Friday, July 28, 2017

VPNs - A Routing Warning

VPNs are great things.  They allow secure remote access to your resources, either for your home or your job.  At work the solution is simple to use because typically someone else sets it up for you.  But if you are that person that does the setup (either at home or if you're the "network person" at work), VPNs can be complex.  I'd like to cover a quick thing to watch out for targeted at small VPNs, especially since I talked about VPNs in a previous ZoneMinder article.

In a previous article, I talked about using OpenVPN as a VPN solution if your router doesn't serve VPN connections directly.  OpenVPN is great for small VPN rollouts.  Once you get to larger numbers of users, OpenVPNs viability becomes questionable and it may be best to go to a larger enterprise system.  In this post, I'm going to cover small VPN rollouts, with the target audience being the one "IT person" or "network person", or even the person who maintains the network at home.

A great way to rollout a small OpenVPN footprint is using PiVPN (  This is basically a pre-canned deployment for turning a Raspberry Pi into a VPN server.  This is fantastic for homes, and even small offices that have less then 10 people using the VPN.  For larger setups you'd want to use OpenVPN on more robust hardware.  No matter what hardware you run it on, successful deployment of a VPN server/endpoint requires some deeper considerations about how the existing network works in order to be successful.

A very small network (home or small office) typically is one big flat network, consisting of one router/firewall between the network and the Internet.  Many times device even acts as the wireless access point for the network.  Going a step deeper, by "one big flat network" I also mean one IP subnet.  For example,, which is more properly referred to as the subnet (for this example).

A VPN solution (typically one that does not run on the router itself) usually creates a new subnet for the remote users.  As an example, my desktop at home may have the address of, but when I connect with the VPN from my phone it may be assigned the address of .  It's the VPN server's and the router's job to make these two different networks talk to each other.  Without going too deep, something on the network cannot talk to anything on the network without a router and without the other devices knowing how to get to get to it.

In our OpenVPN example, the OpenVPN server is a router between and the network that it creates for the VPN users.  However, the network needs to know about the network in order to return traffic back to the VPN clients.  The simplest way to do that is to create a static route in the "main router" on your network.  The static route tells the router that the can be accessed by a certain host, which would be the address of the OpenVPN server.  Once that route is in place, when a device on the network tries to reply to a VPN client, it will send the traffic to the main router, which will send the traffic to the OpenVPN server for processing.

While that solution may work, it's not ideal.  It creates something called asymmetric routing.  Here's what will happen step by step with that setup when something on the VPN tries to connect to something on the LAN:

  1. Remote device (on VPN, addressed as wants to connect to ZoneMinder (at
  2. Remote device sends the connection request to it's default gateway (OpenVPN Server, which has addresses of and
  3. The OpenVPN server sits on the network, so it sends the connection request directly to the ZoneMinder server.
  4. The ZoneMinder server gets the request, processes it, and sends the reply message.  Since the ZoneMinder server is on the network and doesn't know anything about the network, it sends the reply message to it's default gateway, the "main router" at
  5. The main router gets the reply message and needs to figure out where to send it.  It looks in it's routing table and sees that is behind the OpenVPN server at, so it sends the reply message to the OpenVPN server to handle.
  6. The OpenVPN server gets the reply message.  It sees it's addressed to a client at, which is connected to it via VPN, so it sends the reply message back to the client.

You can see the path that the initial request took is different then the path the reply message took.  This is bad for several reasons.
  1. It's inefficient.
  2. It's often not predictable, which can cause performance issues in the network design.
  3. Firewalls don't like it.  Asymmetric routing looks suspicious, like someone is hijacking the traffic.  So firewalls often either block the traffic or perform deeper inspection on it.  This slows down the traffic, or causes it to stop all together.
The reason this is asymmetric is because the OpenVPN server can get to the LAN devices, but the LAN devices cannot get directly back to the VPN clients.

This is fixable.  You can do one of several different things to make the connections more efficient and run smoothly:
  • You could of course ignore the problem, and put up with any performance problems it causes.
  • If you only have a few select devices that you'd ever connect to using the VPN (ie, the only reason you setup a VPN was to connect to ZoneMinder), you could create static routes on each of those devices to point it to the network via the OpenVPN server directly, instead of going back to the main router.
  • If you have many devices you'd connect to over the VPN, or want something more centrally controlled, you can create a new subnet off of your main router if it has the ability to.  You would move the LAN side of the OpenVPN server to this subnet.  For example, if your router has a "LAN2" port, you could create a network for that port of, and put the OpenVPN server in that network instead of  What this does is remove all other devices from being local to OpenVPN, and forces all traffic through that main router.  This method also allows you to put additional protections on your LAN devices since you can implement firewall rules to block some of the LAN devices from being accessed via the VPN
As with all things in IT, there's the "quick and dirty" way, and there's the "right and efficient" way.  Often times quick and dirty is good enough for homes, and sometimes it's good enough for small businesses.  But with a little extra effort and planning, a home or small business network can run as good as the big enterprises.


  1. Virtual Private Network is a method used to add security and privacy to private and public networks, like WiFi Hotspots and the Internet. If you are looking for Network Solutions Baton Rouge, visit

  2. I admire this article for the well-research content and excellent wording which is on IT. I got so involved in this material and I am impressed with your work and skills. Thank you so much for your excellent description. Oracle service Oman

  3. This comment has been removed by the author.

  4. Chamfer bits are also used to create a decorative (albeit plain) angled edge. what is a wireless router

  5. This blog post was an eye-opener about the importance of VPNs and routing. I never realized the potential risks involved until now. Speaking of online security, I've been considering using a VPN for my online activities, especially when I use VPS hosting in the Philippines. If anyone has any recommendations for VPN services that work well with VPS hosting, I'd love to hear your suggestions. Let's all stay safe online!


IT Accountability: Avoiding Murphy

Amongst technology experts, Murphy is someone we all try to avoid.  Murphy's Law states "Anything that can go wrong, will".  E...