I need to setup a VPN between 2 sites.  

Routers are
Site A 2862 known fixed IP
Site B 2865 fixed Ip not yet known

So I can set this up with B dialling into A for testing using 4G as the WAN for the Site B router.

I've never used the VPN_Matcher service.  Is it best to use that, or setup the VPN manually?


 

I'll answer my own question.

With site B's router using a mobile phone hotspot for config and therefore a NAT'd WAN IP, the only way I could even get a VPN to work was using VPN_Matcher service.

Hi John,

I would just set it up manually, especially if you have one end with a static public address. I know that DrayTek suggests using the VPN Matcher for non-static setups, but you have one static address so, as you say, get the non static to dial into the static side.

I always use IPSec myself, unless it’s a Windows dial-in user, then I’ll use the ‘Smart Client’ and the ‘SSL Tunnel’ connection, but for LAN-to-LAN I use IPSec (IKEv1or2) and for Apple iPhone dial-in, I use IPSec XAuth.

The LAN-to-LAN will happily connect through a 4G Dongle too, you’ll just need to keep track of the 4G Dongle’s public IP address; which you can do via DDNS or by setting up a reverse-profile from the site with the 4G Dongle connecting to your static site but only enabling the profile (at the static site) when you want it to dial-in and then you can grab its IP, or just leave it connected.

Thanks for your reply.
I did indeed use IPsec for the site-to-site VPN.
The 'matcher' made setup quite easy, but I'll probably drop that once the 2865 moves too its target location.
Don't use VPN client machines other than for occasional testing so that's not an issue.

One curious thing is that every device on the site A subnet is visible from the site B subnet except a Synology NAS.
I suspect some security setting that I've not found yet.

Hi John,

Yeah, that is kind of the thing with a VPN LAN-to-LAN connection, the two LANs are connected together.

Because the router is routing traffic between the two locations and therefore the two subnets, both subnets are effectively inter-LAN linked, so to block the flow and control specific traffic, you'll need to setup some firewall rules. This can be done at one end, or both, depending on what you want to block and what you want to allow through.

The Synology probably has a firewall running on it already, or is on a separate subnet within that site/location and therefore not reachable from the remote subnet.

Well, yes indeed, one does expect the subnets to be visible from each other, so why the NAS didn't was rather curious.

Turned out to be the load-balancer config that was routing packets from NAS to the non-VPN WAN interface.