[GL.iNet] Site to Site feature is now available

We’re excited to announce that the Site to Site feature is available now.
It allows offices in multiple locations to establish secure connections with each other over the internet. It extends the company’s network, making computer resources from one location available to employees at other locations.

Scenario 1: A company has dozens of branch offices that they wish to join into a single private network to share resources.

Scenario 2: A company has a close relationship with a partner company. Site to Site allows the companies to work together in a secure, shared network environment while preventing access to their separate internets.

Scenario 3: A family has an IP camera, and when they are not at home, Site to Site allows remote access to the IP camera.

Condition:
One of the locations has a public static (or dynamic) IP, and there are two or more GL.iNet devices with v3.026.

So it’s a VPN server with clients connecting to it? How is this any different than just configuring an OpenVPN server on one device and VPN clients on the other two? Or is the goal just to “simplify” the process of doing that?

Technically it is a VPN server and client. We are using WireGuard, not OpenVPN.

But they are very different, in the following aspects:

  1. VPN client and server setup is complicated. You have to set up the server, get the config and set up the client. Most people cannot get this done within 30 minutes. With Site2Site you can do this in minutes.
  2. It is about routing. Site2Site only links two networks into one. Each network will still have its own Internet. This is very different from a client/server concept, in which all of the client’s data goes through the server.
  3. It is about automation. You do not need to configure the server and then the client. You can just create a network via the cloud and all will be set up. And you can monitor the connections.
  4. It is about the business concept. Linking multiple offices in different locations is not a technical concept, but rather a business concept, and it addresses productivity.

So all applications are tools/platforms/UIs that are based on basic IT technologies.

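As an added illustration of the routing difference described in point 2 (this is not GL.iNet’s generated config): two WireGuard peer configs where only the remote LAN is routed into the tunnel, so each site keeps its own internet breakout. Keys, the endpoint name and the two LAN subnets are placeholders; the port is the thread’s default 51830.

```ini
# siteA.conf -- the site with a public (static or dynamic) IP.
# Keys, endpoint and subnets are placeholders, not values from the page.
[Interface]
Address = 10.10.0.1/24          # tunnel address of site A
ListenPort = 51830              # WireGuard is UDP: forward UDP 51830 to this device if it sits behind NAT
PrivateKey = <SITE_A_PRIVATE_KEY>

[Peer]
# Site B (the office behind NAT); its LAN is 192.168.8.0/24
PublicKey = <SITE_B_PUBLIC_KEY>
# Only traffic for site B's tunnel address and LAN enters the tunnel;
# everything else still leaves through site A's own internet uplink.
AllowedIPs = 10.10.0.2/32, 192.168.8.0/24

# ---------------------------------------------------------------

# siteB.conf -- behind NAT, no inbound port needed; it dials out to site A.
[Interface]
Address = 10.10.0.2/24
PrivateKey = <SITE_B_PRIVATE_KEY>

[Peer]
# Site A; its LAN is 192.168.1.0/24
PublicKey = <SITE_A_PUBLIC_KEY>
Endpoint = siteA.example.com:51830   # DDNS name if site A's IP is dynamic
# Site-to-site (split) routing: only site A's tunnel address and LAN.
AllowedIPs = 10.10.0.1/32, 192.168.1.0/24
# The classic client/server full tunnel would instead be
#   AllowedIPs = 0.0.0.0/0
# which sends ALL of site B's traffic, internet included, through site A.
PersistentKeepalive = 25             # keeps the NAT mapping open from behind NAT
```

wg-quick installs a kernel route for each AllowedIPs entry, so hosts on one LAN reach the other LAN through their own router, provided the two LANs use different subnets and IPv4 forwarding is enabled on both routers.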

Here is my use case. Is site2site the best option for me? Hopefully you can answer this in simple words to make it easy to understand.

I have a NAS at my house to record TV shows (using HDHomeRun DVR). The NAS is in my home LAN address space. When at home, I can use the HDHomeRun client on my tablet or phone to watch TV.

Now, I want a solution so that, when I am at a hotel, I can watch the same shows there, using the same HDHomerun client, as if I was on my home LAN.

I use GL routers throughout my home, including my main gateway and DHCP server. Assume I can bring another GL router with me to the hotel room.

What are the advantages or disadvantages of using site2site vs a Wireguard VPN setup?

I have a question: Does your HDHomeRun client need to use an IP address to access the NAS?

For example, if your NAS is 192.168.1.5 and your tablet is on another router with the IP 192.168.8.11, can the HDHomeRun client work?

If yes then Site2Site is the correct way for you.

If you can set up WireGuard by yourself and set up the correct routing, then you can use that.

Advantages:

  • No cloud needed.
  • It is a great satisfaction for tech guys to DIY their own solution.

Disadvantages:

  • Too complicated. Even for someone with good skills, it takes 30 minutes to configure everything.
  • If you failed to configure your server before you leave home, then you cannot do it while travelling.
  • Dealing with routing is difficult. By default all your data goes to your home, so your internet may be throttled.

But if you use Site2Site, you do not need to worry about setting up the server and client.

Advantages:

  • As long as you have the correct firmware, you can set this up in minutes. Server and client config will be distributed automatically.
  • You can set this up on your way. So if you failed to make it work before leaving home, you can set it up anytime.
  • Your Internet data and your NAS access take different routes, so your Internet may not be throttled.
  • You can monitor how much data you used. There is only simple monitoring, including total traffic transmitted.
  • If your ISP changes your IP address, the Site2Site network will heal itself.

Disadvantages:

  • You have to use our Cloud to configure this. Although we do not store any of your config and data, some users still have privacy concerns.
  • Currently the default routing policy splits Internet and in-site access. So if you want to use the VPN to protect your privacy, this may not work for you right now. But this is just routing policy, so we will address it later.

I don’t want this announcement thread to become my own private tech support channel, so please move this to a different thread if you think it is best.

As to your question, I don’t know. I have only tried this when my tablet and NAS are on the same subnet. I don’t think setting up a VPN client and server would be hard for me, but my assumption was that, by default, clients would be put in a different subnet than the server’s DHCP space. Perhaps there is an easy routing rule to handle this, but I have not figured that out. Any pointers to resources? Alternatively, is it better to force the VPN client to live in the same subnet as my home has?

To do this, you may need layer 2 bridging. OpenVPN TAP can do this job. Or a GRE tunnel.
We do not have this set up in the UI, but some people do this. Using a layer 2 bridge, your device will be a client of your home network and all data goes there.

I have 2 AR750s correctly connected to Cloud (2 green lights),
but I can’t connect them by Site to Site.
One of them is behind a Fritzbox 6490.
What do I have to do?

many thanks
Thomas

please read this: Cloud - GL.iNet Docs

  • One of the routers has a public IP, either a static public IP or a dynamic public IP.
  • The port is open; the default is 51830.
  • If the router is behind NAT, you may need to set up port forwarding.

many thanks, leo
now it works after forwarding this port in UDP/TCP

The sites are also connected.

How can I access the LANs behind this via VPN?

What do you mean by “How can I access the LANs behind this via VPN?”?

I can reach both login pages on the two GL-AR750s (192.168.191.1 and 192.168.191.2),
so I have set up OpenVPN server profiles for both locations.

I can reach via the Android phone OpenVPN client Location #1 (Master) but not #2.
#2 is behind an ASK4.com Student.Network.

This is the log for Site #2:

(removed, not relevant, 2019-11-14)

and this for Site #1:

Mon Nov 11 11:27:57 2019 Initialization Sequence Completed
Mon Nov 11 11:27:57 2019 MANAGEMENT: >STATE:1573468077,CONNECTED,SUCCESS,10.8.0.6,134.3.57.147,1194,
This is the screenshot of the Tunnel IP Address Range:

(I can only add one JPG and reply only 3 times)

Could you give a screenshot of your site to site topology, and a screenshot of the tunnel IP?

Topology

Tunnel IP Address Range in the reply above

In the meantime I have learned that it is only necessary to connect successfully to the main site on the left to access resources on the right.

But I don’t see resources on the right site, e.g. 192.168.8.2, when I’m connected via the Android OpenVPN client.
I can access both admin pages at 192.168.191.1 and 192.168.191.2.

hope for help

br
Thomas

  1. Turn off the OpenVPN client on your phone and connect your phone to the AR750 Silcher Wi-Fi. Can your phone access 192.168.18.1?

  2. What do you mean by “not #2” in “I can reach via the Android phone OpenVPN client Location #1 (Master) but not #2.”?
    Your phone runs the OpenVPN client to connect to Location #1 (AR750 Silcher), then you try to access AR750 Conway via 192.168.18.1?

For your reference

ad 1)
Actually I am at the CONWAY location (#2). Without OpenVPN I can reach 192.168.18.1 and 192.168.17.1 as well. I can’t reach 192.168.9.x addresses. If I run the OpenVPN client I can reach 192.168.9.x addresses in the SILCHER location.

Should this be possible in a Site to Site connection? Even this I’m missing. I thought that this needs OpenVPN.

If I try

then that is not accepted (address conflict with guest net).

ad 2)
“What do you mean by “not #2” in “I can reach via the Android phone OpenVPN client Location #1 (Master) but not #2.”?” This means that when I run the OpenVPN client on the mobile network I can reach 192.168.9.x addresses in the SILCHER location (as in 1)), but not even AR750 Conway via 192.168.18.1.

“Your phone runs the OpenVPN client to connect to Location #1 (AR750 Silcher), then you try to access AR750 Conway via 192.168.18.1?” Even this is not possible.

Outside SILCHER and CONWAY I can reach via OpenVPN only SILCHER and not CONWAY.

many thanks for your help

“For your reference”

Even this is my problem too.

I have tried to add 10.8.0.0/24 in the Tunnel IP address range. This was accepted, but I have no connection to 192.168.9.x.

This is the internet configuration on the SILCHER side:

I don’t understand how and where I have to set the guest net.

192.168.9.x is the default for the guest Wi-Fi; could you change it, e.g. to 192.168.49.x?