VPN client to LAN-to-LAN routing
Hello! This has been bugging me since I established a LAN-to-LAN VPN connection between my two properties. Now, if I am away, I VPN in to one of the ER605's to check on my LAN in that subnet. My problem is I cannot traverse through the LAN-to-LAN connection to log in to devices on the other node. My current solution is to disconnect from the one node and connect to the other so I can have access to the devices behind the ER605 in that location.
What can I do to both so that I can traverse through the LAN-to-LAN connection to be able to access devices on the far side of the VPN tunnel? Thanks in advance. Both locations are connected using Wireguard. The client is using a PC with OpenVPN.
ALL: I have switched to IPsec LAN-to-LAN (Site-to-Site). In IPsec, I can specify the Local Networks allowed but not in Wireguard (Stand alone ER605).
All is well now. OVPN client can now reach the farthest devices.
Question: I've been seeing/reading "controller" - is it another hardware to buy? Or is it cloud services? If it is another hardware to purchase, well, I'm retired and I'd rather be happy with my "stand-alone" ER605's.
Wireguard is already creating a proper routing between those two routers, therefore if the VPN configuration is proper, you should be able to easily access any device.
My guess is that your OpenVPN configuration is incorrect.
Can you share some screenshots on your OpenVPN server configuration? Blur out any sensitive data ofc.
Cheers
This is the server OVPN configuration of the 192.168.5.0/24 server where that client on the picture is connected to.
And on the other side:
IMO the problem is with the Local Network setting of the OpenVPN server. In order to access the other location (192.168.4.0) while being connected to your primary location via OpenVPN (192.168.5.0) you should also have added the network of the other location (192.168.4.0) to your server's config.
But I just checked in the ER605 firmware emulator that in Standalone Mode you can include only one Local Network... Such a limitation does not exist in Controlled mode... weird.
As a workaround, have you tried to enable "Full Mode" on that server to route whole traffic from OVPN client via your ER605?
Cheers
Thanks for your suggestion. I just enabled Full Mode. Still cannot traverse to the 192.168.4.0/24 network from client in 192.168.5.0/24 network!
Just to clarify cuz I was confused by your last answer.
1. I understood that if you are in 192.168.5.0/24 network, you can easily reach devices from 192.168.4.0/24 network and vice versa since those are connected via WireGuard, is that correct?
2. And I understood that you have a problem when you are connecting via OpenVPN to 192.168.5.0/24 network - then you can reach devices in 192.168.4.0/24 network (the same when you are connected via OVPN to 192.168.4.0/24 network and try to access 192.168.5.0/24 network), right?
If that's the case, I just tested that "problem" and everything works fine while using "Full Mode" option in OpenVPN server. The devices in external network (behind WireGuard connection) were fully accessible.
Make sure you have saved the changes to OpenVPN server, try to disable the server and enable it again.
Let me know if I understood you properly and if anything changed.
Cheers
You haven't said anything about how LAN-to-LAN is connected, but in my case I'm using IPsec site-to-site. To achieve what you want you have to include the VPN IP pool in the site-to-site configuration on both routers. Here I'm showing how the configuration is on the router with the OpenVPN server, i.e. the router the client connects to.
and the remote router
RaRu wrote
Just to clarify cuz I was confused by your last answer.
1. I understood that if you are in 192.168.5.0/24 network, you can easily reach devices from 192.168.4.0/24 network and vice versa since those are connected via WireGuard, is that correct?
Correct. No problem reaching the devices from all sides of the wireguard VPN connection.
2. And I understood that you have a problem when you are connecting via OpenVPN to 192.168.5.0/24 network - then you can reach devices in 192.168.4.0/24 network (the same when you are connected via OVPN to 192.168.4.0/24 network and try to access 192.168.5.0/24 network), right?
Right. When OVPN client is connected to the 192.168.5.1 router, that client cannot access the devices in the 192.168.4.0/24.
If that's the case, I just tested that "problem" and everything works fine while using "Full Mode" option in OpenVPN server. The devices in external network (behind WireGuard connection) were fully accessible.
Not in my case!
Make sure you have saved the changes to OpenVPN server, try to disable the server and enable it again.
Let me know if I understood you properly and if anything changed.
I thought when clicking Ok, it restarts the OVPN server because when I enabled the "Full" mode, my client OVPN connection restarted at that moment.
Cheers
MR.S wrote
You haven't said anything about how LAN-to-LAN is connected, but in my case I'm using IPsec site-to-site. To achieve what you want you have to include the VPN IP pool in the site-to-site configuration on both routers. Here I'm showing how the configuration is on the router with the OpenVPN server, i.e. the router the client connects to.
The last two sentences of my Original Post: L2L is on Wireguard. Client is OVPN.
Let me look at the Wireguard configuration again. With this Wireguard connection, one side can connect to any device connected to the other side and vice versa. However if a remote OpenVPN client is connected to either side, that client cannot access the devices on the far side of the Wireguard L2L.
In Wireguard configuration in the current firmware version of the ER605, there is no setting for "Local Networks".
Shall I switch to ipSec L2L?
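The path discussed in this thread (OpenVPN client, near router, site-to-site tunnel, far LAN), as an added example that is not from any poster or from TP-Link. It models generic WireGuard AllowedIPs behaviour to show which hop drops the traffic. Assumptions: the near router does not source-NAT the OpenVPN pool into the tunnel, the client pool 10.8.0.0/24 is constructed, and all function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

def covers(prefixes, addr):
    """True if addr falls inside any of the CIDR prefixes."""
    return any(ip_address(addr) in ip_network(p) for p in prefixes)

def diagnose(client_ip, target_ip, pushed_routes, near_allowed, far_allowed):
    """Return the first hop that drops client -> target traffic, or 'ok'.

    pushed_routes: routes the OpenVPN server hands the client
                   ("Local Network"; Full Mode is modelled as 0.0.0.0/0).
    near_allowed:  AllowedIPs the near router holds for the far peer.
    far_allowed:   AllowedIPs the far router holds for the near peer.
    """
    # 1. The client only sends the packet into the tunnel if it has a route.
    if not covers(pushed_routes, target_ip):
        return "client: no route to target via OpenVPN"
    # 2. Near router: WireGuard picks the outgoing peer by destination address.
    if not covers(near_allowed, target_ip):
        return "near router: target not in AllowedIPs for far peer"
    # 3. Far router: WireGuard drops decrypted packets whose source address
    #    is not in the sending peer's AllowedIPs. The same list is also the
    #    far router's route for replies back to the client.
    if not covers(far_allowed, client_ip):
        return "far router: client pool not in AllowedIPs for near peer"
    return "ok"

# Constructed sample values. The two LAN prefixes are from the thread;
# the OpenVPN client pool 10.8.0.0/24 is an assumption.
CLIENT, TARGET = "10.8.0.6", "192.168.4.20"
LAN_NEAR, LAN_FAR, POOL = "192.168.5.0/24", "192.168.4.0/24", "10.8.0.0/24"
FULL = ["0.0.0.0/0"]

def scenarios():
    return {
        "one Local Network": diagnose(CLIENT, TARGET, [LAN_NEAR], [LAN_FAR], [LAN_NEAR]),
        "Full Mode only": diagnose(CLIENT, TARGET, FULL, [LAN_FAR], [LAN_NEAR]),
        "pool added on far side": diagnose(CLIENT, TARGET, FULL, [LAN_FAR], [LAN_NEAR, POOL]),
        "LAN host, no OpenVPN": diagnose("192.168.5.10", TARGET, FULL, [LAN_FAR], [LAN_NEAR]),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24} -> {verdict}")
```

Under these assumptions, LAN-to-LAN traffic passes while the OpenVPN client is dropped at the far router until its pool is listed there, which is the same condition the IPsec "Local Networks" advice above satisfies.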