I have a Synology RT2600AC router running VPN Plus Server, which has an S2S option. That option uses IPSec, which would not connect my networks at Layer 2. In addition, the Synology VPN Plus S2S service is not free (even though it uses the libreswan package). I have DLNA/UPnP servers on my network that should be visible automatically on all LANs (even remote ones). For broadcast packets to reach all networks, the LANs have to be on the same local subnet, which is shared among all LANs connected via VPN.
That is achievable with OpenVPN, which is available for free on Synology VPN Plus Server. For the other two routers I picked the TP-Link TL-WR1043ND v4. I replaced the original firmware on them with the LEDE-Project one, so I could fine-tune my configurations.
OpenVPN server configuration on RT2600AC
    drwxr-xr-x  3 root system 4096 Oct  7 07:35 .
    drwxr-xr-x 11 root system 4096 Nov  6 12:59 ..
    drwxr-xr-x  2 root system 4096 Nov  1 16:24 keys
    -rw-r--r--  1 root system  949 Oct  8 21:25 openvpn.conf
    -rwxr-xr-x  1 root root     48 Oct  6 15:33 openvpn.up
    dev tap
    syno_vpnplus_sync
    management 127.0.0.1 1195
    server 10.51.8.0 255.255.255.0
    max-clients 20
    cipher AES-256-CBC
    auth SHA512
    dh /var/packages/VPNPlusServer/target/etc/openvpn/keys/dh3072.pem
    ca /var/packages/VPNPlusServer/target/etc/openvpn/keys/ca.crt
    cert /var/packages/VPNPlusServer/target/etc/openvpn/keys/server.crt
    key /var/packages/VPNPlusServer/target/etc/openvpn/keys/server.key
    #this is shared key, must be uploaded to clients
    tls-auth /var/packages/VPNPlusServer/target/etc/openvpn/keys/ta.key 0
    persist-tun
    persist-key
    verb 3
    script-security 2
    up /var/packages/VPNPlusServer/etc/openvpn/openvpn.up
    #log-append /var/log/openvpn.log
    keepalive 10 60
    reneg-sec 0
    plugin /var/packages/VPNPlusServer/target/lib/radiusplugin.so /var/packages/VPNPlusServer/target/etc/openvpn/radiusplugin.cnf
    client-cert-not-required
    username-as-common-name
    duplicate-cn
    proto udp
    port 1194
    status /tmp/ovpn_status_2_result 5
    status-version 2
    client-to-client
    push "route 10.51.8.0 255.255.255.0"
    #!/bin/sh
    /usr/syno/sbin/brctl addif lbr0 tap0
    /usr/syno/sbin/brctl stp lbr0 on
    /usr/syno/sbin/brctl setmaxage lbr0 40
OpenVPN client configuration on TL-WR1043ND
    client
    dev tap
    tls-client
    remote xxxxx.xxx 1194
    pull
    proto udp
    script-security 2
    reneg-sec 0
    auth SHA512
    cipher AES-256-CBC
    auth-user-pass /etc/openvpn/xxxxx-xxx.secret
    key-direction 1
    ca /etc/openvpn/xxxxx-xxx.ca
    tls-auth /etc/openvpn/xxxxx-xxx.key
    explicit-exit-notify
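The server and client files above set several directives that should agree on both ends (dev, proto, cipher, auth) and a tls-auth key direction that must be opposite on each side. The following is an added example, not part of the original post: a POSIX sh check that compares a server and a client config and lists the server's client-authentication directives for review. The function names and the sample configs in demo() are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. The sample configs in demo() are
# constructed, abbreviated stand-ins for the server and client files above.

# Print the arguments of the first uncommented directive $2 in file $1.
ovpn_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Compare directives that should agree on both ends; print one line per
# mismatch. Returns 0 when server ($1) and client ($2) agree, 1 otherwise.
ovpn_pair_check() {
    rc=0
    for k in dev proto cipher auth; do
        s=$(ovpn_get "$1" "$k"); c=$(ovpn_get "$2" "$k")
        [ "$s" = "$c" ] || { echo "MISMATCH $k: server='$s' client='$c'"; rc=1; }
    done
    # tls-auth: the two ends use opposite key directions (0 and 1). The
    # direction is the second tls-auth argument or a key-direction line.
    sdir=$(ovpn_get "$1" tls-auth | awk '{print $2}')
    cdir=$(ovpn_get "$2" tls-auth | awk '{print $2}')
    [ -n "$sdir" ] || sdir=$(ovpn_get "$1" key-direction)
    [ -n "$cdir" ] || cdir=$(ovpn_get "$2" key-direction)
    case "$sdir/$cdir" in
        0/1|1/0) ;;
        *) echo "MISMATCH tls-auth direction: server='$sdir' client='$cdir'"; rc=1 ;;
    esac
    return $rc
}

# List server directives that decide how clients authenticate. With
# client-cert-not-required the client presents no certificate, so the
# plugin's username/password check is the per-user credential.
ovpn_auth_review() {
    awk '$1 ~ /^(client-cert-not-required|duplicate-cn|plugin)$/ { print "REVIEW " $1 }' "$1"
}

demo() {
    t=$(mktemp -d) || return 1
    printf '%s\n' 'dev tap' 'proto udp' 'cipher AES-256-CBC' 'auth SHA512' \
        '#shared key' 'tls-auth /path/ta.key 0' \
        'client-cert-not-required' 'duplicate-cn' > "$t/server.conf"
    printf '%s\n' 'client' 'dev tap' 'proto udp' 'cipher AES-256-CBC' \
        'auth SHA512' 'key-direction 1' 'tls-auth /path/client.key' > "$t/client.conf"
    ovpn_pair_check "$t/server.conf" "$t/client.conf" && echo "pair consistent"
    ovpn_auth_review "$t/server.conf"
    rm -rf "$t"
}
demo
```

To check real files, call ovpn_pair_check with the path of the server's openvpn.conf and the path of the client's config.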