ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall

2024-08-16 11:17:55 - last edited 2024-08-16 15:17:59
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version:

Good Day!

 

Quick question: can I use an er605 (no Omada) as an OpenVPN or Wireguard server behind a Fortigate Firewall, port forwarded?

I am not very satisfied with the Firewall from Fortigate anymore as it is very complicated to handle and the IPsec depends on Android versions, etc.

 

So, forwarding the acc. ports to the er605 behind my Fortigate where I install the OpenVPN or Wireguard should be ok then to be able to browse and enter the LAN from outside?

 

Regards,

Stephan

#1
1 Accepted Solution
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall-Solution
2024-08-16 15:14:48 - last edited 2024-08-16 15:17:59

Steffffi wrote

  @MR.S 

 

I will take a further look at it at the weekend, but did not find that option yet in the web interface of the er605 1, the one with the Internet, to port, for example, lan4 to wan1 of the second one.

 

Maybe it only gets visible if physically connected? Please, if you have time, name me the options menu to widen my knowledge 😁

 

But under the line: best would be get rid of the Fortigate and use only one er605. It is already out of warranty and gets no antivirus Updates anymore and it is so f* complicated with new firmware and that new SDWAN thingy. I feel like an idiot already although I have dealt with this stuff for over 25 years and was able to do all my networking and computer stuff for 10 work places.

  @Steffffi 

 

if you can replace the fortigate with the ER605, it will be a bit easier, but as I said earlier, I would recommend a router with a bit more horsepower.

then throw out the fortigate and put in something that works :)

 

Recommended Solution
#16
15 Reply
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 11:20:29

  @Steffffi 

it should work, but you should consider ER707-M2 for example, ER605 is quite slow with OpenVPN.

 

#2
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 11:30:51 - last edited 2024-08-16 11:57:07

That was quick, thx. My plan is to have at least one common VPN of the same kind on every client (different Androids, Win, etc.), which works the same way with the same software. Speed is not a concern as it is mainly used to check some server status or copy a file from here to there. I will try with my backup er605 and use wireguard, as there is only one port to forward and no special settings to make. When it works, I can get rid of all those ipsec, l2tp, sslvpn, etc. Just thinking of that makes me puke 🤣

Last questions: for the local IP address in the wireguard menu of er605, I use the external one, right, the one my Fortigate gets from the provider, the public ipv4? And in the peers tab of er605 wireguard config, I use another subnet, like x.x.3.x, different to my current LAN subnet x.x.1.x and then, I also add a VPN pool with like x.x.3.80 to x.x.3.90, for example?

 

That is how it works now with my er605 at home

#3
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 12:49:49

  @Steffffi 

 

Tried it now in my home network: I can log on in my LAN to my second er605, but when trying to enter a default gateway, so the er605 knows how to get into the web, the filled-in IP address keeps disappearing and under diagnostics, I can't ping 8.8.8.8, request timed out.

Is there anything further to change so the second er605 (the one behind the first er605) knows it must act as a switch, not a gateway and nothing more?

#4
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 13:12:32

  @Steffffi 

 

what does your config file look like?

 

try  Allowed ip

AllowedIPs = 0.0.0.0/1, 128.0.0.0/1

or

AllowedIPs = 0.0.0.0/0

 

#5
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 13:23:19 - last edited 2024-08-16 13:41:25

thx, will check later. But as I can use the webinterface of the second er605, I think, that should be ok.

 

Acc. to this link, it should not be possible to use the er605 as a switch:

 

https://community.tp-link.com/en/business/forum/topic/559846

#6
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 13:39:11

  @Steffffi 

 

no, the tp-link routers are not switches, but as I see it, you only need to connect to the WAN on the ER605. I have some similar solutions with other manufacturers and there I have only connected the router to the WAN, it is the WAN interface that is the vpn server interface

then try to connect only WAN to the router, there is no need to connect anything to LAN,

 

#7
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 13:42:34 - last edited 2024-08-16 13:47:57

But how does the second er605 find its way to the lan without being told?

 

I guess that is not the right solution for me. Will try to look further.


As the er605 is not switching and it won't find a way into the lan behind the other er605, I don't think it can or will work as a VPN Server per port forwarding.

 

Thank you very much for your help! Appreciate this very much.

#8
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 13:48:58

  @Steffffi 

 

because you are routing back to the LAN with this configuration.

 

AllowedIPs = 0.0.0.0/1, 128.0.0.0/1

or

AllowedIPs = 0.0.0.0/0

 

so you have to connect like this

 

internet ---- WAN first ER605 LAN -------  WAN second ER605 LAN don't connect this port.

 

then you do a port nat to second ER605 WAN interface.

#9
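Added example, not part of the thread and not TP-Link's code: a small check of what the two `AllowedIPs` variants suggested in posts #5 and #9 actually cover on a client, next to a split-tunnel value that only routes the office subnets. The `192.168.1.0/24` and `192.168.3.0/24` subnets are constructed stand-ins for the LAN and VPN pool, which the thread only gives as x.x.1.x and x.x.3.x.

```python
import ipaddress

# The two AllowedIPs variants suggested in the thread.
SPLIT_HALVES = "0.0.0.0/1, 128.0.0.0/1"
DEFAULT_ROUTE = "0.0.0.0/0"
# Constructed split-tunnel alternative; both subnets are assumed values
# standing in for the LAN and the VPN pool, which the thread does not give.
LAN_ONLY = "192.168.1.0/24, 192.168.3.0/24"


def parse(allowed_ips):
    """Turn an AllowedIPs value into a list of network objects."""
    return [ipaddress.ip_network(p.strip()) for p in allowed_ips.split(",")]


def covered_networks(allowed_ips):
    """Merge adjacent prefixes so two values can be compared by coverage."""
    return list(ipaddress.collapse_addresses(parse(allowed_ips)))


def routed_via_tunnel(allowed_ips, destination):
    """True if a client with this AllowedIPs sends `destination` to the peer."""
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in covered_networks(allowed_ips))


def same_coverage(a, b):
    """True if two AllowedIPs values cover exactly the same addresses."""
    return covered_networks(a) == covered_networks(b)


def overrides_default_without_replacing(allowed_ips):
    """True if the value covers all of IPv4 using only prefixes longer than /0.

    Such prefixes win over an existing 0.0.0.0/0 route by longest-prefix
    match, so the original default route stays in the table untouched.
    """
    everything = [ipaddress.ip_network("0.0.0.0/0")]
    full = covered_networks(allowed_ips) == everything
    return full and all(n.prefixlen > 0 for n in parse(allowed_ips))


if __name__ == "__main__":
    for name in ("SPLIT_HALVES", "DEFAULT_ROUTE", "LAN_ONLY"):
        value = globals()[name]
        print(name, [str(n) for n in covered_networks(value)],
              "8.8.8.8 via tunnel:", routed_via_tunnel(value, "8.8.8.8"))
```

With either full-tunnel value every client destination, internet traffic included, goes through the VPN router; the split-tunnel value limits the tunnel to the listed subnets.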
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 13:59:40
Please point to "do a port nat". I have it now physically on another switch in another room, but I see now what you mean. Use a lan port of the internet er605 into the wan port of the second one. The problem with this is: if this works, that is ok, but I don't think it will work this way with my Fortigate. This here, this config, with 2 er605, is just some trial at home. I better bail on this one before nothing works any more :-)
#10
Re:ER605 - use as an OpenVPN or Wireguard Server behind a Fortigate Firewall
2024-08-16 14:09:10

  @Steffffi 

 

You probably have port NAT on fortigate :-)
you NAT the wireguard port on the first ER605 to the second ER605 WAN interface so that you can reach it from the internet.

#11