Setting up site-to-site VPN with one site behind AT&T's wall of stupid


#1

I have a Balance 20 running 5.4.7. I got it years ago for failover because my ISP at the time was unreliable. This router has been rock-solid and wonderful.

Now let’s switch gears.

I have not been able to connect to the computers at my parents’ house via Mac screen sharing since they became AT&T U-verse® customers. The all-singing all-dancing router/telephone/television CPE that AT&T installed doesn’t support UPnP or NAT-PMP and its router cannot be placed into a dumb bridge mode. There are super-complicated and obviously fragile quasi-official instructions online about how to make this box mostly kinda-sorta work as if it were in bridge mode, but I’m not going there. Also please note there are multiple computers at their house, so configuring IP reservations and port mapping isn’t gonna fly either.

Today, I checked the Peplink web site just to see what if any wonderful things might have transpired since I last visited, and, happily, some have. Apparently, there’s a major new firmware upgrade (6.x) which not only supports easy site-to-site VPN configuration but may even (if I’m reading correctly, I hope I hope) deal with NAT issues as well. And apparently it’ll run on my Balance 20. Wow.

I could totally see buying another Balance 20 (and upgrading the firmware on my existing one) and plunking the new 20 down at my parents’ house behind AT&T’s crippled router if I could set up a site-to-site VPN that way and thus be able to make screen sharing work via VPN. The new Balance 20 would be scandalously underutilized and mostly redundant given its position behind the AT&T box, but if all it does is solve the screen sharing problem for me it will be worth it. As a bonus, it would be cool to have a site-to-site VPN. (Why, yes, I am a geek. How could you tell?)

Has anybody done anything like this before, with specific regard to one of the routers being stuck behind another like this?

Any ideas for how to solve this screen sharing problem another way?


#2

Hi,

Based on my finding here, Apple Screen Sharing is using TCP 5900. Your requirements can be achieved (without NAT between the 2 Mac machines) by having a SpeedFusion tunnel between the 2 Balance 20s.


#3

SpeedFusion sounds like a bonding technology; I only need VPN, which would seem to suggest PepVPN will be sufficient. I don’t want to require my parents to provision an additional WAN. As well, the data sheet for SpeedFusion seems to indicate it is not available on Balance 20. Can anyone clear that up for me? And, regardless, has anyone used a Balance 20 to overcome the limitations of AT&T U-verse® CPE?


#4

Hi,

Yes, you are right, your requirement can be achieved by having PepVPN. PepVPN is available in all product families.


#5

I have had a very good experience with site to site VPN between a Balance 20 and a Surf SOHO. The Surf SOHO retails for about half what the Balance 20 costs.

Linking your LAN with your parents’ has a couple of benefits. For one, you can use remote control software that works exclusively over the LAN, without a middle-man brokering the connection. That is, you can directly access the computers at your parents’ house, as long as they have static IP addresses.

Another great benefit is that you can be an offsite backup location for their important files, and vice-versa. Just using normal file copying will transfer files between the two locations. Secure, simple and easy. I’ve been doing this and it has worked well.

One requirement is that each location use a different subnet. That is, if you use 192.168.1.x, then your parents can’t. They should use 192.168.2.x or 192.168.3.x or whatever.

The only complication in your case is that in the AT&T gateway, you will need to port forward the port(s) used to set up the site to site VPN connection to the Peplink router. But that assumes you connect to them to set up the VPN. You could configure things so that their Peplink router connects to you for the initial site to site VPN link. That, hopefully, will work without touching the AT&T gateway at all.
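As an added illustration of the two points in this post (example code, not anything from the thread or from Peplink): a small Python check that flags overlapping LAN subnets between sites and works out which side has to initiate the PepVPN connection. The site names, subnets and the `behind_unmanaged_nat` flag are constructed inputs; it goes slightly beyond the post by also catching overlap with a larger covering subnet and by handling more than two sites.

```python
from ipaddress import ip_network

# Constructed example: the poster's home LAN and the parents' LAN.
# behind_unmanaged_nat marks a site whose upstream gateway (here the AT&T CPE)
# cannot be bridged or port-forwarded, so nothing can reach it inbound.
SITES = {
    "home":    {"lan": "192.168.1.0/24", "behind_unmanaged_nat": False},
    "parents": {"lan": "192.168.2.0/24", "behind_unmanaged_nat": True},
}


def overlapping_subnets(sites):
    """Return (site_a, site_b) pairs whose LAN subnets overlap.

    overlaps() catches more than exact duplicates: 192.168.0.0/16 at one site
    collides with 192.168.1.0/24 at the other, because the tunnel's routes
    could not tell the two LANs apart.
    """
    names = sorted(sites)
    nets = {n: ip_network(sites[n]["lan"]) for n in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def initiators(sites):
    """Return the sites that must open the VPN connection.

    A site behind a gateway it cannot configure can only send outbound
    traffic, so it must initiate towards a peer that is reachable from the
    Internet. Returns [] when either side may initiate, and None when every
    site is behind unmanaged NAT and no peer can accept the connection.
    """
    nat_sites = sorted(n for n, s in sites.items() if s["behind_unmanaged_nat"])
    reachable = [n for n, s in sites.items() if not s["behind_unmanaged_nat"]]
    if not reachable:
        return None
    return nat_sites


def plan(sites):
    """Combine both checks into one summary for a proposed set of sites."""
    return {"overlaps": overlapping_subnets(sites), "initiators": initiators(sites)}


if __name__ == "__main__":
    print(plan(SITES))
```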


#6

Hi Michael,

Thanks for sharing! :up:


#7

Thanks; that last detail sounds like the sort of thing I needed to hear. I really want to avoid entanglements with the CPE because that stands a good chance of dragging me into provider drama. I guess the only way this would fail is if the provider goes out of its way to block outgoing VPN connections. I bet I could spend hours trying to find whether they do … and then maybe be wrong because with providers reality often differs from their claims … or I could just buy a box and hope. Maybe the latter would be less aggravation …