Connect two routers

[Nesalex]

I need a secure connection between two routers. Both routers have the latest Merlin firmware. On my home router- GT-AX6000, I have a VPN server running. At home, I have a public dynamic IP address. My second router, the RT-AC68U, will be placed at a different location. There, an ISP router with a local IP address is already present. I want to connect my RT-AC68U to this ISP router, and I need remote access to the RT-AC68U.


I’m looking for the most secure way to set this up. I’m thinking of creating a second VPN server on the GT-AX6000 with access restricted to the LAN, and on the RT-AC68U, I would configure a VPN client to connect to the VPN server running on the GT. However, how can I do this as securely as possible? How can I ensure that if the RT-AC68U network gets compromised, the attacker won’t simply gain access to my home network on the GT-AX6000?


My goal is only to be able to access the RT-AC68U remotely to configure certain settings. No one and nothing else should be able to access my home network from the RT-AC68U. One more thing: all traffic on the RT-AC68U should continue to function as it does now. The VPN should serve only for remote access and configuration.


I know this is a bit extensive, but I’d appreciate some advice, at least in terms of the steps I need to take. I’ll try to implement it myself; I just need to know what to consider. Thx

 

[bennor]

Why not just configure one Asus router as the VPN server and configure the second Asus router as a VPN Client that connects to the Asus VPN Server router. Aka Site-to-Site VPN. For example...

Tutorial - Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode

The Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode - Part 1 This guide will help you connect two ASUS routers in Site To Site (also know as Point To Point) mode. I'm listing literally every step I take so you should be able to just follow along...

www.snbforums.com

 

[Nesalex]

Why not just configure one Asus router as the VPN server and configure the second Asus router as a VPN Client that connects to the Asus VPN Server router. Aka Site-to-Site VPN. For example...

Tutorial - Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode

The Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode - Part 1 This guide will help you connect two ASUS routers in Site To Site (also know as Point To Point) mode. I'm listing literally every step I take so you should be able to just follow along...

www.snbforums.com

The Rt-ac68u router will be located in a student apartment where "anyone" can come and that someone can have something on their computer. If a tunnel is created between both routers, can't everything get from one network to the other? Even now I thought of the possibility of creating a guest network, and everyone who visits Rt-ac68u would not have access to the intranet. That could be nice. I will look at the procedure you sent me

 

[bennor]

You can probably use VPN director to control who accesses the VPN tunnel between the two site to site configured routers.

Or just configure the student apartment asus router with a VPN server so you can access it remotely to configure the router using an VPN client on your own computer. Yes you would have access to any open devices on the student apartment asus router, but you would still have access to the student router itself to control it.

 

[Nesalex]

You can probably use VPN director to control who accesses the VPN tunnel between the two site to site configured routers.

Or just configure the student apartment asus router with a VPN server so you can access it remotely to configure the router using an VPN client on your own computer. Yes you would have access to any open devices on the student apartment asus router, but you would still have access to the student router itself to control it.

The student router is behind a double NAT in the provider's local subnet. I'm not an expert but I think it wouldn't work to create a server there. Or am I wrong?

 

[bennor]

The student router is behind a double NAT in the provider's local subnet. I'm not an expert but I think it wouldn't work to create a server there. Or am I wrong?

Depends on the setup of the double nat. May be ways to port forward or route through the double nat.