VPN client to LAN-to-LAN routing
Hello! This has been bugging me since I have established LAN-to-LAN VPN connection on my two properties. Now, if I am away, I VPN in to one of the ER605's to check on my LAN in that subnet. My problem is I cannot traverse through the LAN-to-LAN connection to login to devices on the other node. My current solution is to disconnect from the one node and connect to the other so I can have access to the devices behind the ER605 in that location.
What can I do to both so that I can traverse through the LAN-to-LAN connection to be able to access devices on the far side of the VPN tunnel? Thanks in advance. Both locations are connected using Wireguard. The client is using a PC with OpenVPN.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I haven't tested with WireGuard Site to Site but you may need to add the OpenVPN IP pool to the allowed IP on WireGuard. I don't know
- Copy Link
- Report Inappropriate Content
In theory I've tested that config with wireguard without VPN IP Pool added and it still worked with Full Mode.
But it's never a bad idea to give it a try.
- Copy Link
- Report Inappropriate Content
All:
The official implementation of Wireguard VPN server has a setting for "Allowed local subnets" so that clients from anywhere are allowed access to these defined local subnets.
The Wireguard setup in the ER605 has nothing for defining local networks. Where, in ER605, can these be defined? In the static routing?
- Copy Link
- Report Inappropriate Content
RaRu wrote
In theory I've tested that config with wireguard without VPN IP Pool added and it still worked with Full Mode.
But it's never a bad idea to give it a try.
The "Full Mode" in ER605 tunnels all traffic. I don't think I will go for that because I want Split Tunneling.
Unlike iPSec where you can enumerate Local Networks, TP-Link's implementation of Wireguard in the ER605 does not allow for "Allowed Networks".
- Copy Link
- Report Inappropriate Content
It's not called L2L but S2S or Ipsec site to site.
But IPsec site to site is a better solution for you, it is faster than wireguard too. much faster..
use this encryption to get the most secure and fastest communication on ER605v2
IKEv2
Phase1
SHA-256 - AES256 - DH14
phase2
ESP - SHA-256 - AES256
i am not very familiar with how to configure this in stand alone, i only use controllers.
And OpenVPN server config is like this when configured on Omada Controller and Splitt tunnel
As you can see in the client log, all the necessary routes are added.
0 [route] [192.168.60.0] [255.255.255.0]
1 [route] [192.168.30.0] [255.255.255.0]
2 [route] [10.87.65.0] [255.255.255.0]
3 [dhcp-option] [DNS] [1.1.1.2]
4 [route] [1.1.1.2] [255.255.255.255]
5 [dhcp-option] [DNS] [1.0.0.2]
6 [route] [1.0.0.2] [255.255.255.255]
7 [comp-lzo] [no]
8 [route] [10.87.65.0] [255.255.255.0]
- Copy Link
- Report Inappropriate Content
I looked at a TP-Link emulator and you can't use split tunnel when you're in stand alone if you're going to reach more than one network. So you have to use full tunnel to get it to work.
IPsec site to site settings so you can define multiple networks in stand alone.
- Copy Link
- Report Inappropriate Content
I do a test with Wireguard site to site and splitt tunnel and OpenVPN server, no change on OpenVPN server config, you have to add routes like this in your wireguard config.
but I recomand you to upgrade to controller to get splitt tunnel to work with OpenVPN
OR you can use Wireguard and split tunnel, that might be the easiest for you. then you add allowd ip in the configuration file of the wireguard client like this.
AllowedIPs = 192.168.60.0/24, 192.168.30.0/24
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
ALL: I have switched to IPsec LAN-to-LAN (Site-to-Site). In IPsec, I can specify the Local Networks allowed but not in Wireguard (Stand alone ER605).
All is well now. OVPN client can now reach the farthest devices.
Question: I've been seeing/reading "controller" - is it another hardware to buy? Or is it cloud services? If it is another hardware to purchase, well, I'm retired and I'd rather be happy with my "stand-alone" ER605's.
- Copy Link
- Report Inappropriate Content
Hi,
There are multiple versions of controllers:
1. You can buy additional HW - OC200 - which is phisical controller
2. You can set up Cloud COntroller directly in TP-Link Omada Cloud Environment (there are paid and free (essential) plans for that)
3. You can host your own controller on your server / NAS / docker container / Raspberry Pi or whatever that can handle it - free of charge if you have the device to run it.
I'm using that cuz it allows me to handle multiple devices and differen sites, change their configuration remotely even if those don't have public IP address from ISP.
If it's worth using - it's totally up to you and your needs ;)
BTW. I'm glad you made it work for yourself in the end ;)
Cheers
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 431
Replies: 22
Voters 0
No one has voted for it yet.