Setup Site to Site VPN


JGrana

Very Senior Member
I have finally gotten Fios installed at my cabin. I am using an AX58U at this remote location. I have an AX88U at my house.

I have been researching how to set up a site-to-site OpenVPN link, especially now that 386.3 has VPN Director.
Unfortunately, many of the FAQs/readmes are older and some seem to give conflicting information.

Ideally I would like to be able to put an older NAS at the remote site and do daily backups to it. I would also like to be able to manage the remote AX58U and not have the WebUI exposed.
Additionally, it would be great if I could access a few devices on my home network (AX88U) from the remote site.

A few questions/observations (and an ask ;-)

1) I believe I should have the LAN addresses different on each router (AX88U is 192.168.1.0, the AX58U is 192.168.2.0)
2) Both routers have DDNS enabled and working.
3) Should I make the home router the OpenVPN server and the remote the client?
4) TUN or TAP?

Last, any pointers would be appreciated!
 

ColinTaylor

Part of the Furniture
3) Why not run the VPN server on the remote router and then use a desktop VPN client to connect to it when required. Do you really need a permanently active site to site link?

EDIT: OK I think I understand. When you said you wanted to do daily backups at the remote site I thought you meant they were local backups. But I guess you mean you want to backup from your home network to the remote site.

4) Must be TUN if you're using the router's VPN client IMHO. Using TAP would mean both networks were part of the same subnet and the client would be dependent on the server always being connected. That's very unreliable over a public network and almost guaranteed to break in my experience.
 

JGrana

Very Senior Member
3) Why not run the VPN server on the remote router and then use a desktop VPN client to connect to it when required. Do you really need a permanently active site to site link?

EDIT: OK I think I understand. When you said you wanted to do daily backups at the remote site I thought you meant they were local backups. But I guess you mean you want to backup from your home network to the remote site.

4) Must be TUN if you're using the router's VPN client IMHO. Using TAP would mean both networks were part of the same subnet and the client would be dependent on the server always being connected. That's very unreliable over a public network and almost guaranteed to break in my experience.
Thanks, TUN it is.
Sorry for the confusion. I do want to backup from my home NAS to the remote one in the cabin. Just a photo directory, using rsync ideally. Off-site backup strategy.
 

ColinTaylor

Part of the Furniture
The server side is the simplest so I would run that at the location where you spend the least time. Presumably that's the cabin. Run two VPN servers so that if you need to remotely reconfigure one you have an alternative way back in if you mess it up.

There's an option in the VPN client settings to enable traffic through the "Inbound Firewall". That would enable connections back the other way.

Bear in mind that each network will regard devices on the other network as "not local". Therefore you might have to alter any local firewalls (e.g. Windows) to allow for this.
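As an added illustration (not code from the thread, and not what the Asuswrt-Merlin WebUI writes out for you), the script below emits the OpenVPN directives that the TUN site-to-site layout discussed above rests on: server at the cabin (192.168.2.0/24), client at home (192.168.1.0/24), the server pushing its LAN route to the client, and a `route` plus `ccd/<CN> iroute` pair so the server knows the home LAN is behind that client. It refuses to emit anything if the two LANs or the tunnel subnet overlap, which is why point 1 (different LAN ranges) matters. Everything not in the thread is assumed: the tunnel range 10.8.0.0/24, the DDNS name cabin.example.net, the client certificate CN home-ax88u, and the home router's tunnel interface tun11 and bridge br0 used in the iptables rule that stands in for the "Inbound Firewall" setting. Requires OpenVPN 2.5 syntax (`data-ciphers`).

```shell
#!/bin/sh
# Added example, not from the thread or Asuswrt-Merlin: OpenVPN directives for a routed
# (TUN) site-to-site link, server at the cabin, client at home. Assumed: tunnel 10.8.0.0/24,
# DDNS name cabin.example.net, client CN home-ax88u, home router interfaces tun11 and br0.
set -eu

SERVER_LAN=192.168.2.0/24   # cabin LAN, behind the OpenVPN server
CLIENT_LAN=192.168.1.0/24   # home LAN, behind the OpenVPN client
TUN_NET=10.8.0.0/24         # tunnel addresses (assumed)
CLIENT_CN=home-ax88u        # CN in the home router's client certificate (assumed)
REMOTE=cabin.example.net    # cabin's DDNS hostname (assumed)

ip_to_int() {  # a.b.c.d -> 32-bit integer
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap A/len B/len: succeeds when the two blocks share an address. A routed
# tunnel cannot join identical or nested LANs, so every pair is checked before emitting.
subnets_overlap() {
  len=${1#*/}
  if [ "${2#*/}" -lt "$len" ]; then len=${2#*/}; fi
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

cidr_to_ovpn() {  # 192.168.1.0/24 -> "192.168.1.0 255.255.255.0" (OpenVPN route syntax)
  m=$(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF ))
  printf '%s %d.%d.%d.%d' "${1%/*}" $(( m >> 24 )) $(( (m >> 16) & 255 )) $(( (m >> 8) & 255 )) $(( m & 255 ))
}

server_conf() {  # cabin router (OpenVPN server)
  cat <<EOF
dev tun
proto udp
port 1194
topology subnet
server $(cidr_to_ovpn "$TUN_NET")
# the client learns the cabin LAN through the tunnel
push "route $(cidr_to_ovpn "$SERVER_LAN")"
# kernel route for the home LAN into the tunnel; the ccd iroute says which client owns it
route $(cidr_to_ovpn "$CLIENT_LAN")
client-config-dir ccd
# mutual TLS, plus tls-crypt so unauthenticated packets never reach the TLS stack
ca ca.crt
cert server.crt
key server.key
dh none
tls-crypt ta.key
data-ciphers AES-256-GCM
auth SHA256
keepalive 10 60
EOF
}

ccd_entry() {  # cabin router: contents of ccd/$CLIENT_CN
  cat <<EOF
# the home LAN sits behind the client presenting CN $CLIENT_CN
iroute $(cidr_to_ovpn "$CLIENT_LAN")
EOF
}

client_conf() {  # home router (OpenVPN client)
  cat <<EOF
client
dev tun
proto udp
remote $REMOTE 1194
nobind
# require the server EKU on the cabin's cert, so a client cert from the same CA
# cannot impersonate the server
remote-cert-tls server
ca ca.crt
cert $CLIENT_CN.crt
key $CLIENT_CN.key
tls-crypt ta.key
data-ciphers AES-256-GCM
auth SHA256
EOF
}

# Home router: the cabin -> home ("inbound") direction, scoped to the two LANs
# rather than accepting everything that arrives on the tunnel.
client_inbound_rules() {
  cat <<EOF
iptables -I FORWARD -i tun11 -o br0 -s ${SERVER_LAN} -d ${CLIENT_LAN} -j ACCEPT
EOF
}

for pair in "$SERVER_LAN $CLIENT_LAN" "$SERVER_LAN $TUN_NET" "$CLIENT_LAN $TUN_NET"; do
  if subnets_overlap $pair; then echo "overlapping networks: $pair" >&2; exit 1; fi
done
printf '### server.conf\n'; server_conf
printf '\n### ccd/%s\n' "$CLIENT_CN"; ccd_entry
printf '\n### %s.ovpn\n' "$CLIENT_CN"; client_conf
printf '\n### home router firewall\n'; client_inbound_rules
```

Redirect each section into the matching file on the router you are configuring. The `route` and `iroute` lines must both be present: `route` puts the home LAN into the kernel routing table via the tun interface, and `iroute` tells OpenVPN which connected client that traffic belongs to. Without the iptables rule the cabin side can still be reached from home (client-initiated traffic is outbound), but home devices stay unreachable from the cabin, which is the behaviour the "Inbound Firewall" option toggles.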
 

JGrana

Very Senior Member
Thanks Colin. Great idea about two servers!
 

maxbraketorque

Very Senior Member
I've had a site-to-site setup running for about 1.5 years now. I found it better for the server to be at the less occupied location. You're going to need to generate real certificates rather than self-signed, at least that's what I had to do. Here is a very in-depth how-to:


And here is a more brief how-to that I wrote based on the thread above and what worked for me:

 

JGrana

Very Senior Member
I've had a site-to-site setup running for about 1.5 years now. I found it better for the server to be at the less occupied location. You're going to need to generate real certificates rather than self-signed, at least that's what I had to do. Here is a very in-depth how-to:


And here is a more brief how-to that I wrote based on the thread above and what worked for me:

Thanks @maxbraketorque. I had read the long version, but your brief description helped quite a bit. I am likely going to try the setup over the next few days.
 

JGrana

Very Senior Member
@maxbraketorque, as a follow-up, I have successfully set up my bidirectional site-to-site network.
Luckily just one client (my home router). Thanks to you and @ColinTaylor for the help!
 
