VPN to VLAN bridges

I have the following scenario that I’d like to see if even my concept is possible.

Two networks, A and B. Network A is VLAN 100 provided through ESXi, so I don’t even get to choose the VLAN, as it’s set at the host level. Network B at the host level is configured as a trunk for VLANs 200-400.

Network A is a general LAN network, but on Network B each VLAN from 200 to 400 is a separate network. I’d like the VyOS device to serve as a point of contact on each Network B VLAN through a VPN connection from clients on Network A.

I know the IP subnets of the Network B VLANs, and I’d like, if possible, to not have a static interface on any of the VLANs, but rather have a client pop up on that (Network B specific) LAN once connected.

I know this could be done through routing, but I want to control clients who have access to specific VLANs and only connect when needed.

I was thinking of setting up WireGuard on Network A and then providing a VPN connection to each VLAN as needed. The only problem is that I would need static IPs on each VLAN that I need to connect to. I wondered if there is a way to dynamically add a VyOS NIC when a client connects to a specific VLAN.
Perhaps there are some other approaches to solve this?

I’m not getting the idea of what you are looking for, but as for this:

I know this could be done through routing, but I want to control clients who have access to specific VLANs and only connect when needed.

Looks like routing (inter-VLAN routing) and firewall (control who has access) should work.
Is it all in the same location? If so, why are you thinking of a VPN-based solution?

The reason for VPN was because I wanted to control user access on a per-user basis to each VLAN. A user could have multiple machines on Network A, and regardless of their machine they should be able to connect to their “allowed” VLANs within Network B. It seemed that doing this through routing would be a little more cumbersome to gather and maintain the IPs, especially when user machine IPs on Network A can change.

Think of it this way. I have various teams that have VLANs dedicated to them. There is a single support team (I was referring to it as users/clients above) that should be able to connect to a given VLAN for support requests. However, the support team shouldn’t be connected at all times, but rather just when support is needed. In addition, the support team fluctuates with machines and people, and not all of the team members should have access to all VLANs.

What we do right now is that on the support team machine we add VLAN tagging, but this has a problem for us as it’s a manual task, people can enter any VLAN they want, and it always takes a few minutes when switching from one VLAN to another.
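The "routing plus firewall" suggestion above, combined with the per-user requirement from the follow-up, can be expressed as one VyOS configuration. The fragment below is an added example, not configuration posted by anyone in this thread; it assumes VyOS 1.4 syntax, Network A on eth0, the Network B trunk on eth1, the tunnel subnet 10.250.0.0/24, the VLAN subnets 10.20.200.0/24 and 10.20.201.0/24, the peer names alice and bob, and placeholder key strings. The idea is that a user is identified by their WireGuard key rather than by the IP of whichever Network A machine they happen to use: each peer gets a fixed /32 tunnel address, and the firewall decides which VLANs that tunnel address may reach.

```vyos
# Added example (not from the thread). VyOS 1.4 syntax; interface names,
# subnets, peer names and key strings are assumptions.

# WireGuard listener on the Network A side (eth0 carries VLAN 100 untagged
# from ESXi, so wg0 just needs to be reachable from Network A).
set interfaces wireguard wg0 address '10.250.0.1/24'
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key 'ROUTER_PRIVATE_KEY_BASE64'
set interfaces wireguard wg0 description 'Support VPN from Network A'

# One peer per support-team member. allowed-ips is a /32, so WireGuard's
# cryptokey routing only accepts packets from this key if they carry this
# source address; the firewall rules below can therefore trust it.
set interfaces wireguard wg0 peer alice public-key 'ALICE_PUBLIC_KEY_BASE64'
set interfaces wireguard wg0 peer alice allowed-ips '10.250.0.11/32'
set interfaces wireguard wg0 peer bob public-key 'BOB_PUBLIC_KEY_BASE64'
set interfaces wireguard wg0 peer bob allowed-ips '10.250.0.12/32'

# The router needs an address on every VLAN it routes into; hosts on that
# VLAN reply via this address (default gateway or a route to 10.250.0.0/24).
set interfaces ethernet eth1 vif 200 address '10.20.200.1/24'
set interfaces ethernet eth1 vif 201 address '10.20.201.1/24'

# Groups keep the per-user policy readable: one address-group per user,
# one network-group per team VLAN.
set firewall group address-group SUPPORT-ALICE address '10.250.0.11'
set firewall group address-group SUPPORT-BOB address '10.250.0.12'
set firewall group network-group TEAM-VLAN200 network '10.20.200.0/24'
set firewall group network-group TEAM-VLAN201 network '10.20.201.0/24'

# Chain applied to traffic arriving from the tunnel: drop by default,
# one accept rule per (user, VLAN) pair that is allowed.
set firewall ipv4 name WG-TO-VLANS default-action 'drop'
set firewall ipv4 name WG-TO-VLANS rule 10 action 'accept'
set firewall ipv4 name WG-TO-VLANS rule 10 source group address-group 'SUPPORT-ALICE'
set firewall ipv4 name WG-TO-VLANS rule 10 destination group network-group 'TEAM-VLAN200'
set firewall ipv4 name WG-TO-VLANS rule 20 action 'accept'
set firewall ipv4 name WG-TO-VLANS rule 20 source group address-group 'SUPPORT-ALICE'
set firewall ipv4 name WG-TO-VLANS rule 20 destination group network-group 'TEAM-VLAN201'
set firewall ipv4 name WG-TO-VLANS rule 30 action 'accept'
set firewall ipv4 name WG-TO-VLANS rule 30 source group address-group 'SUPPORT-BOB'
set firewall ipv4 name WG-TO-VLANS rule 30 destination group network-group 'TEAM-VLAN201'

# Everything forwarded in from wg0 goes through that chain.
set firewall ipv4 forward filter rule 10 inbound-interface name 'wg0'
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target 'WG-TO-VLANS'
```

Two points worth checking before relying on this: first, the per-user control only holds because each peer's allowed-ips is a single /32, so adding a broader allowed-ips later silently weakens the source-address match in WG-TO-VLANS; second, it does not remove the need for a router address on each VLAN (the wish not to have one in the original question), since hosts on VLAN 200 must have a path back to 10.250.0.0/24, either through this gateway or via a source NAT rule on eth1.200 if the VLAN's default gateway is elsewhere. Adding or removing a team member is then a matter of adding or deleting a peer block and its firewall rules, independent of which Network A machine they connect from.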