Client-to-Client communication in a VPN scenario

Hi there,

I have a scenario with a VPN server (SSTP or PPTP) with multiple clients connected (all Mikrotik devices).
I want each client to be able to communicate with the others.

How can I make this?

If you have in mind that two clients would talk to each other directly, that’s only possible if at least one of those clients is on a public IP address and acts as a server for the other one.

If you don’t mind that the two clients would talk to each other via the server common for both of them, it is just a matter of firewall rules at the server to permit this and of routes at the clients to send packets for other clients’ LANs to the server.

Thanks for your answer!

I would like each client to talk directly, but only the VPN server has a public IP address!

If the clients don’t have public addresses, and unless all of them sit in the same private network so that they could send packets directly to each other’s private addresses, there is no way to do that. The maximum you could have would be that the device on the public address would create tunnels between its two protocol ports and the clients would send the VPN transport packets to each other via these hairpin pinholes, which is how e.g. TeamViewer works, but I cannot see any advantage in doing it this way as compared to sending packets between clients via the tunnels they have to the server. The physical path is the same in both cases; the only difference is whether the server can see the plaintext contents of the communication between the clients or not.

Could it work if I use an EoIP tunnel between each VPN client connected to the central VPN server?

Yes, but the physical path would still remain the same, client1 ↔ server ↔ client2, so what is the ultimate goal? To have the contents of the client-client communication hidden from the server? If so, you don’t even need the EoIP tunnel; you can simply have an SSTP (or PPTP) tunnel between clients (where one of them acts as a server) inside the SSTP (or PPTP) tunnels between the clients and the central server.

       client1          server         client2
           \________/            \_______/
       \_____________________________________/
		 
        _____________________________________
       /    ________              _______    \
           /        \            /       \
 inner tunnel client                inner tunnel server

As none of the clients has a public IP address, I would like to use the VPN server to make the client-client communication possible.
How can I do it?

As suggested on my drawing.

You assign a private IP address space which is not in conflict with any of the private address spaces already used at the client routers’ LANs, and let the server assign the clients addresses from this VPN address space. You need to have a static mapping between each client’s credentials and the address from this space which that particular client will get; this is provided by the /ppp secret configuration section.

Next, you create L2 (EoIP, L2TP) or L3 (IPIP, GRE) tunnels on clients using these addresses if you don’t mind that the data running between the clients will be available in plaintext to the server, or you create a VPN (e.g., SSTP) server on one of the clients and make the other client connect to the other client’s address from the VPN range.

The biggest issue I have is that already a single VPN tunnel with TCP transport (SSTP) is problematic for TCP connections passing through it (google for “tcp meltdown”). And if you set up an SSTP tunnel between clients inside a tunnel between a client and server, you’ll have three layers of TCP over each other. So I’d rather use L2TP/IPsec for the tunnels between each client and the server, and any of the tunnels listed above for the client-client tunnels, depending on what is the purpose (L2 or L3 tunnelling). Any of these can be protected using IPsec as well.
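As an added, constructed example (not configuration from the thread), the RouterOS commands that implement the approach described in this answer: L2TP/IPsec from each client to the server with static /ppp secret addresses, a forward rule on the server permitting only client-to-client traffic, and an IPsec-protected IPIP tunnel between two clients across their VPN addresses so the server cannot read the payload. The VPN range 10.255.0.0/24, the client LANs, SERVER_PUBLIC_IP and all secrets are placeholders.

```routeros
# ===== Central VPN server (the only device with a public IP) =====
# VPN address space chosen not to overlap any client LAN (assumption: 10.255.0.0/24)
/interface list add name=vpn-clients
/ppp profile add name=c2c local-address=10.255.0.1 interface-list=vpn-clients change-tcp-mss=yes
# Static credential -> address mapping (/ppp secret), so each client always gets the same address
/ppp secret add name=client1 password=CHANGE_ME_1 service=l2tp profile=c2c remote-address=10.255.0.11
/ppp secret add name=client2 password=CHANGE_ME_2 service=l2tp profile=c2c remote-address=10.255.0.12
# L2TP/IPsec instead of SSTP: UDP transport avoids stacking TCP inside TCP
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret=CHANGE_ME_PSK default-profile=c2c
# Permit forwarding only between PPP interfaces of VPN clients; drop anything else they send onward
/ip firewall filter add chain=forward in-interface-list=vpn-clients out-interface-list=vpn-clients action=accept comment="client-to-client via server"
/ip firewall filter add chain=forward in-interface-list=vpn-clients action=drop comment="VPN clients reach nothing but each other"

# ===== client1 (LAN 192.168.1.0/24, assumption) =====
/interface l2tp-client add name=to-server connect-to=SERVER_PUBLIC_IP user=client1 password=CHANGE_ME_1 use-ipsec=yes ipsec-secret=CHANGE_ME_PSK add-default-route=no disabled=no
# Other clients' VPN addresses are reachable only through the tunnel to the server
/ip route add dst-address=10.255.0.0/24 gateway=to-server
# L3 client-client tunnel between VPN addresses; ipsec-secret keeps its payload hidden from the server
/interface ipip add name=c1-c2 local-address=10.255.0.11 remote-address=10.255.0.12 ipsec-secret=CHANGE_ME_C2C
/ip address add address=10.254.12.1/30 interface=c1-c2
# Send traffic for client2's LAN into the inner tunnel
/ip route add dst-address=192.168.2.0/24 gateway=10.254.12.2

# ===== client2 (LAN 192.168.2.0/24, assumption): mirror of client1 =====
/interface l2tp-client add name=to-server connect-to=SERVER_PUBLIC_IP user=client2 password=CHANGE_ME_2 use-ipsec=yes ipsec-secret=CHANGE_ME_PSK add-default-route=no disabled=no
/ip route add dst-address=10.255.0.0/24 gateway=to-server
/interface ipip add name=c2-c1 local-address=10.255.0.12 remote-address=10.255.0.11 ipsec-secret=CHANGE_ME_C2C
/ip address add address=10.254.12.2/30 interface=c2-c1
/ip route add dst-address=192.168.1.0/24 gateway=10.254.12.1
```

With the inner IPsec secret removed from the IPIP tunnels, the setup still works but the server sees the client-to-client traffic in plaintext, which is the trade-off the answer describes. An EoIP tunnel (/interface eoip, with a tunnel-id) can replace IPIP where L2 bridging between the client LANs is the goal.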