Permanent VPN into business network instead of IPSec

Hi all. Hoping that someone in this community has some experience with this.

I am trying to solve the problem of IPSec being broken for clients that have dynamic WAN IPs. I am also looking for a solution that doesn’t involve making changes to clients’ firewall/router except for maybe allowing one port through. Definitely no port forwarding. I need to have 24/7 access to sometimes hundreds of devices onsite, not just computers.

I monitor devices onsite using a Raspberry Pi as the data collector which sends information back to my Zabbix server. Could the Pi be also used as a permanent VPN and proxy for accessing devices? Or is there a better way?

Thanks.

First off, IPsec works just fine if one side has a dynamic wan. It can even work fine if both sides are dynamic, provided a dynamic DNS service is used. I’m not sure what limitation you’re having trouble with, but IPsec is a fairly hardy protocol. It can handle NAT and dynamic WAN fairly easily, if configured to do so.

Outside that, I would look at OpenVPN. It’s proven, secure, and will run on anything you want it to. WireGuard is a newbie to the VPN world (2016), but a lot of people swear by it. That’s another good one to look at.

Moving from VPN to “zero trust” services (which is just a fancy word for VPN with lots of ACLs), you’d be looking at something like ZeroTier or Zscaler.

As long as at least one side of the connection is static, then you could use WireGuard to access the network remotely via the Pi. Zabbix would be fine as I guess you’re using the agent in an active setup.

Set up MeshCentral (r/meshcentral)

Install the Linux agent on the Pi

Now you can use Mesh Router to do a relay port map to any device the Pi can access.

No VPN to worry about. The agent calls back to your HTTPS endpoint and you use that connection backwards.

Want a commercial solution? OVRC Pro will allow for this.

Want to build it yourself? You are looking for reverse SSH and a Proxy on the Pi.
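The "reverse SSH and a proxy on the Pi" arrangement, written out as an added example that is not from this thread or from any of the products named in it. The Pi dials out to an office SSH host (one inbound TCP port on the office side, nothing opened at the client) and publishes its own sshd on the office host's loopback; the office then reaches the client LAN through that tunnel. The hostname, account name, port and key are placeholders; `office.example.com`, the `tunnel` account and port 2222 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reverse SSH tunnel from a client-site Pi
# to an office host, plus the office-side key restrictions that keep the Pi
# from doing anything other than holding that one tunnel open.

OFFICE_SSH_HOST="office.example.com"   # placeholder: office host with a static address
TUNNEL_USER="tunnel"                   # placeholder: dedicated unprivileged account on the office host
REMOTE_PORT="2222"                     # loopback port on the office host mapped to the Pi's sshd
PI_KEY_PUB="ssh-ed25519 AAAA<placeholder-pi-public-key> pi-tunnel"   # placeholder key

# Office side: one authorized_keys line per Pi.
#   restrict         -> no pty, no agent/X11 forwarding, no command execution
#   port-forwarding  -> re-enables only forwarding
#   permitlisten     -> the -R listener may only bind loopback:REMOTE_PORT,
#                       so a compromised Pi cannot expose other ports on the office host
office_authorized_keys_entry() {
  printf 'restrict,port-forwarding,permitlisten="localhost:%s" %s\n' "$REMOTE_PORT" "$PI_KEY_PUB"
}

# Pi side: a systemd unit that keeps the outbound tunnel up across WAN IP
# changes and reboots. autossh -M 0 relies on ServerAlive* for liveness;
# ExitOnForwardFailure makes a stale listener on the office side fatal so the
# unit restarts instead of sitting there without a usable tunnel.
pi_tunnel_unit() {
  cat <<EOF
[Unit]
Description=Reverse SSH tunnel to office
After=network-online.target
Wants=network-online.target

[Service]
User=pi
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N \\
  -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \\
  -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes \\
  -i /home/pi/.ssh/pi-tunnel \\
  -R localhost:${REMOTE_PORT}:localhost:22 ${TUNNEL_USER}@${OFFICE_SSH_HOST}
Restart=always
RestartSec=15

[Install]
WantedBy=multi-user.target
EOF
}

# Print both artifacts when run directly.
office_authorized_keys_entry
echo
pi_tunnel_unit
```

With the tunnel up, the office side reaches the client LAN by hopping through the Pi's sshd, for example `ssh -p 2222 -D 1080 pi@localhost` for a SOCKS proxy into the client network, or `-L` forwards to individual devices. The Pi's own sshd is what you are exposing to the office, so key-only authentication on it matters as much as the restrictions on the office side; the `StrictHostKeyChecking=yes` option also means the office host key has to be pre-seeded in the Pi's known_hosts before the unit is enabled.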

Thanks for your input.

The problem I have with IPsec is that not all routers allow domain entry and expect an IP address to be entered. However, I may be wrong that both sides need addresses added? My side is static.

Second issue I have is actually setting up clients’ routers. I’m really looking for a solution where I can install a preconfigured inexpensive device in the client’s network (with their authorisation, of course) and be able to access equipment on certain VLANs without even touching the client router.

The solution would need to be able to route traffic via the client’s router, as they often have multiple VLANs we need access to. That’s the part I am currently struggling with.

Thanks a lot for pointing me in the right direction. Do you know how routing would be handled on the client side? I assume routes would need to be set up at both locations: the office location to route traffic through the WireGuard VPN, and on the Pi, reverse to the office, and also client network routes via their router.

If your side is static, you can set the “remote” IP to “0.0.0.0” to allow any public IP.

You can use Netmaker for this. It configures WireGuard, handles changing WAN IPs, and can create “egress gateways” on clients to access a LAN, in this case your office network. You should be able to deploy the client onto a Pi as well.
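The routing question two posts up (routes at both ends, plus the client VLANs behind the client's router) and the egress-gateway answer here describe the same WireGuard layout; the script below writes it out by hand as an added example that is neither from this thread nor Netmaker's own configuration. The office side has the static WAN IP and opens one UDP port; the Pi sits behind the client's NAT, dials out, and forwards office traffic into the client VLANs with source NAT so the client router needs no changes at all. Every IP, subnet, port, interface name and key is a placeholder or assumption (TEST-NET and RFC1918 ranges chosen for illustration), not a value from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Netmaker): hand-written WireGuard
# site-to-site configs for an office with a static WAN IP and a client-site Pi
# behind NAT with a dynamic WAN IP. All values are placeholders.

OFFICE_PUBLIC_IP="203.0.113.10"     # placeholder: static office WAN IP
OFFICE_WG_PORT="51820"              # the single UDP port opened on the office firewall
OFFICE_LAN="10.0.0.0/24"            # placeholder: office LAN where the Zabbix server lives
OFFICE_TUNNEL_IP="10.200.0.1"       # placeholder tunnel addresses (pick an unused RFC1918 range)
PI_TUNNEL_IP="10.200.0.2"
CLIENT_VLANS="192.168.10.0/24, 192.168.20.0/24"  # placeholder: VLANs behind the client router
PI_LAN_IF="eth0"                    # Pi interface facing the client network
OFFICE_PUBKEY="<office-public-key>" # placeholders; generate with: wg genkey | tee k | wg pubkey
PI_PUBKEY="<pi-public-key>"

# Office wg0.conf. AllowedIPs is both the cryptokey ACL and the route source:
# wg-quick installs a route for every listed prefix via wg0, so the office host
# reaches the client VLANs without any manual "ip route add".
office_conf() {
  cat <<EOF
[Interface]
Address = ${OFFICE_TUNNEL_IP}/24
ListenPort = ${OFFICE_WG_PORT}
PrivateKey = <office-private-key>
# let office LAN hosts use this box as the path into client sites
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# client-site Pi: no Endpoint, its WAN IP is dynamic and learned on each handshake
PublicKey = ${PI_PUBKEY}
AllowedIPs = ${PI_TUNNEL_IP}/32, ${CLIENT_VLANS}
EOF
}

# Pi wg0.conf. No ListenPort: the Pi only initiates. Packets from the office are
# forwarded into the client LAN and source-NATed to the Pi's own address, so
# neither the client router nor the monitored devices need a return route for
# the tunnel or office ranges.
pi_conf() {
  cat <<EOF
[Interface]
Address = ${PI_TUNNEL_IP}/24
PrivateKey = <pi-private-key>
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -o ${PI_LAN_IF} -j ACCEPT
PostUp = iptables -A FORWARD -i ${PI_LAN_IF} -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ${PI_LAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o ${PI_LAN_IF} -j ACCEPT
PostDown = iptables -D FORWARD -i ${PI_LAN_IF} -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ${PI_LAN_IF} -j MASQUERADE

[Peer]
PublicKey = ${OFFICE_PUBKEY}
Endpoint = ${OFFICE_PUBLIC_IP}:${OFFICE_WG_PORT}
# only office ranges are accepted from the tunnel: the Pi never becomes a
# default route or a path from the client site into anything else
AllowedIPs = ${OFFICE_TUNNEL_IP}/32, ${OFFICE_LAN}
# behind NAT: keeps the UDP mapping open and re-dials after a WAN IP change
PersistentKeepalive = 25
EOF
}

# Print both configs when run directly.
office_conf
echo
pi_conf
```

Two routing details the configs do not cover by themselves: office LAN hosts other than the WireGuard box need a route to the client VLANs pointing at that box (or the Zabbix server simply runs on it), and the Pi reaches VLANs other than its own through the client router as its default gateway, so that router's existing inter-VLAN rules decide what is reachable. With many client sites, overlapping 192.168.x.0/24 ranges will collide in the office routing table; giving each site a distinct range, or NATing per site, is the usual fix.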

Thanks! I am going to look into egress gateways. This seems like it could be a perfect solution.

Looking forward to testing this out.