I came across an interesting situation at work this week. We needed to bridge a device at a remote site (a phone actually) to a VLAN at our office, but both sites are behind NAT without the ability to create port forwards. I combined PeerVPN, OpenWRT and a RouterBOARD to make this work. Note that this probably isn’t going to be a very tidy post as it’s more for my reference than anything else!
I know that double VPN encapsulation is bad, but even so, using 3G I was able to conduct a call over SCCP and the person on the other end couldn’t tell the difference!
In this case I used a RB951-2n for the client end and a RB2011UAS for the server end, but any mipsbe RouterBOARD will work (well, any will, but the files I’m providing are compiled for mipsbe). Two of the RB951-2n would do nicely for most uses, which would mean a total cost for the project of around $150.
To start you should be running the latest version of RouterOS, then download this file and fire it up as a MetaROUTER. Basically it’s a custom compiled OpenWRT with PeerVPN and Screen added. You can compile this yourself reasonably easily, but I’m not going to document that here.
What you do need apart from the two ends is a server that you *can* do port forwards on. If you don’t have one you can buy one from us! Basically all you need is a super low resources server that can run PeerVPN and act as a broker for NAT traversal. Download PeerVPN from here and give the broker a peervpn.conf along these lines:
networkname MyNetwork
psk MyPassword
enabletunneling no
port 7000
enableipv4 yes
enablerelay no
You need 3 IP ranges (ranges I used in brackets so you can follow along)
- Server OpenWRT -> Server RouterOS (172.25.156.0/30)
- PeerVPN Subnet (172.25.155.0/24)
- Client OpenWRT -> Client RouterOS (172.25.154.0/30)
I made the PeerVPN subnet a full /24 because there is the potential for multiple clients. As you set everything up make sure you add all the required routes. The RouterBOARDs require the PeerVPN and the opposite end’s link subnet while the MetaROUTERs just require the opposite end’s link subnet. For links between the RouterOS and MetaROUTER I just created a bridge and attached the MetaROUTER to it and then configured the RouterOS IP directly on that bridge.
To configure OpenWRT networking run the following commands (this example from my client OpenWRT):
uci set network.lan.proto=static
uci set network.lan.ipaddr=172.25.154.2
uci set network.lan.netmask=255.255.255.252
uci set network.lan.gateway=172.16.250.1
uci set network.lan.dns=188.8.131.52
/etc/init.d/network restart
Then you need to add PeerVPN config into /etc/peervpn/peervpn.conf:
networkname MyNetwork
psk MyPassword
initpeers MyBroker 7000
enabletunneling yes
interface peervpn0
ifconfig4 172.25.155.2/24
port 7000
enableipv4 yes
I also added a few things to /etc/rc.local on OpenWRT, and some similar code on the broker:
screen -dmS PeerVPN peervpn /etc/peervpn/peervpn.conf
sleep 30
route add -net 172.25.156.0/30 gw 172.25.155.1
iptables -P FORWARD ACCEPT
iptables -F
Of course you will need to modify the routes to suit your setup.
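As an added example (my own code, not from this post or from PeerVPN), here is a small Python check that a broker and client peervpn.conf pair agree on the settings they must share, plus a helper that works out the static routes each of the four boxes needs from the three ranges above. The config text is constructed from the samples in this post and the route rules are the ones described earlier; the function names are assumptions of mine.

```python
import ipaddress

# Constructed sample configs in peervpn.conf's "key value" format, one per line.
BROKER_CONF = ("networkname MyNetwork\npsk MyPassword\nenabletunneling no\n"
               "port 7000\nenableipv4 yes\nenablerelay no\n")
CLIENT_CONF = ("networkname MyNetwork\npsk MyPassword\ninitpeers MyBroker 7000\n"
               "enabletunneling yes\ninterface peervpn0\nifconfig4 172.25.155.2/24\n"
               "port 7000\nenableipv4 yes\n")

def parse_conf(text):
    """Split each non-empty, non-comment line at the first space into key/value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def check_configs(broker_text, client_text):
    """Return a list of problems between a broker and a client config (empty = OK)."""
    b, c = parse_conf(broker_text), parse_conf(client_text)
    problems = []
    for key in ("networkname", "psk"):          # both sides must share these
        if b.get(key) != c.get(key):
            problems.append(f"{key} differs between broker and client")
    if b.get("enabletunneling", "no") != "no":  # the broker only brokers
        problems.append("broker has tunnelling enabled")
    if c.get("enabletunneling") != "yes" or "ifconfig4" not in c:
        problems.append("client needs enabletunneling yes and an ifconfig4 address")
    peer = c.get("initpeers", "").split()       # "host port"
    if len(peer) < 2 or peer[1] != b.get("port"):
        problems.append("client initpeers port does not match the broker port")
    return problems

def plan_routes(server_link, peervpn_subnet, client_link):
    """Routes each box needs: RouterBOARDs get the PeerVPN subnet plus the far
    end's link subnet, MetaROUTERs only the far end's link subnet."""
    nets = [ipaddress.ip_network(n) for n in (server_link, peervpn_subnet, client_link)]
    for i, a in enumerate(nets):                # the three ranges must not overlap
        for other in nets[i + 1:]:
            if a.overlaps(other):
                raise ValueError(f"{a} overlaps {other}")
    return {
        "server RouterOS": [peervpn_subnet, client_link],
        "server OpenWRT": [client_link],
        "client RouterOS": [peervpn_subnet, server_link],
        "client OpenWRT": [server_link],
    }
```

Run `check_configs` on the two files before bringing the tunnel up; a PSK or network name typo otherwise just shows as peers that never connect.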
Once this is done you should fire them all up and wait as PeerVPN works its magic and connects everything together. You can confirm by pinging the other end.
This was pretty brief, so let me know if you have any questions if you try to implement it!