Hi all,

I wonder if someone can help as I really don't know what the answer is.    

I have multiple NordVPN 'dial out' connections running on my Vigor 2927.   I'm UK based so I have for example one pointing to France, Germany, Monaco etc.

All connections use IKEV2 and I've followed the tutorial on the Nord site.   

The bit thats confusing me is on the LAN-to-LAN profile page under TCP/IP Network settings - local network.   Should this be the IP range of LAN1 which in my case is 10.8.0.x /24? I understand that 'remote network' should be any - 0.0.0.0/0 as I presume this translates to allow all traffic out to anything via the VPN.

If I have concurrent VPN connections dialling out - should the 'local network' mask for each profile be exactly the same as LAN1 interface i.e 10.8.0.1/24 or should they be unique?

Local Network: what should this be?
Remote Network: 0.0.0.0/0

Looking at the Draytek article, it looks like the local IP is just the interface of the router, in the below example its 192.168.1.x/24

https://www.draytek.co.uk/support/guides/kb-vpnservice-nordvpn#:~:text=9.%C2%A0%20At%20TCP,to%20%220.0.0.0/0%22

https://support.nordvpn.com/hc/en-us/articles/20397988815633-DrayTek-Vigor-IKEv2-setup-with-NordVPN#:~:text=Click%C2%A0OK,traffic%20through%C2%A0NordVPN.

Thanks all

Hi Jonathan ,

If I am understanding your setup correctly...:

Local Network: what should this be?

It should be whatever your local LAN setup is. So if you have only 1 LAN Index established (in LAN >> General Setup), then this would be the 'Local Network' LAN data that you would need to enter. The reason it needs to know this info is because you could have many networks at your local end.

If you had 10 LAN indexes established and you wanted this option to be applied "(optional) Enable Change Default Route to this VPN tunnel option if you want to route all traffic through NordVPN." to only one of your LAN indexes then that desired LAN data should be entered in the 'Local Network' settings.

You can have multiple LAN-to-LAN connections between the same two sites and maintain separation by configuring the 'Local' and 'Remote Networks' in this way.

I wonder if someone can help as I really don't know what the answer is.    

Have you been able to get any of what you're trying to setup working yet?
 

Hi HodgesanDY

So to put it briefly, my network consists of a number of VLANS that I have assigned to the LAN interfaces, for example

LAN 2 - 10.7.32.x/24 - assigned to VLAN 2
LAN 4 - 10.7.0.x/24 - assigned to VLAN 4
LAN 6 - 10.7.2.x/24 - assigned to VLAN 6

And so on.

LAN 1 is currently set to 10.8.0.x/24 (I changed it from the default 192.168.1.x).   So I've been using that for my 'Local IP Network' when creating concurrent IKEv2 'dial out' LAN-to-LAN profiles for my NordVPN connections.  I wasn't sure if this was the correct Local IP Network to be using for the profiles.

For example (LAN-to-LAN profiles could be

Germany
France
Monaco 

If these were just 3 concurrent dial-out Nord VPNs would the Local IP be set to 10.8.0.x/24 which is what LAN1 is currently set to?

Hope this makes sense.

Hi  Jonathan,

What is working and/or what is not working? What are you hoping for from this configuration?

Are you wanting ALL of your LANs to be able to freely browse randomly via France, Germany and Monaco, or are you wanting to have certain Local LANs browse via certain locations?

It's tricky trying to guess what you're hoping to achieve from just reading your current posts...

If you're trying to route ALL traffic through ALL VPN profiles, I think you're going to encounter some routing issues. I can't say I've ever tried to do what I think you're trying to do. I would be checking my Vigor's routing table after each configuration change, to understand the affects of the adjustments. 



 

HodgesanDY wrote:

Hi  Jonathan,

What is working and/or what is not working? What are you hoping for from this configuration?

Are you wanting ALL of your LANs to be able to freely browse randomly via France, Germany and Monaco, or are you wanting to have certain Local LANs browse via certain locations?

It's tricky trying to guess what you're hoping to achieve from just reading your current posts...

If you're trying to route ALL traffic through ALL VPN profiles, I think you're going to encounter some routing issues. I can't say I've ever tried to do what I think you're trying to do. I would be checking my Vigor's routing table after each configuration change, to understand the affects of the adjustments. 





 

Hi   HodgesanDY

I'm sorry, it is rather confusing to explain.  I'll try and simplify it.   The issue is I've tried so many different solutions that I'm even confusing myself now, lol!

So scenario 1:

I've got a number of VLANs which have different devices connected, for example:

VLAN 2 - 10.7.32.0/24 - phones, laptops etc.
VLAN 4 - 10.7.0.x/24  -  switches, pihole etc
VLAN 6 - 10.7.2.x/24 - IoT devices such as my Hive heating, robot vacuums 

So for example if I wanted to ensure that VLAN 2 was tunnelling out via Nord VPN, I've setup a LAN-to-LAN profile using IKEv2 to say 'France' - the question is what would the local IP network need to be set to for this profile?   Would it be the same router interface that matches VLAN 2? So in my scenario it would be LAN2 - 10.7.32.x/24?   Or does it need to be set to LAN1 which in my case is 10.8.0.x?  Hope that makes sense

Same applies if I wanted to send all traffic over my 'IoT' VLAN out via NordVPN - would the LAN-to-LAN profile ''Local IP network' need to reflect the IP Range of that VLAN?  So in this scenario it would be 10.7.2.x/24

As for setting the default route, I've tried this will mixed results - sometimes name resolution works sometimes it doesn't but the question again would be what local IP network would need setting for a profile thats set to route all traffic?

So in a nutshell - if I had concurrent VPNs setup to dial-out does the 'local IP network' portion of the profile need to point to the IP range of the devices that are going to use the VPN via route policies?  i.e a laptop on VLAN 2 using IP 10.7.32.12 would need to use a VPN profile that has a local IP network of 10.7.32.x/24?

Really sorry but I'm trying my best to explain it as best I can! 

Hi Jonathan ,

So for example if I wanted to ensure that VLAN 2 was tunnelling out via Nord VPN, I've setup a LAN-to-LAN profile using IKEv2 to say 'France' - the question is what would the local IP network need to be set to for this profile?   Would it be the same router interface that matches VLAN 2? So in my scenario it would be LAN2 - 10.7.32.x/24?   Or does it need to be set to LAN1 which in my case is 10.8.0.x?  Hope that makes sense

To be honest, in this instance, it doesn't really matter what you set your local network to, as long as it is a valid IP address, as in, you could use 192.168.111.0/24 for the local network setting on your NordVPN profile to France, if you wanted to.

The main goal as I understand it here, is to force(route) a particular subnet ("10.7.32.0/24" for example) to use the internet connection in France. This can be achieved by establishing the NordVPN connection and then using a 'Load-Balance/Route Policy' (not a Static Route) to force the whole subnet (of your choosing) through that particular VPN connection. I use this method a lot, although not with NordVPN, but rather with my own VPN connections scatter all over the world.

But for simplicity, and best practise, yes, I would use the relevant subnet settings as your 'Local Network' for the VPN Profile you intend to use for that subnet; so 'VLAN2 10.7.32.0/24 for your VPN profile to France! That will at least make it clear when you return to the settings many months or years later.


I have just tested the above between two of my own routers to make sure this works, including the random local network address (not linked to any local LAN in use).