Kitz Forum
Broadband Related => Broadband Hardware => Topic started by: chenks on May 05, 2018, 11:25:52 AM
-
i'm trying to find a ubiquiti edgerouter x in the UK that actually comes with a UK power adaptor.
i've seen a few listing and they seem to either come with a US or euro adaptor.
broadbandbuyer don't have any stock so can't try there.
do these actually come in a UK variant?
-
I purchased mine some months ago from netxl.com It came with a euro plug along with a Euro-UK plug adaptor that you slotted the Euro 2 pin plug in to. However the item description on netxl is now different reading "UK Power Supply Cord included". Not sure if it's the same Euro-UK adaptor, or they're bundling the item with a UK adaptor like the one linked below.
I didn't like the Euro-UK plug adaptor so I ended up powering the Edgerouter X using the POE adaptor that came with my UAP-AC-Lite.
https://www.netxl.com/power-cables/12v-500ma-psu/
-
Yeah no way would I ever use those death euro/us to UK adaptors.
So did you use the Poe injector to power the router then power the ac-lite via poe from the router?
-
So did you use the Poe injector to power the router then power the ac-lite via poe from the router?
I did indeed. Worked out nice and tidy with the cabling.
-
Unifi AC lite has arrived.
Edgerouter in the post.
-
Should make your home network more robust. Let me know if you have any configuration questions once it's all setup.
-
the basic setup of the edgerouter should be fine (as in getting it to connect to the internet).
going forward i'll be looking at putting the guest wifi on a different IP range so it's totally isolated. i'm guessing that will be setting up a VLAN and telling the AP to use that VLAN ID on the guest wifi ?
also be interested in setting up OpenVPN on it (assuming the edgerouter X supports that). at the moment i have a Pi Zero running as an OpenVPN host.
-
Please see the following article on creating firewall rules on the Edgerouter for locking down a specific VLAN from accessing any other part of the network. Worked a treat for me.
https://help.ubnt.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch0-with-Inter-VLAN-Firewall-Limiting
I've not set up OpenVPN on my Edgerouter, I use my Raspberry Pi for that. The first video below demonstrates on setting up OpenVPN as a client device on the Edgerouter to connect to an external OpenVPN service provider. The 2nd video sets up an OpenVPN server on the Edgerouter.
https://www.youtube.com/watch?v=B9dXiKhDVl0
https://www.youtube.com/watch?v=LTBE8YiPhkg
I used the following commands below to enable IPv6 for devices on my network. For reference, I'm with BT who offer a /56 IPv6 prefix. So check the settings with your own ISP.
Notes: eth0 on my Edgerouter is the WAN port from my modem. "switch0.99" is VLAN ID 99 that I created. For adding IPv6 to additional VLAN networks on your Edgerouter, simply copy+paste the last 3 lines and change "switch0.99" to "switch0.10" for VLAN ID 10 as an example. Also change the 2nd line from "prefix-id ':1'" to "prefix-id ':2'" and so on. If you do intend on enabling IPv6 please let me know and I'll paste the IPv6 firewall rules as sadly the Edgerouter doesn't allow an easy convenient way of adding IPv6 firewall rules in the web interface.
set interfaces ethernet eth0 pppoe 0 ipv6 enable
set interfaces ethernet eth0 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth0 pppoe 0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 prefix-length /56
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0.99 host-address '::1'
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0.99 prefix-id ':1'
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0.99 service slaac
-
No ipv6 for me, Plusnet ipv4 only
-
the edgerouter X arrive today, so hopefully have a play with it tonight.
-
Been eyeing one of these for a while, let us know how it goes.
What sort of connect do you have and do you run any form of good QoS (SQM or the like) on it atm?
-
Been eyeing one of these for a while, let us know how it goes.
What sort of connect do you have and do you run any form of good QoS (SQM or the like) on it atm?
In my case I'm with BT and connect to my Zyxel router running in bridge mode using PPPoE. I've tested the QoS functionality of the Edgerouter and it seems to work well returning an A+ on dslreports.com But I have since disabled it as I have no use for it as I'm often the sole user of the internet connection in my home.
I have set up a couple of VLAN's, one for the home network, the other for use as guest Wi-Fi access with firewall rules blocking the guest VLAN from accessing the rest of my network. All in all a solid piece of kit at a decent price point.
-
Your usage case is pretty much identical to what I'll be doing.
Zyxel in bridge mode to Plusnet 80/20 (syncing at around 76 currently on fritzbox).
Unifi ap-lite with main and guest WiFi.
Guest to be totally isolated on a separate vlan, and guest WiFi on limited bandwidth.
Will require some open ports on the firewall for certain traffic and services. And some static IP for some servers.
May try some QoS as I have a couple of IPTV boxes that works need priority over anything else should it ever get to the stage where there is a lot of traffic.
-
ok well update
edgerouter installed, got internet access (zyxel in bridge mode).
set up static IP addresses via the DHCP server - all ok
opened up ports on firewall and pointed them to the static IPs - sort of works
it seems the firewall is blocking internal traffic as well as external... ie i can't access 192.168.1.2:7878
wifi, something went a bit weird there, the Unifi AP took an age to pick up a new IP address from the network, and for about 45 minutes was totally dead to the world (not even visible on a wifi scan), the power was never disconnected to it. then it seems to kick back into life. it's not visible in the unifi controller though.
so first things that needs sorted.
1) firewall clearly isn't working as i expected. i've opened up a couple of specific ports for external incoming traffic.
but it appears that even for internal traffic it's blocking connections to other internal devices.
2) need to get the unifi AP to be visible in the controller again. the controller is hosted on a windows PC on the network, so i'm guessing that the firewall has something to do with that
3) is it possible to get access to the zyxel from the network? ie connect to the web interface on it? and a sub-question, where can i see what the DSL connection is like? is that visible on the edgerouter? or only on the zyxel ?
4) what should the MTU be set ot on the edgerouter for the PPPoE? it's currently set to 1492
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi64.tinypic.com%2F2vnkpae.jpg&hash=10f73d127d7d517edced176105aea1dfafaf2f35)
edit - i have posted an image but for some reason it's not showing up when i view the forum in my network. shows up fine when on 4G though!!
-
How are you powering the Edgerouter. Is it via the POE injector that came with the AP-AC-Lite? I might be wrong, but I believe if you're using the power adaptor that came with the Edgerouter, it might not be good enough to power the AP-AC-Lite. If you use the Chrome web browser try using the UBNT Discovery app from the app store to try and see if your AP is discoverable on the network. It might also be worth factory resetting the AP-Lite pressing the reset button on the device with a paperclip / pin.
One issue that I found when first setting up the Edgerouter is that the DHCP service stopped working and needed restarting. Either reboot the Edgerouter via the UI or issue the following command via an SSH session to the Edgerouter: sudo service dhcpd restart
As for modem stats, I used the following guide under heading 5 on this page. My router is on 192.168.99.1 and modem is listening on 192.168.99.2 which is the IP that dslstats connects to. I use the 2 ethernet cable setup described in the following guide. Lan 1 from the Zyxel modem goes in to eth0 of the Edgerouter which is the PPPoE. Lan 2 from the Zyxel goes in to Eth1 on the Edgerouter for modem stats. The PPPoE connection on the Edgerouter has an MTU of 1492 due to the Zyxel not supporting baby jumbo frames (long thread on this forum discussing this).
https://kitz.co.uk/routers/zyxel_VMG8324-B10A_bridge.htm
-
the edgeroute is being powered by its own PSU (12v 2A), and the AP is powered with it's own injector.
so no power issues anywhere.
the main issue i need to resolve right now are the firewall issues which clearly isn't working as intended.
even though i have apparently opened up port 80 i can't get access in from the outside world.
from what is happening it looks like it has applied the firewall rules only to the internal side of the network and not the external.
basically for internal everything should be accessible with no blocked ports. for external only the ports specifically listed should be open. that doesn't seem to be working.
currently the set up is this.
zyxel connected to eth0
eth1,2,3,4 are just normal ports for the network (POE turned off on eth4).
DHCP range is 192.168.1.x (with lease range starting at 192.168.1.100).
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi63.tinypic.com%2F2s9t0t4.jpg&hash=e3f186472f56c558181cdd750a59152c2b8bcaf1)
-
Did you try restarting the DHCP service, or if you're not comfortable with SSH commands tried a reboot?
On the main dashboard page, does pppoe0 have a public IP address assigned to it, not an IP address in a private address range? Trying to determine if there's some double NAT situation going on.
My firewall page looks like this. Both WAN_IN and WAN_LOCAL have the same 2 firewall rules in them.
-
As an added note, I never added an IP address in the DHCP settings for "Unifi Controller". Can't see it causing issues, but perhaps remove that entry until we've resolved the AP-Lite connectivity issues.
-
haven't tried restarting DHCP as of yet, but new devices are picking up IPs in the lease range, so would assume that is working as expected.
but i have now restarted DHCP via the CLI.
pppoe0 shows my plusnet IP address (212.x.x.x)
my firewall screen looks the same as yours.
-
As an added note, I never added an IP address in the DHCP settings for "Unifi Controller". Can't see it causing issues, but perhaps remove that entry until we've resolved the AP-Lite connectivity issues.
i only added that at the very end after the problems were already in place.
i thought/hoped adding that would kick the unifi controller back into life.
-
The only thing I can suggest at this stage is reboot the Edgerouter and power off the AP-Lite for a few minutes. Rebooting the router does not cause the modem to perform a re-sync with the cabinet/dslam/exchange etc. So no worries with regards to being negatively impacted for interleaving etc.
-
forget about the AP-lite for now, that's working (it's just not visible in the controller).
the primary problem is the firewall and inaccessible LAN items, and ports not openeing on WAN.
the edgerouter has been rebooted since the firewall rules were added.
-
Just doing some checking online. On the Port Forwarding page click "Show advanced options" and ensure "Enable auto firewall" is enabled.
Failing that I'll keep digging.
-
How savvy are you with SSH commands? SSH in to the router and list the configuration with the command "show configuration | no-more" Once that's output scroll up a little and find the section heading "port-forward" If you can paste that section I can take a further look.
Amongst the port-forward settings the following should be present and not read any differently.
auto-firewall enable
hairpin-nat enable
lan-interface switch0
wan-interface pppoe0
-
Just doing some checking online. On the Port Forwarding page click "Show advanced options" and ensure "Enable auto firewall" is enabled.
Failing that I'll keep digging.
yeah that's ticked and was ticked when the rules were applied
-
How savvy are you with SSH commands? SSH in to the router and list the configuration with the command "show configuration | no-more" Once that's output scroll up a little and find the section heading "port-forward" If you can paste that section I can take a further look.
Amongst the port-forward settings the following should be present and not read any differently.
auto-firewall enable
hairpin-nat enable
lan-interface switch0
wan-interface pppoe0
fine with using SSH, use it on my Pis.
-
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface switch0
rule 1 {
description http
forward-to {
address 192.168.1.2
port 80
}
original-port 80
protocol tcp
}
rule 2 {
description plex
forward-to {
address 192.168.1.2
port 32400
}
original-port 32400
protocol tcp
}
rule 3 {
description sql2000
forward-to {
address 192.168.1.5
port 1433
}
original-port 1433
protocol tcp
}
rule 4 {
description ftp
forward-to {
address 192.168.1.6
port 21
}
original-port 21
protocol tcp
}
wan-interface eth0
}
-
Apologies, I've been completely blind with the original Port Forward page screenshot you posted. Change the "WAN Interface" on the Port Forwarding page to pppoe0.
-
ah ok.
i picked eth0 as that's what the modem is connected to, not thinking that pppoe0 would be the correct option.
i can now access the required devices from outside the network, and internal traffic appears to be fully accessible.
that will let me concentrate on the unifi side of things now.
i'll also get the modem accessable on the LAN using the instructions posted earlier.
also, on the screen for DNS, there are only 2 fields, with 1 populated with the IP of the router.
i usually enter the 2 google DNS servers, but this only allows me to use 1.
is it possible to get it to have both google DNS servers entered?
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi63.tinypic.com%2F2s9t0t4.jpg&hash=e3f186472f56c558181cdd750a59152c2b8bcaf1)
-
With regards to the DNS, when in the Edgerouter UI click the System button right at the bottom of the page. That will bring up a menu. Here enter your desired nameservers in the boxes provided. Once done scroll to the bottom of this page and press the Save button.
With my setup, on the DCHP settings page that you posted a screenshot of, I only have the 1 IP of the Edgerouter itself. Then in the nameservers page I mentioned above I set the custom external nameservers.
I also recommend clicking the button on the System page to download a copy of the config. Speeds up the recovery time in the event you need to reset the Edgerouter / replace it for whatever reason. I actually tested it a while back and it worked perfectly.
-
nice once. job done i've amended it to that.
i'll play tonight and get the unifi controller and AP working correctly again, will just reset it required.
then once that's done i can have a think about the vlan for guest wifi.
-
ok after some testing all is still not quite right.
internally i still can't go to http://192.168.1.2:8787 (for example).
i can get ot 192.168.1.2:80 though.
-
Strange, as you shouldn't have any problems accessing services on the same LAN with the default setup that you have on the Edgerouter. Have you verified that the service is running OK locally on the device that's listening on IP 192.168.1.2 and the port number that you can't access?
Just to verify, on the Firewall page for WAN_IN and WAN_LOCAL does the interfaces column read "pppoe0/in" and "pppoe0/local" respectively?
-
yes the service is running fine, as it i connect to it from outside my network it loads fine, so that external firewall is allowing the connection thru the open port that has been set. yet if i try to connect internally it fails.
and yes firewall page matches what you say
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi67.tinypic.com%2F2va1nrs.jpg&hash=8ccd39ed21ef70cbac5b9f348b5d7c421b97fc85)
-
i have moved forward a bit.
local devices are now accessible using their IP address
however i try to connect to my server using the FQDN it fails.
http://192.168.1.2:7878 works
http://blah.com/service doesn't work (i use nginx to reverse proxy it to 192.168.1.2:7878), i get a 404 error when on the LAN.
however http://blah.com/service does work when on WAN.
port 80 is open and points to 192.168.1.2
-
I'm afraid I'm not sure with this particular issue. Not that I think anything is incorrectly configured with the routers DNS service, but do check under Services > DNS and ensure it's the "switch0" interface that's on the listening list.
-
Something to look at tomorrow.
What do you know about the blanks for guest WiFi?
At the moment I have 2 WiFi ssids. 1 main and 1 guest.
Both give out the same IP range from DHCP.
I want the guest to be totally isolated, and for the guest to be in its own ip range via a vlan from the edgerouter, and for each device to not see any other device on the network (including the router).
Can that be done without having to set a specific physical port on the router for that vlan?
-
Can that be done without having to set a specific physical port on the router for that vlan?
The Edgerouter also has a built in switch, so VLAN's can be sent down multiple ports.
A quick messy guide to creating VLAN's on the Edgerouter and assigning them to the AP-Lite.
I have set up 2 VLAN's. One for my main home network (vlan id 99, IP range 192.168.99.1/24) and for my guest Wi-Fi (vlan id 10, IP range 192.168.10.1/24).
From the main Dashboard click Add Interface > VLAN. Here's my example - https://i.imgur.com/oY6dueq.png (https://i.imgur.com/oY6dueq.png)
Once you've created your vlan's, then locate the switch0 interface click Actions > Config. Click the VLAN tab and enable VLAN Aware. See my example - https://i.imgur.com/5qL5KKM.png (https://i.imgur.com/5qL5KKM.png) Disable VLAN on eth0 which is what your modem is connected to. My AP-Lite is connected to eth2. "pvid" traffic is untagged vlan traffic, "vid" is tagged vlan traffic. This is important for the setup in the in the Unifi controller later.
You'll need to add new entries in the DHCP server and DNS tabs. See my examples - https://i.imgur.com/S2UXYTc.png (https://i.imgur.com/S2UXYTc.png) https://i.imgur.com/xg7PR4a.png (https://i.imgur.com/xg7PR4a.png)
As posted previously, this guide takes you through creating the firewall rules to block users on the guest Wi-Fi (in my case VLAN ID 10), from accessing other VLAN's - https://help.ubnt.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch0-with-Inter-VLAN-Firewall-Limiting
My main firewall rules page once done - https://i.imgur.com/r1500I6.png (https://i.imgur.com/r1500I6.png)
Now in the Unifi controller go to Settings > Wireless Networks and edit the SSID that you wish to use for guest Wi-Fi. Expand Advanced Options, check "Use VLAN" and enter the VLAN ID for your guest Wi-Fi network, in my case 10.
-
ok, so it's currently set up like this
192.168.1.x - main network
192.168.1.1 - edgerouter
main network on 192.168.1.x (dhcp lease from 100-253)
192.1658.1.2 - Windows server
192.168.1.10 - Unifi AP on eth4
modem connected to eth0 for DSL
guest IP range will be 192.168.2.x
so do i need to create a VLAN for 192.168.1.x too? or does that already exist as it stands?
-
so do i need to create a VLAN for 192.168.1.x too? or does that already exist as it stands?
As it stands you do not have any VLAN's created. I feel that with the desired setup that you described, you should only need to create 1 VLAN for your guest network for the 192.168.2.x range. In my setup that I described, it's a little more complex as I'm planning to add a VLAN aware switch into the mix for additional ports around the home.
Go ahead and create 1 VLAN for the 192.168.2.x range. Then in the Actions > Config menu for "switch0" check the VLAN Aware option and only check the box for eth4 leaving the other ports un-checked. Then in "vid" enter the VLAN ID number that you used for the 192.168.2.x VLAN. Leave "pvid" blank. This will send the tagged VLAN traffic to the AP-Lite whilst hopefully still send your 192.168.1.x traffic to the AP-Lite for your non-guest Wi-Fi network.
If this doesn't work how I feel it will in my head, then the 2 VLAN setup might be required. But that will get a little tricky as you can't create a VLAN for the 192.168.1.x range as it's already assigned to the switch0 interface. You'll first have to change the IP range for switch0 to a temporary range e.g. 192.168.3.x, then create a VLAN for 192.168.1.x range.
-
while i remember.
i remember you saying the edgerouter could be powered by the POE injector supplied with the UAP.
so to confirm i have this right.
modem PPPoE ethernet to POE injector and then POE injector to eth0?
then eth4 with POE passthru enabled and UAP connected to eth4?
then end result being the edgerouter is powered from eth0 and the UAP is powered from eth4?
currently i have the edgerouter powered by a PSU and the UAP powered by the POE injector.
-
modem PPPoE ethernet to POE injector and then POE injector to eth0?
then eth4 with POE passthru enabled and UAP connected to eth4?
then end result being the edgerouter is powered from eth0 and the UAP is powered from eth4?
Yes, that is correct. Works great for me right now.
-
As for modem stats, I used the following guide under heading 5 on this page. My router is on 192.168.99.1 and modem is listening on 192.168.99.2 which is the IP that dslstats connects to. I use the 2 ethernet cable setup described in the following guide. Lan 1 from the Zyxel modem goes in to eth0 of the Edgerouter which is the PPPoE. Lan 2 from the Zyxel goes in to Eth1 on the Edgerouter for modem stats. The PPPoE connection on the Edgerouter has an MTU of 1492 due to the Zyxel not supporting baby jumbo frames (long thread on this forum discussing this).
https://kitz.co.uk/routers/zyxel_VMG8324-B10A_bridge.htm
i've tried to follow that guide but came stuck at the "Configure VMG8324 access from the LAN to get line stats" bit.
Mines actually a Zyxel VMG1312-B10A, and the options i have are differnet to those on the guide.
there is no menu structure of
Network Settings > Interface Group
Broadband > WAN Interface :
and i don't have PTM type > VDSL/ppp1.1 as an option in the closest option of Network settings > Interface group
(https://preview.ibb.co/jL0VOy/Capture.jpg) (https://ibb.co/c8vaqd)
(https://preview.ibb.co/db5KGJ/Capture2.jpg) (https://ibb.co/isSoAd)
-
In the menu on your 2nd screenshot select the PTM type "VDSL/ptm0.1". Here's my settings page for reference - https://i.imgur.com/lYj9Mps.png
-
got that working now.
will play with the VLAN stuff over the weekend.
here's what i have
(https://image.ibb.co/jq6LbT/Drawing1.jpg)
-
As it stands you do not have any VLAN's created. I feel that with the desired setup that you described, you should only need to create 1 VLAN for your guest network for the 192.168.2.x range. In my setup that I described, it's a little more complex as I'm planning to add a VLAN aware switch into the mix for additional ports around the home.
Go ahead and create 1 VLAN for the 192.168.2.x range. Then in the Actions > Config menu for "switch0" check the VLAN Aware option and only check the box for eth4 leaving the other ports un-checked. Then in "vid" enter the VLAN ID number that you used for the 192.168.2.x VLAN. Leave "pvid" blank.
i tried this, and it totally borked the edgerouter, complete loss of all network connectivity.
had to factory reset it. didn't have a backup of the config so had to rebuild.
i've now created a back file so can try again, but maybe the suggested method won't work?
(https://image.ibb.co/byd4ko/Capture.jpg)
the point it failed was when i did
Then in the Actions > Config menu for "switch0" check the VLAN Aware option and only check the box for eth4 leaving the other ports un-checked. Then in "vid" enter the VLAN ID number that you used for the 192.168.2.x VLAN. Leave "pvid" blank.
-
Apologies, I didn't see that you updated your last post with more information. Are you still unable to get it working, or did you have success?
-
i haven't re-attempted yet.
it's currently sitting as the previous post.
the "guest" VLAN has been created but i haven't attempted to turn VLAN aware on, as that's where it went wrong last time.
-
well i finally managed to get the 2 LAN setup working
main LAN 192.168.1.x, VLAN for guest wifi 192.168.2.x
all devices getting the correct IP for the network they are connected to.
haven't attempted setting the firewall yet so that anything on 192.168.2.x is totally device isolated.
-
As posted previously, this guide takes you through creating the firewall rules to block users on the guest Wi-Fi (in my case VLAN ID 10), from accessing other VLAN's - https://help.ubnt.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch0-with-Inter-VLAN-Firewall-Limiting
My main firewall rules page once done - https://i.imgur.com/r1500I6.png (https://i.imgur.com/r1500I6.png)
@MrMike i've pretty much got this going now.
could you show me a screengrab of the 1 rule in BLOCK_LAN_IN and the 3 rules in BLOCK_LAN_LOCAL ?
so i can compare with mine?
-
I have included all relevant screens in the image below. The "Allow ICMP" rule was added because one of my devices were complaining it couldn't ping the router, so it's not a mandatory requirement.
https://i.imgur.com/LNajWiY.jpg
-
yeah i might allow ICMP as a default as you never know later on when something might not like it being disabled.
-
ah ok, i was 90% there, but is the Firewall/Nat Group i didn't have.
i'm not sure which IP address i'm supposed to put in there.
in the Allow ICMP rule, i put the 192.168.2.x variant (as opposed to 192.168.1.x), as 2.x is the IP range of the VLAN that is being restricted.
-
i worked out the firewall group.
i used 192.168.0.0/16 as all my local LANs are in the 192.168.1.x range.
so that seems like the local LAN side of things is now all working as required.
192.168.1.x full local LAN access and internet
192.168.2.x fully isolated LAN and internet
now i'm going to look at the OpenVPN server side of things.
-
Good to hear that you're all up and running on the VLAN side of things. Be sure to take a config backup to make restoring nice and straight forward in the case of an emergency.
I've got a dedicated OpenVPN server on my network, so no need to run it on the EdgeRouter itself. But the videos I linked earlier in this thread should get you up and running.
-
yeah i've got two backup (1 LAN config & VLAN config).
yeah i've got a pi zero running just OpenVPN, but if i can get that on the Edgerouter then it's one less thing to need powered up :)