Relatively new here but not to the channel, and I don’t really post on forums for help so bear with me if I drop a few noob mistakes initially. I’ll try to describe what I’m trying to achieve as best that I can, no doubt there will be questions.
I have Site A with a full Unifi setup consisting of a UDMP head end, and a raspberry PiVPN Wireguard server for 3 clients. I have Site B with a full Unifi setup of the same.
Site A is a small business setup with a fixed IP internet IP address, Site B is a home environment with no fixed IP address. I have two Synology NAS devices, one at each location. Using the Synology software i want to run their snapshot replication service to backup Site A to Site B.
The Synology devices can do this over the internet apparently, however it requires a number of ports to be punched through the firewall which I’m not really a fan of doing. I would rather setup a permanent tunnel for them to communicate over using the wireguard PI’s if possible.
This is where my knowledge of VPN and Wireguard ends, and where I’m looking for help.
- Is what im looking to do possible?
- Will both Sites still be able to use their own Internet? By this I mean i only want the VPN for these two units to communicate on, no other traffic to traverse the VPN.
- As both sites already have incoming clients configured to access the sites respectively, does this mess them up? or is my understanding that it would be another “adapter”
- How the hell do i do it
As much as i want to get this up and running fast, I would really love to fully understand what I’m doing.
I get the very basics of how it will work, but I would love to fully understand what I’m actually configuring if someone has that time to help.
If i need to add anything else please let me know
It is possible to setup split tunnel VPN’s which are VPN tunnels that only route traffic destined to the other side of the VPN. I cover that in my Wiregaurd setup Getting Started Building Your Own Wireguard VPN Server
Since are running wireguard on a PI and not your firewall you will have to also create the additional static routes to get the connection to go from the Pi over to the Synology.
Not an impossible solution, just a much more complex setup that doing a site to site VPN via the firewall. (which is problematic with routing equipment UnFi anyways)
Im not adverse to using better routers/firewalls to be honest. The UDMPs are not doing ANYTHING special as … well … they dont do anything special.
@LTS_Tom I have 2x SG-2100 Netgate devices. would this maybe be a better units to have in place? Maybe to use its built in functionality. Leaving the wireguard Pi’s to run the clients for now, and the site to site for the pfSense boxes?
Thanks so much for your reply, your channel is amazing and your way of explaining things really helps me understand things where others have failed.
Thanks and yes, site to site using the pfsense systems would work out much better.
Thus starts my revisit of all your pfSense videos Thanks so much
@UK_TechDad I am running into a similar kind of thing in this post on these forums: VPN to secondary network
I’ve gotten part of the way to what you describe. But, yes, wishing I just had pfSense on both ends. Then I could do TAP ports with OpenVPN, apparently. If you get this working, either way, post here please and let know how it works out!
@LTS_Tom where is a good place to start when doing the additional starting routes? I have a post in this same forum where I am trying to accomplish this, but am missing something along the way.