Dummies guide to VPN/NAT/.... ?

Post by Goverp » Mon Jul 21, 2025 5:04 pm

I set up a minimal VPN between two locations, let's call them "home" and "away". I realise I don't really understand what's going on. I tried Google to get an overview - its AI was too brief, but the HOWTOs and guides I found tended to be tilted to a specific product and/or too prone to giving more detail of the various network layers, standards and RFCs than I'd hope would be necessary.
To compound my problem, I promised some friends I'd explain it all to them :oops:

Does anyone know of a readable document/presentation/web site that explains the various bits clearly and concisely? It's so easy to disappear down a twisty little maze of Wikipedia links.

The background: I set up my VPN because "away" is now behind CGNAT. I used to be able to connect to a device there by registering the router's address on a DDNS and having the router forward the ssh port to my PC. CGNAT breaks that. However, "home" remains connected directly by my ADSL router, so it can do port forwarding and DDNS. "away" can therefore connect to "home", and thus my WireGuard VPN can connect both. I can happily ping home from away, and vice versa.

That said, I almost certainly can do much more, such as enable all the devices at home and away see each other. I probably want to NAT my 192.168.x.x networks to different subnets of 10.0.0.0, or something.
I told you I didn't really understand what's going on :-)
Greybeard
Post by John R. Graham » Mon Jul 21, 2025 8:01 pm

I found Mastering OpenVPN from PACKT Publishing to be quite helpful. There's a freely downloadable PDF discoverable online; although PACKT appears to want you to own the dead tree edition before getting access to it, they haven't enforced that very well. I see you've used WireGuard. I evaluated that and chose OpenVPN instead because I wanted my remote machines to be authenticated against a real X.509 PKI with CRLs (revocation lists). But there's a lot of information in this book on VPN topologies and architectural choices, too. I also note that Amazon has Set Up Your Own IPsec VPN, OpenVPN and WireGuard Server (Build Your Own VPN); it looks to be more of a guide than a textbook and I can't vouch for its quality.

I've set up secure connectivity to my lab network from "away" (currently defined as my travel laptop and my Android phone) and have successfully connected from any number of public WiFi access points. Whether my machines are remote or local, they can see my lab network and (because I've chosen to let them) machines on the lab network can see the remote machines as well. They even get their network configuration from my lab DHCP and resolve machines by name through the lab DNS.

Caution: Using one of the very common subnets like 192.168.0.0/24 or 10.0.0.0/24 is problematic because you're too likely to have collisions along your route. Choose something semi-random in place of those non-rightmost zeroes.

- John
I can confirm that I have received between 0 and 499 National Security Letters.
Post by Goverp » Tue Jul 22, 2025 10:12 am

John, thanks, I'll give that a look.
Greybeard
Post by Havin_it » Sun Aug 03, 2025 5:18 pm

@Goverp I recently had more-or-less the same situation where I had to make "away" an OpenVPN client because it couldn't be reliably reached from outside ("home" has a static IP so no problem there). I also wanted home's hosts to all be able to contact away's hosts through the link, so if you do want to do that here are a couple of titbits I learned along the way.

1. You need to enable IP forwarding in sysfs and NAT rules in iptables/whatever on both the server and client machines. (I just googled these at the time; they are quite common, but I can probably dig them out if you like.)
2. To allow random machines on each end to be able to reach each other, you need to add a static route on the router at each end so that any requests for IPs on the other side are routed via the host that is the OpenVPN server/client. So let's say your subnets are like:

home: 192.168.8.0/24, VPN server 192.168.8.10
away: 192.168.12.0/24, VPN client 192.168.12.10

For all home's hosts to have access to away, you need a route on home's router like

192.168.12.0 netmask 255.255.255.0 gateway 192.168.8.10

and vice versa on away's router if you want both ways. All my consumer routers so far have had the facility of adding static routes like this, though it's often a bit buried in the menus.
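As an added example (not from either poster), this Python script turns the two-site topology above into the concrete pieces Havin_it lists, and folds in John's caveat about colliding subnets: it refuses to produce a plan when the home LAN, away LAN or tunnel prefix overlap. The subnets are the ones quoted in the post; the tunnel prefix `10.77.44.0/24`, the interface names `eth0`/`tun0`, and the site layout are assumptions. The FORWARD rules are deliberately scoped to the two LAN prefixes rather than accepting everything, and MASQUERADE is off by default because with a static route on both routers nothing needs to be NATed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    name: str      # "home" or "away"
    lan: str       # the site's LAN prefix, e.g. "192.168.8.0/24"
    vpn_host: str  # LAN address of the VPN endpoint at that site
    lan_if: str    # LAN interface name on that endpoint (assumed)

# Constructed from the post's subnets; the tunnel prefix is a made-up non-default range.
HOME = Site("home", "192.168.8.0/24", "192.168.8.10", "eth0")
AWAY = Site("away", "192.168.12.0/24", "192.168.12.10", "eth0")
TUNNEL = "10.77.44.0/24"

def overlapping(*prefixes: str) -> list:
    """Pairs of prefixes that collide; an empty list means routing is unambiguous."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

def router_static_route(local: Site, remote: Site) -> str:
    """Static route for the *local* router: the remote LAN via the local VPN endpoint."""
    net = ipaddress.ip_network(remote.lan)
    return f"{net.network_address} netmask {net.netmask} gateway {local.vpn_host}"

def endpoint_commands(local: Site, remote: Site, tun_if: str = "tun0",
                      masquerade: bool = False) -> list:
    """Forwarding on the *local* VPN endpoint, limited to traffic between the two LANs."""
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -A FORWARD -i {local.lan_if} -o {tun_if} -s {local.lan} -d {remote.lan} -j ACCEPT",
        f"iptables -A FORWARD -i {tun_if} -o {local.lan_if} -s {remote.lan} -d {local.lan} -j ACCEPT",
    ]
    if masquerade:  # only if the far router cannot hold a return route; hides real source IPs
        cmds.append(f"iptables -t nat -A POSTROUTING -o {tun_if} -s {local.lan} -j MASQUERADE")
    return cmds

def plan(home: Site, away: Site, tunnel: str) -> dict:
    """Full plan for both ends; refuses to proceed if any prefix collides."""
    clashes = overlapping(home.lan, away.lan, tunnel)
    if clashes:
        raise ValueError(f"overlapping prefixes: {clashes}")
    return {
        "home_router_route": router_static_route(home, away),
        "away_router_route": router_static_route(away, home),
        "home_endpoint": endpoint_commands(home, away),
        "away_endpoint": endpoint_commands(away, home),
    }
```

For a WireGuard tunnel the remote LAN must additionally be listed in that peer's `AllowedIPs`, which this script does not generate.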
Post by Goverp » Mon Aug 04, 2025 8:24 am

Havin_it, thanks. I'd read some stuff like that, before I got distracted...
(I've been trying to get digikam's DLNA server send my photo albums to our TV. Turns out my firewall was blocking part of UPnP. Turns out I need to either allow anything (virtually) from the TV to my PC, or far better, a conntrack helper for SSDP enabled in UFW. I just love collecting networking acronyms.)
Greybeard