Manual Site to Site VPN between two Omada-controlled ER605s - Assistance appreciated

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-05-04 12:44:32
Model: ER605 (TL-R605)  
Hardware Version:
Firmware Version:

Hello,

I'm trying to create a manual site-to-site VPN and am failing miserably - and with no logging to diagnose the issue, I'm at a loss. I've read the support document, but it doesn't help much if things don't work.

First question - is it even possible to create a site-to-site VPN if one of the ends is behind NAT and cannot be port mapped (LTE connection)? I was wondering if I set this end as "initiator" and the end without a NAT problem as "responder" if that would solve the problem. Even if this is an issue, I may have an alternative connection I can use for this purpose, so it isn't necessarily a deal breaker.

Second question - This seems dumb, but... do I need to map UDP 500/4500 (off the top of my head, if those are the wrong numbers, ignore them - I'm using what the documentation says) - do I need to map those, on the ER605, back to itself? Or is it smart enough to allow those ports through if I have turned on a site-to-site VPN?

If anyone is willing to share screenshots of a site-to-site manual setup with Omada-controlled routers, that would be great. Everything 'looks' ok to me, but there definitely isn't a connection being made.

Thanks,

John

Re:Manual Site to Site VPN between two Omada-controlled ER605s - Assistance appreciated
2022-05-05 02:29:28

  @BLite 

Hi John,

Yes it's possible. I do exactly this, a pair of ER605 each managed by their own controller (one OC200 and one docker based image). However a site-site VPN is not possible with the current state of Omada SDN without both sides having public fixed IPs. The answer is client-site. Follow the setups in this post https://community.tp-link.com/en/business/forum/topic/545420?page=1

Your site behind the NAT *MUST* be the initiator. I recommend L2TP/IPSEC client for the NAT'd site because it will allow multi-client and multi-net routing across the tunnel. OpenVPN isn't fully implemented in this regard. Leave the VPN server on the site with the public static IP. You may wish to proactively reduce the MTU as many carrier NAT solutions don't do a good job of MTU/MSS, so I would reduce your WAN MTUs to 1450 each to start your testing....you can experiment later and see if returning them to 1500 breaks the connection.

Since you're going ER605 to ER605 you don't need to map any ports. I have an OpenVPN server internal to my network and I forward those ports...but I digress.

<< Paying it forward, one juicy problem at a time... >>

Re:Manual Site to Site VPN between two Omada-controlled ER605s - Assistance appreciated
2022-05-19 21:51:54

  @d0ugmac1 

Going to give this a shot this weekend. I see from the other forum that you're a Starlink user - that's also my scenario, and I also run OpenVPN in the middle of all of it.

My remote site is my 84yo mother's house in the middle of nowhere with nothing but very weak LTE available. She's surprisingly adept for 84, but occasionally I need to do troubleshooting and it's nice to have access to cameras at the location, etc. I currently have an ER605 at my house (plenty of ISPs where I'm at), and one at my mother's. Hers is connected to Starlink and 2 LTE modems (Netgear MR5100 and a Mofi5500). It's a heavily wooded area, so I'm not sure how Starlink will work out in the long run. Anyway, on top of the Omada hardware at her place, I run an OpenVPN router (tomato) that has a static IP thru StrongVPN - I then use dnsmasq to selectively route some clients on the Omada network thru my OpenVPN connection so I can get UPnP and some other things working.

Anyway, it would be helpful to get my house connected to hers... sounds like it's doable, but I'm so paranoid of messing things up and knocking her offline.

thanks again,

John

Re:Manual Site to Site VPN between two Omada-controlled ER605s - Assistance appreciated
2022-05-19 22:34:24

  @BLite 

Hi John,

I had Starlink for a few months and then FTTH came knocking, I couldn't say no. But, that said, I did have a VPN knocked up between my Starlink site and another cable ISP site for months, and I was able to route multiple subnets back and forth...for instance I could reach my 192.168.100.1 dish address from a home private IP, and I could reach devices on different SSIDs/VLANs as well, and vice versa. I was even able to create a port on my switch (and an SSID if I'm honest) that routed everything back over the VPN to leverage the remote ISP's WAN.

Two things you MUST do.

1. Reduce the MTU of your Starlink-side ER605 WAN port (I used 1400 which is a couple of dozen bytes lower than I probably needed to, you'll notice no difference really)

2. Use L2TP, Client-Site but without the IPSEC ppp session (because that's what Starlink blocks, those ESP packets)

I've posted screen shots of my setup elsewhere on this board.

Some extra detail on the L2TP setup:

- make the server end the non-Starlink side, configure it for 'auto encryption' in case Elon ever changes his mind (or you want to use it from other sites that support encryption)

- add the local subnets to be advertised from the server end, pick any unused subnet as the IP pool at the server, you can use 172.16.1.1 /24 to keep it visually different :)

- at the Starlink side, use Client-Site and routed mode to make it the tunnel initiator and disable encryption

- add local subnet(s) at the Starlink side

OpenVPN isn't ready for anything but single client at this time on ER605s, so don't waste your time.

<< Paying it forward, one juicy problem at a time... >>
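Added worked example (not from this thread, and not TP-Link or ER605 code): a small Python overhead model that shows why the WAN MTU values suggested in the replies above (1450 as a starting point, 1400 on the Starlink side) leave the L2TP/PPP payload and the TCP MSS where they do, and how much more headroom plain L2TP has than L2TP over IPsec. The header sizes are the common ones for IPv4, UDP, a minimal L2TP data header, PPP with HDLC framing, and ESP in transport mode with NAT-T, AES-CBC and a 96-bit ICV; they are assumptions about a typical setup, not values read from the router.

```python
"""Overhead model for an L2TP client-site tunnel (added example, not router code).

Header sizes are assumptions about a typical setup, not values read from an
ER605: IPv4 20, UDP 8, minimal L2TP data header 6 (RFC 2661, no length or
sequence fields), PPP 4 (HDLC address/control + 2-byte protocol field), and
for L2TP/IPsec an ESP transport-mode wrapper with NAT-T, a 16-byte IV
(AES-CBC) and a 12-byte ICV (HMAC-SHA1-96).
"""

IPV4_HDR = 20
UDP_HDR = 8
L2TP_DATA_HDR = 6
PPP_HDR = 4
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
TCP_IPV4_HDRS = 40   # IPv4 20 + TCP 20, subtracted for the MSS


def inner_mtu(wan_mtu, ipsec=False, iv_len=16, block=16, icv_len=12, nat_t=True):
    """Largest inner IP packet that fits in one outer packet of wan_mtu bytes."""
    ppp_path = UDP_HDR + L2TP_DATA_HDR + PPP_HDR   # L2TP over UDP carrying PPP
    if not ipsec:
        # Plain L2TP (what the Starlink-side advice above uses): outer IPv4,
        # UDP/1701, L2TP header, PPP framing, then the inner packet.
        return wan_mtu - IPV4_HDR - ppp_path
    # L2TP/IPsec: outer IPv4, NAT-T UDP/4500, ESP header and IV, then the
    # encrypted part (UDP + L2TP + PPP + inner packet + ESP trailer) padded up
    # to a whole number of cipher blocks, then the ICV.
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + icv_len
    budget = wan_mtu - fixed
    budget -= budget % block          # encrypted part must be block-aligned
    return budget - ESP_TRAILER - ppp_path


def tcp_mss(mtu):
    """TCP MSS to clamp to so segments never exceed the inner MTU."""
    return mtu - TCP_IPV4_HDRS


def mtu_plan(wan_mtu):
    """Summarise both tunnel variants for one WAN MTU setting."""
    plain = inner_mtu(wan_mtu)
    enc = inner_mtu(wan_mtu, ipsec=True)
    return {
        "wan_mtu": wan_mtu,
        "l2tp_inner_mtu": plain,
        "l2tp_tcp_mss": tcp_mss(plain),
        "l2tp_ipsec_inner_mtu": enc,
        "l2tp_ipsec_tcp_mss": tcp_mss(enc),
    }


if __name__ == "__main__":
    # The three WAN MTU values discussed in the thread.
    for wan in (1500, 1450, 1400):
        print(mtu_plan(wan))
```

At a 1500-byte WAN MTU the model gives an inner MTU of 1462 for plain L2TP and 1404 for L2TP/IPsec, which is where the familiar "1400 for L2TP/IPsec" figure comes from; dropping the WAN MTU to 1400 as in the reply above still leaves 1362 bytes for plain L2TP. Clamping TCP MSS to the computed value on both ends is the safer option when a carrier NAT is in the path, since it does not depend on ICMP "fragmentation needed" messages getting through.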