Establishing secure links between home networks via VPNs
It's straightforward on Linux. I've accomplished this with a similar setup, adding extra layers above my home and a few family members. To clarify, I have symmetrical gigabit fiber, and one of the remote links works too. I keep a centralized cloud-based connection hub to prevent issues with the dynamic IPs that WireGuard VPN connects to. By updating the routing table on edge routers, devices can establish a VPN link between each shared device, seamlessly integrating with the LAN on the other side. Both ends of the network can reach anything listed in the routing tables of both the edge and VPN (central hub), enabling communication across the connected networks. I control this using VLAN tagging via Linux, smart switches for end devices, and firewall rules on the edge routers. Mobile devices can also join the network by connecting to the VPN.
EDIT: I included a simple diagram, though it doesn't show mobile devices—just connect them to the cloud-based VPN router. Software and hardware used:
- Edge routers: ODroid H2+ (supports up to 2.5Gb Ethernet on two ports, x86 Intel Celeron J4115)
- Smart switches: TP-Link TL-SG1016PE (affordable, VLAN tagging & port assignment)
- VPN: WireGuard (fast and flexible, runs as a kernel module)
- DNS: Pi-Hole (caching, blacklists, easy Docker deployment)
- Cloud services: AWS EC2 Free Tier (t3.micro/t3.nano) – 1GB RAM, ideal for VPN gateways
Hardware:
- RAM: 8GB (suitable for VPN gateway)
- Software: Linux distro + DD-WRT (optional)
- Mobile devices: Can join via VPN connection.
This concept aligns well with a pfSense Site-to-Site IPsec setup using static routing. Implementing a hub-and-spoke model with your home as the central hub simplifies management and avoids complex client setups. Remote devices can directly connect to the tunnel without additional software. For a fully interconnected mesh network, consider dynamic routing protocols across all routers so that when tunnels establish, remote subnets become accessible automatically. Static routes in such configurations can become problematic quickly—especially with many sites. pfSense is free and effective; you just need an older x86-64 capable machine. Remote locations can use DD-WRT or Tomato alongside IPSec and BGP stacks to integrate seamlessly with pfSense.
PFSense offers a viable alternative. Instead of relying on IPsec, it provides a different approach that simplifies managing multiple clients with varying needs like mobile or laptop connections. Recent concerns have emerged about IPsec's key exchange processes and vulnerabilities in IKEv1 and IKEv2. IPsec tends to stick with a fixed encryption method, which can be exploited more easily.
On the other hand, Wireguard employs the Noise Protocol for selecting encryption and incorporates public key authentication, considered a stronger security measure. It also allows secondary symmetric keys for added verification. Wireguard performs better in terms of efficiency, offering higher data transfer rates with reduced overhead and latency.
Like IPsec, it supports multiple simultaneous connections across different network instances. Although native Wireguard integration is available via third-party modules in PFSense and is now included in newer DD-WRT versions, challenges remain such as dynamic IP address management. Using dynamic domain names could help mitigate this issue.
Updated: September 28, 2020 by Maverick38344
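As an added example, not configuration from any poster in this thread: the hub-and-spoke layout from the first post (cloud hub with a fixed name, edge routers behind dynamic addresses, every site's LAN reachable through the hub) together with the public-key plus secondary preshared-key setup described above, expressed as wg-quick configuration emitted by a small shell script. The hub hostname, transit network, site names, subnets and every key string are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not taken from the thread: emit wg-quick configs for a
# cloud hub and for one spoke edge router, so that every site's LAN is
# reachable from every other site through the hub (hub-and-spoke, with
# spoke-to-spoke forwarding done by the hub's cryptokey routing table).
# Every key, hostname, subnet and site name below is a constructed placeholder.
set -eu

HUB_ENDPOINT="hub.example.invalid:51820"   # assumed DNS name of the cloud hub
TUNNEL_NET="10.99.0"                       # assumed transit network, a /24

# Constructed site table: "<site>:<tunnel host id>:<lan cidr>"
SITES="home:2:192.168.10.0/24 parents:3:192.168.20.0/24 sibling:4:192.168.30.0/24"

site_name() { echo "${1%%:*}"; }
site_id()   { r=${1#*:}; echo "${r%%:*}"; }
site_lan()  { echo "${1##*:}"; }

# Hub: one [Peer] per spoke. AllowedIPs = spoke tunnel address + spoke LAN,
# so wg-quick installs a route for that LAN and WireGuard picks the right
# peer when forwarding spoke-to-spoke traffic. PresharedKey is the optional
# symmetric second key on top of the public-key handshake. Forwarding must be
# enabled and permitted on the hub; %i is wg-quick's name for the interface.
hub_config() {
    cat <<EOF
[Interface]
Address = ${TUNNEL_NET}.1/24
ListenPort = 51820
PrivateKey = HUB_PRIVATE_KEY_PLACEHOLDER
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT
EOF
    for s in $SITES; do
        name=$(site_name "$s"); id=$(site_id "$s"); lan=$(site_lan "$s")
        printf '\n[Peer]\n# %s\nPublicKey = %s_PUBLIC_KEY_PLACEHOLDER\nPresharedKey = %s_PSK_PLACEHOLDER\nAllowedIPs = %s.%s/32, %s\n' \
            "$name" "$name" "$name" "$TUNNEL_NET" "$id" "$lan"
    done
}

# Spoke: a single peer (the hub). AllowedIPs lists the transit network plus
# every *other* site's LAN, so those destinations are routed into the tunnel
# while the spoke's own LAN stays local. Endpoint is the hub's DNS name, so
# the spoke may sit behind NAT on a dynamic address; PersistentKeepalive
# keeps that NAT mapping open so the hub can still reach it.
spoke_config() {   # $1 = site name
    me=$1; my_id=""; allowed="${TUNNEL_NET}.0/24"
    for s in $SITES; do
        if [ "$(site_name "$s")" = "$me" ]; then
            my_id=$(site_id "$s")
        else
            allowed="$allowed, $(site_lan "$s")"
        fi
    done
    [ -n "$my_id" ] || { echo "unknown site: $me" >&2; return 1; }
    cat <<EOF
[Interface]
Address = ${TUNNEL_NET}.${my_id}/24
PrivateKey = ${me}_PRIVATE_KEY_PLACEHOLDER
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# cloud hub
PublicKey = HUB_PUBLIC_KEY_PLACEHOLDER
PresharedKey = ${me}_PSK_PLACEHOLDER
Endpoint = ${HUB_ENDPOINT}
AllowedIPs = ${allowed}
PersistentKeepalive = 25
EOF
}

# Usage: ./wg-sites.sh hub > wg0.conf   |   ./wg-sites.sh spoke parents > wg0.conf
case "${1:-}" in
    hub)   hub_config ;;
    spoke) spoke_config "${2:?site name required}" ;;
esac
```

The design point worth noticing is that the spoke never lists the other spokes as peers: it only knows the hub, and the hub's per-peer AllowedIPs is what makes one spoke's LAN reachable from another. Real deployments generate the keys with `wg genkey` / `wg pubkey` / `wg genpsk` and still need firewall rules on each edge router deciding which LAN hosts may talk across the tunnel.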
IPSEC is quite simple to set up. Configure your phase 1 and phase 2 settings on every router. Establish your VTI tunnel interfaces and define all static routes. After finishing, devices in remote subnets will be able to communicate through the IPSEC overlay network back to you. If you add static routes at remote locations to link multiple sites together, you can enable transitive routing between them.
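As an added example, not part of either post: the static-route side of the hub-and-spoke IPsec setup described in the pfSense post above and in this one (hub routes each site's LAN down that site's VTI; each spoke routes every other site's LAN down its single VTI toward the hub, which gives the transitive reachability mentioned), generated by a shell script that first refuses overlapping site subnets, the failure mode that makes such static routing break silently. Site names, subnets and VTI interface names are assumed placeholders, and the output is written as Linux `ip route` lines rather than pfSense GUI entries.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: derive the static routes a hub-and-spoke
# IPsec/VTI overlay needs so that spokes reach each other transitively through
# the hub, and refuse overlapping site subnets beforehand, because an overlap
# makes those routes ambiguous and fails silently. Site names, subnets and
# interface names are constructed placeholders.
set -eu

# Constructed site table: "<site>:<lan cidr>:<hub's VTI toward that site>"
SITES="home:192.168.10.0/24:ipsec1 parents:192.168.20.0/24:ipsec2 sibling:192.168.30.0/24:ipsec3"
SPOKE_VTI="ipsec0"   # assumed name of the single VTI each spoke has toward the hub

site_name() { echo "${1%%:*}"; }
site_lan()  { r=${1#*:}; echo "${r%%:*}"; }
site_vti()  { echo "${1##*:}"; }

ip2int() {   # dotted quad -> 32-bit integer
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
prefix_mask() {   # prefix length -> netmask as integer
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Two CIDRs overlap when their network parts agree under the shorter prefix.
overlaps() {   # $1, $2 = a.b.c.d/len ; returns 0 if they overlap
    pa=${1#*/}; pb=${2#*/}
    if [ "$pa" -lt "$pb" ]; then m=$(prefix_mask "$pa"); else m=$(prefix_mask "$pb"); fi
    [ $(( $(ip2int "${1%/*}") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

check_no_overlap() {   # $1 = site table; reports every overlapping pair, returns 1 if any
    ok=0
    for x in $1; do
        for y in $1; do
            [ "$x" = "$y" ] && continue
            if overlaps "$(site_lan "$x")" "$(site_lan "$y")"; then
                echo "overlap: $(site_name "$x") $(site_lan "$x") vs $(site_name "$y") $(site_lan "$y")" >&2
                ok=1
            fi
        done
    done
    return $ok
}

# Hub: each site's LAN goes down that site's own VTI.
hub_routes() {   # $1 = site table
    for s in $1; do
        echo "ip route add $(site_lan "$s") dev $(site_vti "$s")   # $(site_name "$s")"
    done
}

# Spoke: every other site's LAN goes down the spoke's one VTI toward the hub,
# which forwards it onward (transitive routing). The spoke's own LAN is skipped.
spoke_routes() {   # $1 = site table, $2 = this site's name
    for s in $1; do
        [ "$(site_name "$s")" = "$2" ] && continue
        echo "ip route add $(site_lan "$s") dev $SPOKE_VTI   # to $(site_name "$s") via hub"
    done
}

# Usage: ./routes.sh hub   |   ./routes.sh spoke parents
case "${1:-}" in
    hub)   check_no_overlap "$SITES" && hub_routes "$SITES" ;;
    spoke) check_no_overlap "$SITES" && spoke_routes "$SITES" "${2:?site name required}" ;;
esac
```

The route count grows as (sites minus one) per spoke plus one per site at the hub, which is the "static routes become problematic with many sites" point made above: every new site means touching every existing spoke, whereas a dynamic routing protocol over the tunnels learns the new subnet on its own.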
I appreciate the concept of PFSense and WireGuard as mentioned by Maverick38344. Linus Tech Tips has also produced videos about setting up a PFSense router, although they're no longer current. IPSec has been exposed to risks for many years, so I won't include it in my design. The remote sites don't use fixed IP addresses, and they'd rather avoid dynamic DNS solutions altogether, preferring that all network management stays on my side. Dynamic DNS features will be added in this setup. There are affordable DDNS services available.
Consider using routers that support DD-WRT instead of PFSense. Wireguard runs smoothly and uses minimal resources. I prefer Linux distributions like Debian or Ubuntu because of available packages and regular updates. These options won’t match PFSense’s speed, but they’re more affordable than dedicated x86 boards. x86 remains a solid pick; I have a 6" deep wiring cabinet and the H2+ model works well inside.
For reference:
- Device link: https://www.hardkernel.com/shop/odroid-h2plus
- Case link: https://www.hardkernel.com/shop/odroid-h2-case-type-2
Note: The 2.5Gb NIC isn’t supported by PFSense, and the RTL8125B driver is missing from current releases. You’d need Linux instead.
Alternative for PFSense users: Fully Supported Odyssey X86J4105 – https://www.seeedstudio.com/ODYSSEY-X86J...-4445.html
PFSense install includes 8GB RAM: https://wiki.seeedstudio.com/ODYSSEY-X86J4105-pfSense/
Currently the network operates with the existing gear at our residences. Our personal router is powered by an AsusWRT setup serving as the OpenVPN endpoint, set up so clients bypass routing through it. An ECS Liva X hosts five USB drives functioning as a bidirectional mirror in Windows 10 Storage Spaces. Offsite storage options include an Intel NUC with USB drives—either mirrored or not—and a Raspberry Pi acting as a NAS based on the family’s technical ability at the remote site, since none of the users opted for a paid commercial NAS. Clients connect via OpenVPN clients on their devices to Oracle VirtualBox, while the ECS Liva X manages DNS. All DHCP requests point to this DNS as a secondary host.
Looking ahead, we aim to shift many remote machines from standalone OpenVPN setups to a blend of WireGuard VPNs and OpenVPN at our home server. The remote sites will adopt a mix of WireGuard devices or Asus routers running AsusWRT with OpenVPN. This will connect the entire home network at those locations back to our primary home network.
We’ll keep utilizing a combination of Windows and Raspberry Pi NAS solutions at the remote spots. A dedicated virtual machine environment could be established at our house using tools like VMware or Unraid, enabling near bare-metal virtualization with shared storage pools. The DNS server will run on a Windows VM, while Minecraft servers and our existing Windows dedicated servers stay on Windows. A Linux VM will host Minecraft Java servers and our current Linux services.
All equipment will eventually move into a server rack integrated into our home arcade cabinet, optimizing space and cooling as described in the referenced guide. Some remote units might still rely on OpenVPN clients, and a few could use Windows Storage Spaces with mirrored drives for backup.
OpenVPN performs significantly better than PPTP on AsusWRT routers, offering faster speeds and improved security. The PPTP clients have been moved to OpenVPN for enhanced stability and easier tunnel management. You can download the client here: https://openvpn.net/community-downloads-2/