Solved

Site-to-site VPN tunnel with no public IP

Posted on 2013-11-14
1,325 Views
Last Modified: 2013-11-18
This is not a specific issue, but rather a technical question about a hypothetical VPN scenario for a possible solution.

We have two locations, but unfortunately only one has a public IP, so we cannot establish a classic site-to-site VPN tunnel between them.

What we had in mind was for one location to establish a VPN tunnel with a software client to the other location's public VPN server address, keeping this tunnel open by sending traffic from the client.

However, sometimes we would also need to initiate traffic from the VPN server location to the client location, essentially using the existing tunnel to initiate traffic in the opposite direction. Is this possible?
Question by: AndersBiro
9 Comments
Expert Comment by: carlmd (ID: 39647553)
It is possible to do this with Sonicwalls. You don't mention what hardware you have, so consider the following link an example of how it is done with Sonicwalls.

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=4834

Author Comment by: AndersBiro (ID: 39647596)
Thanks for the suggestion. In this case we will most likely not deal with SonicWall firewalls but rather an OpenVPN solution, but perhaps this offers similar functionality?
Expert Comment by: carlmd (ID: 39647627)
A quick bit of research seems to indicate that OpenVPN can be configured with one or both IPs as dynamic addresses.

Author Comment by: AndersBiro (ID: 39651022)
That is very interesting. Would this also apply to an OpenVPN server end-node being on a local NAT IP behind another firewall, or does it have to be a dynamic public IP?
Expert Comment by: carlmd (ID: 39651049)
If I understand your question, "another firewall" would be the fixed or dynamic IP that you used for OpenVPN. That firewall would require rules to pass the VPN connection through to the device behind the firewall. If configured properly, I expect that it would work.

However, why not just make the tunnel to the firewall itself (most would support this), and then allow access to the LAN from there?

Author Comment by: AndersBiro (ID: 39651068)
Well, to be more specific, the thing of interest is to get two machines to communicate in a secure tunnel through the internet.

The first machine resides behind a firewall but has the benefit of being mappable to a public IP, and so it can be set up with an IPsec server service that is accessible from the internet.

The second machine, however, resides on a local IP without the option of mapping to a public IP, so it can only initiate outgoing traffic but not receive incoming traffic like the first one.

The idea is to set up a VPN tunnel using IPsec on both machines, and keep a persistent tunnel for communication.

The second machine can easily initiate traffic to the first with the public IP, but the question is whether the first machine would also be able to initiate traffic to the local IP using the tunnel.

I hope this makes sense; otherwise let me know. We unfortunately do not have access to the firewall for the second machine, only to the one for the first machine with the public NAT IP.
Expert Comment by: carlmd (ID: 39651115)
If you cannot modify the firewall settings then you will probably have to initiate the VPN tunnel from the system behind it. Typically a firewall will permit the response to traffic (no rules) initiated from the LAN. Depending upon the firewall and configuration, this may or may not be true in your case. I would ask whoever is responsible for the firewall whether they expect such a setup would work in your case.

You say the second system is on a local IP; is this physically at the same location as the first? Perhaps a diagram of the setup would help. You say it can only initiate outgoing traffic and not receive incoming traffic. Why is this (what configuration is restricting this)?

If the second system cannot receive traffic, and the firewall at the first cannot be modified to accept and pass traffic from the second, then we are kind of at a standstill. It would seem that neither system would be able to initiate the tunnel.

Author Comment by: AndersBiro (ID: 39656094)
Hello, I am afraid I cannot provide a diagram, but I can try to give a more thorough description:

Machine 1 resides at a location with a local IP behind a firewall. We do have control of this particular firewall, so it can be SAT configured to respond on a public IP that is redirected to the local IP of the machine.

This machine can hence be set up as an IPsec server that can respond to requests from the internet.

The second machine resides at a different, independent location with a local IP behind a firewall, but that firewall cannot be configured.

It is therefore possible to initiate traffic from machine 2 to the IPsec server residing at machine 1, but not the other way around, since machine 2 does not have a public IP.

Have I understood it correctly that machine 2 can still initiate a site-to-site VPN tunnel to machine 1 despite not having a public IP as long as machine 1 has one?

The idea is that this tunnel should be persistent, so that machine 1 is able to initiate traffic to machine 2 using the tunnel IP?

Does this make more sense, and is it feasible?
Accepted Solution by: carlmd (earned 500 total points; ID: 39656120)
Makes sense and is feasible! Machine 2 can initiate the tunnel to a fixed IP. How to do it will depend on the VPN software, but if you plan to use OpenVPN it appears well documented.
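As an added example (not part of the thread, and not taken from OpenVPN's own documentation), here is one OpenVPN layout for the setup the thread converges on: machine 2, with no public IP and an unchangeable firewall, always dials out to machine 1, and machine 1 then initiates connections to machine 2 through the established tunnel. It also illustrates carlmd's earlier point about stateful firewalls: the periodic keepalive pings from the client are what keep site 2's outbound NAT/firewall state entry alive, so machine 1's traffic always arrives as a "response" to an existing flow. All names and addresses are assumptions chosen for the example: the public name `vpn.example.net`, the tunnel network 10.8.0.0/24, the LAN behind machine 2 (192.168.2.0/24), the certificate common name `machine2`, and the PKI file names.

```conf
# --- server.conf on machine 1 (behind the firewall whose SAT/port-forward
#     rule sends UDP 1194 from the public IP to this host) ---
# Assumptions (not from the thread): public name vpn.example.net, tunnel
# network 10.8.0.0/24, machine 2's LAN 192.168.2.0/24, PKI files already issued.
port 1194
proto udp
dev tun
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
# Hand out tunnel addresses from 10.8.0.0/24; "topology subnet" gives each
# client a single /24 address instead of a /30 pair.
server 10.8.0.0 255.255.255.0
topology subnet
# Ping every 10 s and declare the peer dead after 60 s of silence (the server
# pushes the same values to clients). These pings keep the NAT/firewall state
# entry at site 2 alive, so traffic from machine 1 keeps matching a flow that
# site 2's firewall saw machine 2 open.
keepalive 10 60
persist-key
persist-tun
# Per-client settings live in ccd/<common-name>; machine 2 gets a fixed
# tunnel IP there so machine 1 can always address it.
client-config-dir ccd
# Kernel route for machine 2's LAN via the tun interface (only needed if
# hosts behind machine 2, not just machine 2 itself, should be reachable).
route 192.168.2.0 255.255.255.0
# Require the client's certificate to carry client key usage, so a server
# certificate issued by the same CA cannot be presented as a client.
remote-cert-tls client
verb 3

# --- ccd/machine2 on machine 1 (file name = CN of machine 2's certificate) ---
ifconfig-push 10.8.0.10 255.255.255.0
# iroute tells OpenVPN's internal routing table which client owns that LAN;
# without it the kernel route above has no client to deliver packets to.
iroute 192.168.2.0 255.255.255.0

# --- client.conf on machine 2 (no public IP, cannot change its firewall) ---
client
dev tun
proto udp
# Only outbound connections are possible from site 2, so machine 2 always dials.
remote vpn.example.net 1194
# Do not bind a fixed local port; let the NAT device pick the source port.
nobind
# Retry name resolution and connection forever, so the tunnel comes back
# after an outage without anyone touching the box.
resolv-retry infinite
persist-key
persist-tun
ca   ca.crt
cert machine2.crt
key  machine2.key
# Refuse to complete the handshake with anything that is not a server
# certificate from our CA (protects against a stolen client cert posing as
# the server).
remote-cert-tls server
verb 3
```

Once machine 2 has connected, machine 1 can open connections to 10.8.0.10 (or to 192.168.2.0/24 via the `iroute`) exactly as if machine 2 were directly reachable; no inbound rule at site 2 is ever needed, because every packet rides the session machine 2 opened. The security-relevant checks are on machine 1: it is the only host exposed on the public IP, so it should accept nothing but certificate-authenticated clients from its own CA (the `ca`, `remote-cert-tls` and per-client `ccd` entries above), and the firewall SAT rule should forward only UDP 1194.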