Any Edgerouter X users with VPN?

  • Updated 6 months ago
I recently replaced my old router with a Ubiquiti Edgerouter X. The Edgerouter is fantastic, highly recommended, by the way. Since it has VPN capabilities I decided to see if I could also eliminate my existing VPN solution, a Raspberry Pi running Softether, and just use the Edgerouter X. (Hang in there, there is a Flex tie-in here...)

Well, the VPN on the Edgerouter (L2TP/IPsec) works fine for most things, but it won't work with SmartSDR because broadcast packets are not relayed across the VPN tunnel, and SmartSDR uses broadcast discovery to find any radios on the LAN. I'm not sure why Softether works and the Edgerouter doesn't, but I assume it has to do with the hardware - the Edgerouter has a WAN and LAN port and broadcast packets aren't relayed across, whereas the RasPi VPN works over a single Ethernet port. I freely admit that I am far from being a VPN expert, so the problem may lie there. From my reading I have determined that a number of VPN solutions do not relay broadcast traffic, while some do. There are even some old messages here in the Community discussing this, but nothing about the Edgerouter.

Does anyone have an Edgerouter product working with SmartSDR over VPN? For now I have reverted to the Softether solution, but it would be nice to eliminate another box to maintain.

Yes, I have scoured the knowledge base at Ubiquiti, maker of the Edgerouter, and so far have come up empty. I've asked on their forum but nothing yet...

73,
Doug K4DSP

Doug Hall

Posted 6 months ago


Michael Walker, Employee

Hi Doug

I think you will find that the Edgerouter does not set up its VPN client on the same subnet as the radio. This is something that SoftEther does.

Most VPNs have their VPN client on a different subnet.

Mike

Doug Hall

Mike,

At least in my setup the radio and my VPN client are on the same subnet.

Perhaps I am showing my ignorance here, but isn't that the whole purpose of a VPN? All the IP traffic thinks it's on the same subnet.

73,
Doug K4DSP

Michael Walker, Employee

I'm not the best at this, and I hack away until it works. Ham radio style :).

Maybe the VPN is not relaying layer 2 packets across the VPN. Just a thought. That is where I would look next. Look for something that says Layer 3 or L3 limitations.

Mike

Mark Thomas

The iOS (iPhone/iPad) client works great over non-broadcast-forwarding (separate subnet) VPN and LAN configurations. But Maestro and SmartSDR deliberately do not support connecting to a radio in another subnet (by specified IP address), unless you provide a mechanism to forward or fake the radio broadcast discovery packets to trick SmartSDR into figuring out the base radio IP address. I do this with a pair of Raspberry Pis, but it makes for an extremely clunky remote portable end, which is counterproductive being as one of the main obvious benefits of SmartSDR and Maestro is portability! SmartLink is an alternative, but for those of us who are already using VPNs or multi-subnet LANs in our environment, SmartLink is not always desirable or even a functional alternative.

Myself and others here bring this up from time to time because we feel this is an unnecessary and downright frustrating limitation to an otherwise spectacular product. It is a thorn in my side. See further discussion here: https://community.flexradio.com/flexradio/topics/radios-in-other-subnets-why-cant-smartsdr-for-windows-maestro-be-used-without-auto-discovery

-Mark Thomas KC3DRE

Doug Hall

Thanks for the input, Mark. I share your frustration over not being able to connect to the radio by IP. Flex cites security reasons. I'm not a network security expert, so I don't feel qualified to challenge their reasons, but I would like the opportunity to take responsibility for the security side of things as I do with my other equipment. The IP address could be specified on the command line (along with a passphrase perhaps) and this would make SmartSDR work with more VPN implementations.

In the Edgerouter I make the DHCP server assign a fixed IP address to the Flex based on its MAC address. So I know the IP address, but the Edgerouter VPN doesn't pass the broadcast discovery traffic, and the radio never shows up as available.

SmartLink is OK for what it is, but to fully remote my station I need to be able to switch between 4 antennas, rotate my beam, and turn the amplifier on and off at a minimum. Sometimes I remote into my hamshack PC for stuff like RTTY. All this is stuff I can do easily on my LAN, and by extension, over a VPN tunnel. So for me VPN is a given, and if I'm going to do that I really don't need SmartLink.

Softether works well, and that's what I'll continue to use unless I can figure out how to make the Edgerouter VPN work. I was just trying to simplify things.

73,
Doug K4DSP
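
The shack-side half of a discovery relay like the one Mark describes, as an added example that is not code from this thread or from FlexRadio: it forwards only datagrams whose source is the radio's DHCP-reserved address, so the tunnel carries the radio's discovery packets and no other LAN broadcast traffic. The addresses and UDP port 4992 are assumptions not given in the thread (confirm the port with a packet capture), and a peer relay on the remote end is assumed to rebroadcast what it receives.

```python
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayPolicy:
    radio_ip: str            # DHCP-reserved address of the radio (constructed value)
    port: int                # discovery UDP port (assumption, not from the thread)
    targets: tuple           # relay peers or VPN clients on the far side (constructed)
    max_len: int = 1500      # drop anything larger than one Ethernet-sized datagram


def decide(policy, src, payload):
    """Return the (ip, port) destinations for one datagram, or [] to drop it."""
    src_ip = ipaddress.ip_address(src[0])
    if src_ip != ipaddress.ip_address(policy.radio_ip):
        return []            # not the radio: never relay other hosts' broadcasts
    if not payload or len(payload) > policy.max_len:
        return []            # empty or oversized: not a plausible discovery packet
    return [(t, policy.port) for t in policy.targets]


def relay_once(policy, recv, send):
    """Read one datagram via recv(), forward it via send(); return copies sent."""
    payload, src = recv()
    dests = decide(policy, src, payload)
    for dest in dests:
        send(payload, dest)
    return len(dests)


def main():
    policy = RelayPolicy(radio_ip="192.168.1.50", port=4992, targets=("10.8.0.2",))
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    rx.bind(("", policy.port))           # receives LAN broadcasts sent to this port
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)  # allows broadcast targets
    while True:
        relay_once(policy, lambda: rx.recvfrom(2048), tx.sendto)


if __name__ == "__main__":
    main()
```

Because the relay changes the IP source of the forwarded datagram, it only helps if the client reads the radio's address from the packet contents, which the thread does not confirm.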

Jim Gilliam

The Asus line supports TAP on OpenVPN that puts the client on the same subnet as the Flex radio. I have Asus routers (RT-AC88U) at both the server and client site. I get better throughput than on Smartlink.


Jim, K6QE

Doug Hall

Thanks, Jim. OpenVPN is an option on the Edgerouter. That's something to investigate.

I, too, find that I get a better remote experience if I use VPN. Lower latency, and the added benefit of being able to operate my antenna switch, rotator, and amplifier, all of which are LAN-connected.

73,
Doug K4DSP

Mark Thomas

Operating a VPN server and client for remote access to radios and other devices at the shack is a different setup than using third party VPN providers to access Internet content anonymously, although both share the same underlying technical mechanism.

Ordinarily, it is a beneficial feature of VPN software not to pass broadcast traffic, but in the case of Flex radio base discovery, it is necessary for SmartSDR and Maestro use, since they do not have the option of designating the base radio IP address to connect to. The iOS iPhone/iPad software does have this useful option, which is in fact necessary for most iOS built-in VPN options.

-Mark Thomas KC3DRE