2 site OVPN design check please.

chrisjs

Occasional Visitor
Hi all and thanks for lots of good reading on SNB.

I have been running a 2 site home network for a few years using OpenVPN as the connection between the two sites and as a personal internet access VPN which has worked well enough for us. Changes in hardware and software have occurred from time to time and, as long as it all kept going, I haven't worried too much. This year Site B moved to FTTP and a BT SmartHub2, plus I started using a PiHole there, but all the key functions seemed to survive the changes for several months, until some of them stopped! Stepping back and looking at the overall configuration, I think that there are some flaws but would really appreciate a sanity check on the design so that I can fix what I have got and then move on to some more changes.

Below is a tabulation of what's where, how it is set up and what it does. When everything worked, I could access all the expected interfaces at Site H (web, SSH, Ping etc); now, I can access the Site H router over OVPN as usual but can't reach the Device 1 server at all (it works as usual locally). In concept, I had intended to divide the 192.168.5.x network across the two sites but I see now (orange text) that I have glitched on implementation at some point; is this my only problem?

In case it helps, when I ping 5.223 over either a TCP or UDP tunnel I get a reply from the tunnel IP saying that the destination host is unreachable.

Have a good weekend.
Chrisjs

                    Site H                       Site B
ISP Connection      FTTC                         FTTP
Router              ASUS AC86U                   SmartHub2
  IP                192.168.5.1                  192.168.5.254
  DHCP pool         192.168.5.2 – 254            Off
  Mode              Modem router                 Router
  O/S               Merlin 386.5_2               BT
  Functions         Skynet, OpenVPN              -
Device 1            SBC                          ASUS AC86U
  IP                192.168.5.223                192.168.5.215
  Functions         SyncTrayzor                  Access Point
  O/S               Ubuntu 20.04                 Merlin 386.5_2
Device 2                                         SBC
  IP                                             192.168.5.224
  Functions                                      Pihole, (DHCP 192.168.5.64-254)
  O/S                                            Ubuntu 20.04
All Router and Device IP are static.
 

eibgrad

Part of the Furniture
It might be useful to know which site is the OpenVPN client vs. OpenVPN server. It's NOT obvious from the description.

One potential problem I see immediately is that both sides are using the same IP network (192.168.5.x), so I assume this is a *bridged* (TAP) OpenVPN tunnel. But both sides of the tunnel have their own DHCP server, and they overlap! That's going to be a problem unless you've also blocked DHCP across the tunnel.

Also, the SmartHub2's IP (192.168.5.254) falls within the scope of both DHCP servers. Yet another risk for multiple assignments of the same IP.

Looking at this more broadly, bridged (TAP) OpenVPN tunnels are meant to be used where the two sides are logically part of the same IP network. For example, a company that has various departments separated due to physical limitations (e.g., different buildings on the same campus). The fact they can't communicate via the same hardware is just the result of physical limitations, but otherwise, there's no point in having them on *different* IP networks. They're all part of the same organization serving the same purposes and ends.

That's why a routed (TUN) OpenVPN tunnel, each side w/ its own unique and non-overlapping IP network, is so much more common. Each side acts independently for most purposes, except on occasion they need to share resources. And usually only *specific* resources, so they filter access using their respective firewalls.

I don't know where YOU fall within the above, but as I said, a bridged (TAP) tunnel is uncommon because it assumes a MUCH closer relationship between the two sides than a routed (TUN) tunnel.
 
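As an added example that is not part of the thread and not code from either poster, the script below turns the three points raised in the reply above (both sites on one IP network, overlapping DHCP pools, and static addresses sitting inside a pool) into a mechanical check that can be run against an address plan before it is rolled out. The "as posted" data is transcribed from the table in the first post; the tunnel network 10.8.0.0/24 and the "proposed" split of 192.168.5.0/24 into two /25 networks are constructed assumptions used only to show what a clean result looks like.

```python
import ipaddress
from dataclasses import dataclass


# Hypothetical helper (not from the thread): one site's LAN plan.
@dataclass
class Site:
    name: str
    lan: str              # subnet behind this site's router, e.g. "192.168.5.0/24"
    static_hosts: dict    # label -> static IPv4 address
    dhcp_pools: list      # [(label, first_ip, last_ip)], empty when DHCP is off


def check_design(sites, tunnel_net, tunnel_mode="tun"):
    """Return a list of (kind, detail) findings for a site-to-site OpenVPN plan."""
    findings = []
    tunnel = ipaddress.ip_network(tunnel_net)
    lans = {s.name: ipaddress.ip_network(s.lan) for s in sites}

    # 1. A routed (TUN) tunnel needs each side on its own IP network: a route to the
    #    remote LAN via the tunnel cannot beat a directly connected interface on the
    #    same network, so remote hosts end up "unreachable".  The tunnel's own
    #    network must not overlap either LAN for the same reason.
    names = list(lans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if lans[a].overlaps(lans[b]):
                note = " (routed/TUN tunnel cannot tell them apart)" if tunnel_mode == "tun" else ""
                findings.append(("lan_overlap", f"{a} {lans[a]} overlaps {b} {lans[b]}{note}"))
        if lans[a].overlaps(tunnel):
            findings.append(("tunnel_overlap", f"{a} {lans[a]} overlaps tunnel {tunnel}"))

    # 2. Two DHCP servers whose pools overlap can hand the same address out twice.
    pools = [(s.name, label, ipaddress.ip_address(lo), ipaddress.ip_address(hi))
             for s in sites for label, lo, hi in s.dhcp_pools]
    for i, p in enumerate(pools):
        for q in pools[i + 1:]:
            if p[2] <= q[3] and q[2] <= p[3]:
                findings.append(("dhcp_overlap",
                                 f"{p[0]} pool {p[1]} {p[2]}-{p[3]} overlaps "
                                 f"{q[0]} pool {q[1]} {q[2]}-{q[3]}"))

    # 3. Static addresses must belong to their own site's LAN and stay outside every
    #    pool (or be reserved there); otherwise a lease can collide with them.
    for s in sites:
        for label, ip in s.static_hosts.items():
            addr = ipaddress.ip_address(ip)
            if addr not in lans[s.name]:
                findings.append(("static_outside_lan", f"{s.name} {label} {addr} not in {lans[s.name]}"))
            for site, pool, lo, hi in pools:
                if lo <= addr <= hi:
                    findings.append(("static_in_pool",
                                     f"{s.name} {label} {addr} lies in {site} pool {pool} {lo}-{hi}"))
    return findings


# Transcribed from the table in the first post.
AS_POSTED = [
    Site("Site H", "192.168.5.0/24",
         {"router": "192.168.5.1", "device1-sbc": "192.168.5.223"},
         [("router", "192.168.5.2", "192.168.5.254")]),
    Site("Site B", "192.168.5.0/24",
         {"router": "192.168.5.254", "device1-ap": "192.168.5.215", "device2-pihole": "192.168.5.224"},
         [("pihole", "192.168.5.64", "192.168.5.254")]),
]

# Constructed plan: each site gets its own /25, statics kept outside the pools.
PROPOSED = [
    Site("Site H", "192.168.5.0/25",
         {"router": "192.168.5.1", "device1-sbc": "192.168.5.2"},
         [("router", "192.168.5.10", "192.168.5.126")]),
    Site("Site B", "192.168.5.128/25",
         {"router": "192.168.5.254", "device1-ap": "192.168.5.130", "device2-pihole": "192.168.5.131"},
         [("pihole", "192.168.5.140", "192.168.5.250")]),
]

TUNNEL_NET = "10.8.0.0/24"   # assumed tunnel network, not stated in the thread

if __name__ == "__main__":
    for label, plan in (("as posted", AS_POSTED), ("proposed", PROPOSED)):
        print(f"== {label} ==")
        for kind, detail in check_design(plan, TUNNEL_NET) or [("ok", "no findings")]:
            print(f"{kind:20s} {detail}")
```

Run as posted, the script reports the single LAN overlap, the one DHCP pool overlap, and every static address that sits inside one of the two pools (including the SmartHub2's .254); the constructed /25 split reports nothing. The /25 plan is only one way of giving each side a distinct network while staying inside 192.168.5.x; any two non-overlapping networks pass the same checks.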

chrisjs

Occasional Visitor
Thanks for the rapid and helpful reply eibgrad.
To clarify, Site H is running the VPN server.
Yes, agree the two sites need to have better division of the IP pools to avoid future problems (hence the orange text), though it's less clear to me what role that has in today's problem, especially given that it worked for several months.

The two sites are part of the same household so trust is high and the purpose is common with people going between them but, from a network point of view, they are mostly independent with occasional sharing. I chose to use TUN rather than TAP because, rightly or wrongly, I saw that and network sharing as making matters better / easier for devices that moved between sites.

Taking your point that my setup is somewhat unconventional, if I divide the 192.168.5.x network between the two sites cleanly, would you expect it to work?
 
