

VPN Setup Help

randvegeta Member, Host Rep

Hi all,

I'm trying to set up a VPN with some specific requirements.

Imagine site A and site B. 2 separate locations.

I'd like to establish some kind of VPN/tunnel connection between the 2 sites such that devices on a switch in either location can access devices on the other side of the tunnel as if they were in its own local network.

What I have set up at the moment is a router on each end, connected together via a GRE tunnel. The routers connect to the switches at either site, and there the interface is bridged with the tunnel.

Server A = 10.0.0.20
Router A = 10.0.0.50

Router B = 10.0.0.60
Server B = 10.0.0.90

Server A can reach Router A, but not Router B or Server B
Router A can reach Router B and Server A but not Server B.
Router B can reach Router A and Server B but not Server A.
Server B can reach Router B but not Router A or server A.

So my bridge doesn't seem to work as expected.

Any one have any suggestions?

Comments

  • How about using tinc?

    @rm_

  • exception0x876 Member, Host Rep, LIR

    Make sure you are using GRETAP instead of GRE as type of your tunnel in order for bridging to work.

  • rm_ IPv6 Advocate, Veteran

    How about using tinc?

    Yeah, Tinc should work (in the Switch mode), or you could use WireGuard and instead of bridging set up real routing instead (using different subnets at both sites). WireGuard is much faster than Tinc, if speed/CPU load will happen to be an issue.

    Make sure you are using GRETAP instead of GRE

    I believe GRE (if you mean the L3 tunnel mode, not L2) wouldn't join the bridge at all, if that was the issue.

    Thanked by 1: ErawanArifNugroho
  • randvegeta Member, Host Rep

    @rm_ said:

    How about using tinc?

    Yeah, Tinc should work (in the Switch mode), or you could use WireGuard and instead of bridging set up real routing instead (using different subnets at both sites). WireGuard is much faster than Tinc, if speed/CPU load will happen to be an issue.

    Make sure you are using GRETAP instead of GRE

    I believe GRE (if you mean the L3 tunnel mode, not L2) wouldn't join the bridge at all, if that was the issue.

    I'm using GRE-Bridge, which is layer 2.

    I'm using VyOS as the router. Not sure if this makes a difference, but the GRE-Bridge is being run over OpenVPN because one side of the bridge is behind another router and dynamic IP.

  • All you need is static routes on opposite sites: site A's route points towards site B, and the other way around.

    Thanked by 1: TimboJones
  • randvegeta Member, Host Rep

    @oliviaisla said:
    All you need is static routes on opposite sites, site A route point towards site B and other way around

    static routes for IPs on the same subnet?

  • If you add the destination mac address to your arp table, does it ping through? If not, problem is at the router/gre-tunnel.
    Are you following specific instructions or a guide you found online? My experience is limited to transparent bridges that required no special routing, and I've always routed between different private subnets (which require static routes) whenever I've used site-to-site VPNs.

  • FHR Member, Host Rep

    Stretching an L2 is a bad idea IMO, you should use different subnets for different sites and L3 route between them.

  • randvegeta Member, Host Rep

    @TimboJones said:
    If you add the destination mac address to your arp table, does it ping through? If not, problem is at the router/gre-tunnel.
    Are you following specific instructions or a guide you found online? My experience is limited to transparent bridges that required no special routing and always used routing different private subnets (which require static routes) whenever I've used site to site VPN's.

    I am not following any specific guide. I have not tried to manually enter MAC addresses into the ARP table, nor have I heard of any way to route traffic based on ARP... but I will look at this as an option.

    @FHR said:
    Stretching an L2 is a bad idea IMO, you should use different subnets for different sites and L3 route between them.

    This is for quite a specific application. It's not a normal network setup that can use different subnets and a simple static route between the 2 points.

    This application needs to be able to directly communicate and send broadcast packets to the network from a great distance.

  • You could use wireguard ?

    Thanked by 1: vimalware
  • randvegeta Member, Host Rep

    @Learntolive said:
    You could use wireguard ?

    Wireguard does such magical things?

  • TimboJones Member
    edited May 2020

    Perhaps http://neorouter.com/ Mesh or Pro if you're not married to the GRE-tunnel? Need more details on use case to be more helpful, sorry.

    Since you're using VyOS, maybe this will be helpful? https://help.ui.com/hc/en-us/articles/204961754-EdgeMAX-Layer-2-bridge-over-GRE-tunnel

    Thanked by 1: randvegeta
  • randvegeta Member, Host Rep

    @TimboJones said:
    Perhaps http://neorouter.com/ Mesh or Pro if you're not married to the GRE-tunnel? Need more details on use case to be more helpful, sorry.

    Since you're using VyOS, maybe this will be helpful? https://help.ui.com/hc/en-us/articles/204961754-EdgeMAX-Layer-2-bridge-over-GRE-tunnel

    My setup with VyOS is basically identical to the one described on the UBNT article. Unfortunately it doesn't work and I'm not sure why. Perhaps because my routers are VMs? Not sure. I have a couple of UBNTs somewhere, so I may give it a try.

    Okay so here's a little more detail about what I'm trying to do.

    I have some diagnostic software on my laptop. It performs diagnostics on a particular device and it connects to this device over Ethernet. The device and diagnostic computer are expected to be on the same network, and the software also does some network broadcasts, so it is important that the device and the laptop can communicate with each other without any routing policies in the way. So having 2 different subnets with static routes between them is not a possibility. The software is hard-coded to speak to the device on a specific IP, and broadcast on a specific subnet. Likewise, the device is hard-coded to receive from and respond to specific IPs.

    Normally I would just drive to the location and plug in the laptop directly. But a combination of travel restrictions and distances required make this unfeasible or prohibitively expensive. So the VPN, I hope, will solve this problem.

    My current solution is:

    Device <--> Remote Laptop <--> VPN Server <--> My laptop

    Where both my and remote laptops have VMs running with routers installed to connect to the VPN.

    Thanked by 1: TimboJones
  • @randvegeta said: The device and diagnostic computer are expected to be on the same network, and the software also does some network broadcasts and so it is important that the device and the laptop can communicate with each other without any routing policies in the way.

    So you're essentially in need of a layer 2 VPN equivalent - so that your laptop "magically" appears on the same (remote) network of the device in question.

    What you need on the remote end is a bridge into the LAN and your laptop sits on that bridge (presumably with its own MAC or can that be spoofed/changed?) having an IP in the same subnet etc.

    Your routers will typically NOT route ARP traffic and that's why this isn't working is what I assume.

    In the interest of simplicity have you tried something like Softether that should pretty much give you what you need at the remote end?

  • randvegeta Member, Host Rep

    nullnothere said: Your routers will typically NOT route ARP traffic and that's why this isn't working is what I assume.

    That is my assumption as well. But I was hoping a L2 VPN would 'route' ARP tables/traffic given ARP is layer 2. Seems not.

    nullnothere said: So you're essentially in need of a layer 2 VPN equivalent - so that your laptop "magically" appears on the same (remote) network of the device in question.

    Yes basically.

    nullnothere said: What you need on the remote end is a bridge into the LAN and your laptop sits on that bridge (presumably with its own MAC or can that be spoofed/changed?) having an IP in the same subnet etc.

    The MAC address is not important, so spoofing is acceptable, but not sure how that would be helpful. The software does not care about the MAC address, neither does the device.

    nullnothere said: In the interest of simplicity have you tried something like Softether that should pretty much give you what you need at the remote end?

    I have not tried it. I will look into it :-)
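
    The GRE-versus-GRETAP point raised by exception0x876 and rm_, and nullnothere's point that routers do not forward ARP, both come down to what the tunnel actually encapsulates. The Python below is an added example, not code from anyone in this thread or from VyOS: it builds one packet of each kind between two tunnel endpoints and parses them the way a bridge would have to, reporting whether the payload carries an Ethernet header at all. The tunnel endpoint addresses (192.0.2.10, 198.51.100.10) and the MAC address are constructed placeholders; the 10.0.0.x addresses are the ones from the original post.

```python
"""GRE (L3) versus GRETAP (L2, Transparent Ethernet Bridging) encapsulation.

Added example. Tunnel endpoint IPs and the MAC are constructed placeholders;
the 10.0.0.x addresses are the ones from the thread.
"""
import struct

IPPROTO_GRE = 47
IPPROTO_ICMP = 1
GRE_PROTO_IPV4 = 0x0800  # plain GRE: payload is an IPv4 packet, no MAC header
GRE_PROTO_TEB = 0x6558   # GRETAP: payload is a whole Ethernet frame
ETH_P_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6

# Constructed placeholders for the public tunnel endpoints of Router A / Router B.
TUNNEL_A = "192.0.2.10"
TUNNEL_B = "198.51.100.10"
MAC_SERVER_A = bytes.fromhex("021122334455")  # constructed locally administered MAC


def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def b2ip(b):
    return ".".join(str(o) for o in b)


def ipv4_header(src, dst, payload_len, proto):
    # Minimal 20-byte IPv4 header; checksum left as 0 (not validated here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip2b(src), ip2b(dst))


def gre_header(proto):
    # RFC 2784 base header: flags/version = 0, then the payload protocol type.
    return struct.pack("!HH", 0, proto)


def arp_request_frame(sender_mac, sender_ip, target_ip):
    # Ethernet header (broadcast destination, EtherType ARP) + ARP "who-has".
    eth = BROADCAST_MAC + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sender_mac, ip2b(sender_ip), b"\x00" * 6, ip2b(target_ip))
    return eth + arp


def parse_gre_packet(pkt):
    """Parse outer IPv4 + GRE and classify the payload for a bridge."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, gre_proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    off = ihl + 4
    # Optional GRE fields, 4 bytes each: C (checksum), K (key), S (sequence).
    if flags & 0x8000:
        off += 4
    if flags & 0x2000:
        off += 4
    if flags & 0x1000:
        off += 4
    payload = pkt[off:]
    info = {"outer_src": b2ip(pkt[12:16]), "outer_dst": b2ip(pkt[16:20]),
            "gre_proto": gre_proto, "bridgeable": False}
    if gre_proto == GRE_PROTO_TEB:
        # A full Ethernet frame: a bridge can learn/forward on these MACs.
        dst_mac, src_mac = payload[:6], payload[6:12]
        ethertype = struct.unpack("!H", payload[12:14])[0]
        info.update(bridgeable=True, inner_dst_mac=dst_mac.hex(":"),
                    inner_src_mac=src_mac.hex(":"), inner_ethertype=ethertype,
                    is_broadcast=dst_mac == BROADCAST_MAC)
    elif gre_proto == GRE_PROTO_IPV4:
        # Bare IPv4: no MAC header, so only a router (L3) can act on it.
        info.update(inner_src=b2ip(payload[12:16]), inner_dst=b2ip(payload[16:20]))
    return info


# Sample 1 (constructed): Server A's ARP request for Server B, carried by GRETAP.
_arp = arp_request_frame(MAC_SERVER_A, "10.0.0.20", "10.0.0.90")
GRETAP_ARP_PACKET = (ipv4_header(TUNNEL_A, TUNNEL_B, 4 + len(_arp), IPPROTO_GRE)
                     + gre_header(GRE_PROTO_TEB) + _arp)

# Sample 2 (constructed): Router A pinging Router B through a plain (L3) GRE tunnel.
_icmp = (ipv4_header("10.0.0.50", "10.0.0.60", 8, IPPROTO_ICMP)
         + struct.pack("!BBHHH", 8, 0, 0, 1, 1))
PLAIN_GRE_PACKET = (ipv4_header(TUNNEL_A, TUNNEL_B, 4 + len(_icmp), IPPROTO_GRE)
                    + gre_header(GRE_PROTO_IPV4) + _icmp)

if __name__ == "__main__":
    for name, pkt in (("GRETAP", GRETAP_ARP_PACKET), ("GRE", PLAIN_GRE_PACKET)):
        print(name, parse_gre_packet(pkt))
```

    A bridge forwards on the inner destination MAC. Sample 1 has one (the broadcast address, so the bridge floods it to every port, including the tunnel), which is why an ARP request from Server A can reach Server B over a GRETAP tunnel. Sample 2 has no Ethernet header at all, so a plain GRE interface has nothing a bridge could act on and the 10.0.0.x hosts on either side never see each other's ARP; that matches the reachability pattern in the original post.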

  • randvegeta Member, Host Rep

    nullnothere said: In the interest of simplicity have you tried something like Softether that should pretty much give you what you need at the remote end?

    I setup an extremely simple network, and it certainly seems to work! Thanks for letting me know of this networking tool gem.

    I'll test it on a 'production network' later this week, but initial results look very promising.
