Standard User Steve333
(newbie) Fri 26-Mar-21 17:23:36

Setting up port redirection to Draytek on LAN for VPN access


Hello all,
This is my first post on this forum, so please accept my apology if this is in the incorrect place.

I have a BT Smart hub. I have set up port forwarding on this to forward all traffic coming in on port 3389 to port 1723 and the IP of my internal Draytek 2860 router.
I have set up a VPN user on the Draytek and all protocols are enabled, including PPTP.
When I try to connect to this from another computer that is using my phone hotspot, it will not connect.
I have also tried it with the Draytek VPN client and this also fails.
Does anyone have any ideas please?
Standard User Michael_Chare
(fountain of knowledge) Fri 26-Mar-21 19:43:17

Re: Setting up port redirection to Draytek on LAN for VPN ac


When I have used VPN software I have had a VPN client trying to connect to a VPN server. Your post suggests to me that you are trying to connect two VPN clients together which I would not expect to be possible.

Michael Chare
Standard User Pheasant
(experienced) Fri 26-Mar-21 21:04:22

Re: Setting up port redirection to Draytek on LAN for VPN ac


Please confirm your use case. The presumption is you’re using something like openVPN as the server on the Draytek and using the hotspot connected computer as a client. Think of this as teleworker / road warrior type setup.

This is quite different to a site to site VPN.

Before setting up the VPN, confirm first that you can ping the VPN server (Draytek) from the client. Ensure your routes and ports work before anything else.


Standard User caffn8me
(eat-sleep-adslguide) Sat 27-Mar-21 12:10:36

Re: Setting up port redirection to Draytek on LAN for VPN ac


You're using the Microsoft Remote Desktop Protocol port (3389 TCP) on the external interface to forward to the PPTP VPN port (1723 TCP) on the Draytek so I'm not sure whether you've quite worked out how to connect things together.

The first things to say would be never run Microsoft RDP live to the outside world and also never use a PPTP VPN as it's obsolete and insecure. Those are hard and fast nevers, not sometimes nevers that can be ignored in some circumstances.

The Draytek supports several modern VPN encryption standards for LAN-LAN and mobile client to LAN, but the easiest to get working for you is probably SSL VPN. Follow the instructions here and note the following:

1) On the Draytek router under VPN and Remote Access >> Remote Access Control make sure that only 'Enable SSL VPN service' is ticked.

2) Under VPN and Remote Access >> Remote Dial-in User ensure that only allowed dial-in type is SSL Tunnel.

On the BT Hub forward an external TCP port to the Draytek's WAN IP address, Port 433 TCP. You can forward any external TCP port from the BT Hub, it doesn't have to be 443, but that is the port number you will subsequently connect to with your VPN client from the outside world. 443 is the default TCP port for SSL but it means it will get scanned by legitimate and not so legitimate third parties almost immediately and may be targeted with username and password combinations in an attempt to guess your login details.

Choosing a random high numbered TCP port means it will take longer for external scanners to discover your VPN. If you keep an eye on your Draytek logs (I suggest you put a USB stick in the router for log storage) you will be able to identify persistent offenders and block their originating IP ranges with the Draytek's firewall.

Once you are able to connect the SSL VPN from the outside world to the Draytek, you can then use Microsoft Remote Desktop client to access your internal computer using its internal IP address - not the address of the BT Hub or the Draytek.

Does this make any sense? Shout out if you need more help and good luck.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Pipexer
(eat-sleep-adslguide) Sat 27-Mar-21 21:32:07

Re: Setting up port redirection to Draytek on LAN for VPN ac


There's nothing wrong with RDP open from the internet as long as you're up to date on patching and have a secure password set (in other words you're totally in control of the machine). It has a pretty good track record of being secure all things considered.

Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?
Standard User caffn8me
(eat-sleep-adslguide) Sat 27-Mar-21 23:21:26

Re: Setting up port redirection to Draytek on LAN for VPN ac


I would absolutely rule it out behind a domestic or even a Draytek router because of the huge number of probes that constantly look to exploit it. Its default installation neither requires multi-factor authentication nor blocks access after a certain number of failed brute force authentication attempts. The chances are that once your RDP service has been discovered by a bad actor*, they'll be able to exploit newly discovered vulnerabilities before a typical end user can apply patches.

If you run it on a non-standard port and have a business grade firewall which detects and automatically blocks the sources of unauthorized connection attempts for a significant period of time (hours), you're probably OK to run it, provided that it is combined with multifactor authentication and automatic lockout after a small number of failed connection attempts. Just the same as running SSH securely.

You may be happy with a less paranoid security level on systems under your control than I am but there's no good reason not to use a VPN for RDP access.

*I am currently observing high numbers of RDP connection attempts from IP addresses in Russia and Iran. This is not an imagined threat.

A quick tally of RDP connection attempts over the last two years for one of my firewalls, which has never had RDP running through it, shows 37,485 separate attempts. Had there been a valid RDP response to any of these, that number would have increased enormously and the RDP server would have been flooded with brute force attacks.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Sat 27-Mar-21 23:34:38)
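Sarah's two posts above recommend watching the router's logs for persistent offenders and quote a tally of RDP attempts against a firewall. As an added illustration (not code from this thread or from DrayTek), the Python below tallies dropped connection attempts per source and per service from constructed log lines in an assumed generic key=value format, then collapses repeat offenders into /24 ranges for a firewall deny list.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample log lines in a generic "key=value" drop-log format.
# This is NOT DrayTek's real syslog layout; adjust LINE_RE to match your router.
SAMPLE_LOG = """\
Mar 27 23:10:01 fw: action=drop src=203.0.113.5:51234 dst=198.51.100.10:3389 proto=TCP
Mar 27 23:10:03 fw: action=drop src=203.0.113.5:51301 dst=198.51.100.10:3389 proto=TCP
Mar 27 23:10:09 fw: action=drop src=203.0.113.77:40001 dst=198.51.100.10:3389 proto=TCP
Mar 27 23:11:15 fw: action=drop src=203.0.113.5:51900 dst=198.51.100.10:3389 proto=TCP
Mar 27 23:12:40 fw: action=drop src=192.0.2.14:6000 dst=198.51.100.10:443 proto=TCP
Mar 27 23:13:02 fw: action=drop src=203.0.113.5:52010 dst=198.51.100.10:3389 proto=TCP
Mar 27 23:14:30 fw: action=drop src=192.0.2.14:6001 dst=198.51.100.10:1723 proto=TCP
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=[\d.]+:(?P<dport>\d+) proto=TCP")
WATCHED_PORTS = {3389: "RDP", 1723: "PPTP", 443: "SSL-VPN"}

def tally(log_text):
    """Count dropped TCP connection attempts per (source IP, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if dport in WATCHED_PORTS:
            counts[(m.group("src"), dport)] += 1
    return counts

def persistent_offenders(counts, threshold=3):
    """Sources with at least `threshold` attempts across all watched ports."""
    per_src = Counter()
    for (src, _port), n in counts.items():
        per_src[src] += n
    return {src: n for src, n in per_src.items() if n >= threshold}

def block_ranges(offenders, prefix=24):
    """Collapse offender IPs into /prefix ranges to deny in the router firewall."""
    nets = {ip_network(f"{ip}/{prefix}", strict=False) for ip in offenders}
    return sorted(str(n) for n in nets)

def attempts_per_service(counts):
    """Per-service totals, the kind of tally quoted above (37,485 RDP attempts)."""
    per = Counter()
    for (_src, port), n in counts.items():
        per[WATCHED_PORTS[port]] += n
    return dict(per)
```

Feed the real log file's text to `tally()` in place of `SAMPLE_LOG` and raise `threshold` to suit your traffic; the returned ranges are what you would add to the router's deny rules.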

Standard User Pheasant
(experienced) Sun 28-Mar-21 18:45:30

Re: Setting up port redirection to Draytek on LAN for VPN ac


I've just finished setting up an OpenVPN client to server VPN from scratch with a MikroTik router as the VPN server - certainly not the easiest or most straightforward thing in the world to get right.

Although slightly less secure, the L2TP-based VPN connections on the same boxes were a doddle in comparison and throughput appears better too.

IPSec site to site was also fairly straightforward.

Standard User caffn8me
(eat-sleep-adslguide) Sun 28-Mar-21 21:01:06

Re: Setting up port redirection to Draytek on LAN for VPN ac


I think that on a Draytek the SSL VPN is the easiest to set up, but in the past I've used everything except PPTP for various mobile endpoints. I don't have an active Draytek gateway to play with these days. I haven't tried with MikroTik but had good success with a LAN-LAN VTI VPN between a Ubiquiti EdgeRouter and a WatchGuard.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User danielhyde
(member) Mon 29-Mar-21 10:45:14

Re: Setting up port redirection to Draytek on LAN for VPN ac


In reply to a post by Steve333:
Hello all,
This is my first post on this forum, so please accept my apology if this is in the incorrect place.

I have a BT Smart hub. I have set up port forwarding on this to forward all traffic coming in on port 3389 to port 1723 and the IP of my internal Draytek 2860 router.
I have set up a VPN user on the Draytek and all protocols are enabled, including PPTP.
When I try to connect to this from another computer that is using my phone hotspot, it will not connect.
I have also tried it with the Draytek VPN client and this also fails.
Does anyone have any ideas please?


Is the BT Hub connected to the WAN port of the DrayTek?
As far as I'm aware it will only accept VPN connections on the WAN port, not the LAN ports.

Thanks Dan
Standard User ft247
(regular) Mon 29-Mar-21 10:59:15

Re: Setting up port redirection to Draytek on LAN for VPN ac


In reply to a post by Pheasant:
I've just finished setting up an OpenVPN client to server VPN from scratch with a MikroTik router as the VPN server - certainly not the easiest or most straightforward thing in the world to get right.


It certainly isn't, and I agree that L2TP/IPsec feels like it will offer better throughput for site-site applications. OpenVPN on 443 seems to be the way forward for road warriors on hotel internet, though.

My Mikrotik/OpenVPN server has been up and running for the best part of a year now - which means it is time to get my head properly around certificate management as some are coming up for expiry.