# Best way to create tunnel from remote router?



## RevennaFox (Jul 20, 2018)

I've got a problem I'm sure is a common one, but I haven't been able to find a simple solution for it on my own. I've got a remote router (Mikrotik Routerboard) in the field I want to be able to login to via SSH, but it has a dynamic IP, and is behind another NATed and firewalled router I don't have control of.  At the office I have a FreeBSD machine I have full control of, that's acting as a gateway using the pf firewall. It also has a dynamic IP, but it doesn't change often and also has a DNS hostname that never changes.
I guess the best way to do this would be to create a tunnel from the remote router back to the FreeBSD machine, but what would be the best protocol to use? I don't want broadcast packets, internet traffic, DNS, or anything else going over the link, just a simple point-to-point tunnel. Someone told me to try using OpenVPN, but it seems like it's too complicated for what I need; after hours and hours of trying to create SSL certificates and reading the nine million or so pages of the documentation I still didn't have a working connection, just a headache. I've also tried the MPD5 and Poptop servers, but haven't had much luck establishing a connection with those either; the guides I found are either out of date or refer to the Linux versions.
I've also tried setting up a Windows machine as a PPTP server and forwarding port 1723 to it with the following pf rules:

```
rdr on $ext_if inet proto tcp from any to any port 1723 -> 10.0.0.8 port 1723
pass inet proto tcp from any to any port 1723
```
but I keep getting "Error 806", which is something about how the router may not be configured to allow GRE protocol packets, but since GRE uses TCP shouldn't that be covered by the pass rule?

There has to be an easy way to do this.


----------



## obsigna (Jul 21, 2018)

In a similar situation, I got a remote FreeBSD 11.2 machine behind NAT. The remote FreeBSD machine maintains an IKEv2-PSK/IPsec tunnel to the FreeBSD 11.2 gateway of the office. On the gateway, I configured a static route to the local IP address of the remote machine, and I am able to ssh to it using any client in the office which is sitting behind said gateway.

On the remote machine, a cron job checks every 5 minutes whether the tunnel is still alive, and if not, it establishes a new IPsec tunnel.

For configuring IPsec, I got security/strongswan installed on both machines.

In case your remote router is able to initiate an IPsec connection, I would be able to give more details about the setup on my gateway.


----------



## ShelLuser (Jul 21, 2018)

I honestly don't understand how OpenVPN could cause you so much problems.

From openvpn(8):


```
On bob:

    openvpn --remote alice.example.com --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9

On alice:

    openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9

Now verify the tunnel is working by pinging across the tunnel.
```
This is a solid and easy way to test tunneling. And once this works you can work your way up by applying encryption, also explained in said manual page.

And yes: regular ("full blown") certificates don't work, that surprised me too. But this is fully explained in the documentation, you'll need a changed / alternate version of those.


----------



## RevennaFox (Jul 21, 2018)

ShelLuser said:


> I honestly don't understand how OpenVPN could cause you so much problems.




```
man openvpn | wc -l
    4987
```
I spent most of my time trying to figure out PKI, which is something I've never worked with before.
Unfortunately I can't authenticate the remote client with --remote based on its hostname because it doesn't have one, and I don't know what its IP address is currently. I can't use a static key either, because the remote machine's OpenVPN implementation doesn't support static keys, or TLS as I later found out. It does support PPP style username/password pairs, so if there's a straightforward way of setting that up I'd appreciate an example. I tried --auth-user-pass-verify and it wants to be run in server mode, which requires TLS, which my router doesn't support for OpenVPN.



obsigna said:


> In case your remote router is able to initiate an IPsec connection, I would be able to give more details about the setup on my gateway.


Yes please. I probably should have mentioned that in my original post. It does support IPsec, the documentation I'll be working off of for it is here: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Other stuff I should mention:
- Bandwidth is a concern, I only have a T1's worth at the office
- This connection makes one hop over a trusted carrier's router, so heroic levels of encryption probably aren't necessary


----------



## obsigna (Jul 21, 2018)

I had a quick look over the IPsec manual of your router, and the router seems to be reasonably capable for your goals. There might be some obstacles though, which you probably need to figure out by experiment.

Since NAT is involved, it is important to use FreeBSD 11.1 or 11.2 on the gateway, otherwise you would need to patch the kernel for NAT-T/IPsec. On the FreeBSD side, you need to install security/strongswan.

My respective configuration files on the gateway machine are:
File /usr/local/etc/ipsec.conf:

```
conn EXAMPLE-PSK
   keyexchange = ikev2
   mobike = no

   leftauth = psk
   leftid = @example.com
   left = %defaultroute
   leftsubnet = 192.168.1.0/24

   rightauth = psk
   rightid = router@example.com
   right = %any
   rightsubnet = 192.168.2.0/24

   auto = add
```
See ipsec.conf(5) – all leftxxx settings refer to the local side, i.e. the gateway, and all the rightxxx settings to the remote box. auto = add means that the gateway awaits connections. It is important that leftsubnet and rightsubnet do not overlap.

File /usr/local/etc/ipsec.secrets:

```
router@example.com : PSK "TYn8yCBFmg6Dy7NvSlSjsQFn8npvcZP"
```

This is the PSK for the identifier of your router. The above one "TYn8..." came just right out of my password generator, you need to generate your own.

My main concern is about the left/right IDs, in case one side is not managed by strongswan. For your reference only, here comes the respective setup of my FreeBSD remote box, which can be seen as almost a mirror of the above setup:
Remote box file /usr/local/etc/ipsec.conf:

```
conn EXAMPLE-PSK
   keyexchange = ikev2
   mobike = no

   leftauth = psk
   leftid = router@example.com
   leftsubnet = 192.168.2.0/24

   rightauth = psk
   rightid = @example.com
   right = gateway.example.com
   rightsubnet = 192.168.1.0/24

   auto = start
```

Remote box file /usr/local/etc/ipsec.secrets:

```
: PSK "TYn8yCBFmg6Dy7NvSlSjsQFn8npvcZP"
```

Finally, on the gateway you need to enable and start the strongswan ipsec daemon and add a static route over the IPsec tunnel - which hopefully would be initiated by the remote router.

Gateway file /etc/rc.conf

```
...
static_routes="REMOTEIPSEC"
route_REMOTEIPSEC="-net 192.168.2.0/24 192.168.1.1"
...
strongswan_enable="YES"
```

In order to establish the static route and to start the ipsec daemon at the same time, simply restart the gateway.
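The "cron job checks every 5 minutes whether the tunnel is still alive" from obsigna's first reply, written out for the initiating (remote) box of the configuration above. This is an added example, not obsigna's script or anything from the thread: it assumes strongSwan's `ipsec` wrapper, the connection name EXAMPLE-PSK from the posted ipsec.conf, and that 192.168.1.1 (the gateway's LAN address used in the static route) answers pings only through the tunnel. The `ipsec status` text embedded at the bottom is a constructed sample in strongSwan's output format, kept so the decision logic can be exercised without a live tunnel.

```shell
#!/bin/sh
# ipsec-watchdog.sh -- re-establish the IPsec tunnel from the initiating (remote) side.
# Added example, not from the thread.  Names follow obsigna's ipsec.conf (connection
# EXAMPLE-PSK, office subnet 192.168.1.0/24); the peer address and the strongSwan
# "ipsec" wrapper are assumptions.  Meant to run from cron every 5 minutes:
#   */5 * * * * /usr/local/sbin/ipsec-watchdog.sh
CONN="${CONN:-EXAMPLE-PSK}"
PEER_IP="${PEER_IP:-192.168.1.1}"         # an address that only answers through the tunnel
IPSEC_CMD="${IPSEC_CMD:-ipsec}"           # overridable so the logic can be tested offline
PING_CMD="${PING_CMD:-ping -c 1 -t 5}"    # FreeBSD ping(8): -t is the overall timeout in seconds

# tunnel_established STATUS_TEXT: succeed only if "ipsec status CONN" shows an
# ESTABLISHED IKE_SA *and* an INSTALLED CHILD_SA for our connection.  An IKE_SA
# alone is not enough: without the CHILD_SA no ESP traffic flows.
tunnel_established() {
    printf '%s\n' "$1" | grep -q "^ *${CONN}\[[0-9]*\]: ESTABLISHED" &&
    printf '%s\n' "$1" | grep -q "^ *${CONN}{[0-9]*}: *INSTALLED"
}

# check_and_repair: return 0 when the SAs are up and the far side answers a ping;
# otherwise tear the connection down, initiate it again and return 1.  The ping
# catches the case where the SAs look fine but the path is dead (e.g. the NAT
# mapping for UDP/4500 expired and the peer's ESP never arrives).
check_and_repair() {
    status="$($IPSEC_CMD status "$CONN" 2>/dev/null)"
    if tunnel_established "$status" && $PING_CMD "$PEER_IP" >/dev/null 2>&1; then
        return 0
    fi
    logger -t ipsec-watchdog "tunnel $CONN down, re-initiating" 2>/dev/null || :
    $IPSEC_CMD down "$CONN" >/dev/null 2>&1
    $IPSEC_CMD up "$CONN" >/dev/null 2>&1
    return 1
}

# Constructed samples of strongSwan "ipsec status" output (not captured from a real
# box), one for a working tunnel and one for no SA at all.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
 EXAMPLE-PSK[3]: ESTABLISHED 2 hours ago, 203.0.113.5[example.com]...198.51.100.7[router@example.com]
 EXAMPLE-PSK{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
 EXAMPLE-PSK{5}:   192.168.2.0/24 === 192.168.1.0/24'
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):
  none'

# Run the check only when executed directly, not when sourced for testing.
case "$0" in
    *ipsec-watchdog.sh) check_and_repair ;;
esac
```

Install it on the remote box, point `PEER_IP` at a host that is reachable only through the tunnel (pinging the gateway's public address would tell you nothing), and keep the cron interval longer than the IKE retransmit timeout so two initiations do not race each other.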


----------



## RevennaFox (Jul 22, 2018)

OK, so my local network is 10.0.0.0/24 and the address I want access to on the remote router is 192.168.2.1, so I have this config file so far:

```
conn GKBWV-MW
   keyexchange = ikev2
   mobike = no
   leftauth = psk
   leftid = @my.fqdn.net
   left = %defaultroute
   leftsubnet = 10.0.0.0/24

   rightauth = psk
   rightid = gkbwvmw@my.fqdn.net
   right = %any
   rightsubnet = 192.168.2.0/24

   auto = add
```
Something weird happens when I start the service, but I don't really know if it's relevant:

```
$ service strongswan start
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
```

Then I get this when I try to turn it up

```
$ ipsec up GKBWV-MW
unable to resolve %any, initiate aborted
establishing connection 'GKBWV-MW' failed
```

Not certain what I'm doing wrong here...


----------



## obsigna (Jul 22, 2018)

RevennaFox said:


> ...
> Something weird happens when I start the service, but I don't really know if its relevant:
> 
> ```
> ...



This is the expected behaviour on FreeBSD.



RevennaFox said:


> Then I get this when I try to turn it up
> 
> ```
> $ ipsec up GKBWV-MW
> ...



The setup on the gateway is meant to behave as a listener, i.e. the passive side of the VPN tunnel. Your router is supposed to be the initiator. This choice was made, because you said that the router is behind NAT without direct internet connection. So as long as there is no NAT forwarding of UDP ports 500 and 4500, it cannot be accessed directly from outside.

Once the ipsec (strongswan) daemon is started on the gateway, nothing else needs to be done, it is simply ready to receive connection requests from your router. That said, the router is supposed to somehow execute its equivalent of `ipsec up ...`

In case I understood it wrong, and your router can be accessed via UDP ports 500 and 4500 from the internet, then you need to change right = %any to right = public.router-url.net, and you might want to change auto = add to auto = start.
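Two pf rule sets that the thread talks around but never shows, as an added example (not from any of the posters): the rules the listening gateway described here needs so the router's IKE and ESP traffic is accepted at all, and, for the first post, the GRE rules RevennaFox's PPTP forwarding was missing. GRE is IP protocol 47, not a TCP port, so the `pass ... proto tcp ... port 1723` rule never matched it, which is what "Error 806" reports. The interface name, the `pfctl -nf -` syntax check and the use of `(ext_if)` for the gateway's dynamic address are assumptions; 10.0.0.8 and UDP 500/4500 come from the thread.

```shell
#!/bin/sh
# gen-pf-rules.sh -- pf rules for the two setups discussed in the thread.
# Added example, not from the thread.  The PPTP server 10.0.0.8 follows RevennaFox's
# first post and the IKE/NAT-T ports follow obsigna's reply; the interface name and
# everything else are assumptions.  Old-style (pre-pf 4.7) rdr syntax, as in the OP.

# pptp_passthrough_rules EXT_IF SERVER: the rules RevennaFox posted forward only
# TCP/1723 (the PPTP control channel).  The tunnel itself runs over GRE, IP protocol
# 47, which has no port and therefore needs its own rdr and pass rules.  With rdr in
# effect, the pass rules are matched against the translated (internal) address.
pptp_passthrough_rules() {
    ext_if="$1"; server="$2"
    cat <<EOF
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1723 -> $server port 1723
rdr on $ext_if inet proto gre from any to ($ext_if) -> $server
pass in on $ext_if inet proto tcp from any to $server port 1723 keep state
pass in on $ext_if inet proto gre from any to $server
EOF
}

# ipsec_listener_rules EXT_IF: what the strongSwan gateway (passive side, auto = add)
# must accept from a router whose source address is not known in advance: IKE on
# UDP/500, NAT-T (IKE and ESP-in-UDP) on UDP/4500, and raw ESP in case no NAT is
# detected.  "($ext_if)" makes pf re-read the interface address on every match,
# which is what a gateway on a dynamic IP needs.
ipsec_listener_rules() {
    ext_if="$1"
    cat <<EOF
pass in quick on $ext_if inet proto udp from any to ($ext_if) port { 500, 4500 } keep state
pass in quick on $ext_if inet proto esp from any to ($ext_if)
EOF
}

# check_rules RULESET: parse the ruleset with "pfctl -nf -" (syntax check only, nothing
# is loaded) when pfctl exists; on a host without pf report that the check was skipped.
check_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        printf '%s\n' "$1" | pfctl -nf -
    else
        echo "pfctl not found, syntax check skipped" >&2
        return 0
    fi
}

# When executed directly: print and syntax-check the IPsec listener rules for the
# interface given as the first argument (default em0, an assumption).
case "$0" in
    *gen-pf-rules.sh)
        rules="$(ipsec_listener_rules "${1:-em0}")"
        printf '%s\n' "$rules"
        check_rules "$rules"
        ;;
esac
```

The IPsec rules are the ones that matter for the solution this thread ends with: without the UDP/4500 rule NAT-T never completes, and the router's `ipsec up` equivalent times out with no log line on the gateway. Decapsulated tunnel traffic can additionally be filtered on enc(4) if `if_enc` is loaded, but that is optional and not shown here.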


----------



## RevennaFox (Jul 31, 2018)

My fault for misreading the directions. Once I tried connecting from the remote machine it worked. Thank you, sir.


----------

