[lexridge]

I recently purchased a new home but will not be moving in for at least another month. I have two EA8500 routers, one at my current residence and one at the new residence, connected to two different ISPs. The internal subnets are the same but no IPs will ever overlap. Both places have home automation devices installed. I am wanting to access these devices and map them into Home Assistant at my current location, transparently in order to continuously monitor the new place. Also cameras are involved as well which will be mapped into MotionEye.

Because they both share the same subnet, once I do get moved into the new place, everything should just work by default when all is moved to that location. However, I fear that because both are on the same subnet, using Wireguard may not be possible. But hopefully I am wrong.

I have many questions about this, such as can one DHCP server serve both houses through the Wireguard connection, but until I know for sure whether or not this can even be done, there is no point in continuing until step one is completed and working.

I would not be against having each location on a different subnet, but I have so many ESP8266 devices that are hard coded IPs, that it would be a real PiTA to reprogram them all....and then again after the move. So I need this to work as is, if possible.

Any help and suggestions greatly appreciated!

[eibgrad]

WG (WireGuard), like any software, has its own limitations, so it's NOT appropriate for all situations. And one of those limitations is that it's NOT intended for bridged configurations, only routed.

Given this is only a temporary situation, seems to me it would be easier to use OpenVPN, which does support bridged (TAP) tunnels.

[lexridge]

[lexridge]

Okay I switched to OVPN. I set up the tunnel using TAP for bridging mode. Got it kinda working. I can see my devices on the remote side. However, as weird as it may seem, when connected I lose connection to my local router. I cannot even ping it, but yet the VPN is working and I can ping the remote router and devices behind it, but my local access disappears. I am sure this is something simple that I have overlooked.

I don't need to serve dhcp addresses via the VPN, in either direction as most of my IPs are static. I also want each side to maintain local Internet access since each side has really good service. I am pretty sure it's an iptables rule that I either missed or put in wrong. Not sure. I will probably give up on this for today and pick it back up tomorrow.

[eibgrad]

You need to block DHCP across the tunnel in order to ensure devices on each side of the tunnel are only configured by their local DHCP server and use the appropriate ISP. You do that using ebtables.

[lexridge]

Interesting indeed. I had enabled "Block DHCP across the tunnel" on the server side (remote) but I guess this was not good enough.

I am embarrassed to say that I have never heard of ebtables. So I Googled it, of course and found this:

"ebtables is an application program used to set up and maintain the tables of rules (inside the Linux kernel) that inspect Ethernet frames. It is analogous to the iptables application, but less complicated, due to the fact that the Ethernet protocol is much simpler than the IP protocol."

Makes sense. I will give this a shot sometime tomorrow.

Thank you!

[eibgrad]

I had forgotten about that option on the OpenVPN configuration. Presumably it's using ebtables for these same purposes. So I assume it *should* be working. Then again, it's NOT as if I tested it in the past (that option was added long after I stopped testing bridged tunnels).

[lexridge]

While I followed @egc guide(s) to do this, I did NOT add the iptables rules from his documents, as it seemed those would not be necessary for my application. Perhaps that is where I erred. I will re-read those documents and see if there is something I really needed to add to iptables. What complicates matters is the fact that each router, both local and remote, has multiple VLANs on them. I think this could be part of the problem. Can VLANs even be used through OVPN?

[eibgrad]

wrt VLANs, when the tunnel is established, its network interface is assigned to the default network's bridge (br0), both for the client and server. At that point, the behavior is just as if you had patched a virtual ethernet cable between the switches on each router. So whatever was or wasn't possible wrt other VLANs and the private network is exactly the same as before. All you're doing is *transparently* bridging the two ethernet segments from each router together.

[lexridge]

Yeah, that makes perfect sense. It was late last night and I was not thinking clearly.

So, I added the ebtables rules on both sides. However it didn't seem to make any difference. I connect just fine and can access all remote IPs. However, I lose local access to the router and no local Internet access. I am unable to look at the local EA8500 logs as I cannot connect to it at all. I can't even ping it but I can still ping everything else on the local network. Just not the router. Very weird! Here is the log from the remote server side:

[eibgrad]

[lexridge]

Everything on the remote side are static IPs, and yes, both ends are on the same internal subnet.