
Lan-to-Lan VPN between 2 homes


jkopatich

This seems like a pretty easy thing to do, but my head is spinning with terminology and I just can't get my arms around it.

There are 2 homes, each with high speed internet. Both have a modem/router supplied by the provider, which provide landline and wireless connections. One is Google Fiber (which doesn't seem to allow you to do much in the way of configuration) and the other does provide a bit more networking options. My goal is simple. I want to be able to ping a device from home A that is inside home B. Now, that device in home B will be a wireless device. I tried to study about Lan-to-Lan VPN using IPSEC, but Google Fiber's router doesn't seem to support it. So, I bought a TP-LINK ER605 router to put inside the home network. Actually I bought 2 so each home would have them. I figured I could use them to set up the VPN, but settings and terminology just got too confusing.

If I plug the cable from the provider's router into the WAN port of the ER605, then it has an IP of 192.168.0.1, which is different than provider's network which is 192.168.1.1. Now I have seen some videos where I can force my ER605 to be on the same 192.168.1.1 subnet, but then I get lost in how to configure the ER605 to create a VPN.

Now I think I could probably get the VPN set up if I plugged both ER605s into the WAN port and followed some videos to configure IPSEC. However, now I'm stuck because neither router can see anything on the wireless network, because that is a different subnet.

First, does any of this make sense? Second, if I do use WAN ports and configure a VPN between them, how can I get the ER605 routers to see the devices on the wireless network (192.168.1.X subnet), or can I configure them so that they are all on the same subnet and still create a VPN?

I know this is a Hail Mary, but if anyone has done this or can point me to some videos so I can educate myself I would appreciate it.
 
Implicit in your description is the belief (perhaps true, perhaps NOT) that in order for the VPN to work, it must be via the WAN of the ER605. But I can tell you that, at least w/ many third-party firmware, this isn't necessarily the case. With my ASUS RT-AC68U running FreshTomato, I can place the router in a LAN only configuration (i.e., WAN disabled) *and* establish an OpenVPN connection on the LAN side. That keeps the VPN on the same private IP network as the primary router. IOW, the RT-AC68U becomes just another LAN device, no different than if it was a desktop, NAS, etc.

Since I know *nothing* about the ER605, I don't know if the same applies to it. You might very well be forced to establish the VPN over the WAN. However, it might not matter *provided* the router is willing to route *upstream* to the primary router's private network via the ER605 WAN! Once again, I just don't know what the ER605 router will allow.

And therein lies the problem w/ using OEM firmware. Once you're using OEM firmware, you're stuck w/ whatever the OEM decides is proper, leaving you w/ few options. You get what you get.

Of course, the other option is to use the ER605 routers as primary routers, ideally by placing the existing routers in bridge mode (if supported). Of course, you lose the existing APs and will need to establish them back on the ER605 as standalone APs. That's why it might have been better to ask your questions before committing to the ER605s, which do NOT support wireless.
 
I am not a VPN expert, but this is the first example I have seen of running a VPN server on LAN instead of the WAN.
It appears to me that with this approach each client still needs a static route to the remote subnet via the LAN IP of the VPN server.
It appears that your approach may work for IPsec site to site on an Edgerouter.

However, this is what I did with an Edgerouter x (erx) behind a Spectrum router.
Connect the erx WAN port to the LAN.
Reserve the erx WAN IP address in the Spectrum router.
Set the erx LAN subnet to one that doesn’t conflict with either the Spectrum LAN subnet or the remote subnet. I generally use /24s from the 172.16 to 172.31 private range.
Connect an erx LAN port to the LAN. Note the LAN MAC address of the erx must be different than its WAN MAC address. You now have two cables from the erx to the rest of the LAN.

I think a better alternative would be to add the new subnet to the LAN port of the erx and only use one cable.

Enable NAT traversal on both VPN servers.
On the Spectrum router forward the IPsec and NAT traversal ports to the WAN IP of the erx.
On each Windows PC set “dhcpstaticipcoexistence” enabled and add a non-conflicting static IP in the new subnet.

On each Windows PC add a static route to the remote subnet.
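
Added example, not part of any post in this thread: a small Python planner for the addressing step described above. It flags overlapping subnets between the two sites, picks a free /24 from the 172.16 to 172.31 range, and builds the Windows static route. The function names and every address other than 192.168.1.0/24 are constructed for illustration.

```python
import ipaddress

# The private range the post draws /24s from: 172.16.0.0 through 172.31.255.255.
POOL = ipaddress.ip_network("172.16.0.0/12")

# Constructed sample: both provider routers hand out the same default LAN.
SITES = {"home_a_lan": "192.168.1.0/24", "home_b_lan": "192.168.1.0/24"}


def find_conflicts(subnets):
    """Return every pair of named subnets whose address ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def pick_free_subnet(in_use, prefixlen=24):
    """First block of the given size in POOL that overlaps no in-use subnet."""
    used = [ipaddress.ip_network(cidr) for cidr in in_use]
    for candidate in POOL.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    raise ValueError(f"no free /{prefixlen} left in {POOL}")


def windows_route(remote_cidr, gateway, local_cidr):
    """Build the persistent Windows static route to the remote subnet.

    The gateway is the LAN address of the local VPN router; it must sit in
    a subnet the PC itself has an address in, or the route is unusable.
    """
    remote = ipaddress.ip_network(remote_cidr)
    gw = ipaddress.ip_address(gateway)
    if gw not in ipaddress.ip_network(local_cidr):
        raise ValueError(f"gateway {gw} is not on local subnet {local_cidr}")
    return f"route -p add {remote.network_address} mask {remote.netmask} {gw}"


if __name__ == "__main__":
    print("conflicts:", find_conflicts(SITES))
    # Give each site's VPN router its own LAN subnet, avoiding everything in use.
    lan_a = pick_free_subnet(SITES.values())
    lan_b = pick_free_subnet(list(SITES.values()) + [str(lan_a)])
    gw_a = next(lan_a.hosts())  # first host address, assumed to be the router
    print(windows_route(str(lan_b), str(gw_a), str(lan_a)))
```

Two sites that both sit on the same provider default subnet cannot be routed to each other directly, which is why the planner reports that pair and allocates distinct subnets behind each VPN router.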
 