Need Recommendations for remote controller and S2S VPN setup
Hello great people of the forum,
I need a recommendation on how to set up my S2S VPN. Here is my current setup:
HQ:
OC200
ER605
Have static IP
Branch:
ER605
No static IP
The goal is to have Site to Site WireGuard VPN setup so devices from branch can connect to servers in HQ.
I also want the OC200 in the HQ to be able to manage the ER605 in branch
How do you suggest to configure this?
Should I connect the ER605 in the branch to the controller in HQ first using this guide: https://www.tp-link.com/us/support/faq/3087/
or should I set up the VPN first like this guide: https://community.tp-link.com/en/business/forum/topic/620506, and the ER605 in the branch would be automatically detected?
Also, should I set up the ER605 in the branch office in standalone mode first before doing any of the above?
I want to have as little downtime as possible since both sites are already running.
Thank you beforehand.
Hi @Nikolassss
Thanks for posting in our business forum.
This way but via WG VPN. Pre-configuring the site is required.
Get the VPN tunnel up and preconfigure the second site with the same VPN parameters. Input the Controller inform URL.
Adopt it over the tunnel and the settings will be applied to the device and will reconnect the VPN tunnel.
Hi @Clive_A, thanks for the reply! I've followed the guide, but I am stuck on the device adoption phase. I just can't get the router to pop up for adoption. Are there any common mistakes when setting it up? I've tried setting the Inform URL with both my WAN public IP and the internal IP of my controller device. Neither works and I still cannot see the device for adoption.
Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
Hi @Clive_A, thanks for the reply! I've followed the guide, but I am stuck on the device adoption phase. I just can't get the router to pop up for adoption. Are there any common mistakes when setting it up? I've tried setting the Inform URL with both my WAN public IP and the internal IP of my controller device. Neither works and I still cannot see the device for adoption.
This should not be public IPs. It is S2S VPN so it should be the LAN IP of the controller.
I think you should check if the S2S is up and running. Ping and Wireshark if necessary to verify if the packets are forwarded through the tunnel.
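An added example (not part of the thread and not TP-Link code): a Python sanity check of the addressing behind the reply above, namely that the inform address is the controller's LAN IP and that the branch actually routes it into the tunnel. The function name and all addresses are constructed assumptions; "allowed IPs" here means the subnets the branch's WireGuard peer entry sends through the tunnel.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_inform_target(inform_ip, branch_lan, allowed_ips):
    """Return a list of addressing problems (empty list = looks sane).

    inform_ip   -- address entered as the controller inform address
    branch_lan  -- the branch router's own LAN subnet
    allowed_ips -- subnets the branch routes into the WireGuard tunnel
    """
    ip = ipaddress.ip_address(inform_ip)
    lan = ipaddress.ip_network(branch_lan)
    routed = [ipaddress.ip_network(n) for n in allowed_ips]
    problems = []

    # A public address means the inform traffic is aimed at the WAN side.
    if not any(ip in net for net in RFC1918):
        problems.append("PUBLIC: inform address is not a private LAN address")
    # Without a covering entry the packets follow the default route instead.
    covering = [net for net in routed if ip in net]
    if not covering:
        problems.append("UNROUTED: no allowed-IPs entry covers the inform "
                        "address, so inform packets bypass the tunnel")
    # Identical or overlapping LANs on both sites make the target look local.
    for net in covering:
        if net.overlaps(lan):
            problems.append(f"OVERLAP: {net} overlaps branch LAN {lan}; "
                            "the controller looks local to the branch")
    return problems

# Constructed sample values (not taken from the thread).
BRANCH_LAN = "192.168.10.0/24"
HQ_ROUTES = ["192.168.0.0/24"]

if __name__ == "__main__":
    for target in ("192.168.0.10", "203.0.113.5"):
        print(target, check_inform_target(target, BRANCH_LAN, HQ_ROUTES) or "ok")
```

An empty result only confirms the addressing plan; the ping and packet capture suggested in the reply are still what show whether the inform packets really cross the tunnel.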
@Clive_A Yes, I've tried setting that as the controller LAN IP also, but still no luck.
I can confirm that WireGuard is running since I can access the server in my HQ from the branch site.
I can just leave it like this and be happy honestly, but I don't understand why I can't adopt it with the same controller...
Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
@Clive_A Yes, I've tried setting that as the controller LAN IP also, but still no luck.
I can confirm that WireGuard is running since I can access the server in my HQ from the branch site.
I can just leave it like this and be happy honestly, but I don't understand why I can't adopt it with the same controller...
You are actually on a different site and trying to adopt it, correct?
@Clive_A Correct, my setup is more or less like the picture in the guide:
The difference is that I'm using OC200 controller instead of a Software Controller
Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
@Clive_A Correct, my setup is more or less like the picture in the guide:
The difference is that I'm using OC200 controller instead of a Software Controller
Can you please try the IPsec first to meet what you need at least? I need some time to confirm if the WG VPN can do it.
If possible, can you provide the Wireshark result about the Inform URL? Because when you put the IP/URL, it should send the packet to the remote controller directly. I would like to learn if it is actually sent.
@Clive_A I'll try this out when I have the time. For now, my priority is to have the VPN going, and that is achieved using WG. Thank you for the help, and please update if there's anything new from your end.
Not sure if relevant, but this is shown on the login page to the ER605 router on the branch office.
BUT, I still can't see the device for adoption....
Still no opportunity to test Wireshark package/IPsec yet.
Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
Not sure if relevant, but this is shown on the login page to the ER605 router on the branch office.
BUT, I still can't see the device for adoption....
Still no opportunity to test Wireshark package/IPsec yet.
You should resolve this issue first. It should not be adopted yet. If it displays like this, as it writes literally, it has been adopted and you should reset it to erase the settings from it.
I am not sure why that happened because I was not involved in your adoption QA. Probably you need to walk through the setup again.