WMC Extender Over VPN

SalmonSurprise

Posts: 45
Joined: Thu Jul 28, 2016 1:42 am

#1

Post by SalmonSurprise » Tue Nov 15, 2022 1:28 am

Any idea if it is possible to run a WMC server at home where I also have a VPN server, and connect to my home VPN from a remote location and watch recordings and live TV via an Xbox 360 extender that is connected to my home VPN? Assuming I can get around 10Mbps? (HD should be around 5Mbps I think)

dab2kab

Posts: 46
Joined: Thu Dec 10, 2015 6:03 am

#2

Post by dab2kab » Mon Jan 16, 2023 3:28 am

It's been a while since this was asked, but I laughed at this question. Is it possible? Maybe. But I have had difficulty using Xbox extenders with a directly connected Ethernet cable to the extender from the PC (configuration error anyone?). I can't imagine the issues you'd run into getting the damn things to connect over VPN lol.

#3

Post by SalmonSurprise » Wed Dec 20, 2023 6:06 am

Wanted to revisit this but doing things differently. I have two locations. I want to have a WMC box at one location, and network tuners (HDHR Prime) at the other location. Do you think WMC could use remote tuners over something like Tailscale?

Kevin Chalet

Posts: 122
Joined: Mon Oct 08, 2018 12:00 pm

#4

Post by Kevin Chalet » Wed Dec 20, 2023 1:50 pm

My parents were having OTA reception issues from time to time so I reused one of their old PCs lying around and installed Tvheadend on it (see https://kevinchalet.com/2023/07/05/conn ... o-dvblink/ for more information on how to use Tvheadend as your TV source for WMC).

Instead of directly receiving OTA TV via a physically attached tuner, their HTPC now uses that Tvheadend server, which is also configured to access the tuners shared by my own Tvheadend server via SAT>IP through an OpenVPN L2 VPN that links our two places: when TV can't be received by their own tuner, it falls back to one of mine completely transparently.

Our houses are very far from each other (completely different regions) but both are equipped with fiber connections, so the VPN link has an average latency of ~15ms: it's so low it's almost impossible to tell when they're not accessing TV via their local OTA emitter :mrgreen:

You should be able to do something similar directly with HDHomeRun but it's worth noting many of their tuners are known to set the TTL (time-to-live) of all the IP stream packets to 1, which means they are typically blocked by the first router forwarding them. A layer-2/bridged VPN (flowing Ethernet frames instead of IP packets) instead of a layer-3/routed VPN should fix that easily (and make all broadcast/multicast scenarios possible).

For live TV, 10Mbps should be enough, but I'd recommend 100Mbps or more for recorded TV if you want to have a great fast-forward experience (fast-forwarding at the maximum speed is very demanding and results in huge spikes of network traffic: if you have limited bandwidth, the video won't be as smooth as if it was recorded locally). Alternatively, you could buy a tiny NAS and copy all the recorded TV shows from your remote machine to your NAS, so they can be accessed locally in a much more efficient way.
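
Added example (not part of the post above, and not HDHomeRun or OpenVPN code): a small Python model of the TTL point, showing why a stream sent with TTL 1 is discarded at the first routed hop but crosses a bridged link unchanged. The addresses, hop lists and function names are constructed for illustration.

```python
import socket
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 means a stored checksum verifies."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(header: bytes) -> bytes:
    """Zero bytes 10-11, then store the freshly computed header checksum."""
    blank = header[:10] + b"\x00\x00" + header[12:]
    return blank[:10] + struct.pack("!H", checksum(blank)) + blank[12:]

def build_header(src: str, dst: str, ttl: int, payload_len: int = 1316) -> bytes:
    """Constructed 20-byte IPv4 header for a UDP datagram (no options)."""
    return with_checksum(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + payload_len, 0, 0x4000,
        ttl, socket.IPPROTO_UDP, 0,
        socket.inet_aton(src), socket.inet_aton(dst)))

def route(header: bytes):
    """Layer-3 hop: decrement TTL; discard at 0, else fix the checksum."""
    ttl = header[8] - 1
    if ttl <= 0:
        return None  # a real router would also send ICMP Time Exceeded
    return with_checksum(header[:8] + bytes([ttl]) + header[9:])

def bridge(header: bytes):
    """Layer-2 hop: the frame's payload (the IP packet) is passed untouched."""
    return header

def deliver(header: bytes, hops):
    """Send a packet through the hops; return arriving TTL or None if dropped."""
    for hop in hops:
        header = hop(header)
        if header is None:
            return None
    return header[8]

if __name__ == "__main__":
    # Constructed sample addresses; the model forwards on TTL only.
    stream = build_header("192.168.10.20", "192.168.20.30", ttl=1)
    print("routed VPN :", deliver(stream, [route, route]))
    print("bridged VPN:", deliver(stream, [bridge, bridge]))
```

On a real link the same condition can be confirmed by looking at the TTL field (byte 8 of the IPv4 header) of the tuner's stream packets in a capture taken on the tuner's LAN.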

#5

Post by SalmonSurprise » Thu Dec 21, 2023 4:37 am

Kevin Chalet wrote: Wed Dec 20, 2023 1:50 pm My parents were having OTA reception issues from time to time so I reused one of their old PCs lying around and installed Tvheadend on it (see https://kevinchalet.com/2023/07/05/conn ... o-dvblink/ for more information on how to use Tvheadend as your TV source for WMC).

Instead of directly receiving OTA TV via a physically attached tuner, their HTPC now uses that Tvheadend server, which is also configured to access the tuners shared by my own Tvheadend server via SAT>IP through an OpenVPN L2 VPN that links our two places: when TV can't be received by their own tuner, it falls back to one of mine completely transparently.

Our houses are very far from each other (completely different regions) but both are equipped with fiber connections, so the VPN link has an average latency of ~15ms: it's so low it's almost impossible to tell when they're not accessing TV via their local OTA emitter :mrgreen:

You should be able to do something similar directly with HDHomeRun but it's worth noting many of their tuners are known to set the TTL (time-to-live) of all the IP stream packets to 1, which means they are typically blocked by the first router forwarding them. A layer-2/bridged VPN (flowing Ethernet frames instead of IP packets) instead of a layer-3/routed VPN should fix that easily (and make all broadcast/multicast scenarios possible).

For live TV, 10Mbps should be enough, but I'd recommend 100Mbps or more for recorded TV if you want to have a great fast-forward experience (fast-forwarding at the maximum speed is very demanding and results in huge spikes of network traffic: if you have limited bandwidth, the video won't be as smooth as if it was recorded locally). Alternatively, you could buy a tiny NAS and copy all the recorded TV shows from your remote machine to your NAS, so they can be accessed locally in a much more efficient way.
Kevin, thank you so much for your very informative response. You saved me a lot of time troubleshooting with the TTL issue on HDHR!

The live TV would be recorded into the local buffer, so performance shouldn’t be an issue.

ZeroTier seems to support layer 2, so I’m looking into that.

I am sending you a PM as well.

#6

Post by Kevin Chalet » Thu Dec 21, 2023 3:08 pm

SalmonSurprise wrote: Thu Dec 21, 2023 4:37 am ZeroTier seems to support layer 2, so I’m looking into that.
I've never used ZeroTier but I've heard good things about it. Curious to see how it goes :mrgreen:

#7

Post by SalmonSurprise » Thu Dec 21, 2023 4:32 pm

Kevin Chalet wrote: Thu Dec 21, 2023 3:08 pm
SalmonSurprise wrote: Thu Dec 21, 2023 4:37 am ZeroTier seems to support layer 2, so I’m looking into that.
I've never used ZeroTier but I've heard good things about it. Curious to see how it goes :mrgreen:
Do you use OPNsense or pfSense by any chance?

#8

Post by Kevin Chalet » Thu Dec 21, 2023 4:39 pm

I indeed use OPNsense, but only for my core router. The site-to-site VPN link is managed by 2 Debian VMs running the latest OpenVPN version (that supports TLS + peer-fingerprint, which replaces the now-deprecated static key feature).

#9

Post by SalmonSurprise » Thu Dec 21, 2023 7:01 pm

I purchased 2 routers from Protectli, model VP4630. I am planning on having the WMC on its own LAN that is always connected to a dedicated LAN at the other location with 2 HDHR Prime boxes. Was thinking of installing the ZeroTier package on both routers.

Do you have a particular reason for choosing OPNsense over pfSense? I am still at a stage where I can decide.

#10

Post by Kevin Chalet » Thu Dec 21, 2023 8:01 pm

SalmonSurprise wrote: Thu Dec 21, 2023 7:01 pm Do you have a particular reason for choosing OPNsense over pfSense? I am still at a stage where I can decide.
Yep, two reasons actually:
  • Orange France, my ISP, requires sending DHCP requests in 802.1Q Ethernet frames with an explicit Class of Service = 6: if you don't do that, the DHCP server simply ignores you and you're unable to connect. When I had to decide between the two, only OPNsense included a DHCP client patched to support that (I don't know if pfSense now supports it natively) so the choice was easy :mrgreen:
  • pfSense is known to be much slower to include recent drivers. The motherboard I chose for my router included a Realtek 2.5G network adapter and it wasn't supported by pfSense when I built the machine.
Nice choice BTW: likely overkill for now (can't blame you, I went with an i5-11600K :oops:), but definitely a box that you'll be able to keep many years.

#11

Post by SalmonSurprise » Thu Dec 21, 2023 8:09 pm

When configuring OPNsense from the beginning, is everything secure by default, or were there a bunch of things that had to be changed from default for it to be safe as an edge router? Since I am not familiar with it, I am hoping if I do tinker around I won't be accidentally setting up a network that isn't NATed by default or leave WAN config pages enabled that were defaults.

#12

Post by Kevin Chalet » Thu Dec 21, 2023 8:15 pm

Yep, the defaults are quite secure: LAN-side, all connections are allowed but from WAN, every unsolicited packet is rejected.

(note: despite what most people think, NAT is not a security feature and is definitely not something you'll want to use for IPv6, even if OPNsense supports NPTv6 and NAT66)

#13

Post by SalmonSurprise » Thu Dec 21, 2023 11:49 pm

Are the default WAN firewall rules sufficient for most users? If you make a second WAN for failover does it automatically apply sufficient firewall rules or does this need to be implemented by the user? Sorry to ask so many questions, but this is part of what has been preventing me from starting the project and I don’t want to create vulnerabilities through ignorance.

#14

Post by Kevin Chalet » Fri Dec 22, 2023 5:57 pm

Like many firewalls, OPNsense and pfSense apply a "reject everything by default" policy for incoming traffic: if you don't explicitly add a rule to allow specific traffic, it will be rejected, whether the interface to which the rule is attached is the default WAN or a second WAN interface you manually created.

I'd recommend taking a look at the OPNsense/pfSense forums, you'll find precious information there.
