VpnTonode

VPN from outside the mesh
You can only VPN to a node from the public side if your node is either sat on DMZ on WRT, or ONE-to-ONE IP address on Billion routers/Zyxel. Oh, and don't forget to turn on the VPN pass-through features in your router. What type of tunnel are you trying to build, as the mesh nodes can be funny buggers.

I need to see if I'm missing something obvious here:

I occasionally need to access a device that is inside the mesh (my TiVo box). This device has a web-based front end. If I create a standard VPN connection to the device's local access point, once authenticated I can access that device via its private mesh IP address (192.168...). This is no problem if I am INSIDE the mesh.

However, if I attempt to access the mesh from the outside, I cannot open up a VPN connection. I have attempted to open a VPN connection up to one of my gateways, but that does not seem to work. I'm trying it on a Pro gateway and on an OSS gateway on dev106.

Is anyone doing this? I seem to remember once being able to do this a long time ago, but if that is the case, something has changed either in the software or on my settings.

I know that mapping out an IP address would solve this, but I really do not want to put my TiVo box on the net like that :)

> You can only VPN to a node from the public side if your node is either sat on DMZ on WRT, or ONE-to-ONE IP address on Billion routers/Zyxel. Oh, and don't forget to turn on the VPN pass-through features in your router. What type of tunnel are you trying to build, as the mesh nodes can be funny buggers.

Doesn't have to be one to one IP address mapping, but if you are passing through port 1723 for the PPTP, you have to also make sure that GRE is passed through. However, normally I would pass through all traffic for the meshbox, which is, in effect, one to one mapping, or host mapping.

Some things I did not say - VPN is working perfectly for all outbound connections. What I want to do is be on the outside and VPN to the eth0 port of a meshbox. It seems like this worked with dev76, but that has been almost 2 years ago.

It just sounds like this is something that is no longer an option. I realize that it's rather odd to want to do this anyway! I know without a doubt that setting up host mapping would work - it's just that I don't want this device on the internet... but would rather keep it behind the MeshAP's firewall.

Jon - there is one practical benefit of having this capability - and this might be a good feature to turn on for this reason: Suppose you are outside the mesh and you have a client that has an outdoor receiver that offers web configuration via the wireless interface. The mesh operator could establish a VPN connection to the gateway meshbox first. Then you could ping the remote node to make sure that pathway was opened up. Once open, you could establish a second VPN to the remote node. Once you have a VPN session going at that box, you can access that client device on his wireless interface, using the 192.168.cell id one.x IP address in your browser.

> You can only VPN to a node from the public side if your node is either sat on DMZ on WRT, or ONE-to-ONE IP address on Billion routers/Zyxel. Oh, and don't forget to turn on the VPN pass-through features in your router. What type of tunnel are you trying to build, as the mesh nodes can be funny buggers.

> I need to see if I'm missing something obvious here:
>
> I occasionally need to access a device that is inside the mesh (my TiVo box). This device has a web-based front end. If I create a standard VPN connection to the device's local access point, once authenticated I can access that device via its private mesh IP address (192.168...). This is no problem if I am INSIDE the mesh.
>
> However, if I attempt to access the mesh from the outside, I cannot open up a VPN connection. I have attempted to open a VPN connection up to one of my gateways, but that does not seem to work. I'm trying it on a Pro gateway and on an OSS gateway on dev106.
>
> Is anyone doing this? I seem to remember once being able to do this a long time ago, but if that is the case, something has changed either in the software or on my settings.
>
> I know that mapping out an IP address would solve this, but I really do not want to put my TiVo box on the net like that :)

> Some things I did not say - VPN is working perfectly for all outbound connections. What I want to do is be on the outside and VPN to the eth0 port of a meshbox. It seems like this worked with dev76, but that has been almost 2 years ago.

I do this all the time - I do not think that it is a limitation of the meshbox, but rather to do with the way you have your meshbox connected to the net. I have done it on dev 105, and pro.

> It just sounds like this is something that is no longer an option. I realize that it's rather odd to want to do this anyway! I know without a doubt that setting up host mapping would work - it's just that I don't want this device on the internet... but would rather keep it behind the MeshAP's firewall.

The problem is how the router you are going through deals with PPTP connections. In particular, as well as TCP on port 1723, you also have to have a GRE connection which is protocol 47. If your router is doing NAT, you have to make sure that the GRE protocol is also forwarded for the PPTP to work. This is why it is easier if you pass everything for one address through to the meshbox.

To verify this, stick the meshbox on an external IP address directly, with no NAT or firewalls, and then connect to it from outside.
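The two replies above make the same point: PPTP is not a single port. The client's control connection is TCP/1723, and the tunnel itself is GRE (IP protocol 47), so a NAT router that forwards only 1723 produces the symptom described in this thread: the VPN authenticates and then carries nothing. One way to tell the two failure modes apart from the gateway's own firewall log, as an added example that is not code from the mesh project or anyone in this thread: it assumes the gateway logs both accepted and dropped packets with netfilter's LOG target using a prefix that contains ACCEPT or DROP, and the log lines it runs over are constructed, not captured traffic.

```python
"""Classify netfilter LOG lines to tell a PPTP control-channel problem
from a GRE (IP protocol 47) problem.

Added example for this thread, not code from the mesh project. It
assumes the gateway's firewall logs both accepted and dropped packets
with `iptables -j LOG` using a prefix containing ACCEPT or DROP; the
sample log lines below are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

PPTP_PORT = 1723     # PPTP control connection, TCP
GRE_PROTO = "47"     # netfilter prints non-TCP/UDP/ICMP protocols numerically

# The log prefix sits between "kernel:" and the first "IN=" field.
_PREFIX = re.compile(r"kernel:\s+(?P<prefix>\S+)\s+IN=")
# The KEY=VALUE fields we need; flag words such as SYN carry no "=".
_FIELD = re.compile(r"\b(?P<k>SRC|DST|PROTO|DPT)=(?P<v>\S*)")


@dataclass
class Packet:
    verdict: str          # "ACCEPT", "DROP" or "UNKNOWN", taken from the prefix
    src: str
    dst: str
    proto: str            # "TCP", "UDP", "ICMP" or a number such as "47"
    dpt: Optional[int]    # destination port for TCP/UDP, else None


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a netfilter LOG line, or None for any other line."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    prefix = m.group("prefix").upper()
    if "DROP" in prefix:
        verdict = "DROP"
    elif "ACCEPT" in prefix:
        verdict = "ACCEPT"
    else:
        verdict = "UNKNOWN"
    fields = {k: v for k, v in _FIELD.findall(line)}
    dpt_raw = fields.get("DPT", "")
    dpt = int(dpt_raw) if dpt_raw.isdigit() else None
    return Packet(verdict, fields.get("SRC", ""), fields.get("DST", ""),
                  fields.get("PROTO", ""), dpt)


def diagnose(lines: Iterable[str]) -> Dict[str, object]:
    """Count PPTP-relevant packets per verdict and name the failure mode."""
    counts = {"control_accept": 0, "control_drop": 0,
              "gre_accept": 0, "gre_drop": 0}
    for line in lines:
        p = parse_line(line)
        if p is None or p.verdict == "UNKNOWN":
            continue
        if p.proto == "TCP" and p.dpt == PPTP_PORT:
            kind = "control"
        elif p.proto == GRE_PROTO:
            kind = "gre"
        else:
            continue          # unrelated traffic (DNS, web, ...)
        counts[f"{kind}_{p.verdict.lower()}"] += 1

    if counts["control_accept"] == 0 and counts["control_drop"] > 0:
        verdict = "control-channel-blocked"
        advice = "TCP/1723 is being dropped; nothing works until it reaches the VPN host."
    elif counts["control_accept"] > 0 and counts["gre_accept"] == 0 and counts["gre_drop"] > 0:
        verdict = "gre-blocked"
        advice = ("TCP/1723 gets through but IP protocol 47 (GRE) is dropped: the client "
                  "authenticates and then hangs. Forward/allow protocol 47 to the same "
                  "host as port 1723.")
    elif counts["control_accept"] > 0 and counts["gre_accept"] > 0:
        verdict = "pass-through-ok"
        advice = "Both the control channel and GRE reach the VPN host."
    else:
        verdict = "inconclusive"
        advice = "No PPTP traffic seen; check that the LOG rules are in place."
    return {**counts, "verdict": verdict, "advice": advice}


# Constructed sample: one client (203.0.113.5) reaches the gateway's public
# address 192.0.2.10 on TCP/1723, after which its GRE packets are dropped.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=47
Mar  3 10:15:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=47
Mar  3 10:15:04 gw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
"""

if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG.splitlines())
    print(result["verdict"])   # gre-blocked
    print(result["advice"])
```

Run it against `/var/log/kern.log` (or wherever the gateway's kernel messages land) instead of the constructed sample; a `gre-blocked` verdict means the upstream router or firewall is the problem, not the meshbox, which is exactly the distinction the thread is trying to make.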

I don't know what I can be missing...

The Pro GW and the OSS GW boxes are not behind routers... they have real-world static IPs and are right on our T-1s - so no blocked ports to worry about. I have access to a Windows computer at work, and I tried it and got the same results. I thought at first it might be one of those weird Apple computer issues, as that is what I use at home.

Adrian - is there anything you can think of that you are doing that deviates from the instructions in the Wiki? I feel kind of foolish, as I helped write the Mac portion of the Wiki instructions :)

>> You can only VPN to a node from the public side if your node is either sat on DMZ on WRT, or ONE-to-ONE IP address on Billion routers/Zyxel. Oh, and don't forget to turn on the VPN pass-through features in your router. What type of tunnel are you trying to build, as the mesh nodes can be funny buggers.

>> I need to see if I'm missing something obvious here:
>>
>> I occasionally need to access a device that is inside the mesh (my TiVo box). This device has a web-based front end. If I create a standard VPN connection to the device's local access point, once authenticated I can access that device via its private mesh IP address (192.168...). This is no problem if I am INSIDE the mesh.
>>
>> However, if I attempt to access the mesh from the outside, I cannot open up a VPN connection. I have attempted to open a VPN connection up to one of my gateways, but that does not seem to work. I'm trying it on a Pro gateway and on an OSS gateway on dev106.
>>
>> Is anyone doing this? I seem to remember once being able to do this a long time ago, but if that is the case, something has changed either in the software or on my settings.
>>
>> I know that mapping out an IP address would solve this, but I really do not want to put my TiVo box on the net like that :)