Site-to-site VPN tunnel with no public IP

Posted on 2013-11-14
Medium Priority
Last Modified: 2013-11-18
This is not a specific issue, but rather a technical question about a hypothetical VPN scenario for a possible solution.

We have two locations, but unfortunately only one has a public IP, so we cannot establish a classic site-to-site VPN tunnel between them.

What we had in mind was for one location to establish a VPN tunnel by a software client to the other with the public VPN server address, keeping this tunnel open by sending traffic from the client.

However, sometimes we would also need to initiate traffic from the VPN server location to the client location, essentially using the existing tunnel to initiate traffic in the opposite direction. Is this possible?
Question by: AndersBiro
LVL 20

Expert Comment

ID: 39647553
It is possible to do this with Sonicwalls. You don't mention what hardware you have, so consider the following link an example of how it is done with Sonicwalls.


Author Comment

ID: 39647596
Thanks for the suggestion. In this case we will most likely not deal with SonicWall firewalls but rather an OpenVPN solution, but perhaps this offers similar functionality?
LVL 20

Expert Comment

ID: 39647627
A quick bit of research seems to indicate that OpenVPN can be configured with one or both IPs as dynamic addresses.


Author Comment

ID: 39651022
That is very interesting. Would this also apply to an OpenVPN server end-node being on a local NAT IP behind another firewall, or does it have to be a dynamic public IP?
LVL 20

Expert Comment

ID: 39651049
If I understand your question, "another firewall" would be the fixed or dynamic IP that you used for OpenVPN. That firewall would require rules to pass the VPN connection through to the device behind the firewall. If configured properly I expect that it would work.

However, why not just make the tunnel to the firewall itself (most would support this), and then allow access to the LAN from there?

Author Comment

ID: 39651068
Well, to be more specific the thing of interest is to get two machines to communicate in a secure tunnel through the internet.

The first machine resides behind a firewall but has the benefit of being mappable to a public IP, and so it can be set up with an IPSec server service that is accessible from the internet.

The second machine does, however, reside on a local IP with no option of mapping to a public IP, so it can only initiate outgoing traffic but not receive incoming traffic like the first one.

The idea is to set up a VPN tunnel using IPSec on both machines, and keep a persistent tunnel for communication.

The second machine can easily initiate traffic to the first with the public IP, but the question is whether the first machine should also be able to initiate traffic over the tunnel to the local IP.

I hope this makes sense; otherwise let me know. We unfortunately do not have access to tamper with the firewall for the second machine, only the one for the first machine with the public NAT IP.
LVL 20

Expert Comment

ID: 39651115
If you cannot modify the firewall setting then you will probably have to initiate the VPN tunnel from the system behind it. Typically a firewall will permit the response to traffic (no rules) initiated from the LAN. Depending upon the firewall and configuration, this may or may not be true in your case. I would ask whomever is responsible for the firewall if they expect such would work in your case.

You say the second system is on a local IP; is this physically at the same location as the first? Perhaps a diagram of the setup would help. You say it can only initiate outgoing traffic and not receive incoming traffic. Why is this (what configuration is restricting this)?

If the second system cannot receive traffic, and the firewall at the first cannot be modified to accept and pass traffic from the second, then we are kind of at a standstill. It would seem that neither system would be able to initiate the tunnel.

Author Comment

ID: 39656094
Hello, I am afraid I cannot provide a diagram but I can try to give a more thorough description:

Machine 1 resides on a location with local IP behind a firewall, we do have control of this particular firewall so it can be SAT configured to respond to a public IP that is redirected to the local IP of the machine.

This machine can hence be set up as an IPSEC server that can respond to the requests from the internet.

The second machine resides at a different, independent location with a local IP behind a firewall, but that firewall cannot be configured.

It is therefore possible to initiate traffic from machine 2 to the IPSEC server residing at machine 1, but not the other way around since machine 2 does not have a public IP.

Have I understood it correctly that machine 2 can still initiate a site-to-site VPN tunnel to machine 1 despite not having a public IP as long as machine 1 has one?

The idea is that this tunnel should be persistent, and so machine 1 should be able to initiate traffic to machine 2 using the tunnel IP?

Does this make more sense, and is it feasible?
LVL 20

Accepted Solution

carlmd earned 2000 total points
ID: 39656120
Makes sense and is feasible! Machine 2 can initiate the tunnel to a fixed IP. How to do it will depend on the VPN software, but if you plan to use OpenVPN it appears well documented.
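As an added example (not part of the thread and not from any OpenVPN documentation) of what the accepted approach looks like in OpenVPN terms: machine 1 runs the server behind the firewall that can be configured (a single inbound UDP port forward), machine 2 runs the client and only ever sends outbound traffic, and the server is told how to reach machine 2's LAN so that machine 1 can originate connections through the tunnel. All subnets, host names, file names and the client certificate name `site2` are constructed for the example.

```conf
# ---------- machine 1: server.conf (site 1, has a forwarded public IP) ----------
port 1194
proto udp
dev tun
topology subnet

# Tunnel address pool; the server takes 10.8.0.1 (constructed example subnet)
server 10.8.0.0 255.255.255.0

# Certificates and keys (hypothetical file names); tls-crypt rejects unauthenticated
# packets before the TLS handshake, so the forwarded port only answers real clients
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/site1.crt
key  /etc/openvpn/site1.key
dh   /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/tc.key

# Tell the client how to reach site 1's LAN (constructed subnet)
push "route 192.168.1.0 255.255.255.0"

# Kernel route on machine 1 for site 2's LAN, pointing into the tunnel interface.
# This is what lets machine 1 *initiate* traffic toward site 2.
route 192.168.2.0 255.255.255.0

# Per-client settings live in ccd/<certificate CN>; see the site2 file below
client-config-dir /etc/openvpn/ccd

# Ping every 10 s, declare the peer dead after 60 s. The pings also keep the
# NAT/firewall state at site 2 alive, which is what makes server-initiated
# traffic deliverable at all: without periodic client traffic the outbound
# mapping would expire and machine 1 would have no path until the next ping.
keepalive 10 60

persist-key
persist-tun
user nobody
group nogroup
verb 3

# ---------- machine 1: /etc/openvpn/ccd/site2 ----------
# iroute tells the OpenVPN daemon (not the kernel) which client owns 192.168.2.0/24,
# so packets the server receives for that subnet are sent to this client.
iroute 192.168.2.0 255.255.255.0
# Fixed tunnel address so machine 1 can address machine 2 reliably
ifconfig-push 10.8.0.2 255.255.255.0

# ---------- machine 2: client.conf (site 2, local IP only, outbound traffic only) ----------
client
dev tun
proto udp
# Public address forwarded to machine 1 (hypothetical host name)
remote vpn.site1.example.com 1194
# Keep retrying the DNS lookup and the connection forever; the tunnel is meant to be persistent
resolv-retry infinite
nobind
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/site2.crt
key  /etc/openvpn/site2.key
tls-crypt /etc/openvpn/tc.key
# Refuse to talk to anything that does not present a server certificate
remote-cert-tls server
verb 3
```

The only firewall change required is at site 1: forward UDP/1194 to machine 1. Site 2's firewall sees nothing but an outbound UDP session from machine 2, and the `keepalive` traffic prevents that session's NAT entry from timing out between the bursts of traffic machine 1 originates. For the LANs behind each machine to be reachable (rather than only the tunnel addresses 10.8.0.1 and 10.8.0.2), IP forwarding has to be enabled on both machines and the hosts on each LAN need a route for the other site's subnet via the machine running OpenVPN.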
