SSLVPN Site-to-Site bridge

Discussion in 'Tomato Firmware' started by reddwarf, Jan 27, 2012.

  1. reddwarf

    reddwarf Networkin' Nut Member

    I was thinking of buying two RT-N16's for the following purpose:
    I work as a contractor all over town and often access the internet at client sites. Some of these sites only allow port 80/443 traffic. I have setup my cisco 5505 for SSLVPN, but I also need to access the office VPN (OpenVPN client on port 1194). I would like to be able to do the following:
    Set up an SSLVPN tunnel from one RT-N16 (client cable/wireless network) to another RT-N16 (at my home). Use it to allow my laptop to plug into the RT-N16 (wired into the WAN port) when onsite at the client's location. Then use the OpenVPN client on my laptop to connect to work through the SSLVPN tunnel established by the two RT-N16's.

    I tried with the Cisco AnyConnect client, but as soon as I start the OpenVPN client the AnyConnect client detects the route change and disconnects.

    Is this idea possible?
  2. reddwarf

    reddwarf Networkin' Nut Member

  3. humba

    humba Network Guru Member

    Why not simply run OpenVPN on port 443 and use TCP as the protocol?
  4. reddwarf

    reddwarf Networkin' Nut Member

    I need to tunnel an IPSEC VPN through an SSL VPN.
    Basically -
    1. PC has an IPSEC VPN client, but wireless only allows web traffic (80,443 after web gateway authentication)
    2. Tunnel a tunnel
    2.A. So if I can get the Asus N12 I install at the client site (via wired wall connection) connecting with SSLVPN to the remote site (home) via the WAN port
    2.B. Connect the client computer to the Asus N12 at the client site via the LAN ports and establish the IPSEC VPN

    (SSLVPN router 1 -- (IPSEC VPN client --> server) --> SSL VPN router 2)
  5. Monk E. Boy

    Monk E. Boy Network Guru Member

    Basically I see it as you @ restricted client site -> SSLVPN Client -> SSLVPN tunnel -> SSLVPN Server -> home network -> IPSEC VPN Client -> IPSEC VPN tunnel -> IPSEC VPN Server -> systems @ office network.

    Only way I can see that working is through static or otherwise preconfigured routes so each hop along the way knows where the traffic should flow to. In both directions! So the client site network (behind the router or whatever) needs to know about the office network and that the next hop to it is the SSLVPN server, or client, depending on the implementation. And then so on up the chain, each time giving it a route to the other network. Then build the routes in reverse.

    Seems like a big headache, I'd probably just SSLVPN into a machine @ home, then use that to build a VPN tunnel to work, and use the machine @ home as an intermediary for file transfers or whatever I wanted to do.
  6. humba

    humba Network Guru Member

    The way I read your post you want the reverse.

    Your PC with IPSec VPN Client <-> Tomato Router 1 (client site) <---- SSL VPN Tunnel ----> Tomato Router 2 (home) <-> Internet <-> IPSEC VPN Concentrator

    Is that about it? If so, there's a simpler way... you leave Tomato Router 2 (your home router), configure OpenVPN using TCP port 443 and TAP, and configure it so that all traffic is routed through your home router; install the OpenVPN client on the PC, establish the OpenVPN connection, and once it is up, your PC has an IP from your home network, from which it can establish outgoing connections to machines of your choosing. Tunnel over tunnel, even from the same machine, is perfectly doable... I do it all the time... VPN into our corporate network, and from there establish a connection to my lab (in my case both are SSL VPNs... the second one being OpenVPN based, the first not).

    If you cannot install OpenVPN on the PC in question, you can still do it. You just configure Tomato Router 1 as a client to connect to Tomato Router 2 - the settings stay the same (so TCP port 443, and TAP). Your PC, connected to the LAN side of Tomato Router 1, will end up being in your home network (IP / routing wise), so you can then connect to any outside system you desire. I've personally done this as well... bridged a network from a lab network @ work to a Tomato Router at home - then attached my PC to the LAN side of the home router and the PC ended up in the lab network.
  7. reddwarf

    reddwarf Networkin' Nut Member

    I am happy to report that this setup worked!!!

    I used an N16 at home as the VPN server - TAP, TCP 443, certificates (which I generated solely on my MacBook Pro - Lion).
    I used an N12 at the remote site as the VPN client - configured to check for specific codes in the certificate, etc... for security.
    Did have to enter the DNS as an external DNS (as I didn't know how to enter a secondary DNS server into the Tomato DHCP server).

    Once on the client's site I plugged the N12 in, WAN to the client connection, LAN to my laptop.
    Once I got a valid IP on the LAN side, I opened Internet Explorer, hit the company web proxy (put in my credentials).
    Went back to the N12 VPN configuration and started the VPN - connected :)

    Traced my routes and all traffic routed through the VPN to my home internet.
    I was then able to start the IPSEC VPN client (OpenVPN as luck would have it - port 1194) on my work laptop and connect to the office.

    Now if I can just figure out how to get the N12 to work on USB power AND connect as a wireless client to a wireless AP (bridge mode maybe? but with DHCP), I would have the perfect secure remote solution for me :)...
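    The following is an added example, not the thread's own configuration and not what Tomato's GUI emits: a standalone OpenVPN 2.x server/client pair expressing the settings humba recommended and reddwarf reported working (TAP, TCP 443, certificates, all client traffic redirected through the home router, and client-side checks on the server certificate). The hostname, LAN subnet, DNS address, certificate paths and the expected server name are assumed placeholders; on the Tomato side the equivalent settings are the "TAP", "TCP", port 443 and "Redirect Internet traffic" options, with the certificates pasted into the Keys tab.

```conf
# ---------- server.conf : home router ("Tomato Router 2") ----------
# Assumed: home LAN is 192.168.1.0/24 with the router at .1, and tap0
# is bridged into that LAN (Tomato does this for a TAP server itself).
proto tcp-server
port 443                          # looks like HTTPS to a port-80/443-only network
dev tap0                          # layer-2: remote clients get a home-LAN address
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
ca   /etc/openvpn/ca.crt          # placeholder paths
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0    # HMAC on the TLS handshake; unsigned packets are dropped
remote-cert-tls client            # only accept certificates issued with the client EKU
push "redirect-gateway def1"      # route all of the client's traffic through the tunnel
push "dhcp-option DNS 9.9.9.9"    # external resolver, as reddwarf did (placeholder address)
keepalive 10 60
persist-key
persist-tun
verb 3

# ---------- client.conf : remote router ("Tomato Router 1") or laptop ----------
client
proto tcp-client
remote home.example.net 443       # placeholder hostname of the home router
dev tap
nobind
resolv-retry infinite
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
tls-auth /etc/openvpn/ta.key 1    # key direction 1 pairs with the server's 0
remote-cert-tls server            # refuse a peer presenting a client certificate as the server
verify-x509-name "home-vpn-server" name   # pin the expected server CN (placeholder)
persist-key
persist-tun
verb 3
```

The two `remote-cert-tls` lines plus `verify-x509-name` are what "check for specific codes in the certificate" amounts to: without them any certificate signed by the CA, including another client's, would be accepted as the server. `tls-auth` additionally keeps unauthenticated clients from reaching the TLS stack at all, which matters when port 443 is exposed to the whole internet. The redirect is pushed from the server rather than repeated on the client, so one setting controls it.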
  8. humba

    humba Network Guru Member

    You'll want to deploy Wireless Bridge mode... see here for details - separate subnet with DHCP just like when you go wired. I'm not convinced you're going to get anywhere with the power situation though - USB provides 500mA, your power brick is a 2A model if I'm not mistaken - plus you need to convert the voltage (USB is 5V, the Asus if I'm not mistaken is 12V - so to get up to 12V you further lose on amperage... so even with the 900mA that USB3 can provide, it still won't get you there).
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    12V @ 2A is 4.8A @ 5V, so you'd need 6 USB3 ports with some crazy 6-into-1 power-combining cable to make it work on USB3, and 10-into-1 for USB2. OTOH they have that 2A "charging mode" for USB2 now, so in theory you'd only need 2 charging ports plus a couple of non-charging ports.

    In other words, it isn't going to happen unless you rig up your own battery pack and regulator circuit.