DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Some questions on the 2955 VPN router

  • peter-h
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
31 Mar 2010 16:25 #61468 by peter-h
Some questions on the 2955 VPN router was created by peter-h
The router is described here
http://www.draytek.co.uk/products/vigor2955.html

and the SSL mode here
http://www.draytek.co.uk/support/kb_vigor_ssl.html

Currently I am running with the 2900 router's PPTP VPN for "teleworker" connections; PPTP is supported natively by windoze but is not propagated by most 3G networks or many wifi networks.

So I am looking at SSL which, running over port 443, is sure to work everywhere...

Reading the above Draytek stuff, they seem to just use a standard www browser as the client, but this obviously works only with host apps which interact with an HTTPS browser (I cannot think of any such app myself; we are not talking of the slick "Citrix" functionality here whereby a remote web browser becomes the client for a remote desktop server).

They also offer the option of a download of a client tunneling program (a java active-x thingy) which then gives a normal VPN functionality. This is the bit I would need for e.g. pc/anywhere which is the main app I run over the VPN.

Curiously the HTTPS browser needs to remain loaded throughout the VPN session even if one is using the tunnel mode. That's OK.

The attraction of this product, over a separate "SSL VPN box", is that I could replace the 2900 router with the 2955 and it "should just work" :)

Also curiously one needs to enable the remote management mode in the router, on HTTPS only, for the SSL VPN to work. I can understand this, but surely this means port 443 is going to be hacked mercilessly. On the 2900 we had many password (dictionary) attacks on port 443; the 2900 router had/has a bug in that disabling remote management totally still did not disable remote management on p443 so a port sniffer quickly detected a response on that port and then went to work on it... We solved this by port forwarding p443 to an internal IP on which nothing is responding and that made p443 appear dead to the sniffers.

Maybe a response to a port sniffer on port 443 is just an unavoidable side effect of any SSL VPN?

Which begs the question of which ports does a PPTP VPN appear on? I got somebody to do a port scan on my IP and apart from the obvious ports he found nothing open.

I would expect a VPN router to not respond to port sniffers unless it first receives a data packet which contains a part of the user's password or something like that. Otherwise, this opens up the router to an easy DOS attack, especially on an ADSL connection with a fast downlink speed e.g. 8Mbits/sec :)

The other thing I can't get my head around is how would one run an HTTPS server behind this router. Currently we run an HTTP server behind ours, which is trivial. Presumably the 2955 must be configurable for an automatic "pass-through" so any traffic not destined for the remote admin function, and not destined for one of the VPN users, gets passed through to the internal network?

Please Log in or Create an account to join the conversation.

More
10 Jun 2010 11:18 #62304 by roboughton
Replied by roboughton on topic Some questions on the 2955 VPN router
I too have many questions about this piece of kit doesnt look like many know much about it though.

I will just have to suck it and see

Please Log in or Create an account to join the conversation.

More
24 Jun 2010 22:52 #62482 by admin
Replied by admin on topic Re: Some questions on the 2955 VPN router

peter-h wrote:
I would expect a VPN router to not respond to port sniffers unless it first receives a data packet which contains a part of the user's password or something like that.



I don't think that would work. It's a bit like saying someone's doorbell shouldn't ring unless someone says "Hey, it's Peter" whilst they hold the button down :-) The RFCs most likely require responses to requests (I am guessing). A strong password should defeat any sniffing point.



Forum Administrator

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami