How to organize a hidden VPN for a corporate network?


How do you organize hidden VPN access to a corporate network?

The VPN access should be bi-directional:

Incoming: access into the corporate network from the public Internet.
Outgoing: unrestricted, secure Internet access from inside the corporate network.

It is very easy to build such a VPN system if you know how the corporate network environment is organized.

Below I will show how to do it using one typical network scheme as an example.

This is our sample network diagram with the VPN servers in place:

Picture 1: VPN-main-schema (how a remote client gains access to the remote network)

1) Install new VPN client settings on your laptop (Windows/Mac OS X/Linux/Solaris) or mobile device (Windows M/iOS/Android) based on the L2TP/IPsec protocol with a pre-shared key phrase, then connect to the remote Internet public VPN server.

2) This VPN server routes all incoming connections to the internal VPN hub, which is inside the data center of the corporate LAN. The traffic is transferred over a reverse SSH tunnel between the internal VPN hub and the external public-IP VPN server.

3) All reverse SSH tunneling sessions are managed by a gateway server. This gateway server has two connections: one to the internal LAN, and the second to public Internet access (ADSL / PPPoE / WiFi, etc.).

4) User authentication is based on the RADIUS protocol, served by the Remote Access Server on a Windows 2003 Enterprise Server.
The Windows 2003 server is a guest on Oracle VirtualBox running on a Solaris 10/11 x86_64 host. The VirtualBox network configuration has a port-forwarding rule for RADIUS UDP port 1812 between the guest and host systems so that incoming authentication packets from the SoftEther VPN server can be processed.

5) How can the remote VPN server use the RADIUS service on the internal server?
The RADIUS server listens on the default UDP port 1812. SSH port forwarding carries only TCP, so UDP cannot be sent through the SSH tunnel directly the way TCP can.
To carry the UDP packets between the VPN server and the RADIUS service over the SSH tunnel, we use socat (socket translator) to encapsulate each UDP packet inside a TCP connection and route it across the virtual link.

This is the schema of UDP datagram translation between the RADIUS server and the external VPN hub on the Internet public server:

Picture 2: VPN-SOCAT-schema

These are the system settings needed to enable RADIUS authentication on the VPN server.

In our example we use the following IP configuration:

Internet Public Server IP: 200.200.200.200
SSH Tunneling Gateway IP: 10.10.1.1
Solaris x86 Server IP: 10.10.1.20

>on Solaris x86 Server (Host System) - accept TCP connections on port 8000 and pass each one's payload to the RADIUS listener as a UDP datagram:
/opt/SUNWsocat/bin/socat tcp4-listen:8000,reuseaddr,fork,sndbuf=32768,rcvbuf=32768 udp:10.10.1.20:1812

>on SSH Tunneling Gateway - reverse-forward port 8000 on the public server back to the Solaris host's socat listener:
/usr/bin/ssh -q -R 8000:10.10.1.20:8000 -N -T -f 200.200.200.200

>on Internet Public Server - receive RADIUS datagrams on UDP 1812 and forward each one over the tunneled TCP port (15-second inactivity timeout):
/opt/SUNWsocat/bin/socat -T15 udp4-recvfrom:1812,reuseaddr,fork tcp:localhost:8000

6) These are typical L2TP/IPsec VPN settings for various clients (click the link for details):

In the next article I will show in more detail how to set up a VPN server with several virtual hubs, cascade connections, and a virtual bridge.