videonerd

join:2007-01-21

VPN for homes but each retain own internet

I'm sure I'm not the only person who's thought of this, I just don't know what it's called... Our family's spread out across the country but is there a way to configure the routers to pass LAN traffic to each other so we can share printers, files, etc. but yet each house retain their Internet connection? Neither the parental units nor sibling are tech savvy, thus why I want the set-it-and-leave-it config if possible.

Now, I understand that iTunes Home Sharing only works within a subnet and not across VPNs? I want access to my entire iTunes library while I'm on the road with my laptop.

So... something like
if 192.168.x.x then send through VPN
else send to yonder fluffy cloud

Network config (all cable, dyn IP w/DDNS):
Me: Juniper SSG5, Mac & PC
Parents: WRT54g w/ Tomato, PC
Sister: Asus N16 w/ Tomato, Mac

Any help would be appreciated! Thanks!


SoonerAl
join:2002-07-23
Norman, OK
Well you can certainly access your entire iTunes library with iCloud from a Mac or PC or iOS device...

»www.apple.com/icloud/features/

As far as creating and/or sharing access to documents, photos, videos, music, etc with your parents/sister you can also do that with SkyDrive or Google Drive.

»windows.microsoft.com/en-US/skyd···download
»www.google.com/intl/en/drive/sta···dex.html

I don't have a need to print remotely so I have no suggestions for that. Hamachi (free for personal use) VPN might work for that along with file sharing. I have never used it so as always YMMV...

»secure.logmein.com/products/hamachi/

The TeamViewer VPN function may also work for you...

»www.teamviewer.com

The BBR VPN forum for further help with VPNs...

»Virtual Private Networking


NetFixer
join:2004-06-24
The Boro
reply to videonerd
said by videonerd: [quotes the original post in full]

For a single VPN connection, you can simply set up the VPN client to not use the VPN connection as the default gateway (as shown in the screen shot of one of the VPN connections on my notebook below). With the VPN client set up that way, all normal Internet traffic goes through whatever Internet connection is in use, and all traffic for the LAN in my office goes through the VPN tunnel.




Since I am currently using that notebook, and it is connected to my guest router (which is totally isolated from my LAN), I connected to my LAN via that VPN link so that I could show you how it works:


C:\>ipconfig /all
 
Windows IP Configuration
 
        Host Name . . . . . . . . . . . . : RWS-6325
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Wireless Network Connection 8:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
        Physical Address. . . . . . . . . : 00-1A-73-67-2C-DC
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.18
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 2601:5:c80:56:2d63:7369:b3dd:d58c
        IP Address. . . . . . . . . . . . : 2601:5:c80:56:21a:73ff:fe67:2cdc
        IP Address. . . . . . . . . . . . : fe80::21a:73ff:fe67:2cdc%6
        Default Gateway . . . . . . . . . : 192.168.10.1
                                            fe80::a221:b7ff:fe9c:602%6
        DHCP Server . . . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.1
                                            fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        Lease Obtained. . . . . . . . . . : Thursday, January 24, 2013 08:56:25
        Lease Expires . . . . . . . . . . : Friday, January 25, 2013 08:56:25
 
PPP adapter DCS SRV-VPN:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.9.209
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.9.2
                                            75.75.76.76
        Primary WINS Server . . . . . . . : 192.168.10.2
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%4
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled
 
Tunnel adapter Automatic Tunneling Pseudo-Interface:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : C0-A8-09-D1
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5efe:192.168.9.209%2
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled
 
Tunnel adapter Automatic Tunneling Pseudo-Interface:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : C0-A8-0A-12
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5efe:192.168.10.18%2
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled
 
C:\>tracert www.dslreports.com
 
Tracing route to www.dslreports.com [209.123.109.175]
over a maximum of 30 hops:
 
  1    <1 ms    <1 ms    <1 ms  ap2.dcs-net [192.168.10.1]
  2    31 ms    28 ms    18 ms  67.177.172.1
  3    11 ms     9 ms    12 ms  68.85.50.125
  4    12 ms    12 ms    16 ms  162-151-9-21-static.hfc.comcastbusiness.net [162.151.9.21]
  5    13 ms    12 ms    11 ms  ae-3-0-ar01.goodslettvll.tn.nash.comcast.net [68.86.148.69]
  6    21 ms    19 ms    21 ms  pos-5-8-0-0-cr01.56marietta.ga.ibone.comcast.net [68.86.94.125]
  7    44 ms    35 ms    35 ms  he-0-10-0-0-cr01.ashburn.va.ibone.comcast.net [68.86.89.177]
  8    51 ms    47 ms    47 ms  he-0-12-0-0-cr01.newyork.ny.ibone.comcast.net [68.86.85.30]
  9    42 ms    42 ms    40 ms  173.167.58.26
 10    45 ms    41 ms    42 ms  0.e1-4.tbr1.oct.nac.net [209.123.10.122]
 11    43 ms    42 ms    46 ms  vlan804.esd1.oct.nac.net [209.123.10.2]
 12    42 ms    41 ms    41 ms  www.dslreports.com [209.123.109.175]
 
Trace complete.
 
C:\>tracert rws-wks.dcs-net
 
Tracing route to rws-wks.dcs-net [192.168.9.100]
over a maximum of 30 hops:
 
  1     *        *        *     Request timed out.
  2    21 ms   119 ms    19 ms  rws-wks.dcs-net [192.168.9.100]
 
Trace complete.
 



The above ipconfig information shows that I have both a public Internet connection, and a separate VPN tunnel to my LAN. The traceroutes show that a connection to an Internet site uses the public Internet directly, but a connection to my Windows XP workstation on the LAN goes through the VPN (the multiple ms transit times are the clue that the LAN traceroute goes out to the Internet through the VPN; a direct connection to the LAN would show transit times of <1 ms).

I have never tried to set up a pseudo wide area VPN by simply using multiple VPN sessions on a single PC, but that might work. The caveat would be that each of the VPN endpoints would need to be on a separate private IP subnet; if everyone uses 192.168.1.x/24 it will not work (nor will it work for even a single VPN session if both the client and host have the same IP subnet).

Anytime I have worked with VPNs that are used to create a distributed LAN, it was always done by having the remote locations connect to a master host VPN server, and that server would handle the routing between the remote clients if that was needed (and the remote VPN clients would need to be set up so that the VPN connection was not their primary gateway). And again, each of the VPN endpoints needs to be on a different private IP subnet. In your case, since you have a Juniper SSG5, that box should be able to handle the task of being the master VPN server for all of the remote clients (and if you don't need communication between the VPN clients, that would greatly simplify the Juniper SSG5 setup).

Once IPv6 becomes the primary transport, such things will be simplified, but for now (especially if some clients are mobile, and don't always have control over the connection being used), that is just something to look forward to, and not a viable option for most people.


videonerd

join:2007-01-21
reply to videonerd
I expect to use my SSG5 as the VPN server and the rest of the family would connect to it as it has ample CPU power to handle the traffic.

A full-time VPN from their Tomato'd routers to the SSG5 isn't the difficult part... it's the fact I don't want their Internet traffic to pass through my connection as well, but done in the router and not the computers. Connecting computers to the VPN is easy peasy and I've done exactly what you're doing with the default gateway unchecked, thank you very much for the screencaps though, hopefully others can benefit from it. It's the "allow-only-LAN-traffic-in-the-VPN-only" part that I was wondering about, whether it can be done in the router. As in, "if 192.168.1.x route to VPN, else out to the public Internet."

Heck, might as well do Dropbox, and use Google's remote printer utility...

HELLFIRE
join:2009-11-25
reply to videonerd
Was going to suggest site-to-site VPN as well, but sounds like you got it set up already videonerd.

Only thing left is, as you say, not routing WRT or Asus internet traffic thru the SSG5. If there was another SSG5, the config's easy enough, not sure how to do it thru Tomato. You may want to check in a Tomato forum or manual.

Regards

videonerd

join:2007-01-21
I also have a Firebox x10e I got when a business threw it out but subscription's expired... not sure what it can do without one.


stcbus
@ohio-state.edu

You want a split-tunnel VPN...as mentioned, you just don't have it change the default gateway.

What VPN are you planning on using for the connection? Tomato doesn't really support IPSec (apparently it is there in some builds, but very experimental, no GUI, etc.) and the SSG doesn't support OpenVPN. PPTP I guess would work it's just not great.
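The rule the posts above describe (NetFixer's "VPN is not the default gateway", videonerd's "if 192.168.1.x route to VPN, else out to the public Internet", and stcbus's "split-tunnel VPN") is nothing more than a routing table in which the ISP default route stays put and one route per remote LAN points at the tunnel interface. The Python below is an added example, not code from any poster, from Tomato, OpenVPN or the Juniper SSG5; it models such a table with longest-prefix matching so the two behaviours (and NetFixer's subnet-overlap caveat) can be seen side by side. The interface names (vlan2, br0, tun0), the three /24 subnets and the 203.0.113.1 gateway are assumptions chosen for illustration.

```python
"""Split-tunnel vs full-tunnel routing, simulated with longest-prefix match.

Added example for this thread (not code from any poster, nor from Tomato,
OpenVPN or the Juniper SSG5). Addressing below is hypothetical:
  parents' house (Tomato router)       192.168.10.0/24 on br0 (own LAN)
  videonerd's LAN behind the SSG5      192.168.9.0/24  via tun0
  sister's LAN, routed by the SSG5     192.168.11.0/24 via tun0
  ISP gateway                          203.0.113.1 (a TEST-NET-3 documentation address)
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str                     # egress interface
    via: Optional[str] = None      # next hop; None = directly connected / point-to-point
    metric: int = 0                # lower wins on an equal-length prefix


def net(s: str) -> IPv4Network:
    return ipaddress.ip_network(s)


# Split tunnel: the ISP default route is kept, only the remote LANs use tun0.
SPLIT_TUNNEL: List[Route] = [
    Route(net("0.0.0.0/0"), "vlan2", via="203.0.113.1"),   # Internet stays on the ISP link
    Route(net("192.168.10.0/24"), "br0"),                  # own LAN
    Route(net("192.168.9.0/24"), "tun0"),                  # remote LAN -> VPN
    Route(net("192.168.11.0/24"), "tun0"),                 # remote LAN -> VPN
]

# Full tunnel: what you get if the VPN is allowed to become the default gateway
# (OpenVPN "redirect-gateway", or Windows "Use default gateway on remote network").
FULL_TUNNEL: List[Route] = [
    Route(net("0.0.0.0/0"), "tun0"),
    Route(net("192.168.10.0/24"), "br0"),
    Route(net("192.168.9.0/24"), "tun0"),
    Route(net("192.168.11.0/24"), "tun0"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match. On equal prefix length the lower metric wins,
    then the earlier entry (a real kernel refuses the duplicate outright)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr not in r.prefix:
            continue
        if best is None or (r.prefix.prefixlen, -r.metric) > (best.prefix.prefixlen, -best.metric):
            best = r
    return best


def egress(table: List[Route], dst: str) -> Optional[str]:
    """Interface a packet to dst leaves on, or None if the table has no match."""
    r = lookup(table, dst)
    return r.iface if r else None


def overlapping_lans(lans: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of sites whose LAN prefixes overlap. Such a pair cannot be told
    apart by the routing table, so a VPN between them cannot work."""
    items = [(site, net(prefix)) for site, prefix in lans.items()]
    clashes: List[Tuple[str, str]] = []
    for i, (a, na) in enumerate(items):
        for b, nb in items[i + 1:]:
            if na.overlaps(nb):
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    for dst in ("209.123.109.175", "192.168.9.100", "192.168.11.20", "192.168.10.5"):
        print(f"{dst:>16}  split -> {str(egress(SPLIT_TUNNEL, dst)):<6} full -> {egress(FULL_TUNNEL, dst)}")
    print(overlapping_lans({"me": "192.168.9.0/24", "parents": "192.168.10.0/24", "sister": "192.168.11.0/24"}))
    print(overlapping_lans({"me": "192.168.1.0/24", "parents": "192.168.1.0/24", "sister": "192.168.11.0/24"}))
```

Run stand-alone, the first four lines show an Internet address (the dslreports host from NetFixer's traceroute) leaving on vlan2 under the split table but on tun0 under the full table, while the two remote LANs leave on tun0 in both; the last line shows the overlap detector flagging two houses that both use 192.168.1.0/24. With a duplicate prefix the directly connected LAN route wins the lookup and hosts on the far side are simply unreachable through the tunnel, which is the failure NetFixer warns about. On the Tomato/OpenVPN side the split table corresponds to a client configured without redirect-gateway and with one route line per remote LAN (or the SSG5 side pushing those routes); on a Windows client it is the "Use default gateway on remote network" box left unticked.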

HELLFIRE
join:2009-11-25
reply to videonerd

If the device works with the current software, and there's no "time-limited licences," there's really nothing to lose by dropping in the firebox and playing with it. If not, happy to give you my address where you can ship it to videonerd

Regards