0 votes
272 views 8 comments
by
Hi

We aim to transfer data from a device that gets its internet access through a RUT955 to a server behind our firewall, without creating a firewall rule that allows incoming traffic from the RUT WAN IP. The ISP is unable to provide a fixed IP address for the RUT955, so no such rule can be created on our firewall. The protected server runs Scientific Linux.

Is this at all a possible scenario, using the public/private/preshared key feature?

Thanks
by
Yes. Did that multiple times in commercial projects, in IoT.
by
Thanks.

I'm not too familiar with the whole ssh/keys sharing business, so if you would try and tell me how I should configure the devices, like the Peer section on the RUT and the needed steps on the firewalled server, I would be most grateful.

I hope this isn't an inappropriate request ;)
by
Dear Tomas

Thanks for wrap up of the problem, and for the pointer to ZeroTier.

Best regards

Ole

2 Answers

0 votes
by
Legitimate request.

However, I wrote that I did this for commercial projects, which means this was/is not for free.

Everybody has to make a living :-)
by
Fair enough, thanks for chipping in.

Regards

Ole
–1 vote
by

Hello,

Just to confirm - you have a device (with some service running) behind a CGNAT/firewall/third-party router to which you cannot gain any access or have someone configure a port forward for you? If that's the case, then using a virtual private server (VPS) solution along with a WireGuard VPN tunnel to the end-device could be possible. In theory, by employing this method, you can create a tunnel between the RUT955 and the VPS. The result of this is that you can configure a working port forward through the WireGuard tunnel. The principle of this configuration (after setting it up) is the following:

  1. Specify the public external VPS IP address and port to begin initiating connection from end-device A
  2. The packet reaches VPS at specified port, VPS forwards this packet through the WireGuard tunnel to the RUT955
  3. RUT955 processes this packet, forwards it to the end-device B (your Linux machine for example)
  4. Packet from end-device B comes back the same way to your end-device A

If this is what you'd like to do then you may want to take a look at our Helium configuration example wiki page. It may not be designed precisely for your device/use-case but the principle of this configuration is the exact same - configuring a port forward to the end-device via WG tunnel when you cannot acquire a public IP address on your RUT955. Link to the article.

If this isn't what you'd like to do then please provide additional information and some details of how things should work from your end and, ideally, provide a topology of how things should be connected and work.

Best regards,

Tomas P.
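
As an added illustration of the four-step principle above (this is not the thread's or Teltonika's own configuration, and the Helium article may differ), the two WireGuard peer configurations for the VPS-in-the-middle layout. All addresses, ports and key placeholders are constructed assumptions; the RUT955 fields map onto the router's WireGuard Peer section.

```ini
# ---- VPS: /etc/wireguard/wg0.conf (brought up with wg-quick) ----
# Constructed example; 10.8.0.0/24, TCP 2222 and the key placeholders
# are assumptions, not values from the thread.
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Step 2: a client reaching the VPS public IP on TCP 2222 is DNATed through
# the tunnel to the RUT955 (10.8.0.2), which port-forwards on to end-device
# B on its LAN (step 3, configured in the RUT955 firewall, not shown here).
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 10.8.0.2:22
PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp -d 10.8.0.2 --dport 22 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Source-NAT onto the tunnel so the RUT955 answers via wg0 (step 4) instead
# of sending replies to the client's public IP out of its own WAN link.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 10.8.0.2:22
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp -d 10.8.0.2 --dport 22 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
# The RUT955. No Endpoint here: its WAN IP is dynamic and it dials in.
# AllowedIPs is pinned to its single tunnel address, so the VPS accepts
# nothing else from this key.
PublicKey    = <RUT955_PUBLIC_KEY>
PresharedKey = <PSK_VPS_RUT955>
AllowedIPs   = 10.8.0.2/32

# ---- RUT955: the same fields as the router's WireGuard Peer section ----
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <RUT955_PRIVATE_KEY>

[Peer]
PublicKey    = <VPS_PUBLIC_KEY>
PresharedKey = <PSK_VPS_RUT955>
# 203.0.113.10 is a constructed documentation-range address for the VPS.
Endpoint     = 203.0.113.10:51820
# Only tunnel traffic, not a 0.0.0.0/0 default route through the VPS.
AllowedIPs   = 10.8.0.0/24
# Outbound UDP every 25 s keeps the NAT mapping open so the VPS can reach
# back; nothing inbound is ever needed on the RUT955 WAN side.
PersistentKeepalive = 25
```

The MASQUERADE rule is the easy thing to forget: without it the RUT955 would see the client's public source address and route its replies out its own WAN rather than back through the tunnel.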

by

Hi Tomas

Sorry about the long response time – weekend and other work-stuff came in the way ;)


Just to confirm - you have a device (with some service running) behind a CGNAT/firewall/third-party router to which you cannot gain any access or have someone configure a port forward for you? 

Not quite there yet. Goal is to be able to push data from the remote broadband installation, through our company firewall, even without knowing the remote BB WAN IP.

If that's the case then using a virtual private server (VPS) solution along with a WireGuard VPN tunnel to the end-device could be possible to do.

Q: Where is the VPS – a (paid) service from the Internet ?

In theory, by employing this method, you can create a tunnel between the RUT955 and the VPS.

The result of this - you can configure a working port forward through the WireGuard tunnel. The principle of this configuration (after setting it up) is the following:

1. Specify the public external VPS IP address and port to begin initiating connection from end-device A

I suppose ‘end device A’ will be the server behind our firewall, and thus ‘end device B’ will be the RUT955-PC?

If so I believe that I want it the other way round – traffic initiates from remote to behind firewall.

2. The packet reaches VPS at specified port, VPS forwards this packet through the WireGuard tunnel to the RUT955

This I read as the VPS is our company firewall, on which there needs to be a rule, something like this:

  - Allow incoming from ‘net’ on port ‘wireguard configured port#’ to firewall protected server (end-device B - ‘fps’)

  - Handle key exchange between RUT955 and ‘fps’ to ensure validity

3. RUT955 processes this packet, forwards it to the end-device B (your Linux machine for example)

4. Packet from end-device B comes back the same way to your end-device A

If this is what you'd like to do then you may want to take a look at our Helium configuration example wiki page. It may not be designed precisely for your device/use-case but the principle of this configuration is the exact same - configuring a port forward to the end-device via WG tunnel when you cannot acquire a public IP address on your RUT955. Link to the article.

If this isn't what you'd like to do then please provide additional information and some details of how things should work from your end and, ideally, provide a topology of how things should be connected and work.

Best regards,

Tomas P.

I haven’t had the time to dig in to the article describing the Helium setup today, but I just wanted to get back to you with this for now.

Wireguard setup

Your help is highly appreciated, thanks!

Regards

Ole

by
It does seem like using a virtual private server solution (example from the Helium article) with a VPN server setup on it would be the answer for you, as long as the firewall (in the middle of topology) permits all ports outbound. The main principle of that setup is that your WAN IP on RUT955 side does not matter, you simply establish a VPN tunnel to your remote virtual private server. The VPS itself has to be paid for, generally monthly or yearly. The cost varies depending on the VPS provider.
by
Sorry about the unintended -1 vote, I can't correct it.

And thanks for your suggestion to use an external VPS. However, we are aiming at establishing a direct connection without the need for a 3rd link.

For now we will put the task aside, and maybe pick it up at a later time.

Br

Ole
by
No problem. Also, regarding your case, as far as I am aware there is no other way to bypass the firewall using conventional methods. If your ISP supplies/has IPv6 enabled you may make use of that. Apart from that, using VPN protocols which work in a somewhat similar fashion to SD-WAN solutions may be an option. For example, you may make use of ZeroTier VPN - take a look into it as it may suit your needs. Our routers support ZeroTier so this could be used as an option as well.

Best regards,

Tomas.