Any thoughts on this home network architecture scenario would be greatly appreciated. I’m basically looking to allow access to a specific computer from the internet via a VPN.
Background
I am in the UK. I currently have a standard home network setup. We have a combined modem/router and an FTTC internet connection. The router is from the ISP and fairly basic so cannot have multiple VLANs or run a VPN server. All of our devices connect to the router either wired or wirelessly. This includes my business computer (PC 1).
My colleague also works from his home office in a different location and has the same basic setup (PC 3).
Problem
At present all the business “stuff” is in the cloud. However, we now both need to be able to access a particular piece of software. Up until now I have been the sole user and have it installed on PC 1. In order for us both to use it I plan to install it on its own PC (PC 2) which will be at my house. I would like my colleague to be able to connect to PC 2 and use the software on it.
For this to work securely I believe my colleague will need to connect via VPN. He will then be able to access PC 2 and use software on it. If I need to use the software, I will connect to PC 2 over the local network.
Solution
I was thinking that the simplest option would be to leave all of my home network alone and purchase a VPN capable router (e.g. the TP-LINK ER605). This would connect to my existing home router and I would then connect PC 1 and PC 2 to the VPN router. My colleague could then VPN in and be able to access PC 2 and wouldn’t have access to the rest of my home network.
Is this a reasonable architecture? Will it function in the way I expect? How complicated will it be to configure the two routers and access to PC 2 whilst also allowing PC 1 access to the internet etc?
I can see a couple of alternatives based on some initial research. Any thoughts on either of these or a different alternative even?
1 - Install PiVPN on a Pi connected to my home router and use this to provide the VPN access to PC 2. With this solution and the lack of VLANs I’m unsure whether my colleague would be able to access the rest of my network once connected via VPN. It could be a short term solution though as I already have a Pi and doing this would not impact the rest of the network.
2 - Replace the basic ISP modem/router with a VPN/Multi VLAN capable modem/router and configure this so that I have two separate VLANs with VPN access to the “Business VLAN” which would allow my colleague to connect to PC 2 but would not expose the rest of the network on the “Home VLAN”. This ultimately feels like the best solution but also has the most potential for disruption. I think the ER605 would be suitable.
Your second alternative is the better path forward as you kind of already know it to be. An ER605 is not expensive, and neither is its bigger brother the ER7602 (which I use). I implemented your 2nd alternative solution so I can access my NAS remotely, but it can’t access things in other VLANs as I didn’t configure it to do so.
The problem with your main solution is the double NAT which can create a headache, plus you’ll have to port forward for the inbound VPN connection to work. The 1st alternative with PiVPN can be locked down to allow access to a single IP if needed, but for the small cost of the ER605 you can have the kind of isolation you really want. You’ll probably need a VLAN capable AP to support this properly though.
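The lock-down the reply above refers to (restricting the PiVPN peer to a single IP, and answering the question in the first alternative about whether the colleague could reach the rest of the network) is enforced on the Pi, not on the client. The nftables ruleset below is an added example and is not from any post in this thread or from the PiVPN project. It assumes a WireGuard interface `wg0` on the Pi with VPN subnet 10.8.0.0/24, the colleague's peer configured on the Pi with `AllowedIPs = 10.8.0.2/32`, PC 2 at 192.168.1.20 on the home LAN 192.168.1.0/24 via `eth0`, and that the colleague uses RDP (TCP 3389) to reach PC 2; all of those addresses and the port are assumptions to adjust. It also assumes the Pi's firewall is managed by this file rather than by PiVPN's own iptables rules, since `flush ruleset` replaces whatever is loaded.

```nft
#!/usr/sbin/nft -f
# Added example: restrict a WireGuard peer to one host on the LAN.
# Assumed (constructed) addressing:
#   wg0           WireGuard interface on the Pi, VPN subnet 10.8.0.0/24
#   10.8.0.2      colleague's tunnel address (his peer has AllowedIPs = 10.8.0.2/32)
#   192.168.1.20  PC 2, on the home LAN 192.168.1.0/24 behind eth0
#   3389/tcp      assumed RDP; change for VNC or whatever the software needs
flush ruleset

table inet vpn_lockdown {
    chain forward {
        # Everything routed through the Pi is dropped unless a rule below accepts it.
        type filter hook forward priority 0; policy drop;

        # Replies for connections PC 2 has already accepted.
        ct state established,related accept

        # The only thing the tunnel may start: colleague -> PC 2 on the RDP port.
        iifname "wg0" ip saddr 10.8.0.2 ip daddr 192.168.1.20 tcp dport 3389 ct state new accept

        # Anything else leaving the tunnel (other LAN hosts, the ISP router,
        # the internet via your connection) is logged, then dropped.
        iifname "wg0" log prefix "wg0-blocked: " drop
    }

    chain postrouting {
        # The ISP router has no route back to 10.8.0.0/24, so PC 2's replies
        # must appear to come from the Pi's LAN address.
        type nat hook postrouting priority 100; policy accept;
        iifname "wg0" oifname "eth0" masquerade
    }
}
```

Load it with `sudo nft -f /etc/nftables.conf` and confirm the policy with `sudo nft list ruleset`; then, from PC 3 over the tunnel, a ping to the ISP router or any other LAN address should fail and show up in `journalctl -k` with the `wg0-blocked:` prefix, while the RDP session to 192.168.1.20 still works. Note that `AllowedIPs` on the client side only decides what the client routes into the tunnel; a modified client could send anything, which is why the forward chain on the Pi is the real control.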
Why not get something like NordVPN which will give you 5 clients. Each PC can choose which country to use. For example if I want to watch BBC iPlayer, I connect to a UK server.
Thank you very much for the detailed reply! Yes, I can see double NAT and port forwarding could cause some trouble.
As I was typing out my post I was starting to think more and more that Alternative 2 is the best way forward. My initial hesitation was around getting everything configured with the ISP and avoiding too much headache/disruption/complaints from family, but I’ve found a couple of posts on their forum about getting TP-LINK devices up and running and it mostly sounds ok!
When you say a VLAN capable AP does that mean something which can provide WiFi access for my home devices, e.g. like the TP-LINK TL-WA801ND?
This certainly looks an interesting alternative, thanks! I need to wrap my head around how this could be used and how/who needs to sign in where to get it working properly.
I’m certainly up for giving it a go, and pfSense does come up a lot for this sort of thing. From a brief look this would replace both my ISP modem/router and the VPN router with a device running pfSense and configured to have different VLANs and the VPN? Their “official” hardware seems quite expensive compared to the TP-LINK stuff I have been looking at so far. A cheaper alternative would be to get a refurbed PC with a couple of network cards?
I mean where you can have multiple SSIDs and assign each to different VLANs. You’ll probably end up wanting to isolate wifi devices too, so this lets you be prepared for it. If you’ll ever need to connect a wireless device to the same VLAN as your work PCs then you’ll need this as well.
If PC1 and PC2 are wired devices, putting them behind the VPN-enabled ER605 will provide what you want without disrupting your home LAN. Both will be accessible from PC3, when PC3 is connected to the VPN.
Personally, I use pfSense to allow VPN access to devices in my home network.
A secondary issue with the initial solution is that your home network is not properly separated from the business network behind the VPN router. This config effectively creates a one-way street because you have a second “sub” firewall. Might not be an actual issue if you trust your friend and your VPN config, but anyone on the VPN would be able to see and communicate with the devices on the wireless. However the devices on wireless will not be able to see into the business network.
I’ve never shared my network beyond myself, so I can’t help there. But as long as you don’t “advertise routes” from your internal PC2 then the ‘only’ computers that can talk are the two with TS installed. Its default setup is a split VPN too, so buddy’s PC will act completely normal on their own network and internet, but when the Tailscale IP is used it’ll tunnel through that to your computer.
It’s amazingly simple and awesome tech.
ZeroTier is an open-source version if you prefer. And I don’t know about pricing models or anything if you’d be dipping into that by inviting a friend in.
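The Tailscale suggestion above relies on nothing else in the tailnet being reachable by the invited user. Tailscale's default policy file allows every node to reach every other node, so once a second person is invited the place to pin this down is the tailnet's access policy (HuJSON, edited in the admin console). The policy below is an added example, not from any post here or from Tailscale's documentation; the identities `you@example.com` and `friend@example.com`, the host name `pc2`, its tailnet address 100.101.102.103 and the RDP port 3389 are all assumptions to replace with your own.

```json
{
  // Added example: lock an invited user to one machine and one port.
  // Assumed (constructed) names:
  //   you@example.com     the tailnet owner (PC 2 and PC 1 are logged in as this user)
  //   friend@example.com  the colleague invited to the tailnet (PC 3)
  //   pc2                 alias for PC 2's Tailscale address
  //   3389                assumed RDP; change to whatever the software needs
  "hosts": {
    "pc2": "100.101.102.103"
  },
  "acls": [
    // The colleague may open connections only to PC 2, only on the RDP port.
    // There is no rule letting him reach PC 1 or anything else in the tailnet.
    {"action": "accept", "src": ["friend@example.com"], "dst": ["pc2:3389"]},

    // The owner keeps full access to every node in the tailnet.
    {"action": "accept", "src": ["you@example.com"],    "dst": ["*:*"]}
  ]
}
```

After saving the policy, verify it from the colleague's machine: `tailscale ping pc2` should succeed, while `tailscale ping` to PC 1's tailnet name should not, and a connection to PC 2 on any port other than 3389 should be refused. Because Tailscale ACLs are enforced on the receiving node as well as during connection setup, this holds even if PC 2 is advertising no routes, which is the separate point the post above makes.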
Thanks for that, I did wonder about segregation of home and business devices. I do trust my friend but I guess from a security point of view it would be better for there to be as little crossover as possible.