ER8411 site-to-site VPN with OpenVPN

a week ago - last edited a week ago
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.2.3 Build 20241121 Rel.21021

I'm running an OpenVPN server instance on the ER8411. The ER8411 is running in standalone mode and is configured over the web UI.

Is it possible to configure site-to-site VPN on it?

I tried to add a static route on the ER8411 to point the VPN client's internal network via the VPN client IP, but it seems it doesn't work. I can't reach / ping systems behind the VPN client; however, I can reach the VPN client from my networks connected to the ER8411.

IP forwarding is enabled on the VPN client between tunnel and internal interface. 

1 Accepted Solution
Re:ER8411 site-to-site VPN with OpenVPN-Solution
a week ago - last edited a week ago
Recommended Solution
Re:ER8411 site-to-site VPN with OpenVPN
Thursday - last edited Thursday

  @Clive_A Thanks a lot for your feedback.

Unfortunately one of the sites is behind CGNAT, so I can only do a VPN connection from one site to another. Only one of the sites has a public IP.

I can maybe work around it and achieve what the requirement is if I can fix the VPN IP address of the OpenVPN client. Is it possible to do that? Can I force this from the client side? Is the default OpenVPN server configuration allowing that on the ER8411?

Or is there a way to fix the VPN IP or make it static for an OpenVPN client?

Re:ER8411 site-to-site VPN with OpenVPN
Friday

  @lkakas

lkakas wrote:

> @Clive_A Thanks a lot for your feedback.
>
> Unfortunately one of the sites is behind CGNAT, so I can only do a VPN connection from one site to another. Only one of the sites has a public IP.
>
> I can maybe work around it and achieve what the requirement is if I can fix the VPN IP address of the OpenVPN client. Is it possible to do that? Can I force this from the client side? Is the default OpenVPN server configuration allowing that on the ER8411?
>
> Or is there a way to fix the VPN IP or make it static for an OpenVPN client?

Consider SD-WAN, then.

There is no routing for the VLAN interface. So, it's not possible to set a routing to define the destination or whatsoever.

Re:ER8411 site-to-site VPN with OpenVPN
Friday - last edited Friday

  @Clive_A Thanks,

Still, my question wasn't answered: is it possible to make the VPN IP of the client static? With OpenVPN and not with WireGuard. Either on the router side, or if the router allows any client option to push this?

Thanks.

Re:ER8411 site-to-site VPN with OpenVPN
Friday

  @lkakas

lkakas wrote:

> @Clive_A Thanks,
>
> Still, my question wasn't answered: is it possible to make the VPN IP of the client static? With OpenVPN and not with WireGuard. Either on the router side, or if the router allows any client option to push this?
>
> Thanks.

None of the VPNs can set a static IP for the client. I don't know why this is important.

Except for WireGuard, for which you are required to manually set the interface IP. So that is static.

Re:ER8411 site-to-site VPN with OpenVPN
Friday

  @Clive_A

Because I can do NAT-ing and port forwarding on the client side. But with the client IP always changing, it is difficult to manage and reach the systems behind the VPN client.

Re:ER8411 site-to-site VPN with OpenVPN
Saturday

  @lkakas

Which client are you using on the CGNAT side? Is it a router or another type of client? As Clive says, only WireGuard has a fixed IP. If it is a router, there are also options with site to site even if one of the routers is behind a CGNAT; it is just a little more complicated. You can use SD-WAN IPsec and WireGuard for this. I use a number of UniFi routers for both WireGuard and IPsec site to site against Omada routers. If you have two Omada routers, it is very simple even if one of the routers is behind a NAT.

Re:ER8411 site-to-site VPN with OpenVPN
Saturday

  @MR.S

It's a Linux-based OpenVPN client / router. I can do anything on it; basically it's a plain Linux OS.

Re:ER8411 site-to-site VPN with OpenVPN
Saturday

  @lkakas

OK, a Linux OpenVPN client, I haven't tested it. I have used other routers as a client and managed site to site; it hasn't been easy, but it has worked. But WireGuard is probably a slightly easier VPN to work with when you are going to have site to site; then you have more control over which IP will go in the tunnel on both client and server. That way I have managed to get full site to site from a WireGuard client on routers.

If you have the opportunity, you can install an Omada router and use SD-WAN or IPsec; it is the fastest and most efficient way to get a site to site. You can use an ER650v2 for this, and the speed in VPN is quite good.
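
For reference, this is how stock OpenVPN pins a client's tunnel address and routes a LAN behind that client, as an added example that is not part of the thread and not ER8411 configuration. It assumes a self-managed OpenVPN server whose configuration files can be edited (the replies above say the router does not offer this); the subnets, file paths and the client name `site-b-router` are constructed placeholders.

```conf
# Constructed example for a self-managed OpenVPN server in tun mode.
# Subnets, paths and the client name "site-b-router" are placeholders.

# ---- /etc/openvpn/server/server.conf (relevant lines only) ----
topology subnet

# "nopool" stops the server helper from creating its default pool, so the
# dynamic range below cannot collide with fixed addresses set in ccd/.
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.100 10.8.0.200 255.255.255.0

# Per-client files are looked up by the certificate Common Name (CN).
# Leave duplicate-cn off and issue one certificate per site: the CN is
# what binds a tunnel address and a routed subnet to a client.
client-config-dir /etc/openvpn/ccd

# Kernel route on the server: send traffic for the client-side LAN to tun.
route 192.168.50.0 255.255.255.0

# Tell the client how to reach the server-side LAN.
push "route 192.168.10.0 255.255.255.0"

# ---- /etc/openvpn/ccd/site-b-router (file name = client CN) ----
# Fixed tunnel address for this client (address + netmask under
# "topology subnet").
ifconfig-push 10.8.0.10 255.255.255.0

# OpenVPN's internal route: packets for this LAN belong to this client.
# Without it the server process drops them even when the kernel route
# above exists, and a static route via the client's tunnel IP is not enough.
iroute 192.168.50.0 255.255.255.0
```

Hosts on the server-side LAN also need a route to the client-side subnet via the OpenVPN server if that server is not their default gateway.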
