Set a 'secret' VPN with your second residence using OpenVPN and a cheap TPlink TL-WR703N

This hood is also a wifi
OpenVPN server !

Sometimes you want to connect with a remote NAS or backup service or simply want all your Internet trafic to come from another location.

If you have a second residence with a broadband Internet access, chances are that your Internet provider will supply a preconfigured (and basic) router that fits most people's needs. This router will unfortunately not let you add a VPN server on it ... (even if it were allowed by the ISP terms and conditions) because they are not going to pay for functionalities 99.9% of the population doesn't know and care about.

This post will summarise what you need to have and configure to get you on your way. As well as the best place I found to hide it (tip: it's in the kitchen... ;-):

My TPlink TL-WR703N

Install OpenWRT on your WR703N

I won't go through all the details here, since this post covers it perfectly.

Add extroot using a USB stick (optional)

Although this step is optional, it will give you much more storage than the 4mb available on the TL-WR703N and I therefore strongly recommend it.

Here as well all the details can be found here.

Add a serial console (optional)

Although this is also optional, I strongly recommend doing this as it will be much easier to solve a network misconfiguration problem if something goes wrong.

Adding the serial port to the WR703N

I wrote a post on this a couple of months ago. You can find all the details here.

Configure your routers to work together

This is a step that involves configuring your TL-WR703N as client of the wifi of your other router. It can be done using the Luci web interface (remember to connect to your TL-WR703N through the cable then) and involves setting a fixed IP (that is out of the normal range used by the DHCP server of your main router) and entering the credentials of your wifi:

/etc/config/network should contain the following

config interface 'wan'

        option ifname 'wlan0'

        option proto 'static'

        option ipaddr '192.168.1.254'  # THIS IS THE IP OF THE WR703N

        option netmask '255.255.255.0'  

        option gateway '192.168.1.1'   # THIS IS THE IP OF THE ROUTER

        option dns '192.168.1.1'       # THIS IS THE IP OF THE ROUTER

/etc/config/wireless should contain the following

config wifi-iface

        option device 'radio0'

        option mode 'sta'

        option ssid 'your_wifi_ssid'

        option encryption 'psk'

        option key 'your_wifi_password'

        option network 'wan'

Add port forwarding on your main router (the one with internet access)

Lots of Internet Service Providers block lower ports and I therefore prefer avoiding using default ports for the services I'm using. It also has the advantage to protect you a little better against hackers. 

I'm using the port 5022 for SSH and 5194 for OpenVPN (this is what I'm forwarding in my router's configuration).

Install and configure OpenVPN

I personally started with a bridged OpenVPN configuration (that's the one with the TAP network interface) as they are easier to configure but got some problems when trying to bridge OpenVPN with the wifi interface of the WR703N and therefore switched to a routed solution (TUN interface).

The other advantage of routed OpenVPN is that you do not lose connectivity on your (only) network interface when something goes wrong and can still use SSH to reconfigure it.

Installation details can be found here.

Note: things to remember when configuring OpenVPN:

• The OpenVPN port (in my case 5194 insted of 1194
• The interface you want to route your packets to (and from): wan instead of lan (in this case)

Install a dynamic DNS service

The best value for a domain name service provider I found was OVH (at least in Europe). The good thing is that they provide a dynamic DNS service called Dynhost and you have it for free if you purchased a domain name through them.

The installation is straightforward and covered here.

Install a watchdog 

If you install this device in a remote location with very limited (physical) access, you will want to make sure it automatically reboots if it loses connectivity... (there's apparently a bug that can crash the wifi sometimes on the TL-WR703n).

The procedure described here is pretty straightforward.

Test your configuration

Connect from somewhere else, either through 3g, a hotspot or whatever... but make sure it works before continuing.

Hide it !

Let's imagine you're going to your second residence only once a year, rent the house (with the Internet) the rest of the time and don't want to leave your OpenVPN server somewhere accessible such as next to the Internet router: you need to find a good place to hide it (with electricity):

The best place I found to hide my
OpenVPN acces point

You're right. My first choice is in the vent hood. There is plenty of room in under the casing, you always find an access to the mains and you should be in range of your wifi:

Plenty of room under the hood
... of the hood ;-)

What you'll need (to install it under the hood of the hood)

A female plug

An USB charger (this one is a modified
charger where I soldered a USB plug on it)

The 'secret' wifi OpenVPN server hidden in the hood