DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Setting up a new VPN
26 Aug 2024 13:41 #103689
by John
Setting up a new VPN was created by John
I need to set up a VPN between 2 sites.
Routers are
Site A 2862 known fixed IP
Site B 2865 fixed IP not yet known
So I can set this up with B dialling into A for testing using 4G as the WAN for the Site B router.
I've never used the VPN_Matcher service. Is it best to use that, or set up the VPN manually?
26 Aug 2024 20:19 #103694
by John
Replied by John on topic Setting up a new VPN
I'll answer my own question.
With site B's router using a mobile phone hotspot for config and therefore a NAT'd WAN IP, the only way I could even get a VPN to work was using the VPN_Matcher service.
26 Aug 2024 20:20 - 26 Aug 2024 20:24 #103695
by HodgesanDY
Replied by HodgesanDY on topic Setting up a new VPN
Hi John,
I would just set it up manually, especially if you have one end with a static public address. I know that DrayTek suggests using the VPN Matcher for non-static setups, but you have one static address so, as you say, get the non-static side to dial into the static side.
I always use IPSec myself, unless it's a Windows dial-in user, then I'll use the 'Smart Client' and the 'SSL Tunnel' connection, but for LAN-to-LAN I use IPSec (IKEv1 or IKEv2) and for Apple iPhone dial-in, I use IPSec XAuth.
The LAN-to-LAN will happily connect through a 4G dongle too; you'll just need to keep track of the 4G dongle's public IP address, which you can do via DDNS, or by setting up a reverse profile from the site with the 4G dongle connecting to your static site but only enabling the profile (at the static site) when you want it to dial in, and then you can grab its IP, or just leave it connected.
Last edit: 26 Aug 2024 20:24 by HodgesanDY.
26 Aug 2024 21:49 #103697
by John
Replied by John on topic Setting up a new VPN
Thanks for your reply.
I did indeed use IPsec for the site-to-site VPN.
The 'matcher' made setup quite easy, but I'll probably drop that once the 2865 moves to its target location.
I don't use VPN client machines other than for occasional testing, so that's not an issue.
One curious thing is that every device on the site A subnet is visible from the site B subnet except a Synology NAS.
I suspect some security setting that I've not found yet.
26 Aug 2024 23:00 - 26 Aug 2024 23:06 #103699
by HodgesanDY
Replied by HodgesanDY on topic Setting up a new VPN
Hi John,
Yeah, that is kind of the thing with a VPN LAN-to-LAN connection: the two LANs are connected together.
Because the router is routing traffic between the two locations and therefore the two subnets, both subnets are effectively inter-LAN linked, so to block the flow and control specific traffic, you'll need to set up some firewall rules. This can be done at one end, or both, depending on what you want to block and what you want to allow through.
The Synology probably has a firewall running on it already, or is on a separate subnet within that site/location and therefore not reachable from the remote subnet.
Last edit: 26 Aug 2024 23:06 by HodgesanDY.
26 Aug 2024 23:12 #103700
by John
Replied by John on topic Setting up a new VPN
Well, yes indeed, one does expect the subnets to be visible from each other, so why the NAS didn't was rather curious.
Turned out to be the load-balancer config that was routing packets from the NAS to the non-VPN WAN interface.
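An added illustration of the failure John found, not code from the thread or from DrayTek: a small Python model in which a load-balance policy route pins one host to a WAN link and so overrides the tunnel route for the remote LAN, beside the corrected rule order, with an audit function that lists local hosts whose remote-LAN traffic would leave via a WAN link. All addresses, interface names and the first-match rule semantics are constructed assumptions; the router's real evaluation order may differ.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumed values, not taken from the thread):
# site A LAN 192.168.1.0/24 with the NAS at .50, site B LAN 192.168.2.0/24
# reached through the IPsec LAN-to-LAN tunnel, and two WAN links at site A.
SITE_B_LAN = ip_network("192.168.2.0/24")
ANY = ip_network("0.0.0.0/0")
NAS = "192.168.1.50"
PC = "192.168.1.20"

# Routing table: the tunnel entry for the remote LAN plus the default route.
STATIC_ROUTES = [
    {"net": SITE_B_LAN, "via": "vpn-siteB"},
    {"net": ANY, "via": "wan1"},
]

# Load-balance / policy route as it was set up: pin all NAS traffic to WAN2.
# The catch-all destination swallows the remote LAN, so the tunnel is bypassed.
POLICY_BROKEN = [
    {"src": ip_network("192.168.1.50/32"), "dst": ANY, "via": "wan2"},
]

# Fix: an explicit rule for the remote LAN is evaluated before the WAN2 pin,
# so NAS traffic for site B is handed to the tunnel and everything else
# still leaves via WAN2.
POLICY_FIXED = [
    {"src": ip_network("192.168.1.50/32"), "dst": SITE_B_LAN, "via": "vpn-siteB"},
] + POLICY_BROKEN

def egress(src, dst, policy, routes=STATIC_ROUTES):
    """Pick the egress for one packet: the first matching policy rule wins,
    otherwise longest-prefix match in the routing table (assumed model)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in policy:
        if src in rule["src"] and dst in rule["dst"]:
            return rule["via"]
    best = max((r for r in routes if dst in r["net"]),
               key=lambda r: r["net"].prefixlen, default=None)
    return best["via"] if best else None

def hosts_bypassing_tunnel(hosts, policy, remote_lan=SITE_B_LAN,
                           tunnel="vpn-siteB"):
    """Audit check: which local hosts would send remote-LAN traffic out a
    WAN link instead of into the tunnel (so the far side never sees them)."""
    probe = str(remote_lan[1])  # any address inside the remote LAN will do
    return [h for h in hosts if egress(h, probe, policy) != tunnel]

if __name__ == "__main__":
    print("broken:", hosts_bypassing_tunnel([NAS, PC], POLICY_BROKEN))
    print("fixed: ", hosts_bypassing_tunnel([NAS, PC], POLICY_FIXED))
```

Running the audit against a dump of your own policy rules is a quicker check than pinging every host across the tunnel when one device is unexpectedly invisible from the far side.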