Traffic between VPN clients.

Please forgive me if anything in this is unclear, or if the answers to my questions can be found somewhere in this forum.

I’ll start by explaining what I’d like to achieve:

In many cases, establishing a VPN connection from a PC located at one site, over the Internet, to an endpoint/VPN server located on another site behind a firewall/NAT is close to impossible. This is often desired in cases where you have an industrial machine with its own LAN, isolated from the company LAN by a firewall/NAT.

Remote PC <—> Internet <—> Firewall/NAT <—> Company LAN <—> Machine Firewall/NAT <—> Machine LAN

I have installed more than 15 Etic IPL-E VPN routers on machines where I work, and they work like this:

  • The IPL-E VPN router establishes a connection to an OpenVPN server located somewhere on the Internet - (Tunnel 1).
  • The client computer (on another site than the IPL-E) also connects to the VPN server on the Internet - (Tunnel 2).
  • A third VPN tunnel is then created through the first two, with one endpoint located at the PC and the other endpoint located at the IPL-E.
    This clears things up a bit: http://www.etictelecom.com/pages_en/ras/ras.htm

I would like to achieve something similar with the RouterBoard 750 GL. My idea is as follows (also see the attached picture):

RBserv

  • One RouterBoard (from now on called RBserv) is connected to the Internet on the WAN port.
  • A PPTP (or L2TP) server is run on the RBserv.
  • When a client connects, he is automatically given an IP in the desired range (must match the network of the machine LAN).

RBsite

  • Another RouterBoard (RBsite) is installed between the Machine LAN and Company LAN.
  • RBsite has a VPN client which connects to RBserv.

Remote PC

  • The remote PC establishes a VPN connection to RBserv.
  • The remote PC is given an IP on the same net as the machine LAN.
  • Traffic can now flow like this:
    Remote PC <-vpn-> RBserv <-vpn-> RBsite <-machine LAN-> (any host on the machine LAN)

Since both VPN connections are “outgoing”, there should usually not be any problem getting them up and running.

In my test setup, I only use RBserv, and substitute RBsite with another computer.
Both computers connect to RBserv and get an IP. I have proxy-ARP activated, but cannot get any traffic to flow between the two computers. I have been able to ping between the remote PC and RBsite a few times, but it does not always work.
Does anyone here have experience with similar setups? Or maybe if someone can see directly that I’m trying to do something impossible - please tell me :)
(Attachment: vpnQuestion.png)
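Added example, not from the original post: a RouterOS CLI configuration for the topology described above, with RBserv as the PPTP server and RBsite as the PPTP client in front of the machine LAN. All addresses, user names, interface names and the password are assumed placeholders; the machine LAN is taken to be 192.168.10.0/24, with 192.168.10.192/27 reserved for VPN clients so that RBsite can hold a more specific route to them than its connected /24.

```routeros
# ---- RBserv (Internet-facing RouterBoard, runs the PPTP server) ----
# Assumed placeholders: machine LAN 192.168.10.0/24, VPN client pool carved out of it.
/ip pool add name=vpn-pool ranges=192.168.10.200-192.168.10.220
# local-address deliberately outside the machine LAN so it never collides with a real host
/ppp profile add name=vpn-profile local-address=10.255.255.1 remote-address=vpn-pool
/interface pptp-server server set enabled=yes default-profile=vpn-profile
# RBsite gets a fixed tunnel address; remote PCs draw from the pool
/ppp secret add name=rbsite password=CHANGE-ME service=pptp profile=vpn-profile remote-address=192.168.10.254
/ppp secret add name=remotepc password=CHANGE-ME service=pptp profile=vpn-profile
# Static binding gives the RBsite tunnel a stable interface name usable as a route gateway
/interface pptp-server add name=pptp-rbsite user=rbsite
# Every machine-LAN address that is not a VPN client lives behind RBsite;
# the per-client /32 routes the server adds dynamically are more specific and win
/ip route add dst-address=192.168.10.0/24 gateway=pptp-rbsite
# Allow forwarding between the tunnels, ahead of any default drop rules in the forward chain
/ip firewall filter add chain=forward src-address=192.168.10.192/27 dst-address=192.168.10.0/24 action=accept place-before=0
/ip firewall filter add chain=forward src-address=192.168.10.0/24 dst-address=192.168.10.192/27 action=accept place-before=0

# ---- RBsite (between company LAN and machine LAN, runs the PPTP client) ----
# Assumed: ether1 faces the company LAN (gets an address by DHCP), ether2 faces the machine LAN,
# RBSERV_PUBLIC_IP is a placeholder for RBserv's WAN address
/ip dhcp-client add interface=ether1 disabled=no
/ip address add address=192.168.10.253/24 interface=ether2
/interface pptp-client add name=pptp-out1 connect-to=RBSERV_PUBLIC_IP user=rbsite password=CHANGE-ME add-default-route=no disabled=no
# Only the VPN client block is routed into the tunnel; the rest of the /24 stays on ether2
/ip route add dst-address=192.168.10.192/27 gateway=pptp-out1
# Proxy-ARP: RBsite answers ARP requests from machine-LAN hosts for VPN client addresses,
# because it holds a more specific route to them via a different interface (pptp-out1)
/interface ethernet set ether2 arp=proxy-arp
```

The same structure works with an L2TP/IPsec client and server in place of PPTP; since PPTP's MS-CHAPv2 authentication is considered broken, the tunnel type is worth choosing deliberately. With the static binding in place, a client-to-LAN path can be checked from RBserv with /tool traceroute to a machine-LAN host and from RBsite with /ip arp print to confirm the proxied entries.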