How to connect to remote VPN periodically?

I would like to periodically create a VPN connection from a remote site to my home network.

Primary use-case
In my home network I have attached a NAS that I use for backups. I would like to also make backups from a specific machine on the remote site and store them on the NAS in my home network.

Secondary use-case
There is no technical expertise present at the remote site. I would like to offer assistance remotely via a VPN when there are IT problems. Once inside the network I can use SSH and VNC to help them.

Restrictions
The remote site is behind a firewall and can not run a VPN server.
I have full control over my home network and can set up a VPN server on my end.

Questions
I was thinking to buy a MikroTik Routerboard RB750Gr3 or a MikroTik hap ac2 and put that in the network of the remote site. Then I would attach the specific machine that needs to create backups to the MikroTik.

  1. Is it possible to let the MikroTik create a VPN connection from the remote site to my local network periodically? (let's say once every week at night to copy the backups to my NAS)
  2. Is it possible to use this VPN connection initiated by the remote MikroTik client when connected to my home network also to access the remote network and do (simple) network or IT maintenance?

Yes. Any action can be scheduled using RouterOS scripting, including activation and de-activation of a VPN connection.


Yes, however as the remote Tik will not have a public IP address if I got you right, you’d have to either keep the VPN active all the time, or let it connect much more frequently so that you could connect there when needed.

If the firewall at the remote site has a public address, it might be possible to maintain a pinhole in it, allowing you to initiate connection to the remote Tik actively from your site, without actually running the VPN initiator at the remote Tik, but I cannot see much purpose in running the VPN only when needed, except if you pay for traffic volume transported on one of the connections (a VPN which transports no payload still generates some small volume of keepalive traffic).

Out of the two suggested Mikrotik models, my personal preference is hAP ac².

I have no prior experience with RouterOS scripting but I will look into that. It is good to know I can activate or de-activate a VPN connection that way. Maybe I can even trigger it on other events beside running a periodic task.


Yes I am aware of that. Maybe I could let it connect more frequently or perhaps use some kind of external event like an email to trigger the RouterOS scripting that activates the VPN.


What is a ‘pinhole’? Sounds like something that might help me to achieve what I want?

There are two reasons why I do not want the remote site to be connected through VPN 24/7.
First I do not want to expose a VPN service to the public internet 24/7 that might be exploited. After all I only need it periodically when the backups are being transferred or incidentally when I need to fix a technical problem at the remote site.
The second reason is that when the specific system connected to the MikroTik on the remote site has a VPN connection to my home network, then it is not available on the remote network anymore. It has to disconnect from the VPN in order to become part of the remote site's network again.


I am not sure what to look for when selecting a capable MikroTik. I have experience with the hAP ac² myself, that’s why it was on my list. I was looking for an affordable solution that I can place at the remote site and saves me the trouble of driving over there every time something goes wrong on the network.

A pinhole is a common name for the temporary (ephemeral) rule in a firewall which allows packets between two IP address:port tuples to pass through the firewall although normally such packets would be dropped. It is typically created by a packet which comes from the protected side of the firewall towards something on the “jungle” side of it, and once created, it exists for as long as some traffic passes through (if handling UDP, ICMP, GRE…) it or until the connection is explicitly closed (TCP, SCTP, some firewalls understand the application layers using UDP as transport and act accordingly). In both cases, there is some timeout after the last packet seen.

So you could send UDP packets to your home IP with the same source and destination ports as those used by the VPN connection while the VPN connection would not be active, so that your home IP would be able to connect to the sending device, without having to manually configure port-forwarding on the firewall between the internet and the remote device.

But still, it is much simpler that the remote device behind the firewall just keeps attempting to connect to your home device, and you disable and enable listening at the home device by schedule or manually on demand; this way, the remote device never needs to respond to incoming VPN requests.


This one sounds like a space for improvement :)


To me, the hAP ac² is currently the best value for money. I prefer it solely because it has a better switch chip than the other one - maybe not actually better but better when used together with RouterOS. Plus it has the wireless part which may be useful sometimes.

The hAP ac² is newer, has better specs and is faster, and one can turn the wifi off if not needed. Overall better value although a pubic hair more expensive… (for those of older ilk who don't shave LOL)
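Added example, mine rather than anything posted in the thread or shipped by MikroTik: the scheduled variant that sindy described in the first reply (a RouterOS scheduler enabling and disabling the tunnel at the remote site) and in the reply above (the home side only listens during the window, and the remote side may simply keep retrying). RouterOS 6 CLI syntax; the tunnel type (L2TP/IPsec), the interface names `vpn-home` and `l2tp-beta`, the addresses, the credentials, the time zone, the Sunday 02:00-05:00 window and the presence of the default-configuration firewall and `WAN` interface list are all my assumptions.

```routeros
# ===== Remote site (beta): weekly backup window, RouterOS 6 CLI =====
# Assumptions: home public address 203.0.113.10, tunnel interface vpn-home,
# credentials CHANGE-ME / CHANGE-ME-TOO, window Sunday 02:00-05:00.

# The tunnel starts disabled: outside the window nothing connects from here.
/interface l2tp-client add name=vpn-home connect-to=203.0.113.10 \
    user=beta password=CHANGE-ME use-ipsec=yes ipsec-secret=CHANGE-ME-TOO \
    add-default-route=no disabled=yes comment="backup tunnel to home"

# Schedules on two routers only line up if both agree on the time.
/system clock set time-zone-name=Europe/Amsterdam
/system ntp client set enabled=yes server-dns-names=pool.ntp.org

# Bring the tunnel up and verify it really came up; if not, do not keep a
# half-configured client retrying for a week, log it and disable it again.
/system script add name=vpn-home-up source="\
    /interface l2tp-client enable vpn-home\r\n\
    :delay 30s\r\n\
    :if ([/interface get vpn-home running]) do={\r\n\
        /log info \"vpn-home: tunnel up, backup window open\"\r\n\
    } else={\r\n\
        /log warning \"vpn-home: tunnel did not come up, disabling until next window\"\r\n\
        /interface l2tp-client disable vpn-home\r\n\
    }"

# start-date on a Sunday plus interval=7d means "every Sunday night".
/system scheduler add name=vpn-home-weekly-up start-date=jan/05/2020 \
    start-time=02:00:00 interval=7d on-event=vpn-home-up
/system scheduler add name=vpn-home-weekly-down start-date=jan/05/2020 \
    start-time=05:00:00 interval=7d on-event="/interface l2tp-client disable vpn-home"

# ===== Home (alpha): a server that only listens during the window =====
/ppp secret add name=beta password=CHANGE-ME service=l2tp \
    local-address=10.99.0.1 remote-address=10.99.0.2
# Static binding, so the tunnel gets a fixed interface name (l2tp-beta) usable in routes and filters.
/interface l2tp-server add name=l2tp-beta user=beta
/interface l2tp-server server set enabled=no use-ipsec=required ipsec-secret=CHANGE-ME-TOO

# IKE / NAT-T / L2TP from the internet, disabled by default. place-before=0 puts the rule
# above the default configuration's "drop all not coming from LAN" input rule; adjust to your order.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500,1701 \
    in-interface-list=WAN comment=vpn-window disabled=yes place-before=0

# Open five minutes before the client tries, close five minutes after it gives up.
/system scheduler add name=vpn-listen-open start-date=jan/05/2020 start-time=01:55:00 interval=7d \
    on-event="/interface l2tp-server server set enabled=yes; /ip firewall filter enable [find comment=vpn-window]"
/system scheduler add name=vpn-listen-close start-date=jan/05/2020 start-time=05:05:00 interval=7d \
    on-event="/interface l2tp-server server set enabled=no; /ip firewall filter disable [find comment=vpn-window]"

# For ad-hoc maintenance (sindy's simpler variant): leave the client at beta enabled so it keeps
# retrying, and run the two commands of vpn-listen-open / vpn-listen-close by hand at alpha.
```

Outside the window the home router has no open UDP 500/4500/1701 and the L2TP server is off, so there is nothing to probe; during the window only IKE with the pre-shared key and a PPP secret stand between the internet and the tunnel, which is why the window is short and the credentials should be long random strings. Check the result from an outside host with a port scan while the window is closed, and in `/log` after the first Sunday run.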

How interesting. I knew about the existence of port-knocking from the outside but a pinhole is typically initiated from the inside if I understood correctly?


Of course. I suppose I could make that work. It sounds simple enough and is just as secure.


Is it possible to have the specific machine on the remote site be available simultaneously on the remote site and on my home network?
How could I achieve this? Does it require an additional network card on that specific machine?

A pinhole can be opened by a packet coming from either “inside” or “outside” (actually, there are firewalls controlling traffic between several zones, so “inside” and “outside” is a simplification) for which some static rule permits to open it, or by a “helper” - a software module of the firewall which monitors communication on some control protocol such as FTP, PPTP, SIP, TFTP, … which negotiates establishment of another communication flow, and creates a corresponding pinhole for that flow before its first packet arrives. This latter behaviour is also called “application layer gateway”.

In the Linux/Mikrotik world, “pinholes” are implemented using the connection tracking module of the firewall.


I don’t know the particular circumstances, but unless that machine needs to communicate with a single particular IP address, and you have one machine with that particular IP address in the remote network and another one with the same address in your home network, so when the VPN is up, the connection initiated by that machine lands at the one at home and when the VPN is down, the connection lands at the one in the office, I can see no reason why existence of a route to a network at your home should prevent that machine from talking to machines in the office network. If you have overlapping IP subnets at home and in the office, it is slightly more complicated but still doable, you can apply NAT also to the VPN traffic.

I assumed this was a problem because when I have a laptop and want to VPN to my home network, then I use a VPN client on the laptop to connect to the home network. When I am connected to the home network the laptop receives an IP-address from the home network. My laptop can no longer access machines on the local network it is physically connected to via wifi or ethernet.

Did I understand you correctly that when I place a MikroTik router such as the hAP ac² in the remote network to create the VPN connection to my home network, then the machines connected to that MikroTik can reach the NAS on my home LAN and also still access the machines on their own network?
In other words the MikroTik does not become part of my home network exclusively when the VPN connection is active as it is the case with my laptop?

Ah… that’s caused by how the Microsoft’s embedded VPN client treats VPN connections (and I hazily remember about someone here complaining about MacOS doing it similarly). By default, as soon as you connect to a tunnel, the tunnel becomes a default gateway, so the machine starts sending all outgoing traffic through it. You can replace this by adding just a “class-based” route, which only uses the tunnel as a route to 10.0.0.0/8, 172.x.0.0/16 or 192.168.y.0/24 (or maybe I’m wrong and it is actually 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), depending on what own address it got assigned from the VPN server. Or you can disable both variants, and use either static routes added as “persistent”, so surviving a reboot, that only become active when the tunnel is up, or you can use PowerShell to do something more complex.

With Mikrotik (or any other decent router), it is fully up to you for what destinations you set up routes via the VPN tunnel and what destinations you keep on local LAN/WAN.

But unless you can set the PC to use the Mikrotik as its default gateway (i.e. if the Mikrotik will only provide the VPN but the main router for the PC will be some other one), the PC will need an exceptional route towards your home subnet via the Mikrotik anyway. So it again requires some more detailed information about the network topology on the remote site to suggest the best way.

I have created a diagram to visualize the network topologies. As you can see both networks are small and simple.

The remote site is drawn on the left and my home network is drawn on the right.
The A2 Switch in my home network is a MikroTik hAP ac² with the WiFi disabled.
I am considering replacing the switch [B2] on the remote site with a new MikroTik hAP ac² [?].
Then the new MikroTik hAP ac² [?] at the remote site would need to be configured in such a way that it can connect to my home network through a VPN tunnel.

I am not sure what the best approach is to wire and configure both networks but I would like to be able to use hostnames in my backup scripting instead of ip-addresses that might change.

OK, it looks fine. If it wasn’t for the IPTV at site β, I would recommend you to switch the modem there to bridge mode and get the public IP assigned directly to the hAP ac², however making IPTV work over Mikrotik is another can of worms.

So if you let the hAP ac² get its WAN address from the modem, and give out IP addresses from another subnet on its own LAN, you don’t need to touch the routing on the PCs because they will send everything to the Mikrotik which will sort it out. You will end up with double (or even triple) NAT, but the negative effects of multiple NAT as compared to a single one are overestimated so no worry there.

Or you may let the hAP ac² become yet another device on the modem’s LAN, with a static address outside the range assigned by the modem and not running its own DHCP server, and manually configure the routes on the PCs to send the traffic for site α via the Mikrotik and the rest via the modem.

Yet another possibility is functionally the same as above, except that you disable the DHCP server on the modem and enable it on the hAP ac² instead, and let it dynamically push the routing table to the PCs (using DHCP, you can provide not only the IP address of the default gateway but also a complete static routing table).

The same applies for the hAP ac² at site α, but there it becomes a tiny bit more complicated as the laptop is connected wirelessly, so I’d recommend the last option above if A1 will be flexible enough to keep acting as the wireless AP but give away the DHCP server role.

In any of the “two and a half” cases above, the hAP ac² at site β will be configured the same way as a VPN client of the hAP ac² at site α.


Mikrotik allows to define static DNS items which are taken into account first, so yes, if you configure the PCs at both sites to use their local Mikrotiks as DNS servers, you can do this. Again, the DNS server IP can be pushed via DHCP, so you can do that in a centralized way.
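Added example, not posted by sindy or shipped by MikroTik, for the routing discussion two replies up (routes via the tunnel only for the home subnet, the PC's default gateway) and for the three layouts plus the static-DNS answer above. RouterOS 6 CLI; the subnets (home 192.168.1.0/24 with the NAS at 192.168.1.10, modem LAN 192.168.0.0/24 with the modem at 192.168.0.1, default-configuration LAN 192.168.88.0/24), the tunnel interface `vpn-home` at site β and its static server binding `l2tp-beta` at site α, the pool/server names of the hAP ac² default configuration and the DNS name `nas.alpha.lan` are my assumptions. The first layout is the double-NAT one; the second is the DHCP-pushed-routes one (RFC 3442 classless static routes, DHCP option 121, which I have generalised to include the default route because a client that receives option 121 ignores the normal router option).

```routeros
# ===== Remote hAP ac² (beta) behind the modem, RouterOS 6 CLI. Pick ONE layout. =====

# --- Layout 1: double NAT. Keep the default configuration: ether1 = WAN with a DHCP client
# towards the modem, bridge = LAN 192.168.88.0/24, masquerade out-interface-list=WAN.
# The PCs use the hAP ac² as default gateway, so only the router needs to know about alpha.
/ip route add dst-address=192.168.1.0/24 gateway=vpn-home comment="alpha via VPN"
# Masquerade matches the WAN list only, so packets entering the tunnel keep their 192.168.88.x
# source and the NAS sees the real backup host; alpha therefore needs the return route (below).

# --- Layout 2: no extra NAT. Modem cabled to a LAN port (ether2..ether5, ether1 left unused),
# modem stays the default gateway, the modem's DHCP server is switched off, the hAP ac² hands out
# addresses on the modem's subnet plus a classless static route pointing alpha at itself.
/ip address set [find address="192.168.88.1/24"] address=192.168.0.2/24
/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1
/ip route add dst-address=192.168.1.0/24 gateway=vpn-home comment="alpha via VPN"
/ip dns set servers=192.168.0.1
/ip pool set [find name=default-dhcp] ranges=192.168.0.100-192.168.0.199
# Option 121 value, routes back to back: prefix length, significant prefix octets, gateway.
#   192.168.1.0/24 via 192.168.0.2 -> 18 c0a801 c0a80002
#   0.0.0.0/0      via 192.168.0.1 -> 00        c0a80001  (default route must be listed as well)
/ip dhcp-server option add name=alpha-route code=121 value=0x18c0a801c0a8000200c0a80001
# Older Windows clients request the Microsoft code 249 instead; same encoding.
/ip dhcp-server option add name=alpha-route-ms code=249 value=0x18c0a801c0a8000200c0a80001
/ip dhcp-server network set [find address="192.168.88.0/24"] address=192.168.0.0/24 \
    gateway=192.168.0.1 dns-server=192.168.0.2 dhcp-option=alpha-route,alpha-route-ms
# Verify on a PC after renewing the lease: "route print" (Windows) / "ip route" (Linux) must show
# 192.168.1.0/24 via 192.168.0.2 and the default via 192.168.0.1.

# --- Names instead of addresses (both layouts): PCs use the hAP ac² as their DNS server,
# static entries are answered first, everything else is forwarded upstream.
/ip dns set allow-remote-requests=yes
/ip dns static add name=nas.alpha.lan address=192.168.1.10 comment="home NAS for backups"
# allow-remote-requests also listens on the WAN side. The default configuration's
# "drop all not coming from LAN" input rule keeps that closed; check it is still present:
#   /ip firewall filter print where chain=input

# ===== Home hAP ac² (alpha) =====
# Return route for the remote LAN through the static L2TP binding (use 192.168.0.0/24 for layout 2).
/ip route add dst-address=192.168.88.0/24 gateway=l2tp-beta comment="beta via VPN"
# Least privilege: a compromised remote site may only talk to the NAS, nothing else at home.
# Maintenance sessions are started from home, so their return traffic is established/related.
/ip firewall filter add chain=forward in-interface=l2tp-beta dst-address=192.168.1.10 \
    action=accept comment="beta -> NAS only"
/ip firewall filter add chain=forward in-interface=l2tp-beta action=drop comment="beta -> rest"
/ip dns static add name=backup-pc.beta.lan address=192.168.88.10 comment="remote backup host"
```

The two `forward` rules are appended after the default configuration's rules, which end with "drop from WAN not DSTNATed" and otherwise allow forwarding, so they take effect without reordering; `/ip firewall filter print stats` after the first backup run shows whether the accept rule is the one being hit.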

Unfortunately I ran into a problem. I have ordered a hAP ac² from two different vendors, but neither can deliver. First I ordered from my preferred vendor, where I ordered the hAP ac² I use at home. After 5 days they sent an email that they could not deliver due to depleted stock and they offered an alternative brand or money back. Obviously I opted for money back because I prefer a MikroTik.
Then I ordered at a different webshop which promised delivery within 5 days but after paying I immediately received an automated email that due to Covid-19 they could not deliver the items in a timely fashion and I should expect an additional delay of 5 days. Fair enough I thought but a few days later I received an email from that webshop that the item I ordered was out of stock and would not be available before the 6th of July.

I could not try the suggested configurations mentioned above because I still haven’t been able to get my hands on a second hAP ac².

I do however have a few additional questions now.

  1. What happens to remote site (Beta) traffic when the VPN server at my home network (Alpha) is down? Then the split tunnel redirection on the remote site hAP ac² is probably down? Do I run the risk that this traffic is then redirected to public internet destinations?
  2. Can I use subdomains (alpha.mydomain.org and beta.mydomain.org) or dynamic DNS in the MikroTik configuration to resolve to the remote site and my home network? (then I can make my scripting more robust for when a public IP-address changes)
  3. Why is the MikroTik hAP ac² out of stock at so many places? Will they be re-stocked soon or is MikroTik working on a successor of the hAP ac²?
  4. What would be a good alternative to the hAP ac² for my use case?

You can define “blackhole” routes for the critical destinations, with a higher distance value than the ones via the VPN. These routes will still override the default one even when the VPN is down. For bare IPsec VPN, policies with action=drop placed after (below) the template for the dynamically created ones will do the same job.


You can use static DNS records which will be used to respond to corresponding queries coming from both the clients using the router as DNS server and from the router itself. You can also use some DynDNS systems, google for the update scripts. Or use Mikrotik’s own /ip cloud functionality, where the DNS name cannot be chosen freely but you don’t need to use any scripts to update it.


My favourite distributor declares to have several in stock, but I don’t know whether they ship to your country.


The cAP ac has the same CPU (with hardware encryption) but less Ethernet ports and higher price. Anything else is even much weaker or much more expensive.
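Added example, mine rather than the thread's or MikroTik's, for the answers to questions 1 and 2 above: a blackhole route that takes over when the tunnel route disappears, and DNS names for the endpoints via `/ip cloud` on the home router and a re-resolve script on the remote one. RouterOS 6 CLI; the home subnet 192.168.1.0/24, an L2TP/IPsec client interface named `vpn-home` whose `connect-to` holds an IP address, the name `alpha.mydomain.org` and the weekly schedule are my assumptions.

```routeros
# ===== Q1: no leak to the internet while the tunnel is down (remote hAP ac², beta) =====
# The route via vpn-home only exists while the interface is running. Without a fallback,
# 192.168.1.0/24 would follow the default route to the modem and be NATed out to the internet.
# A blackhole with a worse distance is inactive while the VPN route exists and wins when it is gone.
/ip route add dst-address=192.168.1.0/24 gateway=vpn-home distance=1 comment="alpha via VPN"
/ip route add dst-address=192.168.1.0/24 type=blackhole distance=250 comment="alpha: drop when VPN down"
# Check which of the two is active (flag A) with the tunnel up and again with it disabled:
#   /ip route print where dst-address=192.168.1.0/24
# Do the same at alpha for the remote subnet through the l2tp-beta binding.

# ===== Q2: names instead of public addresses =====
# Home router (alpha): MikroTik's own DDNS; the name is fixed by MikroTik, nothing to script.
/ip cloud set ddns-enabled=yes
# :put [/ip cloud get dns-name]    -> e.g. <serialnumber>.sn.mynetname.net; make
# alpha.mydomain.org a CNAME to it if you want your own name in the scripts.

# Remote router (beta): connect-to stores an address, so resolve the name right before the
# tunnel is enabled and keep the last good address if DNS is unavailable at that moment.
/system script add name=vpn-home-resolve source="\
    :local target \"alpha.mydomain.org\"\r\n\
    :do {\r\n\
        :local ip [:resolve \$target]\r\n\
        :if ([/interface l2tp-client get vpn-home connect-to] != \$ip) do={\r\n\
            /interface l2tp-client set vpn-home connect-to=\$ip\r\n\
            /log info (\"vpn-home: \" . \$target . \" is now \" . \$ip)\r\n\
        }\r\n\
    } on-error={\r\n\
        /log warning (\"vpn-home: cannot resolve \" . \$target . \", keeping old address\")\r\n\
    }"
# One minute ahead of the weekly enable (Sunday 02:00 in this example).
/system scheduler add name=vpn-home-weekly-resolve start-date=jan/05/2020 \
    start-time=01:59:00 interval=7d on-event=vpn-home-resolve
```

The blackhole route is the cheap check against the failure mode asked about in question 1: backup traffic that would otherwise leave in clear towards whatever host currently owns the home prefix on the internet is dropped on the router, and `/ip route print` shows which route is active at any moment. The resolve script fails closed as well: an unresolvable name leaves the previous address in place instead of clearing it.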