Solved

Simple site-to-site VPN using two Asus routers

Posted on 2016-09-15
Last Modified: 2016-09-16
Hi all,

I'm trying to set up a simple site-to-site VPN using a couple of Asus routers that support OpenVPN.

Let's say the Office router has been set up with a LAN IP Address / Subnet Mask of:

192.168.1.1
255.255.255.0

Does the Home router have to use different IP Address and Subnet Mask entries? Or can it use the same IP address with a different Subnet Mask?

Thanks in advance.
Question by:Go-Bruins
28 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 41800331
Your routers must have VPN firmware to do this (I have such routers here).

You cannot use the same IP address for both ends of a VPN. It will not know how to resolve traffic.

You need better routers to do what you want.
LVL 4

Expert Comment

by:El Fierro
ID: 41800350

Author Comment

by:Go-Bruins
ID: 41800366
From the research I've been doing, the two routers should be setup to be on the same subnet. For example:

Office router = 192.168.1.1 // 255.255.255.0
Home router = 192.168.1.2 // 255.255.255.0

DHCP should be split among the two routers. So the DHCP pool for the Office router could be something like:

192.168.1.100 - 192.168.1.150

DHCP pool for the Home router could be something like:

192.168.1.151 - 192.168.1.200

That appears to be the typical way. But what if I were to deviate and set up the Home router to be something like 10.0.0.1 // 255.255.255.0? Would there be drawbacks to something like that?
LVL 90

Expert Comment

by:John Hurst
ID: 41800370
I am not sure about Open VPN. Commercial VPN will not support two ends with the same subnet.
LVL 4

Expert Comment

by:El Fierro
ID: 41800382
There shouldn't be any drawbacks as long as the subnets that you are using are listed as "to be encrypted" in the configuration, otherwise known as "interesting" traffic. I don't know if OpenVPN will allow you to overlap. I have done this with Cisco routers and ASAs, though. This other guide should help with accessing shares from different subnets:
http://www.npcglib.org/~stathis/blog/2013/02/18/windows-task-sharing-files-across-different-subnets/

Author Comment

by:Go-Bruins
ID: 41800399
Thank you. So it sounds like the simplest way would be to keep both routers on the same subnet. That way, I won't have to deal with the "interesting" traffic and such?

Office: 192.168.1.1
Home: 192.168.1.2
LVL 4

Expert Comment

by:El Fierro
ID: 41800548
It would be best to do different subnets. Within the OpenVPN settings you put your local network and remote network. Give it a try and put the same subnet; I don't think it will allow you, as John mentioned, or at least I haven't tried to overlap. The "interesting" traffic is the local and remote network subnets you are stating in the configuration.
LVL 76

Expert Comment

by:arnold
ID: 41800669
Yes, the two have to have different segments
192.168.1.0 255.255.255.0 office
192.168.2.0 255.255.255.0 home

Author Comment

by:Go-Bruins
ID: 41800672
Thanks. I'm a network newbie, so perhaps I don't even understand the difference between subnet and segment. So from an ease of use standpoint, is:

192.168.1.0 255.255.255.0 office
192.168.2.0 255.255.255.0 home

better than something like:

192.168.1.0 / 255.255.255.0 office
10.0.0.1 / 255.255.255.0 home

Or does it not make any diff at all in terms of functionality?
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 125 total points
ID: 41800702
There is no need for a massive 10. network. The two distinct 192.168 subnets will do. I would use 25 and 26 instead of 1 and 2 because 1 and 2 are so common.
LVL 4

Assisted Solution

by:El Fierro
El Fierro earned 125 total points
ID: 41800706
As John mentioned, no need to go crazy on the config; simple is better. I usually use site 1 192.168.10.x and site 2 192.168.20.x.
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41800758
Your issue was that 192.168.1.1 255.255.255.0 and 192.168.1.2 255.255.255.0 are IPs on the same segment.
A subnet breakdown using 128 IPs on each side would be
192.168.1.0 255.255.255.128 first subnet 2-126 usable ips 1 presumed as gateway and 127 broadcast
192.168.1.128 255.255.255.128 second subnet 130-254 usable IPs 129 gateway 255 broadcast.

This is a single segment cut in half. Look for netmask on the net and you'll see the breakdown of the various masks and how many nodes each can support, reflecting the number of unique IPs in the block.

Author Comment

by:Go-Bruins
ID: 41801640
Thanks to everyone.

It turns out that I can't fiddle with the IP address of the office router. So it has to stay:

192.168.1.1

I'd like to be able to perhaps use my home router to connect to other VPNs using the same method. So for expansion's sake, I'm guessing that I won't want my home router to be part of the same segment? Or does every new VPN not care about other VPNs?

A little confusing for me. Bottom line is, I'd like to choose an IP for my home router that makes it as simple as possible with expansion in mind.

Thanks.
LVL 76

Expert Comment

by:arnold
ID: 41801653
Usually, the flexibility is to change the home network segment.
Do not use common home router segments
No:
192.168.0.0
192.168.1.0
192.168.2.0

Companies of some scale often use larger ranges such as 10.x.x.x or 172.16.0.0/19 (255.255.224.0).

Author Comment

by:Go-Bruins
ID: 41801668
So the IP I'm currently using is 10.0.0.1. From the posts, it seems to imply that I have a massive network at home (obviously not). Is that a bad idea? Does it sacrifice speed or add complexity?

If you were deploying this simple setup, what specific IP would you choose?

Thanks.
LVL 90

Expert Comment

by:John Hurst
ID: 41801674
The idea is not bad. It is just more prone to addressing errors.
LVL 4

Expert Comment

by:El Fierro
ID: 41801724
You can use the 10.10.10.0/24 network on one end; I haven't had any issues when I have configured simple configs like yours. Just make sure that's the local network. It's more for network identification purposes.
LVL 76

Accepted Solution

by:arnold
arnold earned 250 total points
ID: 41801728
Just because you use an IP range of 10.x.x.x is not an indication of a "massive."
The netmask you are using is 255.255.255.0 meaning it still represents a maximum of 253 possible unique IPs.
The 10.0.0.0 network has 256^3-3 unique IPs if the network were flat,
or 256^2 segments of 253 unique IPs each.
.......

If you expect to connect to other, business group, enterprise, pick a random number in the 192.168.x.0 where X is between 10 and 150 with a netmask of 255.255.255.0.

Author Comment

by:Go-Bruins
ID: 41801763
Done! From the research I've done, 10.X.X.X seems to imply a Class A network, which I don't want/need.

As per Arnold's suggestion, I'm going to choose a Class C address of 192.168.10.1 for my home router.

Do we have a quorum?
LVL 90

Expert Comment

by:John Hurst
ID: 41801782
I think simple (192.168.x.x) is always better.

Author Closing Comment

by:Go-Bruins
ID: 41801790
Thanks everyone.
LVL 4

Expert Comment

by:El Fierro
ID: 41801794
That's what we mentioned yesterday. John uses 192.168.25.0 and 192.168.26.0; I usually use 192.168.10.0 & 192.168.20.0 on simple configs. I think the word "massive" seemed more intimidating, lol. Good luck.
LVL 90

Expert Comment

by:John Hurst
ID: 41801800
Thanks and I also wish you good luck with this.

Author Comment

by:Go-Bruins
ID: 41801805
One more question: If I wanted to VPN to another office location, that IP could be 192.168.10.0 as well, correct?

The two offices could have the same IPs because they are "blind" to each other, correct?
LVL 90

Expert Comment

by:John Hurst
ID: 41801820
No. Even though "blind" to each other, they need different subnets (192.168.2.x)

Author Comment

by:Go-Bruins
ID: 41801826
Ok. So it would be something like this:

Home:        192.168.10.0
NY office:   192.168.20.0
LA office:    192.168.30.0
XX office:    192.168.40.0
.....
LVL 90

Expert Comment

by:John Hurst
ID: 41801827
Yes, that will work properly.
LVL 76

Expert Comment

by:arnold
ID: 41801828
No, when you connect any location to another they MUST not use the same networks. They must all be unique.
While you might not currently be interested in connecting location A to location B, if they are related, try to use different IP segments at each location.
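Added example, not code from the thread or from any of the posters: a planning check using Python's standard ipaddress module for the two points the discussion keeps returning to, that every site joined by a routed VPN needs a prefix that overlaps no other site's, and what a netmask actually means for a prefix's gateway, host range and broadcast. The site names and prefixes are the ones the thread discusses; the dictionary layout and the first-usable-address-is-the-router convention are assumptions.

```python
# Added example (not from the thread): subnet planning checks for a
# site-to-site VPN, using only Python's standard ipaddress module.
from ipaddress import ip_network


def find_overlaps(sites):
    """Return sorted pairs of site names whose LAN prefixes overlap.

    A routed VPN can only carry a prefix that is unique across every joined
    site: if two sites share a segment (or one is nested in another), the
    routers have no way to decide which tunnel a packet for that range takes.
    """
    nets = {name: ip_network(cidr, strict=False) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def describe(cidr):
    """Break a prefix down the way the thread does: gateway, hosts, broadcast.

    Assumes the convention that the first usable address is the router.
    """
    net = ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "gateway": str(hosts[0]),
        "first_host": str(hosts[1]),
        "last_host": str(hosts[-1]),
        "host_addresses": len(hosts),  # usable addresses, gateway included
        "broadcast": str(net.broadcast_address),
    }


# The plan the question started with: both routers on the same segment.
ORIGINAL_PLAN = {"office": "192.168.1.1/24", "home": "192.168.1.2/24"}

# The plan the thread settled on: a distinct /24 per site.
FINAL_PLAN = {
    "office": "192.168.1.0/24",
    "home": "192.168.10.0/24",
    "ny_office": "192.168.20.0/24",
    "la_office": "192.168.30.0/24",
}

if __name__ == "__main__":
    print("original plan overlaps:", find_overlaps(ORIGINAL_PLAN))
    print("final plan overlaps:", find_overlaps(FINAL_PLAN))
    for cidr in ("192.168.1.0/25", "192.168.1.128/25", "10.0.0.0/24"):
        print(cidr, describe(cidr))
```

The 10.0.0.0/24 breakdown shows the accepted solution's point in numbers: with a 255.255.255.0 mask a 10.x prefix has exactly as many host addresses as a 192.168.x.0 one.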