Looking at setting up a VPN between home and office

I can't say I have but what if OP decides to work from parents or Starbucks? Carrying a USG wouldn't work and a "simple" router VPN solution for a road warrior would by far be a better solution and scale better compared to providing every home worker a USG.

That's before any of us get into using SMB/CIFS mounts over a WAN connection, VPN or not it'll be painful for anything more than a small document.

:)

As the Germans would say, “Jaein”

The original problem was for a single site to site VPN. Which morphed into someone using 3 monitors, so I think we can rule out the ‘road warrior’ option.

A suggested solution was to use the USG to USG VPN solution built into the Unifi controller. That creates a bridging tunnel between the two USGs and does NAT so that all devices appear to be on the originating network. It does this because USGs tend to like to be 192.168.1.1/24 and two 192.168.1.x/24 isn’t going to work. So it NATs the remote side of the connection. So if you want to access a remote NAS, you still can, by its NAT’d IP address, and the speed of the connection will be limited only by the slowest aspect of the connection (usually uplink in the UK). It’s a really straightforward system.

So yes, I agree. The Draytek type L2TP/IPSec option is indeed the best option for a single remote user/road warrior, and I would still hold that the USG to USG proprietary UBNT VPN single click solution is the better option for the challenge set by the OP.
 
:)
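The overlapping-subnet problem described above, as an added example that is not from this thread or from Ubiquiti: both sites sit on 192.168.1.0/24, so the remote side is presented through a non-overlapping translated prefix. The host-preserving 1:1 mapping and the candidate prefix 10.255.1.0/24 are assumptions for illustration, not the USG's actual NAT scheme.

```python
import ipaddress

def overlapping(a: str, b: str) -> bool:
    """True when the two site prefixes share any address (e.g. two 192.168.1.0/24)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def choose_translated_net(local_net: str, remote_net: str, candidates):
    """Pick the first candidate prefix that clashes with neither site, or None."""
    for cand in candidates:
        if not overlapping(cand, local_net) and not overlapping(cand, remote_net):
            return cand
    return None

def nat_remote(host: str, remote_net: str, translated_net: str) -> str:
    """Map a host in the remote site's real prefix onto its 1:1-translated
    address in the non-overlapping prefix, keeping the host part unchanged.
    (Assumed mapping: 192.168.1.50 -> 10.255.1.50.)"""
    remote = ipaddress.ip_network(remote_net)
    translated = ipaddress.ip_network(translated_net)
    if remote.prefixlen != translated.prefixlen:
        raise ValueError("1:1 NAT needs prefixes of the same size")
    addr = ipaddress.ip_address(host)
    if addr not in remote:
        raise ValueError(f"{host} is not inside {remote_net}")
    offset = int(addr) - int(remote.network_address)
    return str(translated.network_address + offset)

if __name__ == "__main__":
    # Constructed scenario: home and office both use the USG default prefix.
    home, office = "192.168.1.0/24", "192.168.1.0/24"
    print("overlap:", overlapping(home, office))
    xlate = choose_translated_net(home, office, ["192.168.1.0/24", "10.255.1.0/24"])
    print("translated prefix for office:", xlate)
    print("office NAS 192.168.1.50 is reached at", nat_remote("192.168.1.50", office, xlate))
```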
You missed my point. Samba performance decreases as latency increases. Over a WAN link the latency will likely be the limiting factor at the office end. Local shares work great on a LAN due to low latency but once you start doing that over the web you get heavily limited.

The OP mentioned currently the setup was purely for them but in the future "who knows". Future scale is easy to accomplish with a "real" VPN server at the office. A USG to USG solution would serve fine for now but again, scale into the future would be virtually non-existent as it's unrealistic.

The comment also about the USG tunnel being "enough" but if wanted you could go all out L2TP/IPSEC and having done enough for due diligence? Seriously this guy is handling peoples intimate financial details. I don't think "enough" is really something we should be specifying in good faith. Absolute best should be the top of the tree.

The USG is great I certainly won't argue that toss but in a "what fits best" the USG really isn't something that should be specced for a business router in this case just because it is "easy" to set a tunnel up from A to B.
 
I may well have misunderstood your point, but I’ve actually used the solution I’m proposing. And it’s good. It delivers exactly what the OP wanted.

What shocks me is that someone like yourself, who is actively interested in this stuff, hasn’t had even a cursory look at what I’m suggesting. It is a secure link.

“UniFi Security Gateway Manual” said:
In UniFi the Auto IPsec VTI configuration allows an admin to create a VPN between two UniFi Security Gateways that are adopted into the same controller. Creating this VPN in the UniFi dashboard automatically configures the following:

  • Sets the peer IP on each side of the tunnel to match the WAN interface address.
  • Adds the remote networks for each site.
  • Provisions a VTI interface on each USG to use for the VPN. Auto VPN VTI interfaces start with vti0 and increment as vti1, vti2, and so on, as more auto-VPNs are added.
  • Dynamically tracks IP changes on WAN.
  • Provisions a strong, randomly generated pre-shared key between the two USGs.

Sure, there are issues with the USG and the UniFi controller. On the other hand, when UniFi works, it really works. And this just works.
 
SMB3 is much better behaved over WAN latencies, so as long as you can keep things below around 40ms you can get away with just browsing file shares in Explorer
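A rough model of the latency point made in the two posts above (file-share performance falling as WAN latency rises, and pipelined SMB3 coping far better), as an added example not from this thread. The 64 KiB request size, the outstanding-request counts and the 100 Mbps uplink are assumed parameters; TCP effects are ignored.

```python
def link_bytes_per_s(link_mbps: float) -> float:
    """Convert a link rate in Mbit/s to bytes per second."""
    return link_mbps * 1_000_000 / 8

def smb_throughput(rtt_ms: float, outstanding: int,
                   request_bytes: int = 65536, link_mbps: float = 100.0) -> float:
    """Estimated bytes/s for a request/response file protocol.

    With `outstanding` requests in flight, at most outstanding*request_bytes
    can move per round trip; the link rate caps the result. outstanding=1
    models stop-and-wait behaviour, a larger value models SMB3 credits.
    """
    rtt_s = rtt_ms / 1000
    latency_bound = outstanding * request_bytes / rtt_s
    return min(latency_bound, link_bytes_per_s(link_mbps))

def max_rtt_for_link(outstanding: int, request_bytes: int = 65536,
                     link_mbps: float = 100.0) -> float:
    """Largest RTT (ms) at which the protocol can still saturate the link."""
    return outstanding * request_bytes / link_bytes_per_s(link_mbps) * 1000

if __name__ == "__main__":
    # Constructed comparison around the ~40 ms figure mentioned in the thread.
    for rtt in (1, 10, 40, 100):
        one = smb_throughput(rtt, 1) / 1e6
        many = smb_throughput(rtt, 32) / 1e6
        print(f"RTT {rtt:>3} ms: 1 outstanding {one:5.2f} MB/s, 32 outstanding {many:5.2f} MB/s")
    print(f"stop-and-wait saturates 100 Mbps only below {max_rtt_for_link(1):.2f} ms")
    print(f"32 in flight saturates 100 Mbps up to {max_rtt_for_link(32):.2f} ms")
```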
 
I think I appreciate the sentiment there? Lol.
My finger has been off the pulse for 3 months and much like others when you find a solution that really works then you stick to it (mine is my CHR doing L2TP/IPSEC). Sadly I am no longer involved with UBNT daily so the motivation is weak.


If that's the case then golden. I must not be running 3 on my Filestore (high possibility).
 
If SMB were a problem over a VPN then doesn't the NAS support other methods of downloading/uploading files? Such as owncloud.
 
I certainly meant it as a compliment, even if it didn't come across quite like that. I very much appreciate your skill and I've watched and learned from all your MikroTik classes on YouTube, so please accept my apologies if I implied any disrespect or caused any offence.
 
No not at all. We're all friends here :D