lensman
Aug 02, 2021, Tutor
Site to Site VPN
Greetings fellow Orbi owners. I have two houses, both with Orbis. I would very much like to stand up a site-to-site VPN between the two. Everything I see though indicates support only for VPN c...
lensman
Aug 06, 2021, Tutor
Not sure it has to be expensive or involve the second ISP. The static route idea is intriguing.
As I mentioned earlier, the site-to-site features seem to be supported in OpenWRT. I still have my old routers (that Orbi replaced) and both run OpenWRT. So static route as you describe to the OpenWRT device for site to site traffic and default path to the local ISP router for everything else. Sounds like a fun experiment. Going to run this by my network team and see what they think.
Thanks for the suggestion!
CrimpOn
Aug 06, 2021, Guru - Experienced User
Having two routers on hand definitely reduced the cost. And, using OpenWRT routers removes the need for two ISP connections.
Having never done anything like this myself, my thought is the following:
- The two LANs must have different IP subnets. For example:
  * The near LAN could be 192.168.1.x and
  * The far LAN could be 192.168.2.x
- Connect the OpenWRT router WAN port to the Orbi LAN side (on each end, near and far).
- Connect one OpenWRT LAN port to the Orbi LAN side.
- (I would allocate specific IPs to these ports in the Orbi LAN setup.)
- Nothing else connected to the OpenWRT routers.
- The ports needed for OpenWRT will need to be forwarded through the Orbi to the OpenWRT routers on each end. I believe these are UDP 1193 and 1194: https://openvpn.net/vpn-server-resources/advanced-option-settings-on-the-command-line/ One is for tun and one for tap.
- Disable WiFi on the OpenWRT routers (or not, if there is some reason to have competing WiFis).
- Define the LAN to LAN VPN from near to far (and test it somehow?).
- On the near side Orbi, create a static route for the far side IP subnet pointing to the OpenWRT LAN port.
- On the far side Orbi, create a static route for the near side IP subnet pointing to the OpenWRT LAN port.
- Devices on each end will behave as normal.
  * Traffic to devices on the local LAN will stay within the local Orbi LAN.
  * Traffic to the internet will go out the Orbi WAN port as normal.
  * Traffic to the other site will be directed to the OpenWRT router, which sends it through a tunnel to the far end OpenWRT router, which puts it on the far LAN.
At this point, it might be worth considering what type of VPN connection is desired, i.e. tun vs. tap. This is based on:
- What the intended use is and
- How much LAN traffic you want "leaking" from one site to the other (broadcasts, ARPs, etc.).
If you actually give this a try, please return and update the post with the results.
- lensman, Tutor, Aug 06, 2021
Will do. Still weighing pros and cons. I was thinking the routes would be defined on the OpenWRT router rather than the Orbi though, no? Everything goes from Orbi to OpenWRT and then routes based on destination. If 192.168.[1,2 based on which side].0/24 - VPN, anything else, ISP. My concern there is performance since the OpenWRT would be a passthrough and older hardware might not be as quick (500mbit links). Still just a thought experiment for now.
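As an added example (not code from this thread, nor from NETGEAR, Orbi or OpenWRT), here is a small Python checker for the plan CrimpOn laid out above and the destination-based decision lensman describes: it refuses overlapping LAN subnets, emits the static route each Orbi needs (other site's subnet, next hop = local OpenWRT LAN-side address), and answers "local / tunnel / isp" for any destination. All addresses, and the NJ/FL labels, are constructed for illustration; the tun vs. tap question is not modeled here.

```python
# Added example, not from the thread: sanity-check a two-site routing plan of the
# kind described above (distinct LAN subnets, a static route on each Orbi for the
# other site's subnet pointing at the local OpenWRT box, and a per-destination
# choice between local LAN, tunnel and ISP). Every address below is constructed
# for illustration; the site names are only labels.
import ipaddress


class Site:
    """One house: its LAN subnet and the LAN-side address of its OpenWRT router."""

    def __init__(self, name, lan, openwrt_lan_ip):
        self.name = name
        self.lan = ipaddress.ip_network(lan, strict=True)
        self.openwrt_lan_ip = ipaddress.ip_address(openwrt_lan_ip)
        # The Orbi can only use a next hop that sits on its own LAN.
        if self.openwrt_lan_ip not in self.lan:
            raise ValueError(f"{openwrt_lan_ip} is not inside {lan}")


def lans_are_distinct(near, far):
    """False if the two LAN subnets overlap (then 'local' vs 'other site' is ambiguous)."""
    return not near.lan.overlaps(far.lan)


def build_plan(near, far):
    """Return the static route each Orbi needs, or raise if the LANs overlap."""
    if not lans_are_distinct(near, far):
        raise ValueError(f"{near.lan} and {far.lan} overlap; pick distinct subnets")
    return {
        near.name: {"destination": str(far.lan), "gateway": str(near.openwrt_lan_ip)},
        far.name: {"destination": str(near.lan), "gateway": str(far.openwrt_lan_ip)},
    }


def next_hop(site, other, dst):
    """Where a packet from `site` to `dst` goes under the plan above."""
    dst = ipaddress.ip_address(dst)
    if dst in site.lan:
        return "local"      # stays on the local Orbi LAN
    if dst in other.lan:
        return "tunnel"     # static route -> OpenWRT -> VPN -> far LAN
    return "isp"            # default route out the Orbi WAN port


if __name__ == "__main__":
    # Constructed sample sites (hypothetical addresses).
    nj = Site("NJ", "192.168.1.0/24", "192.168.1.2")
    fl = Site("FL", "192.168.2.0/24", "192.168.2.2")
    for site_name, route in build_plan(nj, fl).items():
        print(f"{site_name} Orbi: route {route['destination']} via {route['gateway']}")
    for dst in ("192.168.1.50", "192.168.2.50", "8.8.8.8"):
        print(f"NJ -> {dst}: {next_hop(nj, fl, dst)}")
```

Running it prints one static route per Orbi and the three possible decisions; feeding it two overlapping subnets (for example 10.0.0.0/16 and 10.0.1.0/24) makes `build_plan` raise, which is the failure the first bullet in CrimpOn's list is guarding against.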
- CrimpOn, Guru - Experienced User, Aug 06, 2021
My only concern with that is the incoming traffic, unless the Orbi is put into Access Point (AP) mode. To the OpenWRT router, it knows where its own LAN is and the Orbi is one of the devices on that LAN. It might need another static route to say that traffic to the Orbi LAN goes to the Orbi WAN port. AP mode would mean there is no "Orbi LAN", only the OpenWRT LAN.
This is Waaaay over my head. Good Luck.
- lensman, Tutor, Aug 06, 2021
I'm stretching here too but fortunately have an entire team of network engineers working for me so you know I'll be hashing it out with them :-)
As I was drawing this out just now, I realized it was leading to having the Orbis in AP mode. Not happy about that.
The end goal is to share the Drobo files in one location with the other location. That and RDP to a system in NJ when in FL. Might need to look at a plan B.