ER8411 site-to-site VPN with OpenVPN

I'm running an OpenVPN server instance on an ER8411. The ER8411 is running in standalone mode and is configured over the web UI.
Is it possible to configure site-to-site VPN on it?
I tried to add a static route on the ER8411 to point to the VPN client's internal network via the VPN client IP, but it seems it doesn't work. I can't reach / ping systems behind the VPN client; however, I can reach the VPN client from my networks connected to the ER8411.
IP forwarding is enabled on the VPN client between tunnel and internal interface.

@Clive_A Thanks a lot for your feedback.
Unfortunately one of the sites is behind CGNAT, so I can only do a VPN connection from one site to another. Only one of the sites has a public IP.
Maybe I can work around this and achieve the requirement if I can fix the VPN IP address of the OpenVPN client. Is it possible to do that? Can I force this from the client side? Does the default OpenVPN server configuration on the ER8411 allow that?
Or is there a way to fix the VPN IP or make it static for an OpenVPN client?

lkakas wrote
@Clive_A Thanks a lot for your feedback.
Unfortunately one of the sites is behind CGNAT, so I can only do a VPN connection from one site to another. Only one of the sites has a public IP.
Maybe I can work around this and achieve the requirement if I can fix the VPN IP address of the OpenVPN client. Is it possible to do that? Can I force this from the client side? Does the default OpenVPN server configuration on the ER8411 allow that?
Or is there a way to fix the VPN IP or make it static for an OpenVPN client?

Consider SD-WAN, then.
There is no routing for the VLAN interface. So, it's not possible to set a routing to define the destination or whatsoever.
@Clive_A Thanks,
My question still wasn't answered: is it possible to make the VPN IP of a client static? With OpenVPN and not with WireGuard. Either on the router side, or does the router allow any client option to push this?
Thanks.

lkakas wrote
@Clive_A Thanks,
My question still wasn't answered: is it possible to make the VPN IP of a client static? With OpenVPN and not with WireGuard. Either on the router side, or does the router allow any client option to push this?
Thanks.

None of the VPNs can set a static IP for the client. I don't know why this is important.
Except for WireGuard, for which you are required to manually set the interface IP. So that is static.

Because I can do NAT-ing and port forwarding on the client side. But with the client IP always changing, it is difficult to manage and reach the systems behind the VPN client.

Which client are you using on the CGNAT side? Is it a router or another type of client? As Clive says, only WireGuard has a fixed IP. If it is a router, there are also options for site-to-site even if one of the routers is behind a CGNAT; it is just a little more complicated. You can use SD-WAN IPsec and WireGuard for this. I use a number of Unifi routers for both WireGuard and IPsec site-to-site against Omada routers. If you have two Omada routers, it is very simple even if one of the routers is behind a NAT.

It's a Linux-based OpenVPN client / router. I can do anything on that; basically it's a plain Linux OS.

OK, a Linux OpenVPN client, I haven't tested it. I have used other routers as a client and managed site-to-site; it hasn't been easy, but it has worked. But WireGuard is probably a slightly easier VPN to work with when you are going to have site-to-site. Then you have more control over which IP will go in the tunnel on both client and server; that way I have managed to get full site-to-site from a WireGuard client on routers.
If you have the opportunity, you can install an Omada router and use SD-WAN or IPsec; it is the fastest and most efficient way to get a site-to-site. You can use an ER650v2 for this, and the speed in VPN is quite good.