
So, since lots of people here have experience with VPN, I'd like to ask theoretical project question:

I have distant family members, and it'd be nice to have a simple way to get devices on the same network easily.

My initial thought would be to set up a VPN server somewhere central and fast, and then distribute wireless routers with custom firmware that they could plug in to their network. Then anything they connect to that router would be connected to the VPN (because the router is pre-set up to connect to the VPN).

Is that doable? Is it a good idea? I know just enough about networking to be dangerous...



Unless you are OK living with pwned routers and printers, you don't want devices with JavaScript-enabled web browsers and other random 3rd party software, like apps, to have access to anything on the local network, or at least not when they have access to the internet.


Wait what? Are you saying for example at home you would not allow your PC access to anything else on your LAN?


Home equipment often is relatively poorly secured. The reality is that intra-LAN communication causes contagion to spread easily, that blocking intra-LAN communication can be very inconvenient, and that often there is no good solution.

At least restrict it as much as possible. For example, allow connections only to the printer, if that is needed, and maybe only in one direction - and lock down that printer. But consider walk-up printing via USB cable: people print much less often these days and they have to walk over to the printer to pick up the document anyway.


Have you seen ZeroTier?

I've only used it for testing purposes, so I can't vouch for the quality of connections or anything else really, but it seems like something that could be useful for your use case.


I would think carefully about why you want to get them all on the same network, and then find other, application-based ways to accomplish the same thing. For example if you want to share files, use Dropbox instead of a LAN file share. This will most likely be easier to implement and secure.

Consider that cutting edge companies are in the process of basically deprecating their LAN in favor of app-based security. Google "zero trust network" or BeyondCorp.

You can build this sort of ecosystem yourself using commercially available products and services. Instead of enterprise single-sign-on, set up family members with a password manager.


ZeroTier. It's excellent for your use case.


Yeah, run it on OpenWRT, pfSense, or OPNsense and have the router bridge from ZeroTier to LAN. Flat family L2 network.


Certainly doable, but it really looks like the unnecessary hard way to do it.

If you set up OpenVPN somewhere you can just hand out .ovpn files and tell your relatives to install the OpenVPN client on Windows. Then they just have to double-click the .ovpn file and iconise "that black window that appears" (the DOS prompt window).


I should have mentioned I'm trying to connect devices that can connect only to wireless and that you can't set up a VPN on (the Nintendo Switch). Though I'm sure once I got it set up I'd abuse it for easy file transfer occasionally...


It's doable and is called a site-to-site VPN.

There are various options to implement VPNs and each has its own problems.

--

a) The option everyone else here tries to tell you about is a Client-to-Site VPN. Its downside is that you'll need to connect each client separately and the VPN isn't entirely 'transparent' (the client and programs can and do know that they're not directly connected to the internet).

Your performance will suffer unless your VPN server has enough upstream to offset the combined downstream of all connecting clients. You can offset this by manually routing all internet traffic along the normal gateway and just use the VPN for in-house connections.

  i.e.
  192.168.111.0/24 (vpn) gateway 192.168.111.1 (VPN HOST)
  0.0.0.0/0 192.168.0.1 (Router)
--

b) A true Site-To-Site VPN is possible with enterprise routers. You'll probably have to define static routes across all routers, as routing protocols will probably add more maintenance than they'll prevent. Each has to be manually added on all routers, but remote management is generally possible at that price point. Expect at least $300 for the very cheapest router, and you'll probably want to spend at least $500 per device.

The VPN is entirely transparent and at that price point, you'll be able to configure the routers remotely. Management won't be as big a problem as you'd expect, as these devices are very stable.

  i.e.
  house a 192.168.111.0/24
  house b 192.168.112.0/24
  house c 192.168.113.0/24
What you were probably hoping for was to get a cheapish router, flash DD-WRT or similar and just use that? If so, I don't believe that's viable. They just don't have the CPU power to handle this amount of package inspection (it's probably using IPsec, so each IP package should be flagged and needs to be validated separately).

--

c) ISPs can provide you with a network across sites. Expect to pay thousands though. Really good performance however.

--

d) Client-client VPNs. ZeroTier is one of these. Each client needs to install software and all communications are directly addressed.

You don't need a central server anymore (you still have one for initial authentication however). You'll however have to force people to

1. install the software,

2. start the software,

3. update the software. You probably don't want to do that with family members though. It's very ... annoying.

Performance is pretty great and you can actually buy appliances which give you the same Site-To-Site capabilities. Beautiful technology which is just as expensive as the enterprise routers. No idea about managing them however. Never had one of these appliances myself.

/edit It might be possible with the EdgeRouter? I don't have any experience with that, but it does look like it. https://news.ycombinator.com/item?id=17660518
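As an added illustration of option (b) (not code from the commenter or from any project mentioned in the thread), the following Python script plans a site-to-site mesh for the three houses in that addressing plan, using WireGuard in place of the IPsec the comment mentions; the overlay prefix, keys and endpoint hostnames are constructed placeholders, and the overlap check guards against the common failure of two houses sharing the same LAN prefix.

```python
"""Added helper (not from the thread): plan a site-to-site VPN for several
houses as in option (b), with WireGuard. Keys and endpoints are placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    lan: str        # the LAN prefix behind this house's router
    tunnel_ip: str  # this router's address on the VPN overlay
    pubkey: str     # placeholder, not a real WireGuard key


def check_no_overlap(sites):
    """Each house must use a distinct LAN prefix; otherwise the static routes
    the tunnel installs would be ambiguous. Raises ValueError on a clash."""
    nets = [ipaddress.ip_network(s.lan) for s in sites]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}: renumber one house")


def wg_config(me, sites, overlay):
    """WireGuard config for `me`. Every other house is a peer whose AllowedIPs
    list both its tunnel address and its LAN, so the kernel routes that LAN
    into the tunnel: one static route per site, no routing protocol needed."""
    check_no_overlap(sites)
    lines = ["[Interface]",
             f"Address = {me.tunnel_ip}/{overlay.prefixlen}",
             f"PrivateKey = <private key of {me.name}>",
             "ListenPort = 51820", ""]
    for p in sites:
        if p is me:
            continue
        lines += ["[Peer]", f"PublicKey = {p.pubkey}",
                  f"AllowedIPs = {p.tunnel_ip}/32, {p.lan}",
                  f"Endpoint = {p.name}.example.invalid:51820",
                  "PersistentKeepalive = 25", ""]  # keeps NAT mappings open
    return "\n".join(lines)


# Constructed sample: the three houses from the comment's addressing plan.
OVERLAY = ipaddress.ip_network("10.99.0.0/24")
SITES = [Site("house-a", "192.168.111.0/24", "10.99.0.1", "PUBKEY_A"),
         Site("house-b", "192.168.112.0/24", "10.99.0.2", "PUBKEY_B"),
         Site("house-c", "192.168.113.0/24", "10.99.0.3", "PUBKEY_C")]

if __name__ == "__main__":
    print(wg_config(SITES[0], SITES, OVERLAY))
```

Running it prints house-a's config; generating the same for house-b and house-c gives each router the static routes to the other two LANs.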


Thank you for the very thorough reply, especially the terminology. Yes, I think what I want is site-to-site VPN hardware to have LAN parties with my family on consoles that don't do well with the internet (I'm looking at you, Nintendo Switch).

So multiple people have listed ZeroTier, and you mentioned it as a client-client. It looks like they have a crowdfunding campaign to launch a site-site VPN device... I think: https://www.indiegogo.com/projects/zerotier-edge-open-source...

Edit: Thank you so much for teaching me to fish (the terminology) instead of just giving me a fish (recommendation).


> It looks like they have a crowdfunding campaign to launch a site-site vpn device

That is what I meant with the appliance.

I can't speak from experience, but what I've read yesterday makes the previously linked comment the most interesting [0].

The EdgeRouter costs ~$100 and has enterprise hardware. The only missing feature is the management frontend, which isn't strictly necessary. And the referenced vyatta-wireguard [1] has a code excerpt which looks like a site-to-site VPN.

  [0] https://news.ycombinator.com/item?id=17660518
  [1] https://github.com/Lochnair/vyatta-wireguard



