Requesting help with VPN Bridging

We're running a hub and spoke network at work for multiple sites. I need to set up bridges for one specific device to trick it into thinking it is part of the hub's network so it can see a device there.

The devices are unifi access hubs, unifi tried to force people into a cloud subscription for multiple sites but we had it working when I was using Dell SonicWALLs to serve as bridges so I know it can be made to work... we switched to unifi udm pros which don't do bridges, not that we want to in this environment. Wish we still had the dells, it would be overkill for this but I could make it work!

I have two options as I can see them:
Reuse some Windows 10 PCs between the hub and spokes, bridge them, and use a USB Ethernet adapter to hook up the spoke device, then DHCP it to the hub network. I've never set up two Windows machines as a bridge before, only played with Hamachi or hosting DNS/DHCP services. I couldn't find enough info on this when digging, but I did find that tinc has a Windows port...

Or

Get a cheap Linux-based solution and use tinc or similar to bridge, needing 2+ LAN ports. I've seen ~$30 VPN routers on Amazon with OpenWrt and similar that support bridging. They would go for that over a Raspberry setup hands down...

Any help is greatly appreciated.
 
Hmmm...I think I know what you're needing to do here, but not completely. Can you draw it out?

There are ways to do this with creative subnetting or other tricks. I know I had to do this once back in the day with some Cisco RV series routers and I simply made the spoke a client of the hub so it was on the same subnet.
 
Here is one of the $30 options I could see potentially working:

GL.iNet GL-AR300M16-Ext OpenWrt | 2 x Ethernet Ports | OpenVPN/Wireguard VPN | USB 2.0 Port https://a.co/hnKZldU

Thanks SamirD, I will draw it tonight.

A text version might be: I need a network device at site B to logically appear to be at the primary site A, so a similar device physically at site A can see it, using a pair of hardware solutions (buying a cheap Linux option or reusing a Windows PC) for the bridge, being the intermediaries between the sites.

Site A on the VLAN I want has an internal IP like 10.0.10.1/24, and Site B is like 10.1.10.1/24, but I want a pair of intermediate devices to bridge a single piece of hardware at Site B to appear to be at Site A with the 10.0.10.1/24 network assigned to it.

Hope that helps, I will draw it up tonight.

The UniFi hardware is intentionally limited to support only devices on the same LAN network; they are trying to force people to pay $5/user for their 'Cloud' version over WAN, but we made it work when the main WANs were controlled by the Dells, with a bridged network. But sending all of that traffic through the hub was not good for performance, and the Dells were starting to fail from age. Now we have UniFi UDM Pros connected to WAN with site-to-site VPN networks, primarily for Windows AD.
 
Got it. Yep, this is the exact same scenario I dealt with years ago.

So knowing Unifi, they probably will look for things such as being on two different subnets or routes in between, so essentially you need them to be in the same broadcast domain.

If you've got site-to-site ipsec tunnels, there should be an option for broadcasting across the tunnels. However, knowing unifi, they're going to make sure their devices won't be able to use that--hence this is probably why the Dells worked.

Since it is a single device that needs to appear like it is on the other network, you can try to do the same thing I did--make that device a client to the hub so it gets a local IP. This would probably require a dedicated network device for that device, but then in theory you should be able to make that connection over your existing tunnel, so it's actually double encrypted (I assumed this is a low bandwidth device so this won't matter). By doing this, you should be able to get that single device to connect to the hub with a hub local IP and the hub won't know the difference.

The other trick that I've heard will work is to use 'supernetting' to create a much larger flat network, where each device even across vpn tunnels is actually considered local due to the subnet mask. I've personally not made a solution based on this though, and again knowing unifi, they probably already block this too.
 
As far as bridging in Windows goes, it is supported natively. It may be hidden or locked down on certain versions, however.
 
The device is very low bandwidth; it's just a door opener that gets used a couple of times a day!

Since it is a single device that needs to appear like it is on the other network, you can try to do the same thing I did--make that device a client to the hub so it gets a local IP. This would probably require a dedicated network device for that device, but then in theory you should be able to make that connection over your existing tunnel, so it's actually double encrypted (I assumed this is a low bandwidth device so this won't matter). By doing this, you should be able to get that single device to connect to the hub with a hub local IP and the hub won't know the difference.

Spot on, that is all correct on the unifi assumptions...

The spot I'm stuck on is what device to go with: a cheap Linux router or reusing a Windows PC that is barely used. And what would the connection look like? I'm assuming the network device acting as an intermediary would be doing a site-to-site VPN bridge at both sites?

I've shared internet with Windows PCs before using their 'bridged' shared LAN stuff between 2 LAN ports in a pinch to supply internet from one PC to another, but I think the IP subnet and all changed. I know back in the day I had it working for 'LAN party' games where we were all supposed to be on the same network, but I don't know anymore. That's why I tried Hamachi, but it has its own IP list, and I'm just treading too far into the unknown now. I know UniFi is going to want the same subnets or it'll be a no-go.
 
Gotcha. Well, the feasibility of 'dialing in' will depend on if the unifi hub assigns IPs from a dedicated pool for client to server connections or if it pulls from the main one.

For example, on Netgear routers I've worked with, it's a dedicated separate pool (so I could never get it to work right seeing my network). On the Cisco RVxxx series, it used to be from the same main DHCP pool, so a device PPTPing in would be on the same network 100%. The same device over an IPsec tunnel would still need to be on a different subnet (as is the rule in IPsec tunnels), so it would not be on the same network.

What I did to get a device to be on the same network with a pair of RVxxx routers was to establish an IPsec VPN tunnel and then PPTP over that tunnel to get a local IP on the hub network. This allowed me to still have security and still have the IP. However, I think this was a very specific setup that won't work on other routers. I know I've tried it on a WatchGuard and it didn't work.

Speaking of cheap routers--if you just want to have site-to-site tunnels and bridge them, I think the WatchGuard M200 can do this, and you can get some BNIB ones on eBay for like $60/ea. They're under warranty from what I can tell, but are EOL as of the end of the year so you'd lose updates. They keep working, however, except for subscription stuff.
I've been tempted to pick up a newer one just for the warranty. You can read the entire Fireware manual online to see exactly how to set them up to bridge the interfaces and set up VPN tunnels and whatnot.

But one big question I have is what the physical and logical network layout is in your proposed solution using a Linux router or a Windows PC? I still can't figure out how a bridge there will help/work since it has to connect with the hub site.
 
Years ago I would have said something like L2TPv3 on Cisco routers, but seeing the $$ figures you're looking at, I'm guessing that's a bit much. That and DLSw were fun to play with.

OpenVPN supports bridging, but I've never used it. I don't know if it just means the client gets the layer-2 goodness, or with a second NIC, everything behind it can join the fun too (??)
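One way to do the TAP bridging asked about above, as an added example rather than any poster's configuration: with the spoke box's second NIC and the OpenVPN TAP device in one Linux bridge, every frame from the port behind it crosses the tunnel, so the door opener at site B asks site A's DHCP server for a 10.0.10.x lease and sits in the hub's broadcast domain. Assumptions not from the thread: Linux with iproute2 and OpenVPN 2.4+ at both sites, eth1 as the LAN port on each box, PKI files issued out of band, and the placeholder hostname hub.example.internal for the hub end.

```shell
#!/bin/sh
# Added example: one spoke LAN port bridged into Site A's 10.0.10.0/24 over an
# OpenVPN TAP tunnel. Assumptions (not from the thread): Linux with iproute2 and
# OpenVPN 2.4+ at both sites, eth1 as the LAN port, PKI files (ca.crt, hub/spoke
# cert+key, ta.key) issued out of band and stored beside the config, and the hub
# reachable at the placeholder hub.example.internal.
set -e

# One bridge holding the LAN port and the TAP device, so the door opener's
# frames (ARP and DHCP broadcasts included) cross the tunnel unmodified.
make_bridge() {    # usage: make_bridge <lan_if>
    ip link add br0 type bridge
    openvpn --mktun --dev tap0
    ip link set "$1" master br0 promisc on up
    ip link set tap0 master br0 promisc on up
    ip link set br0 up
}

# Site A (hub) side. A bare "server-bridge" is DHCP-proxy mode: the spoke
# device leases its 10.0.10.x address from the hub LAN's own DHCP server,
# so OpenVPN hands out no addresses of its own.
hub_config() {
    cat <<'EOF'
dev tap0
proto udp
port 1194
server-bridge
ca ca.crt
cert hub.crt
key hub.key
dh none
tls-auth ta.key 0
EOF
}

# Site B (spoke) side. Nothing here carries a Site B address; the bridge is
# only a pipe between eth1 and the tunnel.
spoke_config() {
    cat <<'EOF'
client
dev tap0
proto udp
remote hub.example.internal 1194
ca ca.crt
cert spoke.crt
key spoke.key
tls-auth ta.key 1
EOF
}
```

On the site A box run `make_bridge eth1` and write `hub_config` to /etc/openvpn/server/bridge.conf; on the site B box run `make_bridge eth1` and write `spoke_config` to /etc/openvpn/client/bridge.conf, keeping the UDP 1194 listener reachable only across the existing site-to-site tunnel. If the hub box itself needs a LAN address, it has to move from eth1 to br0 once eth1 is a bridge member.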
 