HotSpot over VPN

So want to see if anyone has any thoughts or ideas on the following:

I want to have APs out in the field connected to an ISP either by themselves or behind a router that I have no control over. I then want them to VPN tunnel back to my hotspot gateway to be able to authenticate. After they authenticate I want them to be able to go out to the internet through the ISP they are connected to and not my tunnel.

I already have my VPN set up with an AP connected. My client is able to connect to the AP, pull an IP from the VPN hotspot, and surf the internet through the VPN. I want to be able to direct my traffic out the ISP the AP is connected to after they authenticate over the VPN. Any thoughts?

We recently had to set up a hotspot portal for a customer, and route traffic out through their network (it’s a school district, so their users’ traffic has to go through some filtering stuff they own). We ended up using OpenVPN between locations (on RB 1100 AHx2s, I believe). The tricky part was that the hotspot doesn’t like to bind to a layer-3 interface, so we had to run both ends of the VPN in interface/ethernet mode, and add the virtual interface to a bridge with the hotspot applied to it. It works very well, but the interface-level VPN took a bit of tweaking to get going. It would probably also work with EoIP or one of the other layer-2 VPN options - I never could figure out how to make it talk to a layer-3 VPN.

For the setup you describe, you should be able to put a router-OS device at each of the apt complexes and have it do the tunneling back to a router at your location (leaving the users blissfully unaware of whatever is in-between). Otherwise, I guess you could have the end-users “dial” a VPN to you - but that’s not automatic, so users will complain about it!

Hope that helps!

Maybe as a suggestion: if you want central user management, set up User Manager on the authentication router, set up the access points to connect to the VPN (they should have different IP addresses than the authentication router), do not add a default route or DNS when connecting the VPN, set up the hotspot to run on the AP, and authenticate via RADIUS to the IP address of the User Manager router.

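The layout suggested in the post above, sketched as RouterOS commands for the AP side. This is an added example, not configuration posted by anyone in the thread; it assumes RouterOS v6 syntax, and the interface names, addresses (documentation and private ranges), OVPN account and shared secret are all placeholders.

```routeros
# AP side only. All names, addresses and secrets below are placeholders (assumptions).
# ether1 = uplink to the local ISP, wlan1 = hotspot radio.

# 1. Uplink: default route and DNS come from the local ISP, not from the tunnel.
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

# 2. Tunnel to the authentication router (198.51.100.10 is a documentation address).
#    add-default-route=no keeps client traffic off the tunnel; only the tunnel
#    subnet (assumed here to be 10.8.0.0/24) is reachable through it.
/interface ovpn-client add name=ovpn-auth connect-to=198.51.100.10 \
    user=ap01 password=CHANGE-ME add-default-route=no disabled=no

# 3. Hotspot network served locally by the AP.
/interface bridge add name=bridge-hs
/interface bridge port add bridge=bridge-hs interface=wlan1
/ip address add address=10.5.50.1/24 interface=bridge-hs
/ip pool add name=hs-pool ranges=10.5.50.10-10.5.50.254
/ip dhcp-server add name=hs-dhcp interface=bridge-hs address-pool=hs-pool disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1

# 4. Local DNS cache for hotspot clients; block DNS queries arriving on the
#    uplink so the AP does not become an open resolver.
/ip dns set allow-remote-requests=yes
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

# 5. RADIUS for hotspot logins goes to User Manager at the far end of the tunnel.
#    10.8.0.1 = authentication router's tunnel address, 10.8.0.11 = this AP's
#    tunnel address (assumed to be assigned statically by the VPN server).
#    The same secret must be set for this AP's router entry in User Manager.
/radius add service=hotspot address=10.8.0.1 src-address=10.8.0.11 secret=CHANGE-ME

# 6. Hotspot on the bridge, authenticating through RADIUS.
/ip hotspot profile add name=hs-radius hotspot-address=10.5.50.1 use-radius=yes
/ip hotspot add name=hs-ap01 interface=bridge-hs profile=hs-radius \
    address-pool=hs-pool disabled=no

# 7. Authenticated clients leave through the local ISP.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
```

Only RADIUS packets cross the tunnel in this layout, so the tunnel can be a plain layer-3 VPN; the hotspot itself binds to the local bridge on the AP.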

Can you go into a little more detail about how you did this? I’m trying to set up this exact setup, in a test environment, but not having any luck. I think I’m missing the link between the VPN and the hotspot. Any help would be very much appreciated.