Bridging Two LANs through a VPN

Discussion in 'Tomato Firmware' started by geekjock, Jun 23, 2009.

  1. geekjock

    geekjock Network Guru Member

    My girlfriend and I have a commuter relationship and thus maintain two homes some distance apart. It would be very useful to us if the two home networks could be combined into one. The idea is to be able to access shared folders on each other's computers, share printers, and ideally have the TiVoHDs see each other on the same subnet, in both directions.

    We have two almost identical setups: cable modem to WRT54GL router, to desktop running XP, VOIP phone adapter, TiVoHD (all wired).

    I would appreciate comments and suggestions on my progress thus far: I have installed Tomato 1.25 with VPN GUI on both routers, and set static IPs for all devices. Everything working great for individual networks.

    Home 1 has router IP as, subnet mask, static DNS to OpenDNS. DHCP and static devices in the range of - 199, WINS Router name and hostname both "Home1", domain name "homelan".

    Home 1 VPN tunneling has Server 1 set to TAP, UDP, port 1194, firewall automatic, authorization TLS, tls-auth bi-directional, client address pool DHCP selected. No advanced settings made. All keys generated on my desktop and pasted into the gui.

    Home 2 has the same settings, except the router IP is, and the DHCP and static devices are - 149. Router name and hostname both "Home2" and domain name "homelan".

    Home 2 VPN tunneling has Client 1 set to TAP, UDP, server address "" (updated by DDNS), port 1194, firewall automatic, authorization TLS, tls-auth bi-directional, server on the same subnet selected. No advanced settings, keys entered as before.

    When I start the server and client on the respective routers, the client appears in the server status with a real address, port 2049, and no virtual address. The client status shows a table under General Statistics, so it seems the VPN is established.

    All input from you experts gratefully accepted. I have done a lot of reading and have not been able to find clear instructions on how to achieve my aim. Assuming I've done everything correctly, what next? TIA
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You haven't said what isn't working for you :wink: Can you ping the opposite router? Computers (by IP) on the opposite LAN?

    For the record, I think things could be a lot cleaner if you used TUN and kept the two on separate subnets. You wouldn't be able to browse Network Neighborhood to find the computers, but they could be accessed by name or IP (eg, \\GFComputer\ or \\\). Actually, this is how I have things set up with my girlfriend's LAN in a similar situation.
  3. ifican

    ifican Network Guru Member

    So what you are asking is the reason MPLS was developed. Though there are no SOHO implementations of MPLS, you can accomplish close to what you want as SgtPepperKSU states.

    I believe what you are seeing is phase 1 of the tunnels completing, but because you are trying to use the same network on both sides of the tunnel (i.e. same networks on both sides of the router, which is not possible) phase 2 is not completing and thus the tunnel is not being established. Just create the VPN with different subnets on either side and simply browse via the IP as stated above.
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It is possible to have the same subnet on each endpoint, and that is what TAP is typically used for. But, having that setup is error-prone and difficult to work the kinks out because of all the complications that arise. TUN with separate subnets does what people want 95% of the time, and is much easier administratively.
  5. geekjock

    geekjock Network Guru Member

    Thanks for the replies. I set the system up late last night and was too tired to do testing. I shall do so later today, after work. I'll try pinging, etc. and report back.

    So far the consensus is that separate subnets are easier and more reliable. The only reason I was shooting for a common subnet was to enable multi-room viewing (MRV) on the TiVos. See and . Must the TiVos have the same gateway?

    In reality, MRV is not very practical, due to bandwidth limits, especially in hi-def. So it becomes more of an intellectual challenge!

    I meant to ask: are any special settings needed for Windows machines on the network, in terms of workgroups/domains/names/etc?
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Indeed, TiVo MRV looks to be one of the times a common subnet would be necessary. This is because MRV uses broadcast requests to discover other TiVo devices rather than allowing you to configure them manually.

    If you want to go that route (though, as you mention, MRV will likely be unusable due to bandwidth), then we'll have to start with what's working and what's not. Then, we'll try and figure out why those areas aren't working for you.

    It's probably best not to use the same names for two computers, and having the same workgroup would probably make things smoother when searching for Windows shares.
  7. geekjock

    geekjock Network Guru Member

    Done some experimenting and testing, so here is some feedback on my setup described above.

    TAP does not appear to work, even though the routers' VPN status shows the link. I am not able to ping any devices through the tunnel. I can't help feeling that there is some subtlety I've missed in my ignorance, that cannot be remedied by changing an appropriate setting.

    TUN does allow me to ping devices from the client router to devices behind the server router, but not vice versa. Is this expected? Also, the PC behind the client router seems to drop off the network when the VPN is started - it disappears from the device list and I cannot access it by my normal method of VNC over the internet. When the VPN is stopped, it comes back.

    I am somewhat hamstrung in my testing efforts by being at the server end, and only seeing the client side remotely. Due to WAF, I don't want to involve girlfriend! I also have to be careful not to hang up her system, because she is running a business, and that comes first.

    Anyway, I want to express my appreciation to SgtPepperKSU and others for creating these great tools, and then taking so much time to support them - thanks!
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Can you ping the router client itself?
    Could you post the routing table from the client and server while the VPN is connected (Advanced->Routing from WebGUI, or "route -n" from ssh/telnet shell)?
    That is expected if you have the "NAT" checkbox selected on the client. If you want to be able to initiate connections on both sides, then you'll need to uncheck that box on the client and fill in the "Client-Specific Options" section of the server.
    Do you have "Direct clients to redirect Internet traffic" selected on the server or "Redirect Internet traffic" selected on the client? If so, then you will not be able to make any connection to the client router (or connected computers) directly from the internet. In this case, you'll have to VPN through the tunnel. This is because the return traffic for your connection is Internet-bound and is routed through the tunnel and sent through your server router. Things don't work well when you send traffic to one IP and receive the response from another :wink:
  9. baldrickturnip

    baldrickturnip LI Guru Member

    I have 2 networks connected via the Tomato OpenVPN. One network has the Tomato VPN running as a client, and its WAN is actually on another network with an ADSL gateway.

    The other network is behind a Tomato router running the VPN server with client-to-client as an option, and it controls a WiMAX modem.

    Both networks are on the same subnet, and the VPN server has a pool of 5 IPs it hands to clients. All the devices on the network are manually assigned IPs.

    I have a machine elsewhere running the Windows OpenVPN client, which connects to the server also and runs The Dude, and each device is pinged every 5 mins to see that they are powered up. Most of the devices are IP cameras, and there are 3 Windows machines running as network video recorders and viewers. Security at both sites can monitor cameras at each site.

    I also connect to the server and VNC to the Windows machines, or HTTP to the camera GUIs, for any problems that arise or to check on recording operation.
  10. geekjock

    geekjock Network Guru Member


    I've been distracted with travels and so on, but today had some time to fiddle. I can report that I have successfully established a TAP bridge per my ambition in the original post. So I want to give some feedback that I hope will be useful to others.

    The following changes were made: On the Server side, Basic tab - unselect DHCP for Client address pool, and manually enter a range that covers all possible devices at both sites, to in my case. Under Advanced, select both Manage Client-Specific Options and Allow Client<->Client.

    On Client side - no changes.

    The result is that I have bidirectional communication across sites. Devices are visible to each other and shared folders can be accessed at their network IP addresses. The most amazing part is that the TiVos now see each other, can stream media from the other and also from all computers running TiVo software - amazing!

    In reality this is an easy setup, thanks to Tomato, OpenVPN and the GUI. Once again, my appreciation for the creators and those willing to support and answer questions.
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great! I'm glad you found a solution you are happy with!

    Have you actually tried watching a Tivo video streamed across the tunnel? Does it automatically scale back the quality? If so, what kind of quality are you able to get? If not, is there any stuttering?
  12. anik

    anik Addicted to LI Member

    Can you explain further?

    Are you speaking about the option “Create NAT on Tunnel” in the VPN Client configuration (BASIC Tab)? If so I really wish you’d elaborate a bit on this to help us understand exactly what it does, and when it should or should not be used.

    The reason I asked is, we have it checked and yet (after adding some configuration options on the server side) we are in fact able to connect to devices connected to the same network as the WAN port on the client side (in other words, devices not plugged into the Tomato router, but rather into the same primary router that the Tomato router’s WAN port is connected to). I’ve never fully understood that option and when it should or should not be used (and what might change if I were to uncheck it), so would like to see that explained more fully. Thanks.
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yah, that's the option I'm referring to. When it is selected a NAT is created on the client end of the VPN tunnel. This makes all traffic coming from the client LAN look like it is originating from the client router.

    This is needed if you don't set up the "Client-specific options" on the server router since, without that, all the server router knows about is the client router's VPN IP address (it won't know to send return traffic bound for the client LAN over the tunnel).

    If you do set up "Client-specific options", the server router is perfectly capable of talking directly with the client LAN without the need for a NAT. I suppose the NAT won't cause any harm, but it isn't needed any more and adds unnecessary complication.
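    As an added illustration of what the GUI options discussed in posts #10 and #13 correspond to in raw OpenVPN directives (this is example configuration, not the thread's own or the file Tomato generates): the TAP bridge layout geekjock ended up with, alongside the TUN alternative in which a client-specific options file replaces the NAT on the tunnel. Subnets, pool range and the client certificate name are assumed placeholders, since the thread does not give them.

```conf
# ===== TAP bridge, the layout described in post #10 (server side) =====
# Assumed addressing (placeholders, not the thread's): both homes use
# 192.168.1.0/24 and the server-site router is 192.168.1.1.
dev tap
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0            # "tls-auth bi-directional"; the client uses direction 1
# "Client address pool: DHCP" unselected, so a fixed range is handed to the
# tap interface of each connecting client. Addresses in this range are used
# by the clients, so no fixed host at either home should be given them.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
client-to-client             # "Allow Client<->Client"
client-config-dir ccd        # "Manage Client-Specific Options"

# ===== TUN alternative from post #13: separate LANs, no NAT on the tunnel =====
# Assumed: tunnel network 10.8.0.0/24, client LAN 192.168.2.0/24 and client
# certificate CN "home2" (all placeholders).
# --- server.conf excerpt ---
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.2.0 255.255.255.0       # kernel route: client-LAN traffic goes into the tun device
# push "redirect-gateway def1"        # "Direct clients to redirect Internet traffic";
#                                     # post #8 explains why this stops direct access
#                                     # to the client router from the internet

# --- ccd/home2 (file named after the client's certificate CN) ---
iroute 192.168.2.0 255.255.255.0      # tells OpenVPN which connected client owns that LAN
# Without this iroute the server only knows the client's tunnel address, so
# replies bound for 192.168.2.x have nowhere to go. "Create NAT on Tunnel" on
# the client hides the LAN behind the client router instead; with the iroute
# in place it is no longer needed.
```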
  14. geekjock

    geekjock Network Guru Member

    TiVo-to-TiVo transfers work by transferring the show from one hard drive to the other over the network. There is no quality adjustment or scaling, just a straight copy. During the transfer, one is able to watch the show on the receiving end up to the progress point. If the copy speed is faster than realtime, then you can essentially watch it immediately. If slower, the playback pauses with a message that you have to wait for more to transfer. Transfer over the VPN is much slower, so best let it run overnight!
  15. geekjock

    geekjock Network Guru Member

    The “Create NAT on Tunnel” option only appears when using a TUN interface type. In my case I am using TAP, and the option is therefore not relevant for me.