Question: VPN into my home's network?

TwentyPastFour

Distinguished
Aug 8, 2014
19
0
18,510
Hello all,

I have an unusual issue that I hope someone could help me with. I currently work for a company that requires IP whitelisting of my home network.
If I go on overseas trips, how do I connect to my hotel's wifi and redirect it to my home network to do work-related tasks?

Preferably no AWS virtual machines, etc.
 
That is in a way strange. How does your company deal with the home IP changing? What do they do, say, if someone is using an ISP where you share IP addresses with other customers? Someone who is using a mobile broadband provider or maybe using their phone as a hotspot will not have a fixed IP address.

In any case if we assume your IP does not change then it should be pretty easy.

You buy a router that has a VPN server function. This is much more common than a client VPN that allows you to connect to, say, a VPN service.

These are designed to allow remote access to your home network. I have not kept up with the details of all the newer releases, but some used not to allow you to use the VPN to the house and then go back to the internet. Just read the fine print; I suspect most can now do that. You can of course use third-party firmware like DD-WRT on a compatible router, and that can do it for sure. If you want a slightly simpler solution you could buy an Asus router that supports Merlin firmware.

Your possible new problem is how you access the company network. If you use a VPN you would now have 2 VPN clients on your PC: the first to talk to your home router and then the second to talk to the company router. It will be complex, if you can do it at all, to force the company VPN software to use the home VPN software as a data path. You are then better off using another router in the hotel that has the VPN "client" function. You would run the one VPN between your 2 routers and then run the company VPN between your computer and the company router, using your router VPN to get it through your house.

This is not a trivial project; you are going to have to learn lots of things.

Note the company can still detect that you are doing this. Other people have asked a similar question, and you cannot hide the extra time it takes for data to travel from another country. It will be very obvious that your latency is much higher than other people's if they look on their VPN server. It will also have a large effect on things like video conferencing. Other people will see this extra delay, and you may get echo in the audio because of it.
 

TwentyPastFour

Thanks for your prompt reply

Our company deals with the IP changing by having us call the on-call dev to whitelist our IP. As for ISP sharing, we SSH into our servers, so that can be sort of overlooked, and a person who is not in my team will not be able to use a mobile broadband provider or a phone hotspot, which is exactly why I'm asking here for advice to eliminate that issue.

Just to be clear, my company runs 100% on AWS and does not require a company router so I do not need 2 VPNs. Just something that would be able to change my overseas/hotel IP to my house's IP which is static. My company's video conference is all on zoom, so no worries there either.

I plan to buy an Asus router that supports Merlin firmware, as this seems to be the cheapest choice. Would this be the best way to go about this?
 
If it is just SSH then it is easy.

You load free OpenVPN software on your PC and connect to your home VPN router. You then just run SSH as normal and it will easily pass through the VPN tunnel.
I have not actually done this in a few years, and Merlin has been updated, hopefully making it easier. They used to have samples on how to do exactly this over on the SmallNetBuilder forums, which is where Merlin is supported.

The only other concern would be if the IP changes while you are away: who is going to call you up and tell you the new IP? You will want to use a service called DynDNS to solve that issue; most routers also support that function.

Also note performance is not going to be very high. You might get 20 Mbps because of the router CPU. In addition, your UPLOAD rate at your house is going to limit the download rates you see when you are using the VPN remotely.
 
OK, this is way bigger than you think it is. I'm currently running my own VPN server at home to allow me to connect remotely from anywhere in the world, and I highly recommend setting up a dedicated system at home to do this; a SOHO router "VPN server" is terribad at the best of times.

The trick is you need to redirect default gateway on the client device while also allowing IP masquerading of the new IP range. Also you'll need to generate some SSL key pairs to use for the server and client connections.

Example of the server config for creating a VPN subnet on 10.10.1.1/24 and operating it as a switch. Read the documentation on how to install OpenVPN for the distro of your choice, then enable port forwarding on it.

port 1194
proto udp
dev tun0
cipher AES-256-GCM # the client config must use the same cipher
topology subnet
server 10.10.1.0 255.255.255.0 # hands out 10.10.1.0/24; the server takes 10.10.1.1
tls-server
persist-tun
persist-key

route-gateway 10.10.1.1
route 10.10.1.0 255.255.255.0

ca /etc/openvpn/server/keys/ca.crt
cert /etc/openvpn/server/keys/vpnserver.crt
key /etc/openvpn/server/keys/vpnserver.key
dh /etc/openvpn/server/keys/dh2048.pem

user nobody # drop privileges after startup; Debian-based distros use "group nogroup"
group nobody
log-append /var/log/openvpn/server.log
verb 3
mute 20
max-clients 24
tun-mtu 1500
mssfix 1350
keepalive 30 120

float
daemon
explicit-exit-notify 1

Client-side config for connecting to that.

client
proto udp
dev tun
dev-node TAP1 # Name of the virtual TAP adapter that gets installed in Windows
cipher AES-256-GCM # must match the server config above (it uses AES-256-GCM, not AES-256-CBC)
tls-client
# Recommended: refuse a peer that presents a client certificate as the server.
# Uncomment once the server certificate carries the serverAuth extended key usage.
# remote-cert-tls server
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\client.key"
resolv-retry infinite

remote <home public IP or DNS name here> 1194
persist-key
persist-tun
topology subnet
pull
redirect-gateway def1 # route all traffic through the tunnel; keeps a host route to the server via the hotel gateway

verb 3
mute 20
tun-mtu 1500
mssfix 1350
keepalive 30 120
float
nobind

Then on your home router you do a port forward of port 1194 (or whatever you chose) to the system running the OpenVPN service, also add a static route of the VPN subnet to the VPN server.

And voilà, you can remote back into your home office and appear to be there from anywhere in the world. I've had stuff like this running for over a decade because I used to travel a lot for work and wanted access to my home NAS from the road. Now, trying to get this running without a dedicated system means running it on one of those stripped-down SOHO routers with limited CPU, memory and configuration. It might work, but it'll likely give you nothing but problems, as there are so many things to set up in OpenVPN to do it correctly.
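A consistency check for a server/client config pair like the one above, as an added example and not the poster's configuration: it reads both files the way OpenVPN reads directives and reports the end-to-end mismatches that stop a tunnel coming up, plus a missing server-certificate check. The sample configs are constructed and trimmed (the constructed client deliberately uses AES-256-CBC against a GCM server), and vpn.example.invalid is a placeholder hostname.

```python
"""Sanity-check an OpenVPN server/client config pair for the mismatches that
make a tunnel fail to come up. Added example, not the poster's code."""
import shlex

def parse_ovpn(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            opts[parts[0]] = parts[1:]
    return opts

def check_pair(server_cfg, client_cfg):
    """Return human-readable problems; an empty list means the pair is consistent."""
    s, c = parse_ovpn(server_cfg), parse_ovpn(client_cfg)
    problems = []
    # Both ends must agree on these or the tunnel fails to come up or fragments.
    for key in ("proto", "cipher", "topology", "tun-mtu", "mssfix", "keepalive"):
        if s.get(key) != c.get(key):
            problems.append(f"{key}: server {s.get(key)} vs client {c.get(key)}")
    server_port = s.get("port", ["1194"])[0]  # 1194 is OpenVPN's default
    remote = c.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else "1194"
    if client_port != server_port:
        problems.append(f"remote port {client_port} vs server port {server_port}")
    # Without this, any client cert issued by the same CA could pose as the server.
    if c.get("remote-cert-tls") != ["server"]:
        problems.append("client lacks 'remote-cert-tls server'")
    return problems

# Constructed samples modelled on the pair posted in this thread (trimmed).
SERVER = """
port 1194
proto udp
cipher AES-256-GCM
topology subnet
server 10.10.1.0 255.255.255.0
"""
CLIENT = """
client
proto udp
dev-node TAP1 #Name of the virtual TAP adapter in Windows
cipher AES-256-CBC
remote vpn.example.invalid 1194
topology subnet
"""
FINDINGS = check_pair(SERVER, CLIENT)  # cipher mismatch + missing remote-cert-tls
```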