Access into a PEPVPN from a single client


#1

I have a mobile site with an HD4 bonded over PEPVPN to a Balance20 in a DC.

I want to connect into the mobile site’s LAN from a remote location, unrelated to the DC.

Can I join in on the PEPVPN link with virtual hardware somehow? I’m thinking something like zerotier, where I could add a pepvpn virtual interface to my local machine.

Failing that, what’s the recommended way to let clients on my remote LAN access clients on the mobile site’s LAN? Remote client uses PFsense.


#2

The likely best options are:
IPSEC from PFsense to the Balance 20.
PPTP over IPSEC to the Balance 20 from any windows / ios device.

Stick a cheap Pepvpn enabled device into the remote site. We’ll sometimes use an AP One Mini as a remote access device.


#3

Ok, so ipsec from remote pfsense into B20 is my preference, so that all clients on the remote side can get in.

Could you elaborate on the settings required in the balance 20 to forward this traffic through the pepvpn tunnel and to clients at the mobile site?

For example, I have a client at 10.48.20.1 in the mobile LAN behind the HD4, and a client at 192.168.100.1 at the remote site behind pfsense. I want to access the mobile client from the remote client as if it were local. The B20 does have a publicly reachable IP on its WAN.


#4

The balance will forward over the PepVPN any traffic targeted at the IP address range of the LAN at the mobile remote site. You will need to add a route in your Pfsense for the LAN subnet of the mobile site so that it knows to send that traffic over the IPSEC tunnel.

So when your client at 192.168.100.1 wants to send traffic to 10.48.20.1, it will be sent to the pfsense as the default gateway, pfsense will forward the traffic to the balance over ipsec, and the balance will forward to the HD4 over pepvpn.

You just need to make sure that the pfsense knows the route to the 10.48.20.x network, and that the balance knows the route to the 192.168.100.x network (and is advertising that to the HD4).
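
The routing requirement described in the post above, modelled as an added example that is not part of the original thread or of any pfSense or Peplink tooling: it traces the forward and return path hop by hop and shows the return path failing when the Balance does not advertise the remote subnet to the HD4. The /24 masks, the device labels and the routing tables are assumptions constructed for illustration.

```python
import ipaddress

def build_tables(balance_advertises_remote=True):
    """Constructed routing tables (assumed /24 LANs). Default routes are
    left out: private traffic sent to a WAN default route never arrives."""
    tables = {
        # pfsense reaches the mobile LAN through the IPsec tunnel to the Balance
        "pfsense": {"192.168.100.0/24": "local", "10.48.20.0/24": "balance20"},
        # the Balance sits between the IPsec tunnel and the PepVPN tunnel
        "balance20": {"192.168.100.0/24": "pfsense", "10.48.20.0/24": "hd4"},
        "hd4": {"10.48.20.0/24": "local"},
    }
    if balance_advertises_remote:
        # route the HD4 learns from the Balance over PepVPN
        tables["hd4"]["192.168.100.0/24"] = "balance20"
    return tables

def next_hop(table, dst):
    """Longest-prefix match of dst against one device's table."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table]
    matches = [n for n in nets if addr in n]
    if not matches:
        return None
    return table[str(max(matches, key=lambda n: n.prefixlen))]

def trace(tables, start, dst, max_hops=8):
    """Return (path, delivered) for a packet entering at device `start`."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop is None:
            return path, False      # no route: packet is dropped here
        if hop == "local":
            return path, True       # dst is on this device's LAN
        path.append(hop)
        node = hop
    return path, False              # hop limit reached: routing loop

def round_trip(tables):
    """Forward path to the mobile client and return path to the remote one."""
    fwd, fwd_ok = trace(tables, "pfsense", "10.48.20.1")
    rev, rev_ok = trace(tables, "hd4", "192.168.100.1")
    return fwd, fwd_ok, rev, rev_ok

if __name__ == "__main__":
    for advertised in (True, False):
        print("advertised to HD4:", advertised, round_trip(build_tables(advertised)))
```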


#5

Ok great, that’s very helpful, thanks Martin!

It works exactly as you’ve described. Both PFsense and Peplink automatically added the necessary routes from the remote site, through the balance at the DC, over the pepvpn tunnel, and to the mobile clients behind the HD4.

Thanks again!