DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VPN from iOS to 2860 (teleworker)

07 Aug 2014 21:25 #80884 by mike wratch
VPN from iOS to 2860 (teleworker) was created by mike wratch
I tried to set up a VPN from an iOS device and OS X to surveillance cameras behind a DrayTek 2860n firewall.
* First try was OpenVPN, which is one of the safe protocols available on my 2860. It took me several hours until I discovered that the implementation is broken and was removed with subsequent firmware updates.
* Next was IPsec with pre-shared secrets, then with certificates. While iOS can be configured with Apple Configurator profiles very well, the configuration on the DrayTek is messy, at best.
* Information is scattered across dozens of dialogs, descriptions are misleading, unclear or plain wrong, and then there are redundant dialogs all over the place (user setup you can do in at least 3 places).
* I never came further than:

karakum.local configd[18]: IPSec Phase1 starting.
racoon[16556]: accepted connection on vpn control socket.
configd[18]: IPSec disconnecting from server 111.111....

* Then SSL VPN was sort of working, but the proxy did not allow for plain HTTPS forwarding.
* I would prefer to have a proper SSL VPN and proxy rather than forwarding ports to the D-Link camera, where security is an afterthought.
* When I configured NAT Port Redirection I could verify with nmap that no port was open.
* Then I came across this document: http://www.draytek.com/index.php?option=com_k2&view=item&id=1303&Itemid=293&lang=en
* According to this document I first have to configure SSL VPN on port 4443 and then NAT >> Port Redirection or NAT >> Open Ports, which are again redundant setups.
* This works, and nmap shows that 443 and 4443 are open.
* Why should I set up SSL VPN on port 4443 without a user which, after all, is never used at all?
* Now port 443 redirects to the camera.

I am not really happy with password only security. After all I would prefer SSL VPN and proxy.

On the D-Link 5222 I could upload a PEM X.509 certificate but not a PEM key, which is pointless (traffic on port 443 was naturally clear text).
A PKCS#12 container with key and certificate was ignored without comment.
I could generate a self-signed certificate with key on the 5222.

The 2860 functionality is awesome, but configuration is really horrifying.
Why should I set up SSL VPN on port 4443 without a user which, after all, is never used at all for port redirection?

Cheers
Mike
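An added check, not part of Mike's post or of any DrayTek or D-Link tool: the post notes that nmap showed 443 and 4443 "open" while the camera's traffic on 443 was still clear text. An open port says nothing about encryption, so a useful follow-up after setting a port redirection is to attempt a real TLS handshake against each forwarded port and record whether the service behind it actually negotiates TLS. The script below does that; the local plain-HTTP listener it starts is constructed here to stand in for a camera web UI that has a certificate but no private key and therefore can only serve clear text. Hostnames, ports and the helper names are assumptions for the example.

```python
"""Probe whether forwarded ports actually speak TLS (added example).

probe_tls() returns one of:
  "tls"      the peer completed a TLS handshake
  "not-tls"  the port accepted the connection but did not speak TLS
  "closed"   nothing answered (refused, or filtered and timed out)
"""
import http.server
import socket
import ssl
import threading


def probe_tls(host, port, timeout=3.0):
    """Attempt a TLS handshake with host:port and classify the outcome.

    Certificate verification is disabled on purpose: the question here is
    only whether the service negotiates TLS at all, not whether a self-signed
    camera certificate is trusted. A "tls" result still needs a separate
    certificate check before the port is considered properly secured.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # ECONNREFUSED, or a filtered port that never answered.
        return "closed"
    try:
        # wrap_socket() on a connected socket performs the handshake now.
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except ssl.SSLError:
        # Peer answered the ClientHello with something that is not TLS
        # (e.g. an "HTTP/1.0 400 Bad Request" from a plain web server).
        return "not-tls"
    except OSError:
        # Reset, EOF or timeout after the connection was accepted: the
        # service is listening but did not complete a TLS handshake.
        return "not-tls"
    finally:
        raw.close()


def audit(host, ports):
    """Classify every port in `ports` on `host`; returns {port: result}."""
    return {port: probe_tls(host, port) for port in ports}


def start_plain_http_server():
    """Constructed stand-in for a clear-text camera UI on 127.0.0.1.

    Returns (server, port). The handler logs nothing and answers GET with a
    fixed body; anything else (such as a TLS ClientHello) gets HTTP 400.
    """
    class QuietHandler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass

        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"camera web ui (clear text)")

    server = http.server.HTTPServer(("127.0.0.1", 0), QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_closed_port():
    """Return a loopback port number that currently has no listener."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


if __name__ == "__main__":
    server, camera_port = start_plain_http_server()
    closed_port = free_closed_port()
    for port, result in audit("127.0.0.1", [camera_port, closed_port]).items():
        print(f"127.0.0.1:{port} -> {result}")
    server.shutdown()
```

Run it against the router's public address with the real port list (for the setup in the post, 443 and 4443) after changing the NAT rules; a "not-tls" on a port you believed was HTTPS is exactly the clear-text situation Mike ran into with the camera.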

