Simple VPN between Surf SOHO and Surf on the Go for travel

Hello

I am attempting to set up a VPN between my Surf SOHO and Surf on the Go to use when I’m on travel.

My home network has the SOHO sitting between a cable modem and my LAN. It gets an IP via DHCP, but this IP has only ever changed when I’ve had a change on my account (new modem, change of service level, etc.). The Surf on the Go will mostly be set up to create a private LAN/AP using external WIFI as the WAN. I would like to set up a VPN between the routers both for privacy purposes and so I can access services on my home network (like a SAMBA share). To put it another way, I want to securely extend my home network to my remote location.

I began looking through the SOHO manual to set up PEPVPN between the two but I feel a little out of my element and am not really sure that this is even going to give me the result I want. Does anyone have any suggestions on how best to do this?

Thanks.

Hi,

PepVPN is the solution for your case.

Just to confirm, is the Surf SOHO WAN getting a public IP? If so, please ensure the Surf SOHO (test ping www.peplink.com via System > Ping) and the Surf On The Go (test ping the Surf SOHO WAN public IP via Settings > Tools) can access the internet. Then follow the configuration below:



Yes, the SOHO will always have a public IP. The On-The-Go may be behind NAT; I’m assuming this won’t matter as long as the OTG can reach the SOHO.

Hi,

Yes. Please follow the provided settings.

Hope this helps.

So I got it set up and the two routers appear to be seeing each other and connecting.

My problem now is getting clients on both sides of the tunnel to see each other. Trying to ping the SOHO from the OTG results in a destination unreachable error from the OTG IP.

I then figured that the problem was that the two sides were on different subnets, and so I set up both sides as follows:

SOHO
router IP: 192.168.1.1
DHCP IP range 192.168.1.20-192.168.1.50 with a 255.255.255.0 subnet mask

OTG
router IP: 192.168.1.100
DHCP IP range 192.168.1.70-192.168.1.90 with a 255.255.255.0 subnet mask

I rebooted and still can’t see the other side.

Do I need to set up firewall rules to allow traffic through the tunnel beyond what I have locally?
Is there some other approach I need to be taking to bridge the two networks?

Hi,

  1. Please avoid using the same IP subnet on both LANs. Please change either side to something other than 192.168.1.x.

  2. Please ensure the Status of PepVPN shows “Established”, then test again.

Okay, I tried it again on different subnets and it seems to work, with one little issue: it seems like the OTG gets stuck in the setup phase about 50% of the time. When this happens the status on the OTG says something along the lines of “Connecting” and the SOHO alternates between “Established” and “Connecting”. I’m not sure what the cause of this is, but it’s workable since once both sides are at “Established” the connection remains stable. I believe this is what was happening when I was testing the other day.

Thanks for the help.

Hi,

This could be a connection issue between the two units. If the Surf On The Go has a stable internet connection, then it should be fine.

When I first set up a site-to-site PepVPN, I had the same question about subnets on each end. The documentation really needs to explain this.

Hi Michael,

We do provide examples of SpeedFusion setup on our knowledgebase. To make it simple, a Layer 3 SpeedFusion tunnel is similar to other VPN solutions (e.g. IPsec), which need to avoid using the same subnet between the HQ and branch networks. This is a standard design for a Layer 3 environment. :)

So, follow up question.

I have my VPN set up per TK LIEW’s pictures above, except that I’m using a pre-shared key for authentication, but I’ve noticed that it looks like most traffic is leaving the local network via the WAN as opposed to through the VPN tunnel. Is there any way to force traffic to use the VPN tunnel for more stuff? I’d like to be able to make it so that most traffic exits networks I control from the far side of the VPN (the router at my home) rather than through the OTG.

My initial ideas for doing that were:

  1. change the default gateway to point to my home router on the OTG’s DHCP server.
  2. Use the firewall/port forwarding to force stuff to my home router.

Neither of these options appear to exist on the OTG router.

Hi,

SOTG <– PepVPN –> SOHO is mainly for network communication between the LAN segments at both ends. Internet traffic from the SOTG will not be routed into the PepVPN.

Can you further explain what you want to achieve using the PepVPN?

Thank You

To expand on the above response from sitloongs: things are working as they are supposed to work.

Again, this is a documentation issue. Even when there is no problem, a user is confused. The doc from Peplink, as a rule, is a cheat sheet for people who already understand it all. None of the doc takes someone new to an issue, a site to site VPN in this case, and brings them up to speed. Too bad.

A Surf SOHO to another Surf SOHO was the first site to site VPN, I had ever configured. It was a struggle, solely due to the documentation. The software works great.

I might suggest using the PepVPN to remotely control a computer at home and do web browsing from that computer. Or, if the Surf SOHO at home was running a VPN server, then perhaps something could be done with that. Don’t know. It would be really nice if Peplink provided VPN client software, but like most router vendors, they only offer VPN server software. VPN client software would allow the Peplink router in your hotel room to directly connect to dozens of different VPN providers which is probably what most people want most of the time.

Hi Michael,

Your concern is noted. We are improving our documentation. We have put more examples in the knowledge base and design lab. We will continue to put more effort into this.

Thank you.

Option one:
Functionally, what I want is to have my home network at remote locations, i.e. when I arrive at my hotel room, I plug in the router, it builds the tunnel, and when I connect to it with my laptop I get an IP address from my home DHCP server, and other than being slower my laptop thinks I’m at home (and I can do things like watch stuff recorded on my TiVo, grab stuff from my fileshare, etc.).

It sounds like it can’t do that.

Option Two:
If I can’t do option one, at least get some of my traffic off of (obscured from) the hotel WIFI, i.e. I plug in and it routes some or all of my traffic through my home router.

It sounds like it can’t do that either.

Basically what I’m walking away with is that PepVPN is the easiest way to set up a VPN that doesn’t do any of the stuff people who don’t already know how to set up a VPN would want to do.

And I agree with Michael234, the problem likely is documentation. While you make it sound like setting up PepVPN is easier, it probably would have been easier if I had just gone with the IPsec route since, in general, that’s documented elsewhere… or at least I would likely have figured out earlier that I’m using the wrong tool here.

I think what I have right now is a way to access my home network remotely as long as the stuff on my home network is okay with talking to stuff on other subnets, which most of it isn’t.

There is a misunderstanding here. The site-to-site PepVPN does do your option 1. It will let you access the devices on your home LAN from a hotel room while traveling.

That said, in the hotel room your network needs to use a different subnet than you use at home. If home is 192.168.5.x, then hotel can be 192.168.6.x. Any computing device in the hotel room would get an IP address from the router in the hotel room, one in the 192.168.6.x range.

If a file share at home is \\192.168.5.5\myfolder then you can reference this from the hotel room exactly as if you were home. It’s pretty cool the first time you do it. I have done this with PepVPN, never tried IPsec.

Another cool thing is WakeOnLAN. You don’t necessarily have to leave devices on all the time while traveling. Those that support WOL can be woken up from your hotel room by talking to the Peplink router at home. This was added with Firmware v6.

I can’t speak to your option 2.

Hi Kandralla,

In order to achieve your requirement, you need to establish PepVPN between the Surf SOHO and the Surf on the GO and, at the same time, enable Layer 2 PepVPN bridging.

This will put the networks behind the Surf SOHO and the Surf on the GO in the same broadcast domain.

Refer to the below sample network diagram:


Surf SOHO:

  • the WAN IP is 192.168.52.52
  • the LAN network is 192.168.60.0/24
  • the LAN interface IP address is 192.168.60.1
  • enable the DHCP server in the Surf SOHO to serve the DHCP IP range
  • establish PepVPN to the Surf on the GO, and enable Layer 2 PepVPN bridging too

Surf on the GO:

  • the WAN IP is 192.168.52.146
  • the LAN network is 192.168.60.0/24
  • the LAN interface IP address is 192.168.60.254
  • disable the DHCP server in the Surf on the GO
  • establish PepVPN to the Surf SOHO, and enable Layer 2 PepVPN bridging too

When you connect a device to the Surf on the GO, it will get its DHCP IP address from the Surf SOHO.

In this case, the device might get the IP address 192.168.60.10/24 and the gateway 192.168.60.1 from the DHCP server at the Surf SOHO.

Because of this, when the device behind the Surf on the GO wants to go to the internet, the internet traffic will go back to the Surf SOHO and then go out to the internet.

Thanks.

Regards,
Yaw Theng
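The two address plans discussed in this thread are easy to get wrong: the routed (Layer 3) tunnel needs two different LAN subnets, while the bridged (Layer 2) plan above needs one shared subnet, two distinct router addresses and exactly one DHCP server on the segment. The script below is an added example written for this page, not Peplink's code and not something posted by Yaw Theng or anyone else in the thread. It encodes those rules as checks and runs them over the addresses quoted in the posts. Assumptions: the home DHCP pool (192.168.60.10 to 192.168.60.200) is a placeholder since the post gives none, and 203.0.113.10 stands in for the SOHO's unstated public WAN address (it is a documentation-only range, so it is not RFC 1918).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# RFC 1918 private ranges. A WAN address in one of these sits behind someone
# else's NAT and cannot be reached from the internet without port forwarding.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class Site:
    name: str
    wan_ip: str
    lan: str                                     # LAN subnet in CIDR form, e.g. "192.168.60.0/24"
    router_ip: str                               # the router's own LAN interface address
    dhcp_pool: Optional[Tuple[str, str]] = None  # (first, last) lease, or None if DHCP is disabled

    @property
    def network(self) -> IPv4Network:
        return ip_network(self.lan, strict=True)


def is_rfc1918(ip: str) -> bool:
    """True if ip lies in a private range, i.e. it cannot be a routable WAN address."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def _site_problems(site: Site) -> List[str]:
    """Sanity checks that apply to one router regardless of tunnel mode."""
    problems = []
    net, router = site.network, ip_address(site.router_ip)
    if router not in net:
        problems.append(f"{site.name}: router IP {site.router_ip} is not inside {site.lan}")
    if site.dhcp_pool:
        first, last = (ip_address(x) for x in site.dhcp_pool)
        if first > last:
            problems.append(f"{site.name}: DHCP pool start is after its end")
        if first not in net or last not in net:
            problems.append(f"{site.name}: DHCP pool is not inside {site.lan}")
        if first <= router <= last:
            problems.append(f"{site.name}: router IP {site.router_ip} sits inside its own DHCP pool")
    return problems


def check_l3_plan(home: Site, remote: Site) -> List[str]:
    """Layer 3 PepVPN: each side keeps its own subnet, and the two must not overlap."""
    problems = _site_problems(home) + _site_problems(remote)
    if home.network.overlaps(remote.network):
        problems.append(f"LAN subnets {home.lan} and {remote.lan} overlap; a routed tunnel "
                        "cannot tell the two sides apart, so change the subnet on one side")
    return problems


def check_l2_bridge_plan(home: Site, remote: Site) -> List[str]:
    """Layer 2 PepVPN bridging: one broadcast domain, one subnet, one DHCP server."""
    problems = _site_problems(home) + _site_problems(remote)
    if home.network != remote.network:
        problems.append(f"bridged LANs must share one subnet, but home is {home.lan} "
                        f"and remote is {remote.lan}")
    if ip_address(home.router_ip) == ip_address(remote.router_ip):
        problems.append(f"both routers use {home.router_ip}; give each a distinct address")
    servers = [s.name for s in (home, remote) if s.dhcp_pool]
    if len(servers) != 1:
        problems.append(f"exactly one DHCP server should run on the bridged segment, "
                        f"found {servers or 'none'}")
    # Both routers now live in the segment the DHCP server leases on, so the
    # other router's address must stay clear of that pool as well.
    for server in (home, remote):
        if not server.dhcp_pool:
            continue
        first, last = (ip_address(x) for x in server.dhcp_pool)
        for other in (home, remote):
            if other is not server and first <= ip_address(other.router_ip) <= last:
                problems.append(f"{other.name}: router IP {other.router_ip} is inside "
                                f"{server.name}'s DHCP pool")
    return problems


def wan_notes(home: Site, remote: Site) -> List[str]:
    """The travel router may sit behind hotel NAT; the home side must be reachable."""
    notes = []
    if is_rfc1918(home.wan_ip):
        notes.append(f"{home.name} WAN {home.wan_ip} is private: the home router is behind "
                     "another NAT and cannot accept the tunnel without port forwarding there")
    if is_rfc1918(remote.wan_ip):
        notes.append(f"{remote.name} WAN {remote.wan_ip} is private (hotel NAT); fine, it dials out")
    return notes


# Constructed sample sites using the addresses quoted in the thread.
# 203.0.113.10 is a documentation address standing in for the SOHO's public IP.
FIRST_ATTEMPT_HOME = Site("Surf SOHO", "203.0.113.10", "192.168.1.0/24", "192.168.1.1",
                          ("192.168.1.20", "192.168.1.50"))
FIRST_ATTEMPT_REMOTE = Site("Surf on the Go", "192.168.52.146", "192.168.1.0/24", "192.168.1.100",
                            ("192.168.1.70", "192.168.1.90"))
L3_HOME = Site("Surf SOHO", "203.0.113.10", "192.168.5.0/24", "192.168.5.1", ("192.168.5.20", "192.168.5.50"))
L3_REMOTE = Site("Surf on the Go", "192.168.52.146", "192.168.6.0/24", "192.168.6.1", ("192.168.6.20", "192.168.6.50"))
# Yaw Theng's bridged plan; the home pool range is an assumed placeholder.
BRIDGE_HOME = Site("Surf SOHO", "192.168.52.52", "192.168.60.0/24", "192.168.60.1",
                   ("192.168.60.10", "192.168.60.200"))
BRIDGE_REMOTE = Site("Surf on the Go", "192.168.52.146", "192.168.60.0/24", "192.168.60.254", None)

if __name__ == "__main__":
    for label, check, pair in [("first attempt, routed", check_l3_plan, (FIRST_ATTEMPT_HOME, FIRST_ATTEMPT_REMOTE)),
                               ("fixed, routed", check_l3_plan, (L3_HOME, L3_REMOTE)),
                               ("bridged", check_l2_bridge_plan, (BRIDGE_HOME, BRIDGE_REMOTE))]:
        print(label, "->", check(*pair) or "OK", wan_notes(*pair))
```

Running the script reports the overlap that broke the first attempt (both sides on 192.168.1.0/24), passes the 192.168.5.x / 192.168.6.x routed plan, and passes the bridged plan while noting that the 192.168.52.x WAN addresses in the sample diagram are private, which only works because both routers there are on the same lab network; at a real hotel, the home SOHO still needs a reachable public WAN.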

Hi Kandralla,

I have posted the sample configurations for both the Surf SOHO and the Surf on the GO.

Surf SOHO:



Surf on the GO:


Thanks.

Regards,
Yaw Theng

How can a WAN IP address start with 192.168? This is a private IP range.

I have the same hardware: Surf OnTheGo for traveling and a Surf SOHO at home. If I understood the last point, then this configuration offers free VPN service. That is, in the hotel while traveling, I don’t need VPN client software for PPTP or L2TP/IPsec or OpenSSL to connect to any of hundreds of public VPN providers. When traveling, I can instead use PepVPN in the SurfOnTheGo to connect to the Surf SOHO at home. Then, all devices connecting to the SurfOnTheGo get the same VPN protection offered by Witopia, PureVPN, Tunnelbear, Express VPN, Hidemyass, etc. etc. And, no need to bother with the PPTP VPN server or the L2TP VPN server offered by the Surf SOHO.

Did I understand this correctly? Sounds too good to be true. Thank you.

Exactly Michael. If you already have the SOTG, you could simply establish a PePVPN tunnel to your SOHO to access the internet securely through the VPN instead of (in your example) hotel’s network.