Go-Bruins
asked on
Simple site-to-site VPN using two Asus routers
Hi all,
I'm trying to set up a simple site-to-site VPN using a couple of Asus routers that support OpenVPN.
Let's say the Office router has been set up with a LAN IP Address / Subnet Mask of:
192.168.1.1
255.255.255.0
Does the Home router have to use different IP Address and Subnet Mask entries? Or can it use the same IP address with a different Subnet Mask?
Thanks in advance.
This guide should help you with OpenVPN:
http://www.smallnetbuilder.com/other/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn
ASKER
From the research I've been doing, the two routers should be set up to be on the same subnet. For example:
Office router = 192.168.1.1 // 255.255.255.0
Home router = 192.168.1.2 // 255.255.255.0
DHCP should be split among the two routers. So the DHCP pool for the Office router could be something like:
192.168.100 - 192.168.1.150
DHCP pool for the Home router could be something like:
192.168.151 - 192.168.1.200
That appears to be the typical way. But what if I were to deviate and set up the Home router to be something like: 10.0.0.1 // 255.255.255.0? Would there be drawbacks to something like that?
I am not sure about Open VPN. Commercial VPN will not support two ends with the same subnet.
There shouldn't be any drawbacks as long as the subnets that you are using are listed as "to be encrypted" in the configuration, otherwise known as "interesting" traffic. I don't know if OpenVPN will allow you to overlap. I have done this with Cisco routers and ASAs, though. This other guide should help with accessing shares from different subnets:
http://www.npcglib.org/~stathis/blog/2013/02/18/windows-task-sharing-files-across-different-subnets/
ASKER
Thank you. So it sounds like the simplest way would be to keep both routers on the same subnet. That way, I won't have to deal with the "interesting" traffic and such?
Office: 192.168.1.1
Home: 192.168.1.2
It would be best to use different subnets. Within the OpenVPN settings you put your local network and remote network. Give it a try and put the same subnet; I don't think it will allow you, as John mentioned, or at least I haven't tried to overlap. The interesting traffic is the local and remote network subnet you are stating in the configuration.
Yes, the two have to have different segments
192.168.1.0 255.255.255.0 office
192.168.2.0 255.255.255.0 home
ASKER
Thanks. I'm a network newbie, so perhaps I don't even understand the diff between subnet and segment. So from an ease of use standpoint, is:
192.168.1.0 255.255.255.0 office
192.168.2.0 255.255.255.0 home
better than something like:
192.168.1.0 / 255.255.255.0 office
10.0.0.1 / 255.255.255.0 home
Or does it not make any diff at all in terms of functionality?
ASKER
Thanks to everyone.
It turns out that I can't fiddle with the IP address of the office router. So it has to stay:
192.168.1.1
I'd like to be able to perhaps use my home router to connect to other VPNs using the same method. So for expansion's sake, I'm guessing that I won't want my home router to be part of the same segment? Or, does every new VPN not care about other VPNs?
A little confusing for me. Bottom line is, I'd like to choose an IP for my home router that makes it as simple as possible with expansion in mind.
Thanks.
Usually, the flexibility is to change the home network segment.
Do not use common home router segments
No:
192.168.0.0
192.168.1.0
192.168.2.0
Companies with some scale often use IPs based on larger scale: 10.x.x.x, 172.16.0.0/19 (255.255.224.0)
ASKER
So the IP I'm currently using is 10.0.0.1. From the posts, it seems to imply that I have a massive network at home (obviously not). Is that a bad idea? Does it sacrifice speed or add complexity?
If you were deploying this simple setup, what specific IP would you choose?
Thanks.
The idea is not bad. It is just more prone to addressing errors.
You can use the 10.10.10.0/24 network on one end. I haven't had any issues when I have configured simple configs like yours. Just make sure that's the local network. It's more for network identification purposes.
ASKER
Done! From the research I've done, 10.X.X.X seems to imply a Class A network, which I don't want/need.
As per Arnold's suggestion, I'm going to choose a Class C address of 192.168.10.1 for my home router.
Do we have a quorum?
I think simple (192.168.x.x) is always better.
ASKER
Thanks everyone.
That's what we mentioned yesterday. John uses 192.168.25.0 and 192.168.26.0. I usually use 192.168.10.0 & 192.168.20.0 on simple configs. I think the word massive seemed more intimidating, lol. Good luck.
Thanks and I also wish you good luck with this.
ASKER
One more question: If I wanted to VPN to another office location, that IP could be 192.168.10.0 as well, correct?
The two offices could have the same IPs because they are "blind" to each other, correct?
No. Even though "blind" to each other, they need different subnets (192.168.2.x)
ASKER
Ok. So it would be something like this:
Home: 192.168.10.0
NY office: 192.168.20.0
LA office: 192.168.30.0
XX office: 192.168.40.0
.....
Yes, that will work properly.
No, when you connect any location to another they MUST not use the same networks. They must all be unique.
While you might not currently be interested in connecting location A to location B, if they are related, try to use different IP segments at each location.
You cannot use the same IP address for both ends of a VPN. It will not know how to resolve traffic.
You need better routers to do what you want.
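
The rule the answers converge on (every site joined by the VPN needs its own non-overlapping subnet, and the common home-router defaults are best avoided) can be checked before touching either router. The Python sketch below is an added example, not part of any post in this thread; the function names and site labels are hypothetical, and the sample plans are constructed from addresses mentioned in the discussion.

```python
import ipaddress
from itertools import combinations

# Segments the thread advises against: many home routers ship with them,
# so a remote site or a road-warrior's home LAN is likely to collide.
COMMON_HOME_DEFAULTS = [ipaddress.ip_network(n) for n in
                        ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")]


def lan_network(address, netmask):
    """Return the LAN network for a router (or network) address plus mask."""
    # strict=False accepts a host address such as 192.168.1.1 and masks it down.
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def check_plan(sites):
    """sites: {name: (address, netmask)} -> (overlapping pairs, sites on defaults)."""
    nets = {name: lan_network(*lan) for name, lan in sites.items()}
    # Routed site-to-site VPNs cannot tell the two ends apart if ranges overlap.
    overlaps = [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
                if na.overlaps(nb)]
    on_defaults = [name for name, net in nets.items()
                   if any(net.overlaps(d) for d in COMMON_HOME_DEFAULTS)]
    return overlaps, on_defaults


# Constructed sample plans using addresses discussed in the thread.
SAME_SUBNET = {"office": ("192.168.1.1", "255.255.255.0"),
               "home": ("192.168.1.2", "255.255.255.0")}
SAME_IP_WIDER_MASK = {"office": ("192.168.1.1", "255.255.255.0"),
                      "home": ("192.168.1.1", "255.255.0.0")}
FINAL_PLAN = {"office": ("192.168.1.1", "255.255.255.0"),
              "home": ("192.168.10.1", "255.255.255.0"),
              "ny": ("192.168.20.0", "255.255.255.0"),
              "la": ("192.168.30.0", "255.255.255.0")}
REUSED_AT_SECOND_OFFICE = {"home": ("192.168.10.0", "255.255.255.0"),
                           "office2": ("192.168.10.0", "255.255.255.0")}

if __name__ == "__main__":
    for label, plan in [("same subnet", SAME_SUBNET),
                        ("same IP, wider mask", SAME_IP_WIDER_MASK),
                        ("final plan", FINAL_PLAN),
                        ("reused at second office", REUSED_AT_SECOND_OFFICE)]:
        overlaps, on_defaults = check_plan(plan)
        print(f"{label}: overlaps={overlaps} common-default sites={on_defaults}")
```

Changing only the subnet mask does not help: 192.168.1.1 with 255.255.0.0 still contains the office's 192.168.1.0/24, so the check reports the pair as overlapping.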