Networking different physical locations and subnets

sstixx
Aug 22, 2017
Hi all,

At the moment I have a bit of a strange situation where I'm stuck.
My situation is as follows: some time ago I moved abroad. To stay in touch with back home, I created a VPN between my place abroad and my parents' place back home. This resulted in the following setup.

Back home:
Asus router RT-AC66U
with the following settings: 192.168.1.1 / 255.255.255.0
OpenVPN server for the second Asus router

Abroad I have two routers.
First a Linksys EA3500 connected to my ISP
with the following settings: 192.168.3.1 / 255.255.255.0
This one is broadcasting my internet connection from abroad.

Secondly another Asus router RT-AC66U
with the following settings: 192.168.4.1 / 255.255.255.0
It's connected to the Linksys router (LAN port to WAN port).
This one is the VPN client and is broadcasting the VPN connection from back home.

So far all is working well, but I would like to be able to access all of the computers, no matter which subnet they are connected to.
I tried several things but none with the effect I want. At this point I could use some help, as I don't know how to proceed.
Should I continue with the setup above or redesign it all (which I don't mind, as long as I get it all working and can connect both places and all the computers together)?

You can get partial connectivity with a VPN, as you have found, but the way it is done in most cases the remote device gets a new IP on the remote network. This has pretty much the same restrictions as NAT when you have multiple machines behind a VPN router.

Your main problem is that you need a device called a router to connect multiple subnets. The devices you buy in the consumer store are not actually routers, even though they print that on the box. They are best called gateways, since they in general do not support multiple subnets.

Your best option is to load third-party firmware on your routers. Your Asus routers have many options for third-party firmware. Asus Merlin tends to be the simplest to use, but I am not sure if it supports the proper VPN type. You can load dd-wrt on it, but dd-wrt has so much stuff it tends to be confusing until you use it for a while.

The key to making this work is to put in static routes for the other network on each router, telling it that the other subnet exists on the far end of the VPN connection.

In a simple case where the 2 Asus routers directly had internet, you could build full connectivity between the 2 subnets behind them. The Linksys router you have in your case makes things harder. I am somewhat unclear where it is located in the path, but if you have end machines on that network this is more of a NAT issue than a VPN issue. You likely have issues between those subnets even without the VPN active. Again, this is an issue solved by actual routers rather than gateways.
sstixx
Aug 22, 2017

Hi bill001g,

Thank you for your reply. I can try to find a solution where the Asus router is directly connected to the internet and the Linksys is behind it.
I just want to make sure that I have 2 separate WiFi networks abroad, one broadcasting the ISP from abroad and one with the signal from back home.

I was already playing with the idea of putting static routes in place. The issue I'm running against is that I don't know how to put a static route in place that points to the network on the other side of the VPN.
Do you maybe have any idea how I can accomplish this?

It is all done with the command prompt. Last time I did this with dd-wrt I followed some guide I cannot find now. It is done with a combination of route and iptables commands.

It will not be a problem with the Linksys between the Asus routers as long as you never need to get between the networks behind the Asus routers and the network between the Linksys and the Asus. Then again, if you work at it you can configure the VPN to allow traffic to bypass the VPN and go straight to that network, but you likely have the standard NAT issue. This also is done at the command line with iptables.

VPN I find a huge pain on any Linux platform. The person that invented the iptables command seems to like to inflict pain on people through confusion... then again, a lot of the Linux command line I feel was designed to be intentionally confusing. The command line on commercial routers and firewalls from Cisco and Juniper is complex, but does not have the feel of massive inconsistency between commands.

I have very old commercial equipment that I use to do the function you describe, and Cisco has great sample configs, so I forget how to use dd-wrt. If I ever need more bandwidth I will have to go shopping on eBay, I guess, since my units are extremely old.
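Putting the advice from the replies above (a static route for the far-end subnet plus iptables rules on each Asus router) into one startup-script fragment, as an added example that is not from the thread. It is written for the abroad router (192.168.4.1, the OpenVPN client) and assumes dd-wrt/Merlin naming, tun0 for the tunnel and br0 for the LAN bridge; the home router gets the mirror image with the two subnets swapped.

```shell
#!/bin/sh
# Added example for the abroad Asus router (OpenVPN client). Assumed names:
# tun0 = tunnel interface, br0 = LAN bridge. With DRY_RUN=1 (the default)
# every command is printed instead of executed so it can be reviewed first.
DRY_RUN="${DRY_RUN:-1}"
VPN_IF="tun0"
LAN_IF="br0"
LOCAL_NET="192.168.4.0"    # this router's LAN
REMOTE_NET="192.168.1.0"   # LAN on the far end of the tunnel (home)
MASK="255.255.255.0"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# The two sites must use different subnets, or the kernel cannot tell
# which side a destination lives on. Returns 0 when they are distinct.
check_subnets() {
    [ "$LOCAL_NET" != "$REMOTE_NET" ]
}

# Static route: the far-end LAN is reachable through the tunnel interface.
add_remote_route() {
    run route add -net "$REMOTE_NET" netmask "$MASK" dev "$VPN_IF"
}

# Forwarding limited to the two LANs, in both directions, so the tunnel
# does not become a path to anything else behind either router.
add_forward_rules() {
    run iptables -I FORWARD -i "$LAN_IF" -o "$VPN_IF" \
        -s "$LOCAL_NET/$MASK" -d "$REMOTE_NET/$MASK" -j ACCEPT
    run iptables -I FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -s "$REMOTE_NET/$MASK" -d "$LOCAL_NET/$MASK" -j ACCEPT
}

# Skip NAT for LAN-to-LAN traffic so machines keep their real addresses;
# ACCEPT in the nat table stops the chain before any MASQUERADE rule.
skip_nat_for_vpn() {
    run iptables -t nat -I POSTROUTING -o "$VPN_IF" \
        -s "$LOCAL_NET/$MASK" -d "$REMOTE_NET/$MASK" -j ACCEPT
}

apply_all() {
    check_subnets || { echo "local and remote subnets must differ" >&2; return 1; }
    add_remote_route && add_forward_rules && skip_nat_for_vpn
}

apply_all
```

Set DRY_RUN=0 in the router's startup or firewall script to apply the rules instead of printing them. The OpenVPN server at home must additionally be told that this client owns 192.168.4.0/24 (client-config-dir with an iroute line), otherwise return traffic never enters the tunnel.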