
Site to Site VPN

lensman
Tutor

Site to Site VPN

Greetings fellow Orbi owners.

 

I have two houses, both with Orbis.  I would very much like to stand up a site-to-site VPN between the two.  Everything I see though indicates support only for VPN clients rather than site-to-site.  Am I missing something or is this an Orbi limitation?  I know OpenWRT supports this so maybe there is a backup config that will work (two OpenWRT routers connected to ISP and then Orbi connects to those).

 

Any help appreciated.

Thanks,

Frank

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 12
CrimpOn
Guru

Re: Site to Site VPN


@lensman wrote:

I have two houses, both with Orbis.  I would very much like to stand up a site-to-site VPN between the two.  Everything I see though indicates support only for VPN clients rather than site-to-site.  Am I missing something or is this an Orbi limitation?  I know OpenWRT supports this so maybe there is a backup config that will work (two OpenWRT routers connected to ISP and then Orbi connects to those).


You are correct that Orbi firmware supports only one type of host mode VPN (OpenVPN) and does not support client mode VPN.

Establishing a VPN connection between two sites is more of a corporate feature.

 

It would be possible using third party firmware (not Netgear approved or supported) to set up one Orbi router as a VPN client and use the stock (or third party) firmware on the other end as a VPN host.  The downside of this sort of thing is that every packet to/from every device on the local LAN will travel across the VPN to the remote site, out to the internet and back, and back across the VPN to the local host.  This is almost certainly not the desired behavior. Imagine streaming video through this pathway!

 

Orbi does have the ability to set up static routes which force traffic to a specific IP subnet to a device on the Orbi LAN.

If the local Orbi LAN is 192.168.1.x and the remote Orbi LAN is 10.0.0.x, then a static route on this side would force 10.0.0.x to a certain device and a static route on the other side would force traffic to 192.168.1.x to a device.

 

The tricky part is that there needs to be a device on each end which can have an open port on the Orbi LAN and can set up a link to a similar device on the other end.  I have seen posts on the Ubiquiti Edgerouter forums describing this sort of thing. My first thought is that it would also require a second ISP link to connect these two devices.  Or, maybe there is some way to tell the Edgerouter "Packets to 10.0.0.x go through the VPN and packets to anywhere else do not."

 

This is quickly getting complicated and possibly expensive.

Message 2 of 12
lensman
Tutor

Re: Site to Site VPN

Not sure it has to be expensive or involve the second ISP.  The static route idea is intriguing.  

 

As I mentioned earlier, the site-to-site features seem to be supported in OpenWRT.  I still have my old routers (that Orbi replaced) and both run OpenWRT.  So static route as you describe to the OpenWRT device for site to site traffic and default path to the local ISP router for everything else.  Sounds like a fun experiment.  Going to run this by my network team and see what they think.

 

Thanks for the suggestion!

Message 3 of 12
CrimpOn
Guru

Re: Site to Site VPN

Having two routers on hand definitely reduces the cost. And, using OpenWRT routers removes the need for two ISP connections.

 

Having never done anything like this myself, my thought is the following:

 

  • The two LAN's must have different IP subnets. For example:
    * The near LAN could be 192.168.1.x and
    * The far LAN could be 192.168.2.x
  • Connect the OpenWRT router WAN port to the Orbi LAN side (on each end, near and far).
  • Connect one OpenWRT LAN port to the Orbi LAN side.
  • (I would allocate specific IP's to these ports in the Orbi LAN setup.)
  • Nothing else connected to the OpenWRT routers.
  • The ports needed for OpenWRT will need to be forwarded through the Orbi to the OpenWRT routers on each end.
    I believe these are UDP 1193 and 1194: https://openvpn.net/vpn-server-resources/advanced-option-settings-on-the-command-line/ 
    One is for tun and one for tap.
  • Disable WiFi on the OpenWRT routers (or not if there is some reason to have competing WiFi's)
  • Define the LAN to LAN VPN from near to far (and test it somehow?)
  • On Near side Orbi, create a static route for the far side IP subnet pointing to the OpenWRT LAN port.
  • On Far side Orbi, create a static route for the near side IP subnet pointing to the OpenWRT LAN port.
  • Devices on each end will behave as normal.
    * Traffic to devices on the local LAN will stay within the local Orbi LAN
    * Traffic to the internet will go out the Orbi WAN port as normal.
    * Traffic to the other site will be directed to the OpenWRT router which sends it through a tunnel to the far end OpenWRT router, which puts it on the far LAN.

At this point, it might be worth considering what type of VPN connection is desired, i.e. tun vs. tap. This is based on:

  • What the intended use is and
  • How much LAN traffic do you want "leaking" from one site to the other. (broadcasts, ARP's, etc.)

If you actually give this a try, please return and update the post with the results.

 

Message 4 of 12
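The Message 4 layout as an added worked example (this is not code from the thread, from NETGEAR or from OpenWrt): a small Python generator for the three OpenVPN files a routed ("tun") site-to-site link needs, with an overlap check for the first bullet above. It assumes one tunnel on OpenVPN's default UDP 1194 (so the near Orbi forwards that single port to the near OpenWrt box), an assumed DDNS name for the near site, and an assumed certificate CN of `far-site` for the far box; the PKI files it references are not generated here.

```python
"""Site-to-site OpenVPN (routed, "tun") config generator.

Added example for this thread, not code from NETGEAR, OpenWrt or the
posters.  Layout as in Message 4: an OpenWrt box on each Orbi LAN, the
near one running the OpenVPN server, the far one the client, and the
near Orbi forwarding UDP 1194 (assumed) to the near OpenWrt box.
All addresses, hostnames and file names are illustrative.
"""
import ipaddress
from typing import Dict, List, Tuple


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=True)


def _masked(net: ipaddress.IPv4Network) -> str:
    """OpenVPN directives want 'network netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def addressing_conflicts(near_lan: str, far_lan: str, tunnel: str) -> List[Tuple[str, str]]:
    """Return every pair of subnets that overlap (empty list means OK).

    The two LANs must differ and the tunnel subnet must not collide with
    either, or the static routes and the route/iroute lines become ambiguous.
    """
    nets = {"near_lan": _net(near_lan), "far_lan": _net(far_lan), "tunnel": _net(tunnel)}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def site_to_site_configs(
    near_lan: str,
    far_lan: str,
    tunnel: str = "10.8.0.0/24",
    server_host: str = "near-site.example.invalid",  # assumed DDNS name of near Orbi WAN
    port: int = 1194,
    far_cn: str = "far-site",  # assumed CN in the far box's client certificate
) -> Dict[str, str]:
    """Render server.conf, the per-client ccd file and client.conf."""
    conflicts = addressing_conflicts(near_lan, far_lan, tunnel)
    if conflicts:
        raise ValueError(f"overlapping subnets: {conflicts}")
    near, far, tun = _net(near_lan), _net(far_lan), _net(tunnel)

    server = [
        "# near-site OpenWrt: OpenVPN server (routed site-to-site)",
        "dev tun",
        "proto udp",
        f"port {port}",  # the one port the near Orbi forwards to this box
        "topology subnet",
        f"server {_masked(tun)}",
        "# kernel route: the far LAN lives behind the tun interface ...",
        f"route {_masked(far)}",
        "# ... and the ccd file tells OpenVPN WHICH client owns that LAN",
        "client-config-dir ccd",
        "# hand the far box a route to the near LAN",
        f'push "route {_masked(near)}"',
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
        "# PKI files (issue with easy-rsa or similar; not generated here)",
        "ca ca.crt",
        "cert server.crt",
        "key server.key",
        "dh dh.pem",
        "tls-auth ta.key 0",
    ]
    ccd = [
        f"# ccd/{far_cn}: without this iroute, replies to {far} never enter the tunnel",
        f"iroute {_masked(far)}",
    ]
    client = [
        "# far-site OpenWrt: OpenVPN client",
        "client",
        "dev tun",
        "proto udp",
        f"remote {server_host} {port}",
        "nobind",
        "persist-key",
        "persist-tun",
        "# refuse a peer that presents a client certificate as the server",
        "remote-cert-tls server",
        "ca ca.crt",
        f"cert {far_cn}.crt",
        f"key {far_cn}.key",
        "tls-auth ta.key 1",
    ]
    return {
        "server.conf": "\n".join(server) + "\n",
        f"ccd/{far_cn}": "\n".join(ccd) + "\n",
        "client.conf": "\n".join(client) + "\n",
    }


if __name__ == "__main__":
    for name, body in site_to_site_configs("192.168.1.0/24", "192.168.2.0/24").items():
        print(f"===== {name}\n{body}")
```

The pairing of `route` (a kernel route on the server) with `iroute` (OpenVPN's own client-to-subnet mapping) is the step most often missed in routed site-to-site setups; with the server running, the near Orbi's static route for the far subnet points at the near OpenWrt box's address on the Orbi LAN, and the far Orbi's static route for the near subnet at the far box, as the bullets above describe.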
lensman
Tutor

Re: Site to Site VPN

Will do.  Still weighing pros and cons.  I was thinking the routes would be defined on the OpenWRT router rather than the Orbi though no?  Everything goes from Orbi to OpenWRT and then route based on destination.  If 192.168.[1,2 based on which side].0/24 - VPN, anything else, ISP.  My concern there is performance since the OpenWRT would be a passthrough and older hardware might not be as quick (500mbit links).  Still just a thought experiment for now.

Message 5 of 12
CrimpOn
Guru

Re: Site to Site VPN

My only concern with that is the incoming traffic, unless the Orbi is put into Access Point (AP) mode.  To the OpenWRT router, it knows where its own LAN is and the Orbi is one of the devices on that LAN.  It might need another static route to say that traffic to the Orbi LAN goes to the Orbi WAN port.  AP mode would mean there is no "Orbi LAN", only the OpenWRT LAN.

 

This is Waaaay over my head.  Good Luck.

Message 6 of 12
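To make the static-route discussion in Messages 4 to 6 concrete, here is an added example (not Orbi or OpenWrt code, and not from any poster) that models each box's routing table with longest-prefix matching and walks a packet hop by hop. All addresses are assumed: near LAN 192.168.1.0/24 with the Orbi at .1, far LAN 192.168.2.0/24, tunnel 10.8.0.0/24, the OpenWrt box at 192.168.1.2 in the Message 4 layout, and, for the Message 5 passthrough layout, an OpenWrt LAN 192.168.0.0/24 with the near Orbi's WAN port at 192.168.0.10.

```python
"""Longest-prefix-match walk-through of the two layouts in Messages 4-6.

Added example, not Orbi or OpenWrt code.  The tables are hand-built
stand-ins for each box's routing table; every address is assumed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (destination CIDR, next hop).  A next hop is "via <ip>" for another
# modelled router, or a terminal label: "lan:direct", "wan:isp", "tun0" ...
Table = List[Tuple[str, str]]


def lookup(table: Table, dst: str) -> Optional[str]:
    """Most specific matching route wins; None means no route at all."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for cidr, via in table:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = via, net.prefixlen
    return best


def trace(routers: Dict[str, Table], addr_to_router: Dict[str, str],
          start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops from `start` until the packet leaves the modelled
    network (terminal label) or is dropped."""
    path, node = [start], start
    for _ in range(max_hops):
        via = lookup(routers[node], dst)
        if via is None:
            return path + ["drop:no-route"]
        if not via.startswith("via "):
            return path + [via]
        node = addr_to_router.get(via[4:])
        if node is None:
            return path + ["drop:next-hop-unreachable"]
        path.append(node)
    return path + ["drop:loop"]


def classify(path: List[str], dst: str) -> str:
    """Flag RFC 1918 destinations that escape through an ISP default route."""
    last = path[-1]
    if last.startswith("drop:"):
        return "dropped"
    if last == "wan:isp" and ipaddress.ip_address(dst).is_private:
        return "leaked-to-isp"  # a default route won where a specific one was needed
    return "delivered:" + last


# Layout A (Message 4): OpenWrt hangs off the Orbi LAN; Orbi keeps its own WAN.
LAYOUT_A: Dict[str, Table] = {
    "orbi-near": [
        ("192.168.1.0/24", "lan:direct"),
        ("192.168.2.0/24", "via 192.168.1.2"),  # the static route from Message 4
        ("0.0.0.0/0", "wan:isp"),
    ],
    "openwrt-near": [
        ("192.168.1.0/24", "wan:direct"),       # its WAN port sits on the Orbi LAN
        ("10.8.0.0/24", "tun0"),
        ("192.168.2.0/24", "tun0"),             # installed by OpenVPN
        ("0.0.0.0/0", "via 192.168.1.1"),
    ],
}
ADDR_A = {"192.168.1.1": "orbi-near", "192.168.1.2": "openwrt-near"}

# Layout B (Messages 5/6): OpenWrt between ISP and Orbi; Orbi in router mode.
OPENWRT_B_BASE: Table = [
    ("192.168.0.0/24", "lan:direct"),
    ("10.8.0.0/24", "tun0"),
    ("192.168.2.0/24", "tun0"),
    ("0.0.0.0/0", "wan:isp"),
]
ORBI_B: Table = [("192.168.1.0/24", "lan:direct"), ("0.0.0.0/0", "via 192.168.0.1")]
ADDR_B = {"192.168.0.1": "openwrt-near", "192.168.0.10": "orbi-near"}


def layout_b(with_return_route: bool) -> Dict[str, Table]:
    """Message 6's extra static route: Orbi LAN reachable via the Orbi WAN address."""
    extra = [("192.168.1.0/24", "via 192.168.0.10")] if with_return_route else []
    return {"openwrt-near": OPENWRT_B_BASE + extra, "orbi-near": ORBI_B}


if __name__ == "__main__":
    for dst in ("192.168.1.50", "192.168.2.50", "93.184.216.34"):
        p = trace(LAYOUT_A, ADDR_A, "orbi-near", dst)
        print("A", dst, p, classify(p, dst))
    for rr in (False, True):
        p = trace(layout_b(rr), ADDR_B, "openwrt-near", "192.168.1.50")
        print("B", "return-route" if rr else "no-return-route", p, classify(p, "192.168.1.50"))
```

The Layout A runs show the split-tunnel behaviour Message 4 wants: only the far subnet is handed to the OpenWrt box, everything else leaves the Orbi's own WAN. The Layout B runs show the concern raised in Message 6: without a route for 192.168.1.0/24 pointing at the Orbi's WAN address, the OpenWrt box sends a reply for a near-LAN host to its ISP default route. Adding the route fixes the lookup, but with the Orbi in router mode its WAN-side NAT and firewall still drop the unsolicited packet, which is why the thread ends up at AP mode.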
lensman
Tutor

Re: Site to Site VPN

I'm stretching here too but fortunately have an entire team of network engineers working for me so you know I'll be hashing it out with them 🙂

As I was drawing this out just now, I realized it was leading to having the Orbis in AP mode.  Not happy about that.

The end goal is to share the Drobo files in one location with the other location.  That and RDP to a system in NJ when in FL.  Might need to look at a plan B.

Message 7 of 12
CrimpOn
Guru

Re: Site to Site VPN

Drobo?  RDP into a desktop screams out "OpenVPN on the Orbi".  With a laptop containing the VPN config files for both NJ and FL, the laptop can reach either LAN from anywhere.

 

I had wandered off into the thoughts of making daily database backups from site to site, send things to printers, streaming videos (probably not a business need).

Message 8 of 12
lensman
Tutor

Re: Site to Site VPN

Yes, OpenVPN would be the simple approach if it was just me but dealing with the whole family.  All the other things you were mentioning are important too.  Perhaps not remote printing but the backups for sure.  Don't want to pay for cloud when I have 15T sitting right here.

 

This is more about personal use than business but being an IT guy, I was opting for a more elegant solution for other end users 🙂

Message 9 of 12
NevadaTech
Aspirant

Re: Site to Site VPN

Rpi?

 

While I haven't tried it, I wonder if you could put a Raspberry Pi at the SiteB, give it a static IP (from SiteB), connect the Rpi via OpenVPN to SiteA, and then add a static route on SiteB's Orbi that any traffic going to SiteA goes through the Rpi's IP?

 

Granted it doesn't have to be a Rpi. I'm just thinking something that you can leave on 24x7 which doesn't waste heat and energy. Why run a 400W PC 24x7 when you can run a 35W device? If you have a spare PC lying about you could use that for the mock-up and then migrate to a Rpi for the final setup.

 

Also, the use case here is residential. Do not plan on this as a business solution.

 

Jason

 

Message 10 of 12
lensman
Tutor

Re: Site to Site VPN

Not using a PC, just existing wifi routers that can run OpenWRT so power consumption is not an issue.  Absolutely residential.  Would never dream of something like this in my corp environment (where we run Palo Alto FWs that do this kind of thing).

 

Hadn't considered the Rpi option.  Only concern there would be throughput.

Message 11 of 12
CrimpOn
Guru

Re: Site to Site VPN


@NevadaTech wrote:

While I haven't tried it, I wonder if you could put a Raspberry Pi at the SiteB, give it a static IP (from SiteB), connect the Rpi via OpenVPN to SiteA, and then add a static route on SiteB's Orbi that any traffic going to SiteA goes through the Rpi's IP?


This is another way to solve one direction of the project: Site B accessing Site A.  What it does not solve is the other direction: Site A accessing Site B.  The full solution requires OpenVPN client at each end.

 

Personally, I adore my Pi's.  Others may find the setup process a challenge.  In terms of cost, routers for OpenWRT are available on eBay for less than the cost of a Pi 3 b+ and there is no Pi learning curve.

Message 12 of 12
Discussion stats
  • 11 replies
  • 2638 views
  • 1 kudo
  • 3 in conversation