Running VPN server behind router
OK, I decided that I just have to have VPN access to the home network while I'm out on the road.
The first thing that caught my eye was the Linksys WRV54G wireless router. It features a built in IPSec VPN appliance, and a really simple free VPN client for the remote machine. For $120, how could I go wrong?
Now I know.
I am now able to call myself the latest member of the large group of people who have discovered that this thing is a completely useless POS. Getting it to actually set up a VPN connection is only a little less reliable than most schemes for picking winning lottery numbers. The only good news is that it's still a little better than Linksys' tech support, which is three giant steps past worthless.
Having given up on that, I resolved to just set up a PPTP VPN server on the Windows XP box that acts as a server for a bunch of other things.
I was able to get the server up and running fairly easily, but now I have a port forwarding issue that I'm hoping some of the resident gurus can help sort out. Here's the story:
1) If I try to connect from within the LAN, the client connects with no problems.
2) If I place the VPN server in the DMZ (I twitch just saying that), I'm able to connect to it from the WAN side, with no problems.
3) I cannot connect to it from the WAN side when the machine is on the LAN side, but not in the DMZ.
4) I have forwarded Port 1723 to the VPN server, and have enabled PPTP (as well as L2TP and IPSec) passthrough on the router.
Obviously I am having a problem with passing the VPN traffic to the server on the LAN side, but I am at a loss as to how to resolve it. A little searching on Google makes it look like I'm not the first to run into this.
I really don't want to put the server in the DMZ, there's just too much good stuff on it to feel good about leaving it fully exposed. I could build another dedicated box just to host the VPN login, but that seems like overkill.
I'm open to any input or suggestions...
Thanks in advance!
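Added example, not from this thread or any of its posters: a small Python model of the three situations the original post describes (server on the LAN, server as DMZ host, server behind a TCP/1723 port forward). It assumes only the protocol facts that PPTP uses TCP port 1723 for its control channel and GRE (IP protocol 47) for the tunnel itself. The router behaviour is a simplified construct: a DMZ host receives every inbound protocol, a port forward delivers only the protocol/port pair it names, and the "VPN passthrough" switch is modelled as helping outbound clients only. The server address, the rule sets and the `Router` and `Flow` classes are all constructed for the example.

```python
"""Model why a PPTP server behind a home NAT router is reachable from the WAN
as the DMZ host but not when only TCP/1723 is forwarded to it.

Added example; assumes only that PPTP needs TCP/1723 (control) plus
GRE, IP protocol 47 (tunnel). The router model is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TCP, GRE = 6, 47           # IP protocol numbers
PPTP_PORT = 1723
SERVER = "192.168.1.10"    # constructed LAN address of the PPTP server


@dataclass(frozen=True)
class Flow:
    """One inbound flow from the WAN, identified by protocol and (if any) port."""
    proto: int
    dport: Optional[int] = None   # None for port-less protocols such as GRE


@dataclass
class Router:
    """Constructed model of a consumer router's inbound handling."""
    dmz_host: Optional[str] = None
    # (proto, dport) pairs forwarded to SERVER; GRE is (47, None)
    forwards: Set[Tuple[int, Optional[int]]] = field(default_factory=set)
    # Assumption of this model: the passthrough switch only helps clients
    # *behind* the router reach an outside VPN; it forwards nothing inbound.
    vpn_passthrough: bool = True

    def inbound_target(self, flow: Flow) -> Optional[str]:
        """LAN host an unsolicited WAN packet is delivered to, or None if dropped."""
        if (flow.proto, flow.dport) in self.forwards:
            return SERVER
        if self.dmz_host:
            return self.dmz_host        # DMZ host gets every protocol, GRE included
        return None


def pptp_flows() -> List[Flow]:
    """The two inbound flows a PPTP session needs to reach the server."""
    return [Flow(TCP, PPTP_PORT), Flow(GRE)]


def pptp_reachable(router: Router) -> Dict[str, bool]:
    """Per-component verdict; both must be True for a session to come up."""
    control, tunnel = pptp_flows()
    return {
        "tcp_1723": router.inbound_target(control) == SERVER,
        "gre": router.inbound_target(tunnel) == SERVER,
    }


def diagnose(router: Router) -> str:
    """Summarise the verdict: 'ok' or 'blocked: <missing components>'."""
    verdict = pptp_reachable(router)
    if all(verdict.values()):
        return "ok"
    missing = [name for name, ok in verdict.items() if not ok]
    return "blocked: " + ", ".join(missing)


if __name__ == "__main__":
    cases = {
        "server in DMZ": Router(dmz_host=SERVER),
        "forward TCP/1723 only": Router(forwards={(TCP, PPTP_PORT)}),
        "forward TCP/1723 + GRE": Router(forwards={(TCP, PPTP_PORT), (GRE, None)}),
    }
    for name, router in cases.items():
        print(f"{name:24s} -> {diagnose(router)}")
```

Run as a script it prints one verdict per scenario. The check worth carrying over to a real router is whether GRE, not only TCP/1723, is being delivered to the server; forwarding just those two is the smallest exposure PPTP needs, compared with placing the whole host in the DMZ.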
I've got a suggestion. Take the Linksys POS and trash it.
There are a couple of decent solutions. One, pick up a Cisco Pix (501 or 506, for instance) and use one of those.
Or, my preference would be to grab an old box (P2-class should be more than enough), load it up with NICs, and run IPCop. There are road-warrior configurations using OpenVPN or OpenSWAN IPsec supported natively, you get a good graphical interface, and it's a Real Firewall.
I've got a P3/866 with 512MB RAM and 5 NICs (LAN 1, LAN 2, DMZ, "contaminated", WAN) running IPCop now with excellent success. It's also got about 2 dozen VPN tunnels up constantly. Everything is 100Base-TX (outbound connectivity is a 6Mbps ADSL) but will probably be 1000Base-TX sooner or later (moving stuff from my 3TB array is pretty slow over 100Mbit).
escomm wrote: Er, Linksys is a Cisco product.
No, Linksys is a division of Cisco. Show me a Linksys product that will take the place of my ASA5520s or Catalyst 3750G-48ESs, then we'll talk. Until then, Linksys is a toy when it comes to real networking. That's why Linksys still has their own brand, packaging, website, etc.
Another possibility...
Another solution, if Cisco is not to your liking, is to pick up a similar firewall appliance such as the Zyxel ZyWall-5, or perhaps you could scour the Dreaded Auction Pit for an old Watchguard Firebox II.
I've been using the latter for years. It works great! I've got full and secure access to our LAN no matter where I VPN in from, and setup was relatively painless.
For the record: I would never trust any Windows-based product, especially not X(tra)P(ain), to do something as sensitive as VPN serving. If you're serious about letting a behind-the-firewall computer do it, you would do far better to set it up on FreeBSD or some similar Unix-type OS.
Happy tweaking.
Bruce Lane, KC7GR
"Raf tras spintern. Raf tras spoit."
Re: Another possibility...
kc7gr wrote: Another solution, if Cisco is not to your liking, is to pick up a similar firewall appliance such as the Zyxel ZyWall-5, or perhaps you could scour the Dreaded Auction Pit for an old Watchguard Firebox II.
Just, please, don't buy anything that says SonicWALL on it.
Re: Another possibility...
kc7gr wrote: Another solution, if Cisco is not to your liking, is to pick up a similar firewall appliance such as the Zyxel ZyWall-5, or perhaps you could scour the Dreaded Auction Pit for an old Watchguard Firebox II.
tvsjr wrote: Just, please, don't buy anything that says SonicWALL on it.
No argument there! SonicWall is even worse than Watchguard for trying to nickel-and-dime their buyers to death.
FWIW: I've had really good results with Zyxel's early stuff as well. My first firewall/router, prior to getting the Watchguard, was a Zyxel Prestige 312. No VPN capability, but boy did it do a good job of protecting my LAN!
Happy hunting.
Bruce Lane, KC7GR
"Raf tras spintern. Raf tras spoit."
There was a firmware glitch in either 2.x or 3.x that prevented PPTP from passing through even though it was enabled in the configuration. Well, that was in the WRT54G boxes; I assume they made the same mistake across the board.
I updated my firmware and can connect to my office. It would probably block on inbound connections too.
rrfd43
I had the same problem with the PPTP passthrough on the WRT54G. It would be seen fine on the LAN, but not the WAN. A firmware flash and a port forward to the proper IP address made it all work.
I did note one thing: on the computer I connect FROM (client), in the Windows VPN connection's network connection settings, Networking tab, Internet Protocol (TCP/IP), Properties, Advanced, untick "Use default gateway on remote network". I could not make the connection on the client computer if this was ticked.