VPN client to LAN-to-LAN routing

Re:VPN client to LAN-to-LAN routing
2 weeks ago

@firefox111

I haven't tested with WireGuard Site to Site, but you may need to add the OpenVPN IP pool to the allowed IPs on WireGuard. I don't know.

#12
Re:VPN client to LAN-to-LAN routing
2 weeks ago

@MR.S

In theory I've tested that config with WireGuard without the VPN IP Pool added, and it still worked with Full Mode.

But it's never a bad idea to give it a try.

#13
Re:VPN client to LAN-to-LAN routing
2 weeks ago - last edited 2 weeks ago

All:

The official implementation of the WireGuard VPN server has a setting for "Allowed local subnets", so that clients from anywhere are allowed access to these defined local subnets.

The WireGuard setup in the ER605 has nothing for defining local networks. Where, in the ER605, can these be defined? In the static routing?

#14
Re:VPN client to LAN-to-LAN routing
2 weeks ago

RaRu wrote:

  @MR.S

  In theory I've tested that config with WireGuard without the VPN IP Pool added, and it still worked with Full Mode.

  But it's never a bad idea to give it a try.

@RaRu

The "Full Mode" in the ER605 tunnels all traffic. I don't think I will go for that because I want Split Tunneling.

Unlike IPsec, where you can enumerate Local Networks, TP-Link's implementation of WireGuard in the ER605 does not allow for "Allowed Networks".

#15
Re:VPN client to LAN-to-LAN routing
2 weeks ago - last edited 2 weeks ago

@firefox111

It's not called L2L but S2S, or IPsec site to site. :)

But IPsec site to site is a better solution for you; it is faster than WireGuard too, much faster.
Use this encryption to get the most secure and fastest communication on the ER605v2:

IKEv2
Phase 1
SHA-256 - AES256 - DH14
Phase 2
ESP - SHA-256 - AES256

I am not very familiar with how to configure this in stand-alone; I only use controllers.

And the OpenVPN server config is like this when configured on Omada Controller with split tunnel:

As you can see in the client log, all the necessary routes are added.

0 [route] [192.168.60.0] [255.255.255.0]
1 [route] [192.168.30.0] [255.255.255.0]
2 [route] [10.87.65.0] [255.255.255.0]
3 [dhcp-option] [DNS] [1.1.1.2]
4 [route] [1.1.1.2] [255.255.255.255]
5 [dhcp-option] [DNS] [1.0.0.2]
6 [route] [1.0.0.2] [255.255.255.255]
7 [comp-lzo] [no]
8 [route] [10.87.65.0] [255.255.255.0]

#16
Re:VPN client to LAN-to-LAN routing
2 weeks ago

@firefox111

I looked at a TP-Link emulator, and you can't use split tunnel when you're in stand-alone if you're going to reach more than one network. So you have to use full tunnel to get it to work.
IPsec site-to-site settings, so you can define multiple networks in stand-alone.

#17
Re:VPN client to LAN-to-LAN routing
2 weeks ago - last edited 2 weeks ago

@firefox111

I did a test with WireGuard site to site and split tunnel and the OpenVPN server. No change on the OpenVPN server config; you have to add routes like this in your WireGuard config.

But I recommend you upgrade to a controller to get split tunnel to work with OpenVPN.

OR you can use WireGuard and split tunnel; that might be the easiest for you. Then you add the allowed IPs in the configuration file of the WireGuard client like this:

AllowedIPs = 192.168.60.0/24, 192.168.30.0/24

#18
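An added example (not from the thread, and not TP-Link code): Python that turns the pushed [route] lines from the OpenVPN client log in post #15 and the WireGuard AllowedIPs line from post #17 into route tables, then checks which destinations actually travel through the tunnel. The log text is copied from the post as constructed sample input; the full-tunnel AllowedIPs line is assumed for comparison.

```python
import ipaddress
import re

# Constructed sample input: the pushed options shown in the OpenVPN client log in post #15.
OPENVPN_LOG = """\
0 [route] [192.168.60.0] [255.255.255.0]
1 [route] [192.168.30.0] [255.255.255.0]
2 [route] [10.87.65.0] [255.255.255.0]
3 [dhcp-option] [DNS] [1.1.1.2]
4 [route] [1.1.1.2] [255.255.255.255]
5 [dhcp-option] [DNS] [1.0.0.2]
6 [route] [1.0.0.2] [255.255.255.255]
7 [comp-lzo] [no]
8 [route] [10.87.65.0] [255.255.255.0]
"""

# The WireGuard client line from post #17 (split tunnel) and an assumed full-tunnel equivalent.
WG_SPLIT = "AllowedIPs = 192.168.60.0/24, 192.168.30.0/24"
WG_FULL = "AllowedIPs = 0.0.0.0/0"

# "<index> [route] [<network>] [<netmask>]" as printed by the OpenVPN client.
ROUTE_RE = re.compile(r"^\d+\s+\[route\]\s+\[([\d.]+)\]\s+\[([\d.]+)\]\s*$")


def openvpn_routes(log: str) -> list[ipaddress.IPv4Network]:
    """Collect the pushed [route] options (network + netmask) as networks, de-duplicated."""
    nets: list[ipaddress.IPv4Network] = []
    for line in log.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if net not in nets:  # the log pushes 10.87.65.0/24 twice
                nets.append(net)
    return nets


def wireguard_routes(allowed_ips_line: str) -> list[ipaddress.IPv4Network]:
    """Parse a WireGuard 'AllowedIPs = a/b, c/d' line; each prefix is a route into the tunnel."""
    _, _, value = allowed_ips_line.partition("=")
    return [ipaddress.ip_network(p.strip(), strict=False) for p in value.split(",") if p.strip()]


def via_tunnel(dst: str, routes: list[ipaddress.IPv4Network]) -> bool:
    """True if some tunnel route covers dst; otherwise the client sends it out its local uplink."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in routes)


def tunnel_report(dsts: list[str], routes: list[ipaddress.IPv4Network]) -> dict[str, bool]:
    """Map each destination to whether it is reachable through the tunnel with these routes."""
    return {d: via_tunnel(d, routes) for d in dsts}
```

A host on a remote LAN that is missing from both the OpenVPN pushes and the WireGuard AllowedIPs (for example 192.168.50.7 here) is reported as not via the tunnel, which is exactly the "cannot reach the farthest devices" symptom in this thread.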
Re:VPN client to LAN-to-LAN routing
2 weeks ago

@firefox111

OK, I see; in stand-alone they have called it LAN to LAN. ;-)

#20
Re:VPN client to LAN-to-LAN routing-Solution
2 weeks ago - last edited 2 weeks ago

ALL: I have switched to IPsec LAN-to-LAN (Site-to-Site). In IPsec, I can specify the Local Networks allowed, but not in WireGuard (stand-alone ER605).

All is well now. The OVPN client can now reach the farthest devices.

Question: I've been seeing/reading "controller" - is it another piece of hardware to buy? Or is it a cloud service? If it is another piece of hardware to purchase, well, I'm retired and I'd rather be happy with my "stand-alone" ER605s.

Recommended Solution
#21
Re:VPN client to LAN-to-LAN routing
2 weeks ago

@firefox111

Hi,

There are multiple versions of controllers:

1. You can buy additional HW - the OC200 - which is a physical controller.

2. You can set up a Cloud Controller directly in the TP-Link Omada Cloud Environment (there are paid and free (essential) plans for that).

3. You can host your own controller on your server / NAS / docker container / Raspberry Pi or whatever can handle it - free of charge if you have the device to run it.

I'm using that cuz it allows me to handle multiple devices and different sites, and change their configuration remotely even if those don't have a public IP address from the ISP.

Whether it's worth using - it's totally up to you and your needs ;)

BTW, I'm glad you made it work for yourself in the end ;)

Cheers

#22