Please help with noob friendly guide to create a working VPN in my network
Hello everyone!
I have tried to follow the VPN guidelines for my device (ER605) but for some reason, the VPN doesn't work. I have tried it multiple times with a few different settings.
Could anyone please help me set up a WireGuard or OpenVPN for my network? I have made a PDF/Word file to show my network to the best of my capabilities. PFA.
I have two ISPs, both with dynamic IP (I can get a static IP from one ISP, if that is a must-have to enable VPN). I have enabled NO-IP in all three routers with different hostnames (2 from ISPs and one is ER605).
At the moment, my end goal is to enable easy and unattended remote access with RDP.
If more info is needed, please let me know.
@ALL
Here's a screenshot of the PDF, just in case anyone is not ok with downloading a PDF.
Thanks for posting in our business forum.
PushkarYadav wrote
@ALL
Here's a screenshot of the PDF, just in case anyone is not ok with downloading a PDF.
Great that you have posted the screenshot. That would save us time.
You should address this NAT issue first. You might need to port forward on the ISP routers.
Fix the NAT by port forwarding the correct ports on the ISP routers, and make sure you are actually getting a public IP address on the ISP routers. On the port, you should see a public IP address, not one reported by whatsmyip or similar websites.
Since the ISPs are using dynamic IPs, you need to configure DDNS on the ISP routers. If you can set the ISP routers into bridge mode, it would save you time configuring NAT and DDNS on them.
ER605 does not need to set up the DDNS. It is not connected to the public Internet as it is behind the NAT.
Configure the VPN server on the ER605 and make use of the ports that are correctly port forwarded.
@Clive_A Hello! Thank you for your reply.
Fortunately, I was able to resolve most of the issues myself after spending 2 days on the weekend with several hit-and-trial attempts. The main issue was that I had DDNS in the routers given by the ISPs.
As per my PDF/screenshot, the ISP 1 (Airtel) router has a WAN IP starting with 100.86.xxx.xxx and as per my web searches, I think that this ISP is using something called CGNAT and hence I'm facing issues with VPN/ports. I cannot ping my Airtel webhop hostname address.
Whereas the ISP 2 (Spectra) router was reporting its WAN IP as 10.205.xxx.x and as per my web searches, this is like an internal (LAN) IP given to it by the main modem.
Once I removed the DDNS from both ISPs' routers and connected the same NO-IP hostnames directly in the ER605 DDNS section, I was getting the correct/actual public IP, at least from ISP 2 (WAN 2 of ER605), and I was able to ping my hostname (Spectra webhop) from CMD.
So, at the moment, my OpenVPN and WireGuard are both working as long as I am using the Spectra webhop hostname. I still have to sort the CGNAT issues with the 1st ISP. Also, I am still a bit confused about two WireGuard-related settings but will open a new thread once I am done with my web searches. Confused about "Local IP Address" in WireGuard settings and "Allowed address" in WireGuard peer settings.
Now, the bigger question is how can I access Windows RDP using OpenVPN/WireGuard as if I am sitting at the site?!
Once again, I thank you for your patience and help!
Thanks for posting in our business forum.
PushkarYadav wrote
@Clive_A Hello! Thank you for your reply.
Fortunately, I was able to resolve most of the issues myself after spending 2 days on the weekend with several hit-and-trial attempts. The main issue was that I had DDNS in the routers given by the ISPs.
As per my PDF/screenshot, the ISP 1 (Airtel) router has a WAN IP starting with 100.86.xxx.xxx and as per my web searches, I think that this ISP is using something called CGNAT and hence I'm facing issues with VPN/ports. I cannot ping my Airtel webhop hostname address.
Whereas the ISP 2 (Spectra) router was reporting its WAN IP as 10.205.xxx.x and as per my web searches, this is like an internal (LAN) IP given to it by the main modem.
Once I removed the DDNS from both ISPs' routers and connected the same NO-IP hostnames directly in the ER605 DDNS section, I was getting the correct/actual public IP, at least from ISP 2 (WAN 2 of ER605), and I was able to ping my hostname (Spectra webhop) from CMD.
So, at the moment, my OpenVPN and WireGuard are both working as long as I am using the Spectra webhop hostname. I still have to sort the CGNAT issues with the 1st ISP. Also, I am still a bit confused about two WireGuard-related settings but will open a new thread once I am done with my web searches. Confused about "Local IP Address" in WireGuard settings and "Allowed address" in WireGuard peer settings.
Now, the bigger question is how can I access Windows RDP using OpenVPN/WireGuard as if I am sitting at the site?!
Once again, I thank you for your patience and help!
You basically cannot set up the VPN if you get those two kinds of IP addresses on the WAN of the ISP routers.
You should get a real public IP address from them. You are now actually in a bigger LAN. Everything we discussed like VPN and DDNS is based on the public Internet.
So, fix this first. Get a public IP address from your ISP which might require your purchase. Then set up the DDNS binding on your ISP router, and port forward the VPN server from the ER605 to the public Internet.
@Clive_A Thank you for confirmation, I'll talk to ISP 1 (Airtel) to get a static IP as I'm sure that this ISP is using CGNAT. I cannot ping the NO-IP hostname in CMD either.
Sorry to doubt you but are you sure about the ISP 2 (spectra) too? This ISP has two mandatory devices as shown in the screenshot (One modem where the fiber cable connects, I cannot access this device at all AND another router {TP-Link A7} which is connected to LAN of modem to WAN of this router). My NO-IP hostname for this ISP is resolving/providing the correct IP address which matches with the address that I'm seeing at whatismyip[dot]com.
Also, if I use the wireguard VPN in mobile when using mobile data, my mobile also shows the ISP 2's IP when I visit whatismyip[dot]com on my mobile.
There is also an OpenVPN feature in the A7 router and I was able to connect to it too, but that is beside the point of this discussion.
Once again, I'm sorry to bother you again. Please answer the ISP2 question, meanwhile I'll get a static IP from ISP 1 and get back to you in a few days time.
Thanks for posting in our business forum.
PushkarYadav wrote
@Clive_A Thank you for confirmation, I'll talk to ISP 1 (Airtel) to get a static IP as I'm sure that this ISP is using CGNAT. I cannot ping the NO-IP hostname in CMD either.
Sorry to doubt you but are you sure about the ISP 2 (spectra) too? This ISP has two mandatory devices as shown in the screenshot (One modem where the fiber cable connects, I cannot access this device at all AND another router {TP-Link A7} which is connected to LAN of modem to WAN of this router). My NO-IP hostname for this ISP is resolving/providing the correct IP address which matches with the address that I'm seeing at whatismyip[dot]com.
Also, if I use the wireguard VPN in mobile when using mobile data, my mobile also shows the ISP 2's IP when I visit whatismyip[dot]com on my mobile.
There is also an OpenVPN feature in the A7 router and I was able to connect to it too, but that is beside the point of this discussion.
Once again, I'm sorry to bother you again. Please answer the ISP2 question, meanwhile I'll get a static IP from ISP 1 and get back to you in a few days time.
10.X is not a public IP address. You can research it. So I don't repeat it here. Google has this explained better than my typing. CGNAT is also correct. You got this.
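The check the reply is describing, as an added example that is not from the thread or from TP-Link: classify a router's WAN address into public, CGNAT (RFC 6598 shared space, the 100.86.x.x case) or RFC 1918 private (the 10.205.x.x case). Only a public address can terminate an inbound VPN or be reached via DDNS; the sample addresses below are constructed from the ranges discussed in the thread.

```python
"""Classify an IPv4 WAN address: only 'public' can host a port-forwarded VPN.
Added example, not from the forum; sample addresses are constructed."""
import ipaddress

# RFC 1918 private ranges: the "bigger LAN" case (e.g. ISP 2's 10.205.x.x WAN)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, used by ISPs for carrier-grade NAT
# (ISP 1's 100.86.x.x WAN falls in here: 100.64.0.0 - 100.127.255.255)
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_ip(addr: str) -> str:
    """Return 'public', 'cgnat', 'private' or 'other' for an IPv4 address.

    Membership in 100.64.0.0/10 is checked explicitly rather than via
    is_private, because the ipaddress module treats that block as neither
    private nor global.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only")
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "other"
    return "public"


def can_host_vpn(addr: str) -> bool:
    """True only when port forwarding / DDNS on this hop can actually work."""
    return classify_wan_ip(addr) == "public"


if __name__ == "__main__":
    # Constructed samples modelled on the three WAN addresses in the thread.
    for sample in ("100.86.1.2", "10.205.3.4", "122.0.0.10"):
        print(f"{sample:>14} -> {classify_wan_ip(sample):8} "
              f"VPN reachable from Internet: {can_host_vpn(sample)}")
```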
Hi again!
I have finally got a static IP from ISP 1 (Airtel). Their router is in "bridge mode" now. The ISP has disabled WiFi in this router and has provided the static IP via its LAN port 4. So at the moment, the ethernet cable goes from LAN port 4 of the ISP router to WAN 1 of the ER605.
Also, I cannot access "http://192.168.1.1/" directly; I might be able to access the ISP router when connected through LAN ports other than 4.
At the ER605's System Status page, I see that WAN 1 is static, the connection status is "LINK UP" and the IP address starting with 122.xxx.xxx.xxx is exactly the same as what I see when I visit whatismyipaddress[dot]com.
The ER605 is accessible at 192.168.11.1.
Could you please help me set up the WireGuard VPN now?
Thanks for posting in our business forum.
PushkarYadav wrote
Hi again!
I have finally got a static IP from ISP 1 (Airtel). Their router is in "bridge mode" now. The ISP has disabled WiFi in this router and has provided the static IP via its LAN port 4. So at the moment, the ethernet cable goes from LAN port 4 of the ISP router to WAN 1 of the ER605.
Also, I cannot access "http://192.168.1.1/" directly; I might be able to access the ISP router when connected through LAN ports other than 4.
At the ER605's System Status page, I see that WAN 1 is static, the connection status is "LINK UP" and the IP address starting with 122.xxx.xxx.xxx is exactly the same as what I see when I visit whatismyipaddress[dot]com.
The ER605 is accessible at 192.168.11.1.
Could you please help me set up the WireGuard VPN now?
You can try this guide out:
How to Configure WireGuard VPN on Omada Controller
It is universal for the parameter settings in standalone mode. You can search the related topics about the configuration guide on the forum or the official FAQ. They always help answer questions like this.
Hello!
When using my mobile data hotspot in my laptop, I was able to connect to wireguard VPN created by me in ER605. I was able to access ER605 (192.168.11.1) by using my mobile data. When visiting the whatismyipaddress[dot]com using mobile data on my laptop, I'm seeing my static IP address. Speedtest and fast websites were throwing errors most of the time though.
But I am not able to see other PCs in Windows Network, not able to use wireless printers, nor am I able to remote desktop to PCs using their system names.
Could you please help from this point onwards? Most probably, the issue is something related to the internal IP selection. I am pasting the screenshots of the settings below, please have a look.
Router Wireguard Settings
Router Peer Settings
Windows Wireguard Settings
On another note, during my short testing, the WG tunnel loses its internet connection after a short while, even though the Windows app still says connected and Windows WiFi says that the VPN has internet access.
Thanks for posting in our business forum.
PushkarYadav wrote
Hello!
When using my mobile data hotspot in my laptop, I was able to connect to wireguard VPN created by me in ER605. I was able to access ER605 (192.168.11.1) by using my mobile data. When visiting the whatismyipaddress[dot]com using mobile data on my laptop, I'm seeing my static IP address. Speedtest and fast websites were throwing errors most of the time though.
But I am not able to see other PCs in Windows Network, not able to use wireless printers, nor am I able to remote desktop to PCs using their system names.
Could you please help from this point onwards? Most probably, the issue is something related to the internal IP selection. I am pasting the screenshots of the settings below, please have a look.
Router Wireguard Settings
Router Peer Settings
Windows Wireguard Settings
On another note, during my short testing, the WG tunnel loses its internet connection after a short while, even though the Windows app still says connected and Windows WiFi says that the VPN has internet access.
Network discovery may not work as it is a different kind of protocol. It could be the multicast or broadcast. This kind of -cast does not go/travel through the VPN tunnel.
But they actually work and can communicate.
As you are using 0.0.0.0/0, this will forward all the traffic to the VPN server. It is actually proxying your network. So, a temporary loss is normal. It should be happening only during the process of VPN establishment.
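What the 0.0.0.0/0 setting does, as an added example that is not from the thread or from TP-Link: WireGuard only puts a packet into the tunnel when its destination matches the peer's AllowedIPs, so 0.0.0.0/0 sends everything (including Internet traffic, which is why whatismyip shows the site's static IP) while a split-tunnel entry for the site LAN sends only that subnet. The LAN 192.168.11.0/24 follows the ER605 address in the thread; the tunnel subnet 10.10.10.0/24 and the PC address 192.168.11.50 are assumptions.

```python
"""Simulate WireGuard's AllowedIPs routing decision for a client peer.
Added example, not from the forum; subnets below are assumptions."""
import ipaddress


def goes_through_tunnel(dest: str, allowed_ips: list[str]) -> bool:
    """True if `dest` matches any AllowedIPs prefix of the peer, i.e. the
    packet is encrypted and sent to the ER605 instead of the local uplink."""
    d = ipaddress.ip_address(dest)
    return any(d in ipaddress.ip_network(a, strict=False) for a in allowed_ips)


def route_table(dests: list[str], allowed_ips: list[str]) -> dict[str, bool]:
    """Map each destination to whether it is tunnelled under this AllowedIPs."""
    return {d: goes_through_tunnel(d, allowed_ips) for d in dests}


# Full tunnel, as configured in the thread: every destination is tunnelled.
FULL_TUNNEL = ["0.0.0.0/0"]
# Split tunnel: only the site LAN and the (assumed) tunnel subnet go to the
# ER605; normal browsing stays on the laptop's own uplink.
SPLIT_TUNNEL = ["192.168.11.0/24", "10.10.10.0/24"]

# Constructed destinations: the ER605 itself, a LAN PC reached by IP address
# for RDP (name lookup relies on broadcast, which the tunnel does not carry),
# the assumed tunnel gateway, and a public resolver on the Internet.
DESTS = ["192.168.11.1", "192.168.11.50", "10.10.10.1", "1.1.1.1"]

if __name__ == "__main__":
    for name, allowed in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(f"AllowedIPs = {', '.join(allowed)}  ({name} tunnel)")
        for dest, tunnelled in route_table(DESTS, allowed).items():
            print(f"  {dest:>14} -> {'tunnel' if tunnelled else 'local uplink'}")
```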