VPN to secondary network

chrisfonte · January 11, 2021, 9:59pm

Will try to keep this explanation as simple as I can.

I work with a lot of radio gear that used IP networking to communicate between devices. Usually, these devices are segregated onto their own network, untouched by a Firewall or Router. When a device needs to connect for management, like a Windows PC, it is usually only on that isolated network, or has dual NICs. In bigger installations, routers can be used to allow communication from other networks on certain ports. Typical stuff. More info on the gear itself found at https://www.wheatstone.com/, though the gear itself does not so much matter for this situation.

Some of these devices can run their own custom programs. These programs must be uploaded into the devices. These are typically written and compiled on a Windows PC, and the binaries sent via a GUI program that runs on Windows.

As part of my business, I write these programs. And in today’s world, I am doing this more remotely. While it’s easy to remote into a PC, paste my code into the GUI, and upload to a device…it makes debugging complicated. As most of these programs react to button presses, fader movements, etc…

The program I am now writing is for a radio station in Oregon. I am in South Carolina. The company that has sold the program has a test lab in Minnesota. The radio station in Oregon has shipped the device to me that the program will live on. It is a little radio mixer.

I need to make the mixer communicate from my house in SC to the test lab in Minnesota. So, basically, I need to extend a 192.168.87.x network in Minnesota into my home office. I have pfSense and a Ubiquit Unifi switch in my office. The test lab has a consumer router / firewall. In the Minnesota test lab, there is a standard network for internet, and simply a switch (probably unmanaged) for the WheatNet network (the 192.168.87.x/24 network). There is one Windows PC I can get into and it has two NICs…one for each of these networks.

I have looked into using ZeroTier to bridge back to my home office, but I don’t believe this will work as bridging only seems to be supported on the same interface that provides Internet access to ZeroTier, as far as I can tell. I imagine Nebula is the same, though I have not investigated it fully.

I think my best option is to ship a pfSense to the Minnesota test lab and have someone connect it to both networks, then use OpenVPN to get the WheatNet network into my home office via my pfSense here.

Does anyone have any thoughts of how I could accomplish this in some other way? Any pitfalls with going the OpenVPN / pfSense route?

Chris

neogrid · January 11, 2021, 10:23pm

Here’s an idea though I don’t know if it will work.

You could set up an OpenVPN client on the remote machine, which then connects to your OpenVPN server, now you have a tunnel. Now there might be a setting in the OpenVPN server that will allow traffic to be bi-directional. I believe this is similar to a peer to peer server setup. I’ve not done this but it sounds reasonable.

If you can suss out the above then you can just RDP into the windows machine.

chrisfonte · January 11, 2021, 10:33pm

Good thoughts. But, I need the device on this endin Minn to connect to devices on the other end on a different subnet than the “Internet” network itself. No issues getting into the Windows Machine as I use Screenconnect for that.

Doing a bit more research - Wireguard might be the solution! I could run Wireguard on the Windows PC in Minnesota, Wireguard on a machine here (I would create a 192.168.87.x network on my switch), then use Wireguard to join the two Private LANs together… I dunno, we’ll see if I can put that off!

egftechman · January 11, 2021, 10:44pm

I do that in a SCADA environment using the OpenVPN TAP interface for devices that work best on the same layer 2 network (or more precisely, systems integrator doesn’t understand networking, so you just give them the same network at every location) . Just bridge the OpenVPN TAP interface with an OPT port on a pfSense box on both sides.

egftechman · January 11, 2021, 10:46pm

Also have to set rules to allow everything on those bridged interfaces.

egftechman · January 11, 2021, 10:51pm

Another solution would be to look at VPLS/MPLS over IPSEC or something…MikroTik would be the platform of choice for that.

chrisfonte · January 12, 2021, 5:41am

Yeah, after a neck-breaking evening of messing around with Wireguard (I found this: https://www.reddit.com/r/WireGuard/comments/fm07wj/trying_to_bridge_two_networks_with_wireguard/) I may try the OpenVPN method… Thanks for the tip.

neogrid · January 12, 2021, 9:49am

There was a similar question earlier on how to connect to a second network over vpn. That was solved by adding the second subnet to the destination networks in openVPN, so in theory it sounds like it will work.

egftechman · January 12, 2021, 2:38pm

Here are pfSense docs on the setup…I recommend keeping the LAN port a traditional NAT’d LAN and the OpenVPN bridge interface on a different port

neogrid · January 12, 2021, 2:50pm

That’s an excellent spot!

chrisfonte · January 13, 2021, 6:45pm

So, I got this working, sort of, with Wireguard.

I set up a VM on my office server. Ubuntu running Wireguard. It accepts a connection from Minnesota. I did have the PC in Minnesota running Wireguard for Windows…but that did not completely work…more on that later. So, it is running Ubuntu with Wireguard in a VM on Virtualbox (remember, I am not on site and so there is only so much I can get into). The house network and WheatNet network from this Windows PC are bridged to Ubuntu/Wireguard in Virtualbox.

In my office, port forwarding in pfSense sends traffic for Wireguard to the Wireguard VM. The WheatNet network comes out of this VM as a vlan (for unrelated reasons) and ultimately appears on some ports of my Unifi switch.

Minnesota’s IPs are 192.168.70.2/32 for the Wireguard network. Wheatnet network is 192.168.87.0/24. House network, for Internet, is irrelevant.

My office networks, on the Wireguard VM are 192.168.70.1/32 for Wireguard, 192.168.80.0/24 for WheatNet, house network for Internet is irrelevant.

Each WheatNet network on either side are included in the allowed IPs of each other’s Wireguard configuration. I can ping devices on the opposing WheatNet network from one side to the other, both ways. BUT, this is not working for other devices on these networks on either side. I can ping them, they can’t ping me, both ways, if that makes sense.

On both sides, the Wireguard server is assigned as the Gateway on the WheatNet networks. I thought this might work, but I am apparently missing something. On Windows devices, I also manually added routes to the opposing subnets via the Wireguard VMs, but this is not working either.

So, it is working for each of the two Wireguard devices in both ways, but not for all of the other devices on their networks.

I know this is not necessarily the best use case for the tools I am using - there are other ways of doing this that are much more solid and tested. But, in the real world, I am working with what I have, and it will only be used for testing and development…so it’s more of just a means to an end.

Does anyone how I could get these routes to propagate out to other devices on the WheatNet subnets?

Back to the Windows Wireguard issue… I could ping devices from the allowed IPs generated by Wireguard in both directions. But for the allowed IPs that were physical (WheatNet), I could only ping from the Windows side (Minnesota) to the Linux side (my office). I could not ping from the office side (Linux) to the Windows side (Minnesota).

chrisfonte · January 13, 2021, 6:56pm

Here is a down-and-dirty diagram to help visualize this better.