VPN tunnel from home behind ISP provided device

I have a client that wants to create an IPSEC VPN tunnel between his home and the office. I have a Sonicwall SOHOw at the office.

He is using a PPPoE based Internet service at his house that provides him with a modem/router device as well as WiFi mesh APs. The APs work in conjunction with the modem/router device. (Bell Internet, Home Hub 3000)

I can’t just place the modem in bridge mode and deploy another router to create the VPN tunnel as I believe he would lose his APs.

Is there a way to put a device (Sonicwall or other) to create the VPN tunnel behind the ISP provided device but not have my device act as the router?

  • SonicWall Global VPN Client
  • SonicWall Mobile Client
  • IKEv2 client built into Windows and mobiles.
  • OpenVPN - Requires different VPN concentrator.

You could spin up an OpenVPN appliance or installer and have him activate the OpenVPN client from his house to the office.

On my ATT connection putting the modem in bridge mode gives one device of your choosing the public IP via DHCP. Any other things plugged in still get a private range but still have internet access. If that’s how it works via this setup as well that could work. But the WiFi wouldn’t be behind the SonicWall so it wouldn’t be able to tunnel VPN traffic from the wireless network.

Aggressive-mode VPN tunnel will work in this “double NAT” scenario. A little annoying to manage with no WAN access but have done it plenty of times with SonicWalls. The WAN int on the SonicWall is the same as a device on the LAN so… SonicWall has some documentation on it. On mobile or else I’d look it up.

https://www.zerotier.com/ Still shocked that more people don’t use this.

Great implementation of openVPN that makes it way easier to manage. I have a few dozen nodes on this and it’s been rock solid.

Hardware device is coming soon too.

You can make an IPsec tunnel with some device in the DMZ and mapped to the public IP of the ISP.
NAT traversal must be enabled on both sites.
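An added example, not from this thread and not SonicWall's own configuration: the home side of the double-NAT tunnel the last two replies describe (IKEv1 aggressive mode with an ID-based PSK lookup, NAT-T forced on, home box placed as the ISP router's DMZ host), written as a strongSwan swanctl.conf because that is a syntax that can be shown in full. Every address, identity, subnet and the secret are placeholders, and the office-side peer is assumed to accept the same proposals.

```conf
# Home-side strongSwan (swanctl.conf), sitting on a private LAN address
# behind the ISP modem/router. The ISP device must hand UDP 500/4500 to
# this box (DMZ host or port forward); ESP itself travels inside UDP 4500.
connections {
    office {
        # IKEv1 aggressive mode: the office peer identifies us by the ID
        # below, not by our (private, dynamic) source address. Switching to
        # version = 2 and dropping "aggressive" gives the same result with
        # IKEv2, which does ID-based lookup without aggressive mode.
        version = 1
        aggressive = yes
        remote_addrs = 203.0.113.10        # office public IP (placeholder)
        # local_addrs is left at its default (%any): we are behind NAT.
        encap = yes                        # always UDP-encapsulate (NAT-T)
        dpd_delay = 30s                    # detect a dead peer / NAT reboot
        keyingtries = 0                    # keep retrying, ISP side is flaky
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = home.example.invalid      # FQDN-style ID, placeholder
        }
        remote {
            auth = psk
            id = 203.0.113.10
        }
        children {
            lan-to-lan {
                local_ts  = 192.168.50.0/24   # home LAN (placeholder)
                remote_ts = 10.20.0.0/24      # office LAN (placeholder)
                esp_proposals = aes256-sha256
                start_action = start          # we initiate; office cannot
                dpd_action = restart          # re-establish after NAT drops
            }
        }
    }
}
secrets {
    # PSK is selected by the pair of IDs, which is why the home ID above
    # must match exactly what the office peer is configured to expect.
    ike-office {
        id-home   = home.example.invalid
        id-office = 203.0.113.10
        secret    = "CHANGE-ME-placeholder-preshared-key"
    }
}
```

On the office side the peer must be defined by the same FQDN identity rather than by a source address, since the packets will arrive from whatever public IP the ISP assigns.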

If no other option works, you can fall back on SoftEther. I would not recommend it as first or second choice, only as a last resort if absolutely necessary: LAN to LAN Bridge - SoftEther VPN Project

Set up a Mikrotik at the home. As long as the modem doesn’t block IPsec traffic, this should be easy.

Do it directly on the computer or come up with a different wifi solution.

This is the way to go. Have his computer connect to the VPN instead of connecting his entire home network to the work network. Connecting a user’s entire home network to the work network via IPSEC VPN is just asking for trouble. SonicWall gives you the ability to connect two devices via SSL VPN before you need to buy additional licensing.

The main purpose of the VPN is so that they can run offsite backup to a NAS at his home. I suppose I could set it up so that he can backup to a home PC connected via the SSL client, but I would rather have a permanent tunnel.

Global VPN client is cake. Spent four years dealing with SonicWall at my old job, now I don’t even want to touch anything else. Not just because it’s what I cut my teeth on, everything just works. Support can be meh but the upside is I rarely needed to contact them.

I don’t need the WiFi to work with the VPN but I did speak with the ISP and they said they didn’t think it would work.

So just connect the Sonicwall X1 (WAN) port to a LAN port on the ISP device?

I checked out their website, documentation and some youtube videos and I still have no idea what this product is.

Lots of NAS devices have VPN clients built in as well.

I haven’t had good luck with the SSL VPN. It’s always so much slower than an IPsec VPN.

Ouch, uhh…yeah I wouldn’t recommend VPN for off-site backups lol.

What type of backups are you guys running and what type of storage repository are you using at the business? QNAP? Synology?