Has anyone used a double VPN? What I mean is there is an edge router and a LAN router. So, a road warrior client would VPN to the edge router from the Internet and would traverse to the LAN router, where the client would present a key to get to the back office. It’s like entering the building (edge router) and, once in the building, presenting a key to the private elevator to go to the executive office. I am thinking of such a setup and was planning to use OpenVPN to get to the edge router, then use L2TP/IPsec at the private elevator (Mikrotik router).
A company’s office doesn’t have a public IP address.
My office does.
I have the Far office calling my Office over L2TP. The route between them is 2 points. On each router… I have a route that points to the l2tp route. Encryption engine grabs the traffic before it goes over the tunnel.
I vpn to my office… And I can then reach device on his network.
Is this similar to what you are trying to do?
No… the client VPNs into two different routers at the destination network, where the WAN is the first router and the LAN is the second. There is a quarantine area that is the Ethernet connection… the network LAN connection or WAN of the second router. It’s within this network LAN area that the client needs to present credentials (L2TP/IPsec) to proceed to the LAN router’s addresses. Here is a diagram of the idea!

I got the inspiration from guys such as this: https://www.technadu.com/double-vpn/45274/
However, in their case, it’s to hide the IP address from one’s ISP. Whereas, in my case, it’s just because it seems doable and is kind of a “James Bond” approach/novelty. Also, in my case, the WAN is a pfSense box and the LAN is a Mikrotik (RB450Gx4). The thing I am wondering about is whether it would be better to use OpenVPN all the way, or whether it doesn’t matter! Where are the forum Gurus!
Whenever I see oVPN in a Mikrotik thread… I stop reading. OpenVPN has been crippled in Mikrotik for like 10 years now.
Thanks Gotsprings… maybe that’s why I intuitively wanted to use L2TP/IPsec at the Mikrotik. That’s where I am struggling to visualize, when the VPN client reaches the Mikrotik, how the client presents the user and key.
I think you need to set the IP address that the VPN client comes in as.
Then firewall rules will dictate what clients can then reach the next subnet.
If I understood the diagram… it’s not a VPN from one site to another… but a wired connection.
If that is the case… you have one feed from the first router and only need a switch on the far end.
I forgot to mention that the VPN is a road warrior setup. The VPN client, once leaving the pfSense box (WAN), will come in on 192.168.1.1 to the Mikrotik (RB450Gx4), which has the 10.0.8.0/24 network, and that subnet is the client’s real destination. The switch is already on the Mikrotik and, in essence, the pfSense to the Mikrotik could be considered a site-to-site VPN.
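A RouterOS configuration sketch for the "private elevator" leg described in this thread, added here as an example and not posted by anyone in the discussion: the Mikrotik only accepts L2TP/IPsec from the quarantine segment (192.168.1.0/24), and only addresses handed out to authenticated L2TP clients may forward into 10.0.8.0/24. It assumes ether1 is the port facing pfSense, a separate 10.0.9.0/24 pool for VPN clients, and placeholder secrets that must be replaced.

```routeros
# Pool for authenticated road-warrior clients (assumed; not on the page).
/ip pool add name=l2tp-pool ranges=10.0.9.10-10.0.9.50

# Profile: router side uses 10.0.8.1, clients get pool addresses.
/ppp profile add name=l2tp-profile local-address=10.0.8.1 remote-address=l2tp-pool

# L2TP server with IPsec mandatory; bare L2TP (no ESP) is refused.
# CHANGE_ME values are placeholders.
/interface l2tp-server server set enabled=yes default-profile=l2tp-profile \
    use-ipsec=required ipsec-secret=CHANGE_ME_PSK authentication=mschap2

# One user account for the road-warrior client (placeholder password).
/ppp secret add name=roadwarrior password=CHANGE_ME_PASSWORD service=l2tp \
    profile=l2tp-profile

/ip firewall filter
# Input chain: from the quarantine port, only IKE, NAT-T and ESP reach the router.
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T from quarantine segment"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept \
    comment="ESP from quarantine segment"
# L2TP control channel is accepted only if it arrived inside an IPsec SA.
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP only when IPsec-protected"
add chain=input in-interface=ether1 action=drop \
    comment="Everything else from quarantine is dropped"

# Forward chain: VPN pool may reach the back office, raw quarantine traffic may not.
add chain=forward src-address=10.0.9.0/24 dst-address=10.0.8.0/24 action=accept \
    comment="Authenticated L2TP clients into 10.0.8.0/24"
add chain=forward in-interface=ether1 dst-address=10.0.8.0/24 action=drop \
    comment="Quarantine segment cannot reach the back office directly"
```

The pfSense side still needs its OpenVPN client subnet routed toward 192.168.1.1 and allowed through to UDP 500/4500 and ESP only; every other path into the Mikrotik from the quarantine segment ends at the final input drop rule.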