uk.telecom.broadband (UK broadband) (uk.telecom.broadband) Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

NAT friendly VPN

  #1  
Old October 8th 12, 01:09 AM posted to uk.telecom.broadband
Theo Markettos
external usenet poster
 
Posts: 539
Default NAT friendly VPN

Can anyone recommend a good VPN protocol? Specifically I want something
that:

a) works through NAT (potentially double NAT) where I have no control over
the NAT server (no port forwarding possible)

b) allows inbound connections from the VPN to a box behind NAT

c) is resistant to a hostile NAT (eg one that drops connections after
they've been idle for 30 seconds)


As you might guess, I'm trying to do VPN over mobile networks which often
have nasty carrier-grade NAT, and I want to be able to login to devices that
are behind such networks. I had a go with PPTP, for example, which works
nicely but any inbound connections are blocked by the NAT. I can control
the software on both sides of the links, so setting options to the VPN (like
keepalives) isn't a problem. Primary platform is Linux, but others are also
useful.

Thanks
Theo
(who is very much looking forward to IPv6)
  #2  
Old October 8th 12, 10:25 AM posted to uk.telecom.broadband
Graham J

Theo Markettos wrote:
> Can anyone recommend a good VPN protocol? Specifically I want something
> that:
>
> a) works through NAT (potentially double NAT) where I have no control over
> the NAT server (no port forwarding possible)
>
> b) allows inbound connections from the VPN to a box behind NAT
>
> c) is resistant to a hostile NAT (eg one that drops connections after
> they've been idle for 30 seconds)
>
> As you might guess, I'm trying to do VPN over mobile networks which often
> have nasty carrier-grade NAT, and I want to be able to login to devices that
> are behind such networks. I had a go with PPTP, for example, which works
> nicely but any inbound connections are blocked by the NAT. I can control
> the software on both sides of the links, so setting options to the VPN (like
> keepalives) isn't a problem. Primary platform is Linux, but others are also
> useful.


I don't think there is a good VPN solution to this.

If the remote device is a desktop computer, then set it up with LogMeIn
or an equivalent - that way it invokes an outgoing connection so it
should get out through any NAT and most port filtering.

I have this working where the remote connection connects to the internet
via satellite. The reason most VPNs fail in this case is the excessive
round-trip delay.

If the remote device is not a desktop computer (perhaps it only offers
telnet), then do you have a PC or similar on the same LAN behind the
mobile network and NAT? In which case use that to communicate with the
device.

Perhaps you might tell us more about the equipment and why you want to
do this. It may be that the equipment can be connected to a landline
based network over which you have full control at least often enough for
you to do whatever needs to be done.

--
Graham J



  #3  
Old October 8th 12, 11:23 AM posted to uk.telecom.broadband
Roger

On 08 Oct 2012 00:09:19 +0100 (BST), Theo Markettos wrote:

> Can anyone recommend a good VPN protocol? Specifically I want something
> that:
>
> a) works through NAT (potentially double NAT) where I have no control over
> the NAT server (no port forwarding possible)
>
> b) allows inbound connections from the VPN to a box behind NAT
>
> c) is resistant to a hostile NAT (eg one that drops connections after
> they've been idle for 30 seconds)


The above sounds like the sort of conditions that SIP has to
deal with. Look at the ways that are used for that and see if
they can be used for VPN.
--
Roger
  #4  
Old October 8th 12, 11:10 PM posted to uk.telecom.broadband
Theo Markettos

Graham J [email protected] wrote:
> Perhaps you might tell us more about the equipment and why you want to
> do this. It may be that the equipment can be connected to a landline
> based network over which you have full control at least often enough for
> you to do whatever needs to be done.


I want to do remote management of a network (of random machines) in a
location I will only have one opportunity to visit. There's nobody I can
ask to run LogMeIn/etc. So the plan is to deploy a wireless router running
Linux (OpenWRT maybe?) to be the VPN endpoint. That router will be behind
the site 3G NAT router, and that's behind the telco's network NAT. The
other VPN endpoint will be a VPS somewhere (global static IP, no NAT, nice and
simple). I can then SSH into the wireless router over the VPN and do
anything I need to to machines on the network.

The suggestion of borrowing ideas from SIP is a good one:
http://www.voip-info.org/wiki/view/VOIP+and+VPN
suggests that a TCP-based VPN might do the trick - eg OpenVPN or Stunnel

Theo
  #5  
Old October 8th 12, 11:34 PM posted to uk.telecom.broadband
alexd

Theo Markettos (for it is he) wrote:

> Can anyone recommend a good VPN protocol? Specifically I want something
> that:
>
> a) works through NAT (potentially double NAT) where I have no control over
> the NAT server (no port forwarding possible)


In what direction? You're not going to be able to run any services unless
either or both end can listen on a public IP for the other to connect to,
unless you have a third party that can listen for both of you, through which
you connect. I'm sure you know this.

> b) allows inbound connections from the VPN to a box behind NAT


Seems like a bit of an obvious requirement so I must be missing something.

I think you need to clarify, who's behind the NAT? Who isn't? If
everything is behind NAT, then you're going to need another bit of kit with
a public IP address to which everything else connects. This can either be a
hosted service or something you install yourself.

> As you might guess, I'm trying to do VPN over mobile networks which often
> have nasty carrier-grade NAT, and I want to be able to login to devices
> that are behind such networks.


If you can install the "client" software at the hidden end, you should be
able to initiate a connection out to a server under your control.

> I had a go with PPTP, for example, which works nicely but any inbound
> connections are blocked by the NAT.


Don't understand. How did it work if the connections are blocked?

> I can control the software on both sides of the links, so setting options
> to the VPN (like keepalives) isn't a problem. Primary platform is Linux,
> but others are also useful.


OpenVPN. Will run on a single UDP [or TCP if necessary] port, or even
through a web proxy. Available for the usual platforms. Tune keepalive and
reconnection parameters to suit.

--
http://ale.cx/ (AIM:troffasky) )
22:16:03 up 1 day, 10:36, 4 users, load average: 0.44, 0.28, 0.28
Qua illic est reprehendit, illic est a vindicatum
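A pair of OpenVPN configurations along the lines alexd describes (the router behind the site and carrier NATs dials out to the fixed VPS, keepalives tuned for a NAT that drops idle mappings after 30 seconds, and the site LAN routed back over the tunnel so the VPS can reach boxes behind the NAT). This is an added example, not configuration from anyone in the thread; the hostname, certificate file names and address ranges are assumed.

```conf
# --- vps.conf, on the VPS with the public IP (assumed example values) ---
# Only this side listens; the router always initiates, so neither NAT needs
# port forwarding.
port 1194
proto udp                  # use "proto tcp-server" here and tcp-client on the
                           # router only if the carrier NAT mangles or blocks UDP
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert vps.crt
key vps.key
dh dh.pem
tls-auth ta.key 0          # drop packets lacking the HMAC before any TLS work
# Ping every 10 s (well under a 30 s NAT idle timeout) and restart after 60 s
# of silence; the server pushes these to the client and uses twice the timeout
# itself.
keepalive 10 60
persist-key
persist-tun
# Per-client settings: ccd/router contains "iroute 192.168.1.0 255.255.255.0"
# so the VPS reaches the site LAN through the router's tunnel address.
client-config-dir ccd
route 192.168.1.0 255.255.255.0
# Firewall the VPS so SSH towards the router and site LAN is only accepted
# from tun0, never from the public interface.

# --- router.conf, on the OpenWrt router behind the site and carrier NATs ---
client
dev tun
proto udp
remote vps.example.invalid 1194   # assumed hostname; use one you control
nobind                            # no fixed source port, so any NAT will map it
resolv-retry infinite             # keep retrying DNS while the 3G link flaps
connect-retry 5                   # seconds between reconnection attempts
persist-key
persist-tun                       # keep tun up across restarts
ca ca.crt
cert router.crt
key router.key
tls-auth ta.key 1
remote-cert-tls server            # only talk to a peer whose cert is a server cert
# No keepalive here: the server's keepalive directive is pushed to this client.
```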

  #6  
Old October 9th 12, 03:54 AM posted to uk.telecom.broadband
Phil W Lee

Theo Markettos considered 08 Oct 2012 22:10:30 +0100 (BST) the perfect time to write:

> Graham J [email protected] wrote:
> > Perhaps you might tell us more about the equipment and why you want to
> > do this. It may be that the equipment can be connected to a landline
> > based network over which you have full control at least often enough for
> > you to do whatever needs to be done.
>
> I want to do remote management of a network (of random machines) in a
> location I will only have one opportunity to visit. There's nobody I can
> ask to run LogMeIn/etc. So the plan is to deploy a wireless router running
> Linux (OpenWRT maybe?) to be the VPN endpoint. That router will be behind
> the site 3G NAT router, and that's behind the telco's network NAT. The
> other VPN endpoint will be a VPS somewhere (global static IP, no NAT, nice and
> simple). I can then SSH into the wireless router over the VPN and do
> anything I need to to machines on the network.
>
> The suggestion of borrowing ideas from SIP is a good one:
> http://www.voip-info.org/wiki/view/VOIP+and+VPN
> suggests that a TCP-based VPN might do the trick - eg OpenVPN or Stunnel
>
> Theo


As long as one endpoint is fixed, you can arrange for the other to
connect to it, either on a regular script or maybe, if all else fails,
by using a modem (remember those?) to dial-in to a remotely operated
power switch to power it up.
Of course, you might find that the modem is sufficient to do the
management over, but dial-back security (either through the modem or
through a vpn) may be a worthwhile precaution.
  #7  
Old October 9th 12, 09:50 AM posted to uk.telecom.broadband
Graham J

Phil W Lee wrote:
> Theo Markettos considered 08 Oct 2012 22:10:30 +0100 (BST) the perfect time to write:
>
> > Graham J [email protected] wrote:
> > > Perhaps you might tell us more about the equipment and why you want to
> > > do this. It may be that the equipment can be connected to a landline
> > > based network over which you have full control at least often enough for
> > > you to do whatever needs to be done.
> >
> > I want to do remote management of a network (of random machines) in a
> > location I will only have one opportunity to visit. There's nobody I can
> > ask to run LogMeIn/etc. So the plan is to deploy a wireless router running
> > Linux (OpenWRT maybe?) to be the VPN endpoint. That router will be behind
> > the site 3G NAT router, and that's behind the telco's network NAT. The
> > other VPN endpoint will be a VPS somewhere (global static IP, no NAT, nice and
> > simple). I can then SSH into the wireless router over the VPN and do
> > anything I need to to machines on the network.
> >
> > The suggestion of borrowing ideas from SIP is a good one:
> > http://www.voip-info.org/wiki/view/VOIP+and+VPN
> > suggests that a TCP-based VPN might do the trick - eg OpenVPN or Stunnel
> >
> > Theo
>
> As long as one endpoint is fixed, you can arrange for the other to
> connect to it, either on a regular script or maybe, if all else fails,
> by using a modem (remember those?) to dial-in to a remotely operated
> power switch to power it up.
> Of course, you might find that the modem is sufficient to do the
> management over, but dial-back security (either through the modem or
> through a vpn) may be a worthwhile precaution.


I suspect the site is remote and there is no phone line; otherwise why
would there be a 3G router? So a backup link is unlikely ...

What about a point-to-point wireless link to the site? I've used
Engenius 5GHz wireless access points over distances of about 2km; and
they are specified for distances up to 25km. The primary cost is in the
erection of mounting poles or similar to get them up high enough. Use
them to link to a location where you can provide a reliable ADSL service.

Is this in the UK?

--
Graham J

  #8  
Old October 9th 12, 07:20 PM posted to uk.telecom.broadband
Theo Markettos

Graham J [email protected] wrote:
> What about a point-to-point wireless link to the site? I've used
> Engenius 5GHz wireless access points over distances of about 2km; and
> they are specified for distances up to 25km. The primary cost is in the
> erection of mounting poles or similar to get them up high enough. Use
> them to link to a location where you can provide a reliable ADSL service.
>
> Is this in the UK?


No, Africa. A thousand-mile link might be pushing it a bit. I thought VPN
was supposed to prevent the need for a dedicated link?

Theo
  #9  
Old October 9th 12, 09:09 PM posted to uk.telecom.broadband
The Natural Philosopher

Theo Markettos wrote:
> Graham J [email protected] wrote:
> > What about a point-to-point wireless link to the site? I've used
> > Engenius 5GHz wireless access points over distances of about 2km; and
> > they are specified for distances up to 25km. The primary cost is in the
> > erection of mounting poles or similar to get them up high enough. Use
> > them to link to a location where you can provide a reliable ADSL service.
> >
> > Is this in the UK?
>
> No, Africa. A thousand-mile link might be pushing it a bit. I thought VPN
> was supposed to prevent the need for a dedicated link?


Yes. Africa is ...challenging.

Thunderstorms will knock a lot of kit sideways too.

You had better set up something linux-ish to reboot itself and register
its presence so that with luck you can establish a known port on a
known IP address to get access.

I'd also suggest if it's at all possible it has a modem on a local phone
line. Even if it's no more than 2400 baud, a console connection that way
can be a lot of use.


> Theo



--
Ineptocracy

(in-ep-toc'-ra-cy) - a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
  #10  
Old October 10th 12, 12:49 AM posted to uk.telecom.broadband
Phil W Lee

Theo Markettos considered 09 Oct
2012 18:20:14 +0100 (BST) the perfect time to write:

> Graham J [email protected] wrote:
> > What about a point-to-point wireless link to the site? I've used
> > Engenius 5GHz wireless access points over distances of about 2km; and
> > they are specified for distances up to 25km. The primary cost is in the
> > erection of mounting poles or similar to get them up high enough. Use
> > them to link to a location where you can provide a reliable ADSL service.
> >
> > Is this in the UK?
>
> No, Africa. A thousand-mile link might be pushing it a bit. I thought VPN
> was supposed to prevent the need for a dedicated link?

OK, so you set up a vpn endpoint machine to connect to you (or at
least to attempt to) on a regular schedule.
To be clear, the remote system is trying to connect all the time - the
scheduled restarts are to deal with any possibility of any part of the
system locking up or becoming unstable.

It worked for me, with a small network in Namibia, although that was
over ISDN, not 3G, and therefore only one layer of NAT.

Of course, no "in-band" management is going to be any use at all if
it's the link itself that's borked.
All times are GMT +1. The time now is 01:01 AM.