VPN and the private network at the other side: can I reach it from my pc? (Solved)

Posted on 2009-05-07, Last Modified: 2012-05-06

Hi experts!

Usually I am answering questions, but about networking I can use some assistance. I have a (private) client that I can reach using a VPN connection through firewalls and everything (I use TeamViewer, http://www.teamviewer.com) but now I need to access the database server which is reachable as a local network address (10.x range) from my client's pc and I need it directly accessible from my pc as well.

Is it possible to set up this VPN such that I can reach the local subnets at the other side as well? I.e., ultimately I want to connect to their database server to make it easier to assist them, and their database server is too large to simply copy locally.

Any assistance is much appreciated. I am using Windows Vista / TeamViewer / other side is Windows XP. Both behind firewalls, but the TeamViewer software created virtual IP addresses.

Question by:abel

38 Comments

Expert Comment by:lavinpj1 (ID: 24324070)
If you set up a VPN tunnel (IPSec would make sense) between your subnet and the client's remote subnet and then configure your own devices to route traffic for the remote subnet over the VPN then you shall be able to access the client's network.

Phil

Author Comment by:abel (ID: 24324164)
OK, now suppose I were a beginner on the subject, how should I go about it? What tools should I use, or what should I configure where? Can the VPN tunnel which is set up by TeamViewer be used for this, or do I need something else instead?

Bottom line: it can be done, which is good news, now the how ;)

Expert Comment by:lavinpj1 (ID: 24324197)
Having never used teamviewer, I am not sure if it can be used for traditional VPN purposes.

The easiest (and probably best) way to do IPSec is to implement it on the gateway routers of the two organisations. What hardware is in place at the gateway of each location?

Phil

Author Comment by:abel (ID: 24324370)
Ah, now you're talking. Here comes the tricky bit. We do not have the possibility to do something on the client's side firewall (which is why we used TeamViewer in the first place). Sigh! Sorry about that, but if it is possible with regular (or not so regular) settings on either of our computers, that would be great.

Expert Comment by:lavinpj1 (ID: 24324419)
IPSec can work over NAT by encapsulating ESP in UDP. Providing you can let that UDP through the firewall, all should be good.

To do that you'd need to, ideally, set up a VPN gateway inside the client's LAN and make it the new default gateway for the network. You can then set up that VPN gateway with a default gateway of the network's Internet gateway. This would have the effect of routing all traffic for the remote subnet over the VPN and then passing on the other traffic to the Internet gateway. At the Internet gateway, you'd have to obviously forward the UDP ports (I'm not sure what they are) to the VPN gateway.

Something else you could also look into is OpenVPN.

Phil

Expert Comment by:lavinpj1 (ID: 24324431)
In fact, it would probably be easier to leave the default gateway as is and set up a static route on the current gateway for the remote subnet, using the VPN gateway as the next hop.

Phil

Author Comment by:abel (ID: 24324479)
I checked this OpenVPN thingy. From what you are telling me, it seems that maybe it could already work with this TeamViewer connection, but I am not sure how to go about this rerouting bit.

So, if this can work without too much hassle by using OpenVPN, I'd be greatly indebted!

Expert Comment by:lavinpj1 (ID: 24324610)
Can you establish the TeamViewer connection and paste an ipconfig from each side of the tunnel?

Phil

Author Comment by:abel (ID: 24324647)
Hold on, I'll try (check if the other side of the Atlantic is already in the office).

Author Comment by:abel (ID: 24325416)
That took a tad bit longer than I hoped, but here are the ipconfigs. I rarred them with a password, because it contains private data.

ipconfigrar.txt

Author Comment by:abel (ID: 24325426)
The pwd is your nickname in capitals and the comment ID of your first comment.

Author Comment by:abel (ID: 24325450)
Ah, that was a bit stupid, because it is archived here, of course. Should've placed it online somewhere temporarily.

Expert Comment by:lavinpj1 (ID: 24326594)
Sorry for the delay, I had some work to do.

I assume you can ping 7.32.140.208 from the local side?

Phil

Author Comment by:abel (ID: 24327172)
Yes, I can indeed.

Author Comment by:abel (ID: 24327188)
The connection is not the problem, I can enter the other machine just fine. But I want to access the private network behind the remote machine, the addresses in the 10.x range. How do I somehow map / route that in the right direction?

Expert Comment by:lavinpj1 (ID: 24327334)
There may be security features in place to stop this, however...

On your local Windows machine do:

route ADD 10.7.1.0 MASK 255.255.255.0 7.32.140.208

On the machine at the far end of the tunnel do:

route ADD 192.168.1.0 MASK 255.255.255.0 7.31.202.115

Disable windows/other software firewalls on both machines and try to ping 10.7.1.33 from the local side.

If this doesn't work, come back and paste a traceroute to 10.7.1.33 from the local side.

If it does work, on the server you want to access, do:

route ADD 192.168.1.0 MASK 255.255.255.0 10.7.1.33

You can then try pinging it.

Phil

Author Comment by:abel (ID: 24327515)
That last thing will not be possible, because on the server we do not have access (atm). So for now, we'll really have to work from the workstations. We're trying the suggestions. Tx for standing with us so far.

Author Comment by:abel (ID: 24327812)
This must be obvious to you, this error (on the remote machine):

The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine.

Shouldn't we add the 10.x range somehow?

Expert Comment by:lavinpj1 (ID: 24327964)
Can you post another ipconfig and a "route PRINT" from both ends?

Does it add ok on the local?

Phil

Author Comment by:abel (ID: 24328086)
Here's a ping to 10.7.1.33:

Pinging 10.7.1.33 with 32 bytes of data:
Reply from 7.31.202.115: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.7.1.33:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

and here's a tracert to the same, both from the local machine:

Tracing route to 10.7.1.33 over a maximum of 30 hops

  1    57 ms    99 ms    99 ms  dsldevice.lan [192.168.1.254]
  2    10 ms     9 ms     8 ms  lo1.dr5.d12.xs4all.net [194.109.5.219]
  3  0.ge-3-3-0.xr4.1d12.xs4all.net [194.109.7.157]  reports: Destination net unreachable.

Trace complete.


Note: after the most recent reconnection, the IP addresses of the VPN connection remained the same, as did the output of the ipconfig.

Author Comment by:abel (ID: 24328131)

Expert Comment by:lavinpj1 (ID: 24328191)
On your local Windows machine do:

route ADD 10.7.1.0 MASK 255.255.255.0 7.32.140.208 IF 22

On the machine at the far end of the tunnel do:

route ADD 192.168.1.0 MASK 255.255.255.0 7.31.202.115 IF 20004

Phil

Expert Comment by:Qlemo (ID: 24328248)
Did I understand correctly that the VPN is built with TeamViewer itself? Then you won't be able (that easily) to create a route. The remote gateway has to be on a network directly attached - either an address on the LAN, or the VPN tunnel's IP address hence.

Next obstacle is that the remote client does not route. You can change this, but only if TeamViewer creates a real network interface on both sides.

About OpenVPN: The design would have to be to have it run on the DB Server, in a peer-to-peer configuration with static preshared key. Configuration this way is easy, only thing you need is to set up a ping from OpenVPN server to some internet address for leaving the required UDP port open in firewall (if it is not filtered, of course). OpenVPN is able to do that.

Most simple solution would be to start another TeamViewer in VPN mode on the DB server, in unattended mode of course.


Author Comment by:abel (ID: 24328319)
I'll try your new suggestion, Phil.

@Qlemo: the way you put it, it sounds like we are on a treacherous course. Let's call my customer Cust, myself MySelf and the database DB. In layman's terms, if I have a (direct?) connection from MySelf --> Cust, and when Cust has a direct connection through an existing network to DB, i.e. Cust --> DB, then, ergo and addition applied, why can't I do MySelf --> [cust/route] --> DB?

We do not have the possibility to touch the DB server in any way. So our only hope lies in this crappy scenario. I can reach Cust and Cust can reach DB. How can I reach DB without changing the config at DB?

Assisted Solution by:lavinpj1 (earned 250 total points, ID: 24328378)
Don't bother trying what I suggested, it will be fruitless. I assumed that it'd be possible to route over the TeamViewer tunnel, however, judging by what Qlemo said, you can't do this.

One option would be to run a NATd on the remote end of the tunnel, listening on the TeamViewer IP. This could then NAT traffic to the DB box. I assume this is possible with TeamViewer as it's certainly possible with Hamachi.

I don't know of any NATd applications for Windows but someone else/google may be able to help.

Phil

Author Comment by:abel (ID: 24328414)
Just to help me out: what am I searching for? Some software that works as some network address translation daemon? What will it do? Map address X to address Y so that it can be routed?

Accepted Solution by:lavinpj1 (earned 250 total points, ID: 24328423)
http://www.quantumg.net/portforward.php

That one looks ok, but I don't have a Windows machine to try it on/check it can listen on the tunnel interface.

Phil

Author Comment by:abel (ID: 24328442)

Assisted Solution by:lavinpj1 (earned 250 total points, ID: 24328454)
What you'd basically do is have the application listen on port(s) X of the remote machine on the tunnel interface. When connections are received on that interface/port, it will translate them to change the destination address to port(s) Y of the DB machine and forward on the connection.

Phil
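What such a port-forwarding daemon does, as an added example written for this thread (it is not the quantumg tool and not code from either poster): a minimal TCP relay that listens on the tunnel adapter's address, accepts connections only from the other tunnel endpoint (the `allowed_peer` check is an extra restriction assumed here, not something the page says the tool has), and copies bytes both ways to the DB host. The addresses in `demo()` are constructed loopback values and the echo server is a constructed stand-in for the DB listener; on the page the relay would bind the remote PC's tunnel IP 7.32.140.208 and forward to 10.7.1.33.

```python
import socket
import threading
from contextlib import suppress

def _pump(src, dst):
    # Copy bytes one way until EOF, then half-close dst so the EOF propagates.
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _handle(client, target, allowed_peer):
    # Drop anything that did not arrive from the far end of the tunnel.
    if allowed_peer and client.getpeername()[0] != allowed_peer:
        return client.close()
    with client, socket.create_connection(target) as upstream:
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)

def _serve(srv, handler):
    def loop():
        with suppress(OSError):  # ends when the listening socket is closed
            while True:
                conn, _ = srv.accept()
                threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv

def start_forwarder(listen, target, allowed_peer=None):
    # Bind `listen` to the tunnel adapter's IP and a free port, never 0.0.0.0.
    return _serve(socket.create_server(listen), lambda c: _handle(c, target, allowed_peer))

def start_echo_server():
    # Constructed stand-in for the DB listener: it just echoes what it receives.
    def echo(conn):
        with conn:
            _pump(conn, conn)
    return _serve(socket.create_server(("127.0.0.1", 0)), echo)

def demo(payload=b"SELECT 1\r\n", allowed_peer="127.0.0.1"):
    # Push payload through the relay to the fake DB; b"" means the relay refused us.
    db = start_echo_server()
    fwd = start_forwarder(("127.0.0.1", 0), db.getsockname(), allowed_peer)
    reply = b""
    with suppress(OSError), socket.create_connection(fwd.getsockname()) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    for sock in (db, fwd):
        sock.close()
    return reply
```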

Author Comment by:abel (ID: 24328479)
In other words: the Cust pc will act as a middleman which will forward my requests. And I can in fact choose any free port (a specific range that is safe to prevent conflicts?) and forward it to the db port of the db machine. Right?

Assisted Solution by:Qlemo (earned 250 total points, ID: 24328527)
Connections and IP addresses are not transitive: A => B, B => C does not result in A => C (as in maths) ;-)

VPNs like the one with TeamViewer are thought of as a single point of entry into one peer. It would be a severe security break to allow the network to be routed through the VPN without setting some switches on the client side.

Are you able to set a route on your computer to the other network using the virtual IP address of your side of the VPN? If not, we have to leave that path alone.

You could install OpenVPN on that XP machine, set the XP machine in routing mode by changing the registry, set up NAT on XP via netsh, start RRAS on that machine, and it's done :-> !

Author Comment by:abel (ID: 24328579)
> Are you able to set a route on your computer to the other network using the virtual IP address of your side of VPN

Not sure what you mean, but I can access the local databases on my customer's pc. Unfortunately, the "large" back-end databases are on the DB server, which is why this thread was started in the first place.

How can I test that it is "routable"?

> by changing the registry, set up NAT on XP via netsh, start RRAS on that machine, and it's done

Sounds quite complex... and the idea of NAT? Is that a viable, easier solution? We're trying it right now..

Assisted Solution by:Qlemo (earned 250 total points, ID: 24328722)
There is a database server running on the client's machine? What sort? Oracle or MSSQL knowledge here to "hack", if you can live with using database link syntax.

Author Comment by:abel (ID: 24329180)
Ah, that sounds interesting, but I think it is getting closer now.

I just used that NAT tool from lavinpj1, and I can now access through port XX the port of the db server. Using telnet I can see that it is reachable. However, I'm unsure yet whether everything works, because the app is giving weird errors... but I'm gaining...

Expert Comment by:lavinpj1 (ID: 24329402)
That's good. If you can do that, I'm unsure why you can't route it directly, but I guess NAT would be the easiest option here if you just need to access a few services.

If Qlemo is right about TeamViewer having security to stop you (which it appears he isn't) then, as I said, Hamachi will work just as well. I'm not sure how TeamViewer works, however, if one party has the port open (forwarded through NAT), Hamachi will make a p2p connection. This is obviously faster and safer than going through some kind of relay server. TeamViewer may do something similar.

Phil

Author Comment by:abel (ID: 24330340)
Well folks: IT WORKS!

And I'm very glad that you helped me through all this, setting up this application was a nightmare and this was only the last hurdle. Once you have the solution, it looks awkwardly easy, but that's what it always is.

I think a 50-50 share is fair. The solution came from lavinpj1, but much of the understanding and some of the thoughts that led to the solution came from Qlemo. The solution: NAT using that little tool. I assume the same could be achieved by using netsh, but that's an exercise for the reader (not me this time).

-- Abel --

Author Closing Comment by:abel (ID: 31578906)
Thanks ppl, this was a huge learning curve and I'm really very glad it works now. Beer time, cheers!

Expert Comment by:Qlemo (ID: 24330395)
Agreed and points welcome, Thx!