BOVPN between WG and a computer behind NAT router

Hi

Is it possible to establish a BOVPN (site-to-site VPN) with a location that has a router behind another NAT device?

At the primary location we have an M200 box; at the secondary location there is a general company router that is doing NAT to our small office network, which has another SOHO router that is also doing NAT.
Now we want to establish a site-to-site VPN between the M200 and the small office computers that are behind the SOHO router. As far as I know this is not possible, so we're looking for other solutions we can use to connect this small office to our M200 box.

For now, we have configured the SOHO router to make an OpenVPN connection to the M200 box, so computers behind this SOHO router can connect to the main office. But the problem is that from the main office (M200) we can't connect to computers at the SOHO router site, since this is a client-server VPN.

Any ideas how we can solve this, is it possible?

Thank you in advance
Regards,
Mike

Comments

  • Review this:
    BOVPN on a Firebox Behind a Device That Does NAT
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_nat_c.html

    The remote site router would need to forward UDP ports 500 & 4500 from your firewall public IP addr to the SOHO external IP addr for this to work.

  • Hi Bruce

    Thank you for the reply. It's a problem because the people who are responsible for the master (remote site router) won't allow port forwarding.
    Are there any other options we can use (maybe some kind of SSH tunnel between the two locations)?
    I am thinking of some kind of SW solution that we can install on a computer at the remote site that will do SSH or any other tunnel to our master location.

    Regards,
    Mike

  • Hi Kimmo

    For this option do we need to have WG at both sites, or can we do it with WG only at the 'master' site and a SW solution (pfSense or any other device)?
    The problem is that we need to have communication both ways: from remote site --> master site and from master site --> remote site.

    Regards,
    Mike

  • “on secondary there is a general company router that is doing NAT to our small office network that has another SOHO router that is doing NAT.”

    What device is the “another SOHO router”?

  • It's a 'cheap' TP-Link router that only supports client-site VPN but not site-to-site.
    For now we configured it to establish a client-site VPN so computers behind this router can access resources in the main office. But from the main office we can't connect to/access computers that are behind this 'SOHO' router.

  • Okay, maybe it would be easier to just replace the TP-Link device with a small Firebox T15/35 device; then you could do a normal IPsec BOVPN or TLS BOVPN.

    IPSec BOVPN is configured with IKEv2 or IKEv1 + Aggressive mode.
    https://www.screencast.com/t/bZfvHq3tj

    and with Dynamic IP address and Domain name configuration:
    https://www.screencast.com/t/T1YxmE9Kmvw
    https://www.screencast.com/t/qocaFrujcs

    The remote device doesn’t need to be a WG device, if the device supports standard IPSec, i.e. IKEv1 + Aggressive mode (or IKEv2) and ID by domain name.

    But if the IPSec BOVPN doesn’t work, then you can’t use TLS BOVPN…

  • Hi Kimmo

    Thank you for the reply.
    But AFAIK the remote site router (the router that is in front of our router) would need to forward UDP ports 500 & 4500 from their public IP addr to our router's external IP addr for this to work.
    If this is not possible (due to the regulations of the company that is providing our internet access), is there any other scenario we can use?

    Regards,
    Mike

  • Nope, the main router doesn’t need to do any port forwarding back to your router.
    Your router just needs to support NAT-T with IPSec, and almost all do nowadays…

  • @Kimmo said:
    Nope, the main router doesn’t need to do any port forwarding back to your router.
    your router needs to just support NAT-T with IPSec, and almost all do nowadays…

    Our 'SOHO' router's WAN interface is not directly on the internet; it is routed through another router that is also doing NAT.
    So this 'primary' router doesn't need to do port forwarding?
    How can we then configure our router to do a site-to-site VPN to the main office with the M200 box?

    Regards,
    Mike

  • The primary NAT router must allow the following traffic out to the internet:
    UDP port 500 (IKE)
    UDP port 4500 (NAT Traversal)

    You build the IPSec BOVPN with Dynamic IP and domain name config.
    This way the remote SOHO firewall/router is the one that opens the BOVPN, as it knows the main firewall's (M200)
    public IP address…

    Main Firewall:
    https://www.screencast.com/t/T1YxmE9Kmvw
    Remote Firewall:
    https://www.screencast.com/t/qocaFrujcs
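Why the outbound-only rule above is enough: IKE peers detect a NAT in the path themselves and then move the exchange to UDP 4500, so the remote side can open the tunnel without any inbound forwarding. The following added example (not from this thread or from WatchGuard) reproduces the IKEv2 NAT detection check of RFC 7296 section 2.23 with constructed SPIs and addresses: the office router hashes the private WAN address it believes it is using, the M200 recomputes the hash over the source address it actually observes, and the mismatch is what signals NAT and triggers the switch to port 4500.

```python
import hashlib
import ipaddress
import struct

# IKEv2 NAT detection (RFC 7296, section 2.23): each peer sends
# SHA-1(SPIi | SPIr | IP | Port) computed over the address and port it
# believes it is sending from. The receiver recomputes the hash over the
# address and port it actually observed on the wire; a mismatch means a
# NAT device rewrote the packet, so both sides move to UDP 4500 (NAT-T).


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_SOURCE_IP / DESTINATION_IP payload value."""
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def peer_behind_nat(spi_i: bytes, spi_r: bytes, claimed_ip: str, claimed_port: int,
                    observed_ip: str, observed_port: int) -> bool:
    """True when the hash the peer sent does not match what the receiver sees."""
    sent = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    seen = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent != seen


def nat_t_port(spi_i: bytes, spi_r: bytes, claimed_ip: str, claimed_port: int,
               observed_ip: str, observed_port: int) -> int:
    """Port the IKE exchange continues on: 4500 once a NAT is detected, else 500."""
    return 4500 if peer_behind_nat(spi_i, spi_r, claimed_ip, claimed_port,
                                   observed_ip, observed_port) else 500


def demo() -> tuple[bool, int]:
    # Constructed values: the SPIs are arbitrary, the responder SPI is zero in
    # the IKE_SA_INIT request, 10.20.30.40 stands in for the office router's
    # private WAN address and 203.0.113.5 (TEST-NET-3) for the MAIN router's
    # public address that the M200 sees as the packet source.
    spi_i = bytes.fromhex("0102030405060708")
    spi_r = bytes(8)
    office_wan, office_port = "10.20.30.40", 500
    seen_by_m200, seen_port = "203.0.113.5", 500
    behind_nat = peer_behind_nat(spi_i, spi_r, office_wan, office_port, seen_by_m200, seen_port)
    return behind_nat, nat_t_port(spi_i, spi_r, office_wan, office_port, seen_by_m200, seen_port)


if __name__ == "__main__":
    print(demo())  # (True, 4500): office router is behind NAT, continue on UDP 4500
```

The same check also runs in the other direction, which is why it is the NAT-side peer (the office router) that must initiate: the M200 has no forwarded inbound path to reach it first.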

  • Hi Kimmo

    Thanks again.
    The primary NAT router must forward 500 and 4500 traffic to our office router, or not?
    On our office router we have a WAN interface IP address of 10.x.x.x, which is connected via some internal VLAN to the primary router that has the public internet connection.

    Regards,
    Miha

  • The primary NAT router must forward 500 and 4500 traffic to our office router, or not?
    No

  • With this setup, your end needs to initiate the BOVPN connection.

    If the UDP ports could be forwarded through the primary NAT router, then the M200 could initiate the BOVPN also. This is the normal setup - where either end can initiate.

  • @Kimmo said:
    The primary NAT router must forward 500 and 4500 traffic to our office router, or not?
    No

    The primary router that is doing NAT has the external IP that we connect through. From this router we got a line to our office router, which is also doing NAT for our network, but the line we got is a 'private' LAN addressed 10.x.x.x that we connect to our office router.
    So our office router has:

    • a WAN interface with 10.x.x.x that connects to the MAIN router, which is connected to the internet
    • a LAN interface with 192.168.x.x that connects our computers to the network.

    We only have access to the office router but not to the MAIN router that is directly connected to the internet.
    So to establish a site-to-site VPN (or BOVPN) our office router needs to connect to the other location that has the M200 box. But since our office router isn't directly connected to the internet but goes through another router, I don't think this is possible.
    As I understand it, this MAIN router needs to forward UDP 500 and 4500 traffic to our office router, or not?

    Regards,
    Mike

  • As I understand it, this MAIN router needs to forward UDP 500 and 4500 traffic to our office router, or not?

    No, it does not need to do that! You can build a BOVPN through a NAT router!
    You just need to configure the BOVPN with dynamic IP and domain name config, just like I have shown already multiple times...