LAN to LAN VPN via a Secondary Router, behind a Primary Router
My objective
I wanted to establish a LAN to LAN VPN between a remote site and home. I already had a pair of Draytek routers, one for each end of the VPN. The remote site is on a 4G network with CGNAT addressing so it needs to ‘dial out’ to my home where I can have a ‘fixed’ dynamic DNS (DDNS) address on the router. I’d already had this Draytek pair working OK when originally installed.
The Challenges
In November 2022 I took delivery of a new Sky SR203 router along with new Fibre to the Premises (FTTP) broadband. The Sky router does not have any VPN functionality, but I was able to successfully replace it with my Draytek Vigor 2862 router following the instructions issued by Draytek for configuration with Sky broadband. Broadband worked fine and the VPN from the remote site to home worked fine, however the IP telephone originally plugged into the Sky router had nowhere to go. I thought the easy solution would be to plug the Sky router into the Draytek router as an Access Point (AP) i.e. with DHCP disabled, however it transpires that the IP phone will only work if the Sky router is the primary router connected to the WAN. In the interests of domestic harmony, the Sky router was placed back into position as the primary, WAN facing router so the telephone could be reinstated.
(Update 05/May/2023: A potential solution to have the phone working when using the Sky router as the 'secondary' router [i.e. behind the WAN-facing router] is posted on Reddit here. I have not tried this.)
The Solution
With the help of a friend, we found a solution where the Sky router remains the primary WAN facing router but the Draytek can be added to the home network as a VPN end-point.
Remote Site Draytek 2620
The remote LAN is on a 192.168.50.* subnet.
The Gateway address is 192.168.50.1
I have chosen a L2TP VPN for its simplicity.
The remote site VPN screenshots are as follows:
Figure 1 – Remote Site VPN Config (1)
Figure 2 – Remote Site VPN Config (2)
Home Sky Router
I have forwarded the inbound L2TP port (1701 UDP) to the outwardly facing (‘WAN’) IP address of the home Draytek router (192.168.0.2). An address reservation has been set up on 192.168.0.2. (NB. Port 1701 UDP was already available in the list of drop-down services in the Firewall config page)
Figure 3 – Sky Router Firewall Rules
Figure 4 – Sky Router Address Reservation
Home Draytek Router
There are two WAN inputs on the Vigor 2862 router. WAN1 is for VDSL internet and WAN2 is for Ethernet input. Since the Draytek’s input is coming from the Sky router, WAN2 needs to be enabled for Ethernet input:
Figure 5 – Home Draytek WAN2 enabled
Figure 6 – Home Draytek WAN2 Setup
The WAN2 input then needs to be defined as Ethernet having a static IP address. That was done on the following screens:
Figure 7 – Home Draytek Internet Access
Figure 8 – Home Draytek Internet Access
In the above screenshots of the home Draytek unit, the input to the Draytek is on the WAN2 port and it is given a static IP address of 192.168.0.2 – this is the address that the Sky router will use for it. VPN traffic arriving at the Sky router on port 1701 (UDP) will be forwarded to this address.
The home Draytek’s LAN needs to be on a different subnet to the Sky router, therefore in the LAN setup we did the following:
Figure 9 – Home Draytek LAN Setup
Figure 10 – Home Draytek LAN Setup
On my home Draytek I have disabled the WiFi, so access is only available to the 192.168.10.* subnet via wired connections, however this is optional.
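As an added example (not part of the original post), the following Python script encodes the address plan from the steps above and checks the points the setup depends on: the Draytek's WAN2 address sitting on the Sky LAN and matching the forward rule, the forward rule being UDP 1701, and the three LANs being distinct subnets. The Plan fields and finding messages are my own names; the addresses are those given in the text.

```python
"""Consistency checks for the double-NAT L2TP address plan described above (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations

@dataclass(frozen=True)
class Plan:
    primary_lan: IPv4Network       # LAN behind the WAN-facing (Sky) router
    secondary_wan_ip: IPv4Address  # static address given to the Draytek's WAN2
    secondary_lan: IPv4Network     # LAN behind the Draytek (VPN end-point)
    remote_lan: IPv4Network        # LAN at the dial-out site
    forward_proto: str             # protocol in the primary router's forward rule
    forward_port: int
    forward_target: IPv4Address    # inside address the forward rule points at

def check_plan(plan: Plan) -> list[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    # The Draytek's WAN2 address must live on the Sky LAN so the Sky router can reach it.
    if plan.secondary_wan_ip not in plan.primary_lan:
        findings.append(f"WAN2 address {plan.secondary_wan_ip} is not inside {plan.primary_lan}")
    # The forward must point at exactly that address, or inbound L2TP goes nowhere.
    if plan.forward_target != plan.secondary_wan_ip:
        findings.append(f"forward target {plan.forward_target} != WAN2 address {plan.secondary_wan_ip}")
    # L2TP is carried over UDP port 1701, which is what the Sky router forwards.
    if (plan.forward_proto.lower(), plan.forward_port) != ("udp", 1701):
        findings.append(f"forward rule is {plan.forward_proto}/{plan.forward_port}, L2TP needs udp/1701")
    # A routed LAN-to-LAN tunnel needs every LAN to be a distinct, non-overlapping subnet.
    lans = {"primary LAN": plan.primary_lan, "secondary LAN": plan.secondary_lan, "remote LAN": plan.remote_lan}
    for (name_a, net_a), (name_b, net_b) in combinations(lans.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return findings

# The plan from the post: values taken from the text and screenshots above.
POST_PLAN = Plan(
    primary_lan=IPv4Network("192.168.0.0/24"),
    secondary_wan_ip=IPv4Address("192.168.0.2"),
    secondary_lan=IPv4Network("192.168.10.0/24"),
    remote_lan=IPv4Network("192.168.50.0/24"),
    forward_proto="udp", forward_port=1701,
    forward_target=IPv4Address("192.168.0.2"),
)

if __name__ == "__main__":
    for line in check_plan(POST_PLAN) or ["plan is consistent"]:
        print(line)
```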
I had an initial issue with passwords not matching on either side of the VPN, but when the configuration was completed the two VPN nodes started talking. Success!
Figure 11 – Working VPN
The device at home I’m using on the VPN (a Remote-Rig RRC-1258MkII talking to the remote site) is plugged directly into the Draytek router and uses DHCP address allocation, though I have reserved the address for it in the router. Everything else I have at home (NAS, laptop, phones etc.) is connected to the Sky router either via WiFi or Ethernet cable. I have one PC that I connect via WiFi to the Sky router and via Ethernet cable to the home Draytek router so I can access both LAN subnets.
I hope this is of help to someone!
John Warburton (G4IRN)
05 May 2023