How to make remote work secure for your office via site-to-site VPN

In our previous article, we discussed the use of a dual-SIM mobile router and SIM Switch feature to achieve high-availability cellular connectivity. This allowed us to establish a reliable remote camera network that efficiently transmits images and videos to the Internet. However, creating the network is only half the job; we also need to find a way to remotely access and manage it.

Our plan is to utilize IPSec to establish a site-to-site VPN (Virtual Private Network) between the remote camera network and our office network. A site-to-site VPN is a type of connection that enables multiple fixed locations (sites) to establish secure connections over the internet or another public network. Unlike personal VPNs that connect individual users to a remote server, site-to-site VPNs create a secure communication tunnel between entire networks or sites.

IPSec site-to-site VPN

In our specific use case:

1. The SIM card we use in our remote camera network provides neither a Public Fixed nor a Public Dynamic IP address. Our mobile ISP deploys CGNAT (Carrier-Grade Network Address Translation) and shares public addresses among many end-users, including us.

2. The fiber broadband service we use in our office provides a Public Dynamic IP address. We will use Dynamic DNS (DDNS) to map the Public Dynamic IP address of the router to a fixed hostname.

3. We will employ Split Tunneling at the remote camera network: all traffic will go through the public internet, except for traffic to and from internal IP address ranges, which will traverse the site-to-site VPN.

Teltonika Networks' RutOS requires a Public Dynamic IP address at one end of the site-to-site VPN, and it accepts either an IP address or a hostname in the Remote endpoint field of its IPSec configuration page. This flexibility lets us implement a site-to-site VPN with Teltonika Networks routers while accommodating our constraints and meeting our needs. We successfully set up an IPSec site-to-site VPN between the RUTX11 router at our office and the RUT951 at the remote camera network.
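The three constraints above can be checked before touching either router. The following Python sketch is an added example, not code from the article or from Teltonika: it determines which end has a publicly reachable address (the end behind CGNAT has to dial out to it), rejects overlapping LAN subnets, and shows how split tunnelling decides where a destination is sent. All addresses and subnets are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Ranges that cannot accept inbound connections from the internet:
# RFC 6598 shared space (used by carriers for CGNAT) and RFC 1918 private space.
UNREACHABLE = [ipaddress.ip_network(n) for n in
               ("100.64.0.0/10", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def can_respond(wan_ip):
    """True if the WAN address can accept an inbound IKE connection."""
    ip = ipaddress.ip_address(wan_ip)
    return not any(ip in net for net in UNREACHABLE)

def plan_tunnel(sites):
    """Pick responder and initiator for two sites and reject overlapping LANs.

    sites: {name: {"wan": str, "lan": str}} with exactly two entries.
    """
    (a, sa), (b, sb) = sites.items()
    lan_a, lan_b = (ipaddress.ip_network(s["lan"]) for s in (sa, sb))
    if lan_a.overlaps(lan_b):
        raise ValueError("site LANs overlap; tunnel traffic cannot be told apart")
    responders = [n for n, s in sites.items() if can_respond(s["wan"])]
    if not responders:
        raise ValueError("neither site is reachable; one end needs a public address")
    responder = responders[0]
    return {"responder": responder, "initiator": b if responder == a else a}

def egress(dst, local_lan, remote_lan):
    """Split-tunnel decision for a packet leaving a host on local_lan."""
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(local_lan):
        return "lan"      # stays on the local network
    if ip in ipaddress.ip_network(remote_lan):
        return "ipsec"    # internal range of the other site: through the VPN
    return "wan"          # everything else: straight to the public internet

# Constructed sample values (assumptions, not taken from the article).
SITES = {
    "office":  {"wan": "203.0.113.25", "lan": "192.168.1.0/24"},
    "cameras": {"wan": "100.72.14.9",  "lan": "192.168.10.0/24"},
}

if __name__ == "__main__":
    print(plan_tunnel(SITES))
    for dst in ("192.168.1.50", "192.168.10.20", "198.51.100.7"):
        print(dst, "->", egress(dst, SITES["cameras"]["lan"], SITES["office"]["lan"]))
```

With the sample values, the office is the responder, so the camera-side router is the one that carries the office's DDNS hostname as its remote endpoint.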

IPSec site-to-site VPN configuration at the RUTX11 office network router
IPSec site-to-site VPN configuration at the RUT951 remote camera network router. We use a Dynamic DNS hostname, which points to the Public Dynamic IP address, in the Remote endpoint.

Remarks:

For detailed configuration steps, please refer to Teltonika Networks’ documentation: IPSec Configuration Example.

Site-to-site VPNs are a valuable tool for organizations with geographically dispersed operations, facilitating secure and efficient communication. It’s essential to carefully assess your specific needs and limitations to determine if this technology is the right fit for your business.

Aplus provides a managed site-to-site VPN service. For more information, please contact sales@aplus-da.com.