Need Recommendations for remote controller and S2S VPN setup

2024-07-10 04:56:59 - last edited 2024-07-11 01:39:57
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version:

Hello great people of the forum,

 

I need recommendations on how to set up my S2S VPN. Here is my current setup:

HQ:
OC200
ER605
Has static IP

Branch:
ER605
No static IP

 

The goal is to have Site to Site WireGuard VPN setup so devices from branch can connect to servers in HQ.
I also want the OC200 in the HQ to be able to manage the ER605 in the branch.

How do you suggest to configure this?

Should I connect the ER605 in the branch to the controller in HQ first using this guide: https://www.tp-link.com/us/support/faq/3087/

or should I set up the VPN first like this guide: https://community.tp-link.com/en/business/forum/topic/620506, and the ER605 in the branch would be automatically detected?

Also, should I set up the ER605 in the branch office in standalone mode first before doing any of the above?

I want to have as little downtime as possible since both sites are already running.

 

Thank you beforehand.

Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-11 01:15:58

Hi @Nikolassss 

Thanks for posting in our business forum.

This way but via WG VPN. Pre-configuring the site is required.

How to Manage Omada Devices at Different Sites Using Omada SDN Controller via VPN (Controller 5.0 or Above)

 

Get the VPN tunnel up and preconfigure the second site with the same VPN parameters. Input the Controller inform URL.

Adopt it over the tunnel and the settings will be applied to the device and will reconnect the VPN tunnel.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-16 08:53:20 - last edited 2024-07-16 08:53:49

Hi @Clive_A, thanks for the reply! I've followed the guide, but I am stuck on the device adoption phase. I just can't get the router to pop up for adoption. Are there any common mistakes when setting it up? I've tried setting the Inform URL with both my WAN public IP and the internal IP of my controller device. Both don't work and I still cannot see the device for adoption.

Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-16 09:04:41

Hi @Nikolassss 

Thanks for posting in our business forum.

Nikolassss wrote

Hi @Clive_A, thanks for the reply! I've followed the guide, but I am stuck on the device adoption phase. I just can't get the router to pop up for adoption. Are there any common mistakes when setting it up? I've tried setting the Inform URL with both my WAN public IP and the internal IP of my controller device. Both don't work and I still cannot see the device for adoption.

This should not be public IPs. It is S2S VPN so it should be the LAN IP of the controller.

I think you should check if the S2S is up and running. Ping and Wireshark if necessary to verify if the packets are forwarded through the tunnel.

Best Regards!
Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-16 09:09:57

  @Clive_A Yes, I've tried setting that as the controller LAN IP also, but still no luck.

I can confirm that WireGuard is running since I can access the server in my HQ from the branch site.

I can just leave it like this and be happy honestly, but I don't understand why I can't adopt it with the same controller...

Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-16 09:13:05

Hi @Nikolassss 

Thanks for posting in our business forum.

Nikolassss wrote

  @Clive_A Yes, I've tried setting that as the controller LAN IP also, but still no luck.

I can confirm that WireGuard is running since I can access the server in my HQ from the branch site.

I can just leave it like this and be happy honestly, but I don't understand why I can't adopt it with the same controller...

You are actually on a different site and trying to adopt it, correct?

Best Regards!
Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-16 09:17:38

  @Clive_A Correct, my setup is more or less like the picture in the guide:

 

The difference is that I'm using OC200 controller instead of a Software Controller
 

Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-17 01:31:34

Hi @Nikolassss 

Thanks for posting in our business forum.

Nikolassss wrote

  @Clive_A Correct, my setup is more or less like the picture in the guide:

 

The difference is that I'm using OC200 controller instead of a Software Controller
 

Can you please try the IPsec first to meet what you need at least? I need some time to confirm if the WG VPN can do it.

If possible, can you provide the Wireshark result about the Inform URL? Because when you put the IP/URL, it should send the packet to the remote controller directly. I would like to learn if it is actually sent.

Best Regards!
Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-17 02:00:38

  @Clive_A I'll try this out when I have the time. For now, my priority is to have the VPN going, and that is achieved using WG. Thank you for the help, and please update if there's anything new from your end.

Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-18 09:21:43

Not sure if relevant, but this is shown on the login page to the ER605 router on the branch office.

 

BUT, I still can't see the device for adoption....

 

Still no opportunity to test Wireshark package/IPsec yet
 

Re:Need Recommendations for remote controller and S2S VPN setup
2024-07-22 03:25:23

Hi @Nikolassss 

Thanks for posting in our business forum.

Nikolassss wrote

 

Not sure if relevant, but this is shown on the login page to the ER605 router on the branch office.

 

BUT, I still can't see the device for adoption....

 

Still no opportunity to test Wireshark package/IPsec yet
 

You should resolve this issue first. It should not be adopted yet. If it displays like this, as it writes literally, it has been adopted and you should reset it to erase the settings from it.

I am not sure why that happened because I was not involved in your adoption QA. Probably you need to walk through the setup again.

Best Regards!