How to setup VPN-Passthrough on a TP-LINK Router TD-W8960N (for a remote client to SITE VPN session)


Gary Pope

Dec 14, 2011, 5:19:13 AM12/14/11
to mlu...@googlegroups.com
Anybody out there with knowledge of TP-link TD-W8960N wireless/wired/ADSL2+/router/modem that 'allegedly' support up to 10 VPN sessions?
 
Not sure if there is anyone in MLUG community familiar with VPN-passthrough on ROUTERS.
 
I've spent 2 days, 5 international phone calls, 10 emails, and now starting to learn Chinese to try and understand how the manufacturer of TP-LINK TD-W8960N routers set up their boxes for VPN passthrough. (excuse ramblings!)
 
Evidently there is SITE-TO-SITE VPN  (which involves setting up PAIRS of routers at the local/remote ends to link to each other permanently, thus making a WAN.)
 
But I simply want to be able to perform an infrequent VPN session from a remote box on the internet,   TO THE ROUTER at the office, in order to connect to a workstation on the office LAN to fetch some files.   Evidently this is called VPN Pass-through.
 
I'm assuming that I need to set up the router with details of the Pre-shared KEY, and outline who's at each end, and bust open ports like 1723, 1701, 500, ICMP and enable protocol 47 for GRE packets to traverse all this.
 
Wouldn't mind a dialogue with someone familiar with this.  
 
Normally I'd have a Unix firewall with MPD or racoon running as a VPN Server on the box, and link to customer SITE through such a beast. But the current project is NOT involving UNIX boxes yet (I know - another customer that needs to be shown the light - I'm trying - but TP-Link is more 'trying!')
 
Anybody with clues on 'pass-through' ?
 
Gaz
 
 

Gary A. Pope

Alex Ferrara

Dec 14, 2011, 5:45:52 AM12/14/11
to mlu...@googlegroups.com
I have a TP Link WR1043ND running OpenWRT. It runs Linux, but since it has an ADSL2+ modem I don't think OpenWRT would go straight on.

http://wiki.openwrt.org/toh/tp-link/td-w8960n

aF


Alex Ferrara
Director
Receptive IT Solutions

P 0403 604 604
F (02) 4822 7700
E al...@receptiveit.com.au
W www.receptiveit.com.au

Alex Ferrara

Dec 14, 2011, 5:51:02 AM12/14/11
to mlu...@googlegroups.com
Incidentally, VPN pass-through is not what you want. That is so clients on the LAN can connect using IPSec and friends to a VPN concentrator on the internet. It probably runs a standard Linux IPSec stack, but the menu would be dumbed down.

Personally, I like using OpenVPN as it is easy to route, and easy to run as a server/client on any type of box. You could port forward through the router to a computer in the network, and make the vpn termination there.

I have a howto on my website about openvpn. It isn't overly polished, but it will get you there. http://www.receptiveit.com.au/mediawiki/index.php/Debian:_SSL_OpenVPN_Server

aF


Gary Pope

Dec 14, 2011, 6:08:53 AM12/14/11
to mlu...@googlegroups.com
Alex - thanks for the immediate reply...... I'm in a pure winblows environment on this project - just trying to get a low cost VPN connection to assist the staff to gain access to a workstation sharing files on the office LAN. Whilst writing to MLUG tonight I got an overlapping email reply from TP-Link tech support saying "TD-W8960N does not support VPN server function.". But I'm still curious if they are failing to tell me about setting up IP rulesets that would permit traffic to pass through to a box on the inside of the office LAN that is prepared to respond to VPN connection requests from a remote WAN user.
 
I've got a situation of the blind leading the blind on that story - so I thought I'd turn to the MLUG community to see if anyone has already run this. I saw a 12mth old article on Whirlpool where a chap has a session running from a Draytek 2820 to the TD-W8960N - which suggests it's possible to link as VPN Server too!
There's a lot of examples/evidence to suggest the TD-W8960N is really designed for being sold in PAIRS of routers with auto-syncing VPN session establishment between them, to create a WAN between two LAN sites.
 
(Whereas I'm seeking to permit a series of infrequent users be capable of running a manual VPN connection session, and then browse to a SHARED file folder on the central site to fetch/store business files).
 
I'll look into your suggestion none-the-less.   Thanks Alex!
 
Cheers
 
Gaz
 

Gary A. Pope
B.Bus(ACC)

Alex Ferrara

Dec 14, 2011, 3:47:31 PM12/14/11
to mlu...@googlegroups.com
I have done this in a pure Windows environment with a low buck router. This environment was not by design, but rather what a client has evolved and then asked me to come in behind to "open up files to the internet".

I'm a big firewall guy. You don't open anything to the internet on a windows machine if you don't want the windows machine to be compromised.

My preferred situation is to commission a firewall using a disused computer with two network interfaces. I really like pfSense as it is quite powerful and has a web interface that gives some value to the clients. I used to roll my own Linux distribution designed for firewalling that fitted onto a CF disk, but I have abandoned that in favour of pfSense as my development time was limited. pfSense has support for OpenVPN, IPSec and PPTP (which I really don't use).

If the client is adamant that they do not want a firewall, they might be more receptive to a new router. I have been using a TP Link WR1043ND as a router with an ADSL2 modem on the WAN port. This router has a gigabit switch, 802.11n wireless and there is heaps of space for OpenWRT. You can install OpenVPN or any other VPN that a Linux box supports.

If the client doesn't want to buy anything, and your current router doesn't support VPN endpoints, your only option that I would take is to set up OpenVPN on one of the computers in the network, and port forward to it. OpenVPN has the advantage of being very secure and running over a single UDP port, so it is easy to route, unlike IPSec. You can install OpenVPN on Windows or any Unix including Mac. I set it up to use certificates, and it comes bundled with scripts to easily create and manage certificates from the CLI. The OpenVPN client, on Windows Vista or 7 needs to run with administrator privileges or it won't be able to add the appropriate routes, and you might need to add a route on the endpoint if you need access to other things on the network.

As I have said, my website has some useful information on OpenVPN.

I hope this helps.

aF

Gary Pope

Dec 14, 2011, 3:56:52 PM12/14/11
to mlu...@googlegroups.com
Alex
 
Thanks! That's a really great bunch of useful info for me to play with today! I agree with the preferable Unix firewall route (we use FreeBSD firewalls that have all this VPN aspect taken care of) - but this client is, as you say, adamant about the MS environment. Will explore this OpenVPN avenue on the Win7 box at their site then, and try port forwarding the VPN access thru the router to reach that Win7 box.
 
Cheers
 
Gaz

Gary A. Pope

Alex Ferrara

Dec 14, 2011, 4:07:05 PM12/14/11
to mlu...@googlegroups.com
I am feeling your pain. I have had some clients over the years that value an "all-microsoft" environment. I have snuck in Linux boxes in the form of routers and embedded devices, which they have been happy with because they are unaware that they are actually running Linux.

If only these end users appreciated that Windows at the edge of the network is like having a front door made out of cardboard.

Good luck.

aF

Tony Langdon

Dec 14, 2011, 5:12:12 PM12/14/11
to mlu...@googlegroups.com
At 10:08 PM 12/14/2011, you wrote:
>Alex - thanks for immediate reply...... I'm in a pure winblows
>environment on this project - just trying to get a low cost VPN
>connection wto assist the staff gain access to a workstation sharing
>files on the office LAN. Whilst writing to MLUG tonight I got an
>overlapping email reply from TP_link tech support saying "TD-W8960N
>does not support VPN server function.". But I'm still curious if
>they are failing to tell me about setting up IP rulesets that would
>permit traffic to pass through to a box on the inside of the office
>LAN that is prepared to respond to VPN connection requests from a
>remote WAN user.

OpenVPN works well on Windows too. The structure of the openvpn
protocol is much simpler and easily handled by NAT routers (only a
single UDP port needs forwarding on the server end).

73 de VK3JED / VK3IRL
http://vkradio.com

Gary Pope

Dec 15, 2011, 8:49:07 PM12/15/11
to Gary Pope, mlu...@googlegroups.com
Alex.
 
OpenVPN running between two Windows LANs.
 
Thanks again!    WORKING!.
 
I had to do some adjustments on the TEST LAN here, which already has a Unix firewall, and a real VPN server, just to make things harder!
 
We managed to introduce the PORT FORWARDING rule for 1194 (using /etc/ppp/ppp.conf  to avoid putting a natd in the production LAN).
 
So, in the end, we got OpenVPN server running on the in house SITE on 192.168.202.x  LAN
Then we setup a REMOTE laptop with a 3G connection simulating a CLIENT,  which is on a LAN of 192.168.1.x.
 
We structured OpenVPN to run as a 192.168.199.x  VPN Subnet to be different to each of above.
 
We had to modify the SAMPLES to suit what is meant to be a pure Windows scenario (despite there being a FreeBSD firewall in the way of this particular test).
 
So, we used the following modifications to the OpenVPN setup:
a) downloaded the Windows version of OpenVPN from: http://openvpn.net/index.php/open-source/downloads.html
b) followed the instructions for setup at: http://openvpn.net/index.php/open-source/documentation/howto.html
c) In the config files (.ovpn in Windows), for both server and client, choose the TAP interface:
      dev tap                # rather than Unix styled dev tun.
d) remember to create different clientX (ie: client1, client2, client3!) and name the files accordingly, and edit the names internally!
e) The instructions forget to tell you to move the generated files from .../easy-rsa/keys/..... to .../config/....
      Move the server.* and client*.* files to ..../config/.... on the SERVER
      and for EACH remote clientX, do the same, but only one set of relevant clientX files.
      ** DO NOT move or give away the ca.* key or certificate files!!
f) change the server.ovpn to know the traditional LAN subnet that exists (in our case it was 192.168.202.x)
g) change the client.ovpn to know the STATIC WAN IP of where the OpenVPN exists (My WAN IP at Server end)
h) change the client.ovpn to have the NUMBERED clientX files:
      cert client1.crt
      key client1.key
i) Starting the SERVER needs a little tidying up. But here's the DOS prompt approach:
      C:\Program Files\OpenVPN\config>openvpn server.ovpn
j) As many of the docs mention, you must open any firewall restrictions to let incoming udp 1194 traffic INTO the Server LAN.
k) PLUS the udp 1194 traffic needs to be FORWARDED to the machine acting as the OpenVPN server.
 
 
Once all that was done, we were able to sit on the CLIENT PC and make the client CONNECTION to the Server.
This resulted in the client receiving a dhcp address of 192.168.199.2. The OpenVPN server is known as 192.168.199.1.
So, on the CLIENT PC, we started a File EXPLORER session, and went to: \\192.168.199.1.
We were then able to see all the SHARED FOLDERS that the OpenVPN SERVER box was sharing.
Files were able to be copy/pasted across the WAN successfully.
 
Job done.
 
Thanks to Mark for the RDP interim workaround (useful for remotely setting this up later at the real client), and Alex for showing me the way!
 
Ain't MLUG forums great to get problems solved!
 
Cheers
 
Gaz
 
 
 

Gary A. Pope
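The server/client pairing described in steps c) to h) above, as an added example (not code from the thread or from the OpenVPN project): a small Python checker that parses a server.ovpn/client.ovpn pair and flags the mistakes those steps warn about, including a ca.key that was wrongly copied into a client bundle. The two configs and the bundle file lists are constructed to mirror the thread's setup (dev tap, udp 1194, VPN subnet 192.168.199.x, office LAN 192.168.202.x); SERVER_WAN_IP is a placeholder for the server's static WAN IP.

```python
# Constructed sample configs modelled on the thread's setup (not real deployments).
SERVER_OVPN = """
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 192.168.199.0 255.255.255.0              # VPN subnet from the thread
push "route 192.168.202.0 255.255.255.0"        # office LAN behind the server
keepalive 10 120
"""

CLIENT_OVPN = """
client
dev tap
proto udp
remote SERVER_WAN_IP 1194                        # placeholder for the static WAN IP
ca ca.crt
cert client1.crt
key client1.key
"""

# Files handed to remote client1 (constructed): correct bundle and one that leaks the CA key.
CLIENT1_BUNDLE = {"client1.ovpn", "ca.crt", "client1.crt", "client1.key"}
LEAKY_BUNDLE = CLIENT1_BUNDLE | {"ca.key"}


def parse_ovpn(text):
    """Map each directive to its argument list; '#' and ';' comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def check_pair(server_text, client_text, client_files):
    """Return a list of problems; an empty list means server and client agree."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    if s.get("dev") != c.get("dev"):          # step c): both sides must use dev tap
        problems.append(f"dev mismatch: server {s.get('dev')} vs client {c.get('dev')}")
    if s.get("proto", ["udp"]) != c.get("proto", ["udp"]):
        problems.append("proto mismatch between server and client")
    remote = c.get("remote", [])              # step g): remote <wan ip> <port>
    if len(remote) < 2 or remote[1] != s.get("port", ["1194"])[0]:
        problems.append("client remote port does not match server port")
    for d in ("cert", "key"):                 # step h): per-client clientX.crt / .key
        name = c.get(d, [""])[0]
        if not name.startswith("client") or name not in client_files:
            problems.append(f"client {d} {name!r} is not a per-client file in the bundle")
    if "ca.key" in client_files:              # step e): never ship the CA private key
        problems.append("ca.key must never be given to a client")
    return problems
```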
