Setup Router for VPN

If you are just evaluating Nebula on a local network and the devices will not leave the network or go mobile, you don’t have to change anything on your router.

The most important element of a VPN is for devices to be able to connect with each other. If the IP address of a device changes for any reason, that device can no longer be reached by the other VPN devices. In Nebula, all devices verify their IP address on startup, and if it has changed the device updates all other devices with the new address. Additionally, while running, APK devices listen for an Android Broadcast that indicates the address has changed, and Nebula JAR devices poll on a background thread to check their IP address every 10 minutes. It is anticipated that Android devices, because they can go mobile, will change address frequently and, at times of no service, will be “off-the-grid” entirely. JAR and BIN devices typically remain stationary; if one is moved, Nebula will be restarted and the distributed database will be updated.

Device private Internet Protocol (IP) addresses are assigned by your router. The VPN public IP address is assigned by your Internet Service Provider (ISP). If your router experiences a power failure or hard reset, your ISP may issue a new and different public IP address. For a VPN this can be catastrophic: Device 1, and thus all home devices, become unreachable from outside devices. Having a DNS name that points to your public IP address solves this issue and is highly recommended for long-term stability of your VPN. Also, if local devices receive their address from the router using DHCP, their local address may change. This is not nearly as bad as the public address changing; however, both situations can be avoided completely by using a Dynamic DNS (DDNS) name as the reference to your VPN public address and setting all Nebula devices to use static addresses in your router.

Nebula implements a NewPublicIp command to try to recover from a VPN public IP change, but the change will not be discovered unless or until Device 1 is restarted.

Set DDNS for VPN Public IP

First, don’t confuse a router with a modem. With a modem alone you must use a separate WiFi router, or connect to it via Ethernet, for internet access. Some ISPs provide an all-in-one device, others provide separate devices, and you can get a modem from your ISP and use your own WiFi router. Most personal routers offer a free DDNS service. For my Netgear R6700, under Advanced Setup there is a Dynamic DNS section. I supplied a unique name and Netgear supplied me with the “uniqueName.netgear.com” DNS name. Netgear uses the free no-ip service, which is available to anyone. There are other services available, but it is beyond the scope of the Nebula documentation to cover all routers. Just know that having DDNS is highly recommended, fast and easy to set up.

Set Devices With Static IP

By default routers use DHCP to assign an IP address to a device. Each time a device connects to the router it might receive the same address, but with DHCP that is not guaranteed. All routers have the ability to match a device with a specific address in the DHCP range. Routers have different ways of setting up this feature, so if you’re unfamiliar with yours, do an internet search for your specific router and look for “device static address”, “LAN setup” or “address reservation”. After setting the devices to receive a static address, you will probably have to reset your router to get them assigned.

Port Forwarding

Port forwarding, also referred to as “opening a port” or “pin holing”, allows a computer on your private network to act as a server receiving requests from the public internet. It is commonly used for gaming, security cameras and file downloads.

To allow a remote or mobile Nebula device access to other Nebula devices on your home network, at least the one Base Port must be opened. If you want to stream data to/from your home network, then the next two consecutive ports after the Base Port must also be forwarded. The open ports only go to Device 1, which in turn acts as a relay hub to all the other Nebula devices that you want to monitor or control. While the 2 streaming ports are forwarded, Device 1 does not use or listen for a connection on them unless a Nebula streaming operation is in progress.

Port forwards are set up in your router. The difficulty is that every router has its own way of reaching its port-forwarding settings. This website lists many routers and their port-forwarding specifics.

A typical setup is:

1. Use your browser and go to the login address of your router.
  • Addresses 192.168.1.1 or 192.168.1.254 are common defaults.
2. Enter your user name and password.
  • User Name “admin” is commonly used.
  • Password “admin” or “password” are commonly used as original defaults.

3. Navigate to the port forwarding section. Look for WAN or LAN settings, typically under Advanced Settings. Port forwarding might also be called Virtual Server.

4. Create the 3 port forward entries. You may have to enable the feature first. You may also have to select User Defined instead of Well Known. You can enter the ports individually, but it is more convenient to enter the port range and name it Nebula. For individual entry:

4.1 Command Port:
  • Name or Description can be “Nebula commands”
  • Incoming Port or Port Range AND Local Port is the command port (the Base Port) you assigned to Device 1. It appears on the Running screen top line after the colon. The default for Nebula is 50500.
  • Local IP is the IP address of Device 1. Your router may let you select the computer by name or MAC address.
  • Protocol is TCP or BOTH; it is not UDP only.
4.2 Stream Port1:
  • Name or Description can be “Nebula stream1”
  • Incoming Port or Port Range AND Local Port is the Base Port you assigned to Device 1 + 1. The default for Nebula is 50501.
  • Local IP is the IP address of Device 1.
  • Protocol is TCP or BOTH; it is not UDP only.
4.3 Stream Port2:
  • Name or Description can be “Nebula stream2”
  • Incoming Port or Port Range AND Local Port is the Base Port you assigned to Device 1 + 2. The default for Nebula is 50502.
  • Local IP is the IP address of Device 1.
  • Protocol is TCP or BOTH; it is not UDP only.

5. Save your router setup.

6. Test that your ports are forwarded correctly.
  • Turn off WiFi on your phone or mobile Nebula device, so that it reaches your home network from outside over the mobile network.
  • Send commands to, and stream video or move files from, devices at home.
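As an added example (not part of the Nebula project or its documentation), here is a small Python script that does what step 6 describes from a machine outside your home network: it probes the three forwarded TCP ports using the page’s defaults of Base Port 50500 plus the two consecutive streaming ports. The host name uniqueName.netgear.com is a placeholder for your own DDNS name. Run it from a device that is not on your home WiFi, because many routers do not loop a connection to their own public address back inside (no NAT loopback), which would make a correct forward look broken.

```python
import socket

# Nebula's documented defaults: the Base (command) Port is 50500 and the two
# streaming ports are the next two consecutive ports, 50501 and 50502.
DEFAULT_BASE_PORT = 50500
PORT_ROLES = ("commands", "stream1", "stream2")


def nebula_ports(base_port=DEFAULT_BASE_PORT):
    """Map each Nebula port role to the port number that must be forwarded."""
    return {role: base_port + offset for offset, role in enumerate(PORT_ROLES)}


def tcp_port_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A refused or timed-out connection means the port is not reachable from
    where this runs. Only TCP is probed, which is all Nebula needs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_forwarding(host, base_port=DEFAULT_BASE_PORT, timeout=3.0):
    """Probe the three Nebula ports on host; returns {role: (port, reachable)}."""
    return {role: (port, tcp_port_reachable(host, port, timeout))
            for role, port in nebula_ports(base_port).items()}


def summarize(results):
    """Turn check_forwarding() output into a verdict plus one line per port."""
    cmd_port, cmd_ok = results["commands"]
    lines = [f"command port {cmd_port}: {'reachable' if cmd_ok else 'NOT reachable'}"]
    for role in ("stream1", "stream2"):
        port, ok = results[role]
        # Device 1 only listens on the stream ports while a streaming operation
        # is in progress, so "closed" here is expected when nothing is streaming.
        status = "reachable" if ok else "closed (expected unless a stream is in progress)"
        lines.append(f"{role} port {port}: {status}")
    verdict = "forward OK" if cmd_ok else "check the Base Port forward on your router"
    return verdict, lines


if __name__ == "__main__":
    import sys
    # Usage: python check_forwarding.py uniqueName.netgear.com [base_port]
    # The default host name is a placeholder; substitute your own DDNS name.
    target = sys.argv[1] if len(sys.argv) > 1 else "uniqueName.netgear.com"
    base = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_BASE_PORT
    verdict, lines = summarize(check_forwarding(target, base))
    print("\n".join(lines))
    print(verdict)
```

Only the command port gives a definitive answer: if it is reachable, the forward and Device 1 are both working. The two stream ports will normally show closed because Device 1 is not listening on them, so a closed result there is not evidence that the forward is wrong.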

Router Bridging

Some Internet Service Providers (ISPs), in particular AT&T U-Verse, use firmware in their supplied router that prevents reliable port forwarding on all available ports. Their port forward appears to last some fixed period of time, then it is canceled. I had personal experience with this situation and the permanent fix was to bridge my own WiFi router, a Netgear Nighthawk AC1750/R6400, to the AT&T/Arris router. The final setup, outlined in the following steps, left the AT&T/Arris router to handle just AT&T equipment. The Netgear router, via the bridge, handles my home WiFi including all computers, phones, pads, streaming devices and, most importantly, my Nebula home control and security devices. Based on just family usage, I would say the network is now faster, more reliable and possibly (data mining?) better secured than before the change.

Here is the guide I used to do the setup. While the steps in this guide focus on an AT&T/Arris BGW-210 scenario, they apply to almost any situation where you want to use your own WiFi router instead of the one supplied by your ISP.

Make sure you know the make, model, user name and password for the routers you are working with. ISP routers may have this labeled on the equipment. Log into your router and familiarize yourself with its settings screens before making changes. Don’t be afraid; if you’re not familiar with router settings, they are probably still at factory conditions, and all routers have some method of restoring factory conditions.

1. Set your personal router to use a private LAN subnet other than 192.168.1. You should not have 2 local routers using the same subnet address; they will conflict.

1.1 Power up your personal router and connect to it via WiFi or Ethernet. Then go to its login/setup page. Your router manual or an internet search will tell you what address to use. A new router or factory reset cures most login issues.

1.2 Set its LAN (subnet) address. It can be any of the following. See the NOTE below for possible conflicts.

  • 192.168.x.1, where x is from 2 to 254
  • 10.1.1.1 – 10.254.254.254
  • 172.16.1.1 – 172.31.254.254

NOTE: WiFi modules use 192.168.4.1 for setup and Beagleboards use 192.168.6.1 and 192.168.7.1 locally, so don’t use those. It is best to use something obscure like 192.168.x.1 with x from 10 to 250.

1.3 The subnet mask is typically 255.255.255.0, which allows 254 usable hosts on the subnet. The network (.0) and broadcast (.255) addresses are reserved.

1.4 Set your router’s DHCP range to start at the address one above its own and run to the end of the range.

Example:
Network address: 192.168.111.0/24 – the first 24 bits are the network ID, the last 8 bits are hosts.
Router (gateway) address: 192.168.111.1 – the new address of your router and its setup page.
Subnet mask: 255.255.255.0 – allows 254 usable hosts.
DHCP range: 192.168.111.2 – 192.168.111.254 – assignable addresses for connecting WiFi and/or Ethernet devices.
Broadcast address: 192.168.111.255 – all hosts on the subnet receive the same message. Used for finding subnet hosts, like a printer, without having to contact every address.

1.5 Set up your SSID (network connect name), password, Guest network etc. as you want.

1.6 You can set up the port forwarding as described above and a reserved address for Device 1 now, or come back later.

1.7 Make sure to save all your settings.
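As an added example (not part of the Nebula project or its documentation), the following Python code works out steps 1.2 to 1.4 from whatever router address you pick, using the standard library ipaddress module, and flags the conflicts the NOTE above warns about. The page names single addresses to avoid (192.168.4.1, 192.168.6.1, 192.168.7.1); treating each of those, and the ISP router’s 192.168.1.x, as a whole /24 is this example’s assumption, and the “obscure” 192.168.10 to 192.168.250 suggestion is reported only as advice, not as a conflict.

```python
import ipaddress

# RFC 1918 private blocks; the page's three address ranges are drawn from these.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Subnets the page says to avoid. Widening each single address to its /24 is
# this example's assumption: a router placed on that /24 would overlap it.
AVOID = {
    "ISP (AT&T/Arris) router default": ipaddress.ip_network("192.168.1.0/24"),
    "WiFi module setup address": ipaddress.ip_network("192.168.4.0/24"),
    "Beagleboard local address": ipaddress.ip_network("192.168.6.0/24"),
    "Beagleboard local address (2)": ipaddress.ip_network("192.168.7.0/24"),
}


def plan_subnet(gateway_cidr):
    """Derive LAN settings from the router's address in CIDR form, e.g. '192.168.111.1/24'."""
    iface = ipaddress.ip_interface(gateway_cidr)
    net, gateway = iface.network, iface.ip
    if gateway in (net.network_address, net.broadcast_address):
        raise ValueError("router address must be a usable host, not the network or broadcast address")
    last_host = net.broadcast_address - 1   # .254 on a /24
    dhcp_start = gateway + 1                 # one above the router's own address
    if dhcp_start > last_host:
        raise ValueError("no addresses left for DHCP above the router address")
    return {
        "network": str(net),
        "gateway": str(gateway),
        "netmask": str(net.netmask),
        "usable_hosts": net.num_addresses - 2,            # .0 and .255 are reserved
        "dhcp_range": (str(dhcp_start), str(last_host)),  # to the end of the range
        "broadcast": str(net.broadcast_address),
    }


def conflicts(gateway_cidr):
    """List reasons the chosen subnet is a bad choice; an empty list means it is fine."""
    net = ipaddress.ip_interface(gateway_cidr).network
    problems = []
    if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
        problems.append("not inside an RFC 1918 private block")
    for label, bad in AVOID.items():
        if net.overlaps(bad):
            problems.append(f"overlaps {bad} ({label})")
    return problems


def is_obscure_choice(gateway_cidr):
    """True when the address follows the page's 192.168.x.1 advice with x from 10 to 250."""
    ip = ipaddress.ip_interface(gateway_cidr).ip
    octets = ip.packed
    return octets[0] == 192 and octets[1] == 168 and 10 <= octets[2] <= 250 and octets[3] == 1


if __name__ == "__main__":
    choice = "192.168.111.1/24"   # the page's own example address
    for key, value in plan_subnet(choice).items():
        print(f"{key}: {value}")
    print("conflicts:", conflicts(choice) or "none")
    print("obscure choice:", is_obscure_choice(choice))
```

Run it with your intended router address and copy the printed values into the LAN and DHCP screens of step 1; if conflicts() is non-empty, pick a different third octet before going on to step 2.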

2. Disconnect all your personal devices, i.e. computers, phones, streaming devices etc., from the AT&T/Arris WiFi. Either turn off their WiFi or power them down.

3. Disconnect any Ethernet cables, leaving only the main DSL or fiber input to the AT&T router. All the disconnects are important, as the AT&T/Arris router did not allow bridging with established connections.

4. Factory reset the AT&T/Arris router: hold the reset button 10 or more seconds until the Power LED is steady green. Don’t worry; AT&T uses a private subnet to find all its own devices once they are reconnected.

5. Connect a computer (I used my laptop) to a LAN port on the AT&T router with an Ethernet cable. Open a browser (I use Firefox) and go to 192.168.1.254. The AT&T setup page should appear.

6. Look on the bottom of the router and note the passphrase. You’ll be asked for it to get into some of the setup screens.

7. Connect your router to an AT&T router LAN port with an Ethernet cable.

8. Under Home Network > WiFi

8.1 Set Home and Guest SSID enable to Off.
8.2 Click on Advanced Options and set both the 2.4 and 5.0 GHz Wi-Fi Operation to Off.
8.3 You are going to use your own router for WiFi, not the AT&T one, and you don’t want any conflicts.
8.4 Click Save

9. Under Firewall > IP Passthrough

9.1 Set Allocation Mode to Passthrough
9.2 Leave Default Server Internal Address blank
9.3 Set Passthrough Mode to DHCPS-fixed
9.4 Set Passthrough Fixed MAC Address to Choose from list and select your router, not the laptop you’re working from.
9.5 Set Passthrough DHCP Lease to 98 days. The time is limited with DHCPS-fixed. See the notes in the side panel.
9.6 Click Save

10. Disconnect the laptop and reconnect any AT&T Ethernet cables removed in step 3.

11. Power up any remote AT&T devices that you shut down in step 2 or 3. They should all reconnect automatically. If any fail to reconnect, make sure all AT&T devices are powered up, then do a soft reset on the AT&T router: just click the reset button, don’t hold it down as in step 4. A hard or factory reset will restore all original settings.

12. Lastly, go one by one and connect all your WiFi computers, phones etc. to your router’s SSID with its password. They should all get an IP address in your new subnet’s range. Any personal computers or devices that were connected via Ethernet should now be connected to your router’s LAN ports.

13. You can monitor and set options on the AT&T/Arris router at address 192.168.1.254 and monitor and set additional options on your router at address 192.168.111.1 (used in the example not necessarily the one you used).

14. Two issues I had after the setup:

  1. Slow webpage loads caused by DNS. To resolve it I set the computers’ network connection to use Google DNS at 8.8.8.8 and 8.8.4.4. The DNS addresses could probably be set in my WiFi router, rather than getting them from the AT&T router, instead of on the individual computers. No problem with phones or other SBC devices.

  2. My Dell XPS Ubuntu 18.04 development computer would occasionally drop WiFi. The resolution, which I can’t explain but which worked, was based on a link I found where others had the same issue. My REGDOMAIN= in /etc/default/crda was blank. No other computers (another Ubuntu 18.04 machine, a Windows 10 laptop or an iMac OSX 10.15) had this issue.

    2.1 sudo nano /etc/default/crda
    2.2 Set the one line in the file to: REGDOMAIN=US
    2.3 Reboot