Reverse Tunnel VPN?

I have an idea but am unsure if this is possible.

I want to have a mikrotik I can send someone that can tunnel out of their network that I can VPN into so that my computer would be on the same L2/L3 network that the mikrotik is on. This way no port forwarding is needed it is a plug and play operation as long as there is not a restrictive outbound policy for the network.

How would I do this?

The way I would do this is set up a PPTP server on your router (must have a public static IP). Connect the remote router to your router using PPTP. Once you have a connection, you can make an EOIP tunnel using the IP addresses of the PPTP tunnel. Then you use the EOIP tunnel just like a normal interface. You can bridge both ends to both networks. The only thing to be careful with here is IP ranges for connectivity, but you can use MAC access and even NetBIOS names in this way. For IP connectivity both networks will need to be on the same range, or you will need to add an IP address on the main router's bridge in the same range as the remote router. It acts as if you have a cable between the two. I have used this to set up quite a few VPNs; you can also use bridge filters to filter DHCP between routers. The remote router does not need a public IP, all it needs is an internet connection. I believe you would want a setup something like this:

Main Router:
Public IP for Internet - xx.xx.xx.xx
LAN IP and Range - 192.168.1.1/24
PPTP Server IP - 192.168.2.1 also giving out 192.168.2.2 for remote
EOIP Local IP - 192.168.2.1
EOIP Remote IP - 192.168.2.2
EOIP bridged to LAN
DHCP Server on LAN - 192.168.1.100-200

Remote Router:
DHCP Client for Internet
LAN IP and Range - 192.168.1.2/24
PPTP Client connecting to Main Router's public IP and receiving the IP of 192.168.2.2
EOIP Local IP - 192.168.2.2
EOIP Remote IP - 192.168.2.1
EOIP Bridged to LAN
No DHCP Server because the main router will handle that for this LAN also

The alternate way to do this is to have a DHCP server on both, using each router's IP as the gateway for its own network and putting in bridge filters on the EOIP interfaces to block DHCP between networks. I do it this way for VPNs that need to have layer 2 access, but this way they go out the correct internet connection and only use the tunnel for traffic that needs to go through it. It also allows the remote sites to still get online when the tunnel is down for any reason.
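One way to lay out the configuration this post describes, as an added RouterOS example rather than the poster's own config. Interface names (bridge-lan, eoip-remote1, eoip-main, pptp-main, ether1), the secret name remote1 and the CHANGE_ME password are assumptions; the public IP keeps the post's xx.xx.xx.xx placeholder.

```routeros
# ---- Main router (public static IP xx.xx.xx.xx, LAN 192.168.1.1/24) ----
/interface bridge add name=bridge-lan
/ip address add address=192.168.1.1/24 interface=bridge-lan
/ip pool add name=lan-pool ranges=192.168.1.100-192.168.1.200
/ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1
# PPTP server; the secret pins the tunnel endpoints to 192.168.2.1 / 192.168.2.2.
# Caveat: PPTP's MS-CHAPv2 authentication is cryptographically weak; the same
# EoIP-over-tunnel layout works unchanged over any PPP-style tunnel that hands
# out these two addresses, so the PPTP layer can be swapped without touching EoIP.
/interface pptp-server server set enabled=yes
/ppp secret add name=remote1 password=CHANGE_ME service=pptp \
    local-address=192.168.2.1 remote-address=192.168.2.2
# Check: the PPTP control channel (TCP 1723) and GRE must be accepted on the
# input chain above any generic drop rule, or the remote router never connects.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP control"
/ip firewall filter add chain=input protocol=gre action=accept comment="PPTP GRE"
# EoIP rides on the PPTP addresses; tunnel-id must match on both ends.
/interface eoip add name=eoip-remote1 local-address=192.168.2.1 \
    remote-address=192.168.2.2 tunnel-id=1
/interface bridge port add bridge=bridge-lan interface=eoip-remote1

# ---- Remote router (DHCP client on WAN, LAN 192.168.1.2/24, no DHCP server) ----
/interface bridge add name=bridge-lan
/ip address add address=192.168.1.2/24 interface=bridge-lan
/ip dhcp-client add interface=ether1 disabled=no
/interface pptp-client add name=pptp-main connect-to=xx.xx.xx.xx \
    user=remote1 password=CHANGE_ME disabled=no
/interface eoip add name=eoip-main local-address=192.168.2.2 \
    remote-address=192.168.2.1 tunnel-id=1
/interface bridge port add bridge=bridge-lan interface=eoip-main

# ---- Alternate layout from the post: a DHCP server at each site, with DHCP
# ---- blocked across the tunnel. Apply on each router against its own EoIP
# ---- interface (shown here for the remote side); drop both directions so
# ---- neither site's clients can lease from the other site's server.
/interface bridge filter add chain=forward in-interface=eoip-main mac-protocol=ip \
    ip-protocol=udp dst-port=67-68 action=drop comment="no DHCP in from tunnel"
/interface bridge filter add chain=forward out-interface=eoip-main mac-protocol=ip \
    ip-protocol=udp dst-port=67-68 action=drop comment="no DHCP out to tunnel"
```

Once both sides are up, a client behind the remote router should lease an address from the main router's 192.168.1.100-200 pool, which is the quickest check that the bridged EoIP path is working end to end.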

You should set up a VPN server on your side and let the customer device connect to it.

The objective here is to get on the client's network as if on the L2, able to pull an IP from their DHCP etc., with zero config on the client's side.

It might be a possibility to do that if I VPN back into the device via my VPN, but that makes for a lot of overhead.

I'm pretty sure without a static public IP you won't be able to pre-configure a VPN server on the remote side, so the only option would be to set up a client on their side, but with an EOIP tunnel you can still get DHCP from them as it fakes like there is a cable running from their MikroTik to yours.