Router to Router Routing help

[CaptnDanLKW]

The need - remote router to be able to 'reach' my local router, via an established OVPN connection.

remote network - 192.168.2.0/24
remote router - br0 - 192.168.2.1
OVPN Server - tun21 10.8.0.1

local network - 192.168.1.0/24
local router - br0 - 192.168.1.1
OVPN Client - tun11 - 10.8.0.2

The TL;DR is that I simply want routing and no router firewall blocking so I can ping or \\w.x.y.z\smbshare, or any other service listening on a port to be reachable.

Current need:
I want the remote router's syslog to be able to dump its logs to my syslogd, which is set up for remote listening and running Scribe, which is based on syslog-ng. The remote router is running the basic syslogd and the remote log server is set to 10.0.8.2.

Logs are not being sent, so I verified connectivity with ssh access on 192.168.1.1 can ping 10.8.0.1 (Server) and ssh on the remote router, running OVPN Server, I can ping 10.8.0.2 (the client).

The only thing I can think of, is that the listener can only listen on the 192.168.1.0/24 network, so my idea is to add a route statement for each side.

Future need:
To be able to connect directly to IP cameras on the remote side; (e.g. 192.168.2.220:9001) from devices on my local 192.168.1.0/24 network

My idea - I want to route 192.168.1.0/24 traffic over the OVPN connection; and without a new route entry it will try to go out the default GW which obvioudly wont work.

There seems to be a few ways that make syntax sense like: route add 192.168.1.0/24 dev tun11 or route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.8.2. (Vice versa for the other side)

1) will either of these work? Is one more preferred over the other?
2) are there any firewall implications? (i.e. will I need additional iptables commands to open ports)?


Thanks in advance.

 

[Digilog]

The need - remote router to be able to 'reach' my local router,

Thanks in advance.

The correct method to use is IPSEC in your instance as this works on the network layer and ties both networks together. OpenVPN is a remote client software and works on the transport layer to connect one client to a remote network.

 

[JGrana]

Possibly consider Tailscale instead? There is even an Addon under amtm that installs tailscale and has an option to enable site-to-site mode. It’s called Tailmon.

 

[ColinTaylor]

Make sure that in your VPN client settings you have "Inbound Firewall" set to Allow.

Check your syslog-ng config to see which interfaces it's listening on (and if you can change it if necessary). There's no point chasing additional routing if there's no need. The server already pushes it's own route, so at most you would only need to do it for the client side. (There's already many guides on these forums explaining how to do that)

 

[Digilog]

strongSwan is the popular ipsec for Linux/BSD.

 

[Tech9]

The correct method to use is IPSEC in your instance

strongSwan is the popular ipsec for Linux/BSD

Unrelated to the requirements and hardware/software used by the OP.

 

[visortgw]

1. Create OVPN server on local and remote networks.
2. Connect networks using OVPN clients to connect networks bidirectionally.
3. Use VPN Director on local and remote routers to manage access.

It works!

 

[raven-au]

Not sure this is what you are looking for but does it help?

Tutorial - Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode

The Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode - Part 1 This guide will help you connect two ASUS routers in Site To Site (also know as Point To Point) mode. I'm listing literally every step I take so you should be able to just follow along...

www.snbforums.com

But I would think using Wireguard would be a better option than OpenVpn.

[Wireless Router] How to set up site to site VPN with WireGuard®? | Official Support | ASUS Global

Not sure the commentary of either of these links works but looks viable (the former looks like it's heavy going).

 

[Digilog]

Unrelated to the requirements and hardware/software used by the OP.

Since BSD11 ipsec was baked into the kernel, so why use a client software that is designed for temporary connections?

You could use one of those client software, but its not going to be as good as ipsec in performance.

Client software like wireguard & openvpn were designed for a client device. IPsec is for a client network. So why waste the time making openvpn connections for each remote point that is going to bog down the router cpu when one ipsec connection that has been optimized by the operating system can take care of all of it?

That is why it doesn't make sense to me.

 

[elorimer]

The remote router is running the basic syslogd and the remote log server is set to 10.0.8.2.

On the remote router I think you need to set the remote log server to 192.168.1.1:514, and then have a syslog-ng source defined for it. Either add source net { udp(ip(192.168.1.1) port(514)); }; or add udp(ip(192.168.1.1) port(514)); to source src.

 

[Digilog]

if its one server, its easier to run an instance of open VPN and connect to the remote router that way. One of the issues with running vpn on the router is its using the router's wimpy cpu so you will be limited in what you can do network wise.
You can run a server with the instance, then bridge to an interface that has a static ip, then DHCP, and run one dhcp server with 1/2 of the ip pool locally and the other is an ip pool of the remote. But this is going to take more programming and computer resources than just using ipsec that is already built into the os of the routers and join the two IP tables on the sub-level.

I ran out of time this morning and have to go to work, but I will post a guide on how to connect these two router via ipsec instead of VPN. In the meantime, you should look as why people use IPsec instead of VPN for this.

 

[Tech9]

already built into the os

Home routers don't run on full blown Linux/BSD. The question is about specific home routers.