
We're using a VPN to connect a remote office to our main office, and a machine in the remote office needs to expose port 22 to the outside internet.

Complications:

  • The main office has a fixed IP address.
  • The remote office has a floating IP address.
  • The remote office sits behind a router that we don't control.
  • All traffic from the remote office needs to pass through the main office's VPN.

The main office and remote office have DrayTek Vigor2925 series routers, with the latest firmware. The router immediately upstream of the remote office's DrayTek is a cheap black box, with no DDNS or VPN capability, or anything that appears useful.

Things that work:

  • We've been able to connect the remote office to our network with a dial-in VPN. When that's up, we can connect to the target machine from the main office.
  • We can forward connections to the fixed IP address to a machine in the main office, using the router's port-forwarding settings.
  • We can forward from the fixed IP address to a machine in the remote office.

My understanding, from DrayTek's documentation and elsewhere, is that NAT is incompatible with IPSec tunneling, particularly the Authentication Header, but it should be possible to establish a VPN using L2TP and IPSec Encapsulation, if both devices support NAT-T, which the routers claim to support.

So: We've set the remote office to dial in, using "L2TP with IPsec Policy", turned off the Authentication Header, set the main office router to forward the ports to the target machine, and used the telnet interface to check that vpn-passthrough was turned off, and we're still not able to connect.

Alternatively, we could use a dynamic-DNS solution, if we could read the remote office's floating IP address. However, we don't control the router upstream of the remote office, and we are forwarding all traffic through the office's VPN: All of the machines in the remote office think that their public facing IP address is the fixed address belonging to the main office.

We're almost at the point of buying a Raspberry Pi to plug into the upstream router, and using it to run a cron job that wgets icanhazip.com.

So... is there a step I've missed in my router configuration? Or is there a less-hackish way to read the IP address from the inside of a VPN?

Sean C.

1 Answer

Is all traffic from the remote office going through the VPN, e.g. is the VPN the default gateway? If not, then you might need to SNAT all the connections from the internet going to port 22 on the remote machine. Else the connections will return through your internet connection at the remote office.

Another possibility is to do remote port forwarding via SSH, by doing ssh -R 22:127.0.0.1:22 <main gateway> for example.

Daniel
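The reverse-forwarding approach from the answer above, written out as a supervised script that the remote-office machine would run. This is an added example, not code from either poster; the gateway host `gateway.example.com`, the login user `tunnel`, the gateway-side port 2222 and the assumption that the gateway's sshd has `GatewayPorts` enabled (so the listener is reachable for the Vigor's port forward, not just on loopback) are all assumptions, not details from the question.

```shell
#!/bin/sh
# Keep a reverse SSH tunnel open from this (remote-office) machine to the
# main-office gateway. Inbound SSH to the main office's fixed IP is forwarded
# by the Vigor to GATEWAY_HOST:REMOTE_PORT, which ssh relays back to our sshd.
# Hypothetical values; override them from the environment.
GATEWAY_HOST="${GATEWAY_HOST:-gateway.example.com}"
GATEWAY_USER="${GATEWAY_USER:-tunnel}"
REMOTE_PORT="${REMOTE_PORT:-2222}"   # listener opened on the gateway
LOCAL_PORT="${LOCAL_PORT:-22}"       # our own sshd

# A port is a number in 1..65535; refuse anything else before calling ssh.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Arguments for ssh, returned as a string so they can be inspected or tested.
#  -N                        no remote command, tunnel only
#  -o ExitOnForwardFailure   exit (and get restarted) if the bind fails
#  -o ServerAlive*           detect a silently dropped link within ~90 s
#  -o BatchMode              never prompt; key auth only, safe under cron/init
#  -R 0.0.0.0:...            bind on all gateway interfaces (needs GatewayPorts)
tunnel_args() {
    valid_port "$REMOTE_PORT" && valid_port "$LOCAL_PORT" || return 1
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
-o ServerAliveCountMax=3 -o BatchMode=yes \
-R 0.0.0.0:${REMOTE_PORT}:127.0.0.1:${LOCAL_PORT} ${GATEWAY_USER}@${GATEWAY_HOST}"
}

# Supervise the tunnel: when ssh exits (link drop, gateway reboot) wait
# briefly and reconnect, so the forward survives the floating IP changing.
run_tunnel() {
    args=$(tunnel_args) || { echo "bad port configuration" >&2; return 1; }
    while :; do
        # shellcheck disable=SC2086  # intentional word splitting of $args
        ssh $args
        sleep 10
    done
}

[ "${1:-}" = "run" ] && run_tunnel
```

Run it as `sh tunnel.sh run` from an init script or supervisor; the main-office Vigor's port-forward rule then points at the gateway host's port 2222 rather than directly at the remote machine.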