Tutorial for VPN subnet routing choices?

Hi all. I have searched and read several threads here to help me, but none quite did the job. Perhaps everyone’s case is too distinct to make an overall tutorial, but I hope not.

My base case is a road-warrior (e.g. using unencypted wifi from a hotel or coffee shop), wanting to encrypt through the VPN from my computer at the hotel to my home router. Let’s assume that my home router (LAN IP 192.168.99.1), which connects all my home clients (192.168.99.101 through 192.168.99.250) to the Internet, is a GL-inet using 3.X firmware and running as the VPN Server, and my remote (in hotel room) router is also GL-Inet 3.X and running VPN Client. Although I haven’t actually tried yet, I am confident I can set this up, especially with the v 3.X version of the GL-inet firmware.

My understanding is that, by default, my data would flow through the VPN client (my hotel room router) back to my home router (VPN Server), after which, my network session would appear to be originating from my home, and unencrypted.

However, the data session would never enter my home LAN, and thus from the hotel VPN client, I would not be able to reach any client inside my home. In addition, the IP addresses between the VPN Client and VPN server would be different than the IP subnet inside my house.

First, is this understanding correct?

Second, how would you make it possible to access a specific IP address on my home LAN (e.g. 192.168.99.150) from my hotel router (or a tablet or other device connected to the hotel router).

Third, how would you make it possible to access all of the clients on my home LAN (192.168.99.X)?

Fourth, what are the pros and cons of allowing your VPN Client router access to my home LAN? Assume that my VPN Client router is never lost or compromised (e.g. attacker learns my admin passsword, etc.)?

Fifth, while I understand the newly offered site to site feature could do this, and I may adopt, but first I want to learn how I can do this myself. Would I do this with a VPN Policy? A config of my firewall on my home router?

Hopefully the answers will be broadly helpful to others trying to understand VPN forwarding between subnets.

Many thanks.

Three things to think about in understanding the routing.

If you’re not familiar with routing, there’s the basics of routing that is “most specific route wins”. For a destination of 10.1.2.3, 10.1.2.3/32 is more specific than 10.1.2.0/24 is more specific than “default”, for example.

Before the tunnel is set up, you often need to be “unprotected” so that you can use a captive-portal login.

The tunnel itself needs to connect to the remote host. This is usually managed by a specific route inserted by the VPN software. “Route all packets to the remote tunnel endpoint through the hotel’s wireless.”

The “protected” traffic wants to go through the tunnel. Assuming you’re routing everything you can through to the other end, the VPN software replaces the default route with the tunnel. This is less specific than the rule for the tunnel itself.

There is also “split” VPN, where only some of the destinations go through the tunnel, and the rest don’t. In this case, rather than replacing the default route, a route to, for example, 192.168.8.0/24 is used.

Edit: Not really a “tutorial” on routing, but some of the illustrations in https://emanuelduss.ch/2018/09/wireguard-vpn-road-warrior-setup/ may help.

Before the tunnel is set up, you often need to be “unprotected” so that you can use a captive-portal login.

Yes, this I knew.

The tunnel itself needs to connect to the remote host. This is usually managed by a specific route inserted by the VPN software. “Route all packets to the remote tunnel endpoint through the hotel’s wireless.”

“remote host” means VPN client or VPN server? Also, can you observe these routes inside the router config while connected? how?

The “protected” traffic wants to go through the tunnel. Assuming you’re routing everything you can through to the other end, the VPN software replaces the default route with the tunnel. This is less specific than the rule for the tunnel itself.

Again “to the other end” means VPN Client or Server. Also, “This is less specific than the rule for the tunnel itself”, Why? Can you give an example?

There is also “split” VPN, where only some of the destinations go through the tunnel, and the rest don’t. In this case, rather than replacing the default route, a route to, for example, 192.168.8.0/24 is used.

From the context, I have to assume you are talking about splitting traffic at the VPN client side, right? Some of the outbound traffic from the VPN Client wants to go through the tunnel to the VPN Server before it is routed from the VPN Server, and some VPN Client data wants to exit from the hotel router directly through the hotel’s connection to the Internet. Please confirm.

Still trying to understand when (and why) data from the VPN Client router goes into the LAN of the VPN Server router.

The “other” end from whichever end you’re on. There are both peering VPNs (WireGuard being one) as well as client-server VPNs.

The routes are visible with

ip route [show]

on a Linux-based host.

Let’s say that your “laptop” has a public IP address of 198.51.100.100 with an initial routing table of

  • default via 198.51.100.1
  • 198.51.100.0/24 link-local on eth0

You now bring up a routed VPN with a remote endpoint of 203.0.113.113. That software does something like

  • Creates a new tunnel interface, wg0, with an IP of 10.0.0.100/24
  • Which, in turn, inserts a route of 10.0.0.0/24 link-local on wg0
  • Adds a route of 203.0.113.113/32 via 198.51.100.1
  • Replaces the default route with default via 10.0.0.1 (the other end point of the tunnel)

so the laptop’s routing table now looks like (in order of increasing specificity)

  • default via 10.0.0.1
  • 198.51.100.0/24 link-local on eth0
  • 10.0.0.0/24 link-local on wg0
  • 203.0.113.113/32 via 198.51.100.1

Yes

All based on the routing table. Assuming you have a single routing table, the packet’s departure destination is determined by the most specific route for the destination in the table. If there are multiple with equal specificity, the one of those with the lowest metric is selected.

  1. Packet originates on your laptop with a destination of 8.8.8.8. (Or, if forwarding is enabled, arrives there from another host)

  2. The routing table selects the default route as the more specific ones don’t match and sends it to the host at 10.0.0.1 over wg0

  3. The VPN software reads the packet from wg0, encapsulates it, and sends new packet(s) to the other end point at 203.0.113.113 (as that software knows the destination to reach the other end point)

  4. The routing table has a more specific (exact, in this case) match for 203.0.113.113 so sends it to the host at 198.51.100.1

  5. The host at 198.51.100.1 then consults its routing table and sends the packet to its next-hop destination …