HodgesanDY wrote:

Hi Jonathan ,

So for example if I wanted to ensure that VLAN 2 was tunnelling out via Nord VPN, I've setup a LAN-to-LAN profile using IKEv2 to say 'France' - the question is what would the local IP network need to be set to for this profile?   Would it be the same router interface that matches VLAN 2? So in my scenario it would be LAN2 - 10.7.32.x/24?   Or does it need to be set to LAN1 which in my case is 10.8.0.x?  Hope that makes sense

To be honest, in this instance, it doesn't really matter what you set your local network to, as long as it is a valid IP address, as in, you could use 192.168.111.0/24 for the local network setting on your NordVPN profile to France, if you wanted to.

The main goal as I understand it here, is to force(route) a particular subnet ("10.7.32.0/24" for example) to use the internet connection in France. This can be achieved by establishing the NordVPN connection and then using a 'Load-Balance/Route Policy' (not a Static Route) to force the whole subnet (of your choosing) through that particular VPN connection. I use this method a lot, although not with NordVPN, but rather with my own VPN connections scatter all over the world.

But for simplicity, and best practise, yes, I would use the relevant subnet settings as your 'Local Network' for the VPN Profile you intend to use for that subnet; so 'VLAN2 10.7.32.0/24 for your VPN profile to France! That will at least make it clear when you return to the settings many months or years later.


I have just tested the above between two of my own routers to make sure this works, including the random local network address (not linked to any local LAN in use).


 

Hi  HodgesanDY  

Thanks.  So yeah I have a number of Load-Balance/Route Policies already setup for things like my laptop (10.7.32.12) which go out via NordVPN to say, France and it appears to work well.

I did a bit of testing and you're right, regardless of what 'Local IP Network' subnet I use it seems to work for the route policy VPN connections.   I tried random subnets like 10.9.1.0/24, 192.168.0.1/24 etc and they all seemed to work.   I just wasn't sure if the 'Local IP Network' had to match a valid IP subnet that was in use/tied to an existing interface.

But, for the sake of my own sanity, you suggest i use the referencing subnet for my route policy connections?  So lets say I wanted my laptop, iPad and iPhone to tunnel through a policy via NordVPN - all aforementioned devices 'live' on VLAN 2 - 10.7.32.x so I would set the VPN LAN-to-LAN profile Local IP Network to 10.7.32.0/24 (for posterity) 

...because of how you are using the VPN connections, then yes to all of the above. Had you been requiring actual two-way LAN-to-LAN (so to speak) then you would want the local network setting to be relevant to your two-way traffic, especially for routing purposes and granular control, but really, you just want a direct pipe plugged in to the geographical ISP. 

Thanks.  I guess the same applies for the default route?  Can the local IP Network be any range if I'm just connecting to NordVPN via remote network 0.0.0.0/0?

 

Yes, but then all your LANs will be forced to use that (VPN) route, out on to the internet.

I can't say what would happen if you tried to make more than one VPN profile become a default route alongside the first one, never tried it, maybe the path will become pot-luck and randomly flip between the two or more default routes.

(Actualy, I just tried it and it seems you can set more than one default route, although I did not run any tests to see the affects; maybe another time...)

When you set multiple default routes, did you do them as seperate load balancing/routes?

 

When you set multiple default routes, did you do them as seperate load balancing/routes?

No, I enabled them in the VPN profile setting:

TCP/IP Network Settings >> "Change default route to this VPN tunnel..."