflict with the LAN of the first router.
Here we do not have to configure anything about the DDNS; we simply have to add the profile that we downloaded before. We go to the “QVPN Clients” section, click on the blue “Add profile” button and proceed to add it.
Now we choose the .ovpn file that we previously downloaded and modified, give the profile a name, and enter the username and password to authenticate correctly on the server.
Once the profile has been added, all we have to do is select it at the top and click on “Activate QVPN client service”. The client router will then start to connect to the server.
To check whether the connection has been established correctly, we can go to the “Logs” section on the client, and also on the server, where the incoming connection that has brought the VPN tunnel up will appear.
From this moment, all the network traffic of the second router is sent to the first one through the tunnel that we have configured. In this way, all the wired and wireless clients connect to the Internet through the public IP of the router that acts as a server.
As you can see, the configuration of the server and client is quite simple and intuitive. In about 10 minutes we will have everything perfectly configured to avoid Netflix blocks, to access the remote local network at any time, etc. We should state that the server will always be in “control”, as it can disable user credentials at any time, and also allows the client to be kicked off the server at any time.