How to connect LAN to LAN using VPN?

Hi Gurus,
How do I connect two LANs using the VPN available in AR750s? Assuming I have an Office LAN A in Country A and another Office LAN B in country B, can I link them up using VPN and let them form a Big Network so that each device in one LAN can access another device in another LAN? Can each device opt to access internet through Router A or Router B?
Is the scenario achievable with two AR750s with existing App ?
Any advice would be highly appreciated.
Thank you.

Hello,

We have a site2site for you
You can download the testing firmware 3.026 from here
For setting up steps, please refer to Cloud - GL.iNet Docs

Great! Thank you very much. Will test it out.

@luochongjun

Thank you very much for pointing me to the developing project “Site to Site”
Yes, it achieved what I wanted to do to connect two LANs.
Thank you very much for introducing this new feature.

However, I have some concerns on the security due to the implementation
model using GoodCloud.

In the case of manual WireGuard, I let the server node generate a set of
public and private keys, then I pass over to the client node manually to set up
a connection. There is no need to involve GoodCloud.
Only I know the encryption keys.

In the current version of “site to site”, I deduced that the GoodCloud
controls the generation of the encryption keys at the Main Node and passes
it over to the other Node. It is very convenient. However, this is exactly
the security loophole. People may ask, "Can we trust the GoodCloud?"
Goodcloud holds the encryption keys of our connections in my network.

I would feel more comfortable if I can implement the “Site to Site”
manually (NOT through GoodCloud). Any plan to release a manual
implementation (without going through GoodCloud) to those who
do not mind the trouble?

@luochongjun,
By the way, what is the connection between two devices (LAN) under “Site to Site”, is it a Wireguard or OpenVPN?

There is always a tradeoff between convenience and security concern. I mean security concern, not security itself.

We don’t keep the private keys but it depends if you trust us. When using Cloud the cloud can always generate key again and replace those in the router even if it does not keep the keys. But this is always what other Wireguard VPN providers are doing. If you are using OpenVpn protocols you face the same problems as well: Keys are generated from the server side.

But we do let a user configure it by him/herself. Just a little complicated.

Use the Wireguard, if you are a developer, you can configure it manually.

Using “GoodCloud” means deprivation of your right of privacy and data security.

It’s exactly as using any VPN service, no different for privacy.

NO, it is in NO case like a VPN-Provider !

Goodcloud is a client-server system which is able to control the clients = routers of Gl.inet !

Goodcloud has some similarities with a command-and-control system (C&C-System) .

It has also some functions like a Man-In-The-Middle.

If a user has a subscription, let’s say with “Mullvad”, why should GL.iNet have access to encryption keys, etc. like an admin similar to the owner of the router?

Comparing Goodcloud to a VPN-Service is intentional misinformation!

What i am saying is that a VPN provider has their terms of service you read and agree to.

In the same way all traffic is sent via the VPN and they can see your traffic. A government request renders your privacy voided. When you downloaded your VPN keys after payment, surprise, you didn’t use a second system such as tor to download them? Well they are now logged at the ISP, at the internet backbones that have traffic analysis (where CIA, FBI and others have logging) and multiple other locations. In your own VPN list most of the providers are in countries that must comply with the governments. VPNs offer a false sense of security if not used properly.

It’s you that is spreading misinformation here. The API is public and anyone can read it here:
https://dev.gl-inet.com/

The cloud as you say only controls the router, no data is stored on the cloud except a token for control. All other functions are done on the router itself and data is not sent back to GL. Everything is listed in the TOS.

Still don’t believe it? Ok do packet logging for a few days using the cloud and post the results here of what data is sent. You can do it with cloud enabled and disabled. Until then, don’t post useless comments and misinformation.

Regarding your answer, it looks like you are missing arguments:

You start fabulating about FBI, CIA etc. way off-topic and at the end you are insinuating in a dishonest way that my comments were useless and misinformation.

Without offending you (only facts!) take notice:

I am not interested in any crude discussion with people, who are showing misbehavior and latent aggressiveness .

Sorry to all others, let’s return to the topic.

The following thread shows what I mean and contains remarkable information about “GoodCloud” regarding privacy and security:

          https://forum.gl-inet.com/t/goodcloud-xyz/7496

@AlZhao Please take notice

Your comments are complete misinformation as you don’t provide any kind of proof and just state things as facts. You still haven’t posted any data dumps, any kind of analysis to anything you are saying.

You are linking to a thread where a user found the api URLs (which are public and documented on the GL site), while saying that full control of the router can be done, but fails to state that when the router has the cloud disabled, the server can’t control anything. That user has also not provided any logs, packet data or anything to “prove” (cos he can’t) that the server can do anything without your permission. You are basing your “facts” on something that is also misleading and dishonest as you say.

OK. I did take notice

  • I understand your concern and this is valuable to our product design/development. Your challenge is accepted.

  • Cloud is designed to make things easy and make things work.

  • All cloud has security and privacy issues you mentioned. It is not about one package or API. One can just use udp/tcp to achieve all of this. We make APIs which is for easy, development and transparency.

  • We are taking necessary steps to make it more secure and trustworthy, as said in your linked post. We don’t acknowledge that it is not secure unless you find the security bugs. Welcome white hat!

Regarding your fourth point of your post I cite in spirit:

-Company stance: Our code is secure till you find some bugs !

I will play here devil’s advocate and show the other side of the coin:

-Security stance: The code is insecure till you prove it’s secure

Only Quality products are making ends meet with these two objectives.

Otherwise I am with you. And thanks for stepping in.

I agree with you but

The security stance is for our engineers. They need to prove the product is secure to the company.

To the clients, the company can declare but even with all the source code open, no one can prove because the deployed products may not use exactly the source code.

You can question whatsapp, telegram and they will tell you that they will not oversee your messages. But still it depends on you to trust them or not.

I agree with you:

Trust is a big theme in this context.

It may be helpful if one knows better about how good or bad a company is managing this security stance.

Often you are able to form an opinion from outside a company about this internal security stance with the aid of the external Bug Management System used by clients reporting bugs.

It’s like a fingerprint of the internal security and quality stance of a company and often gives you more information than the company wants to expose.

This often achieves to lose (or sometimes gain) confidence (trust) in a company.

@kuhr and @alzhao
I know this thread is a few years old. However I thought I may as well post what I did for a solution in my case.
Since a certain firmware of glinet, you can use the Wireguard VPN client and server feature simultaneously. This is extremely useful. Especially given the fact how easy it is to set up a Wireguard server on the glinet router with provided ddns if required. I activated the Wireguard server on both routers and made one router being a client at the other one. It works perfectly! I’ve got services in one Network and printers in the other one, and it all communicates via super fast Wireguard VPN connectivity which is the fastest you can get to date.

One note though @alzhao :
When doing such a setup and you’ve got medium to large networks on both ends, you need fairly powerful routers. To date, there’s one or two routers of glinet which I find are powerful enough to provide the speed and performance needed. I look forward to seeing more powerful routers with stronger CPUs in the future…

PS
You need to configure on both routers at the client and server end, that you allow the routers to access the remote LAN

1 Like
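
As an added example (not part of the post above and not GL.iNet code), this Python check covers the routing requirement from the PS for a manually configured WireGuard LAN-to-LAN link: each side's peer `AllowedIPs` must include the other site's LAN, and the two LANs must not overlap. The subnets, hostname and key placeholders are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed wg-quick style configs; subnets, hostname and key placeholders are assumptions.
# Each private key is generated on its own router and never leaves it.
SITE_A = """[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <site-A-private-key>
[Peer]
PublicKey = <site-B-public-key>
AllowedIPs = 10.0.0.2/32, 192.168.20.0/24
"""
SITE_B = """[Interface]
Address = 10.0.0.2/24
PrivateKey = <site-B-private-key>
[Peer]
PublicKey = <site-A-public-key>
Endpoint = site-a.example.net:51820
AllowedIPs = 10.0.0.1/32, 192.168.10.0/24
"""
# Site B with the remote LAN left out of AllowedIPs (the step the post above calls out).
SITE_B_NO_LAN = SITE_B.replace(", 192.168.10.0/24", "")


def peer_allowed_ips(conf_text):
    """Networks in AllowedIPs of the single [Peer] section (one peer per site)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp["Peer"]["AllowedIPs"]
    return [ipaddress.ip_network(n.strip(), strict=False) for n in raw.split(",")]


def check_site_to_site(conf_a, lan_a, conf_b, lan_b):
    """Return routing problems for a two-site tunnel; an empty list means OK."""
    lan_a, lan_b = ipaddress.ip_network(lan_a), ipaddress.ip_network(lan_b)
    problems = []
    if lan_a.overlaps(lan_b):  # e.g. both routers left on the same default subnet
        problems.append(f"LANs overlap: {lan_a} and {lan_b}")
    for name, conf, remote in (("A", conf_a, lan_b), ("B", conf_b, lan_a)):
        covered = any(n.version == remote.version and remote.subnet_of(n)
                      for n in peer_allowed_ips(conf))
        if not covered:
            problems.append(f"site {name}: AllowedIPs does not cover remote LAN {remote}")
    return problems


if __name__ == "__main__":
    print(check_site_to_site(SITE_A, "192.168.10.0/24", SITE_B, "192.168.20.0/24"))
    print(check_site_to_site(SITE_A, "192.168.10.0/24", SITE_B_NO_LAN, "192.168.20.0/24"))
```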

I asked about the performance impact last year, with no response from GL.iNet:

Subsequently, I acquired and tested on a recent GL-AXT1800 Slate AX model, with the router throughput reduced significantly.

I do not work for and I do not have formal association with GL.iNet

1 Like