Remote Working Solutions



The demand for the ability to work remotely is the highest it has ever been. A number of solutions are available depending on your requirements. Here are a few ways you can get connected remotely using solutions offered by Scoop.


Port Forwarding

Also known as 'Destination NAT' or 'Port Mapping', port forwarding is a method of Network Address Translation (NAT) in which the router's firewall changes the destination IP address and port of incoming traffic. It is commonly used for accessing private network resources over a public network (the internet) and is already built into Tenda, Ubiquiti and MikroTik routers. Port forwarding is very efficient but does not offer any encryption service, making it less secure.

Port forwarding to a Remote Desktop Server


View some configuration examples here:



VPN

Virtual Private Networks allow you to create a virtual tunnel to a remote resource and provide encryption services that add security to the connection. This requires a VPN server, which authenticates connections based on user credentials. Encryption depends on the type of VPN service, and a number of types are available depending on client support, performance overhead and security requirements.

Here are some common VPN types:
  • PPTP - Point-to-Point Tunnelling Protocol
  • L2TP/IPsec - Layer 2 Tunnelling Protocol with IP Security
  • IKEv2/IPsec - Internet Key Exchange v2 with IP Security
  • SSTP - Secure Socket Tunnelling Protocol
  • OVPN - OpenVPN

| VPN | Protocol | Encryption | Common Usage | Compatibility |
|---|---|---|---|---|
| PPTP | TCP | 128-bit key | Not recommended | MikroTik, Ubiquiti, Fanvil, Tenda |
| L2TP/IPsec | UDP | 256-bit key | Real-time applications | MikroTik, Ubiquiti, Fanvil, Tenda |
| IKEv2/IPsec | UDP | 256-bit key | Real-time applications | MikroTik, Ubiquiti |
| SSTP | TCP | SSL/TLS | Secure applications | MikroTik |
| OVPN | TCP/UDP | SSL/TLS | Any | MikroTik, Ubiquiti, Fanvil, Tenda |



Remote Client VPNs

Common VPN types are usually natively available across most operating systems, and where they are not, third-party software can assist. End devices like VoIP phones should also have VPN clients built in to configure with your network. Fanvil, for example, has native support for L2TP and OVPN and can be connected without the need for an additional VPN interface. If you are using Yeastar, it is possible to configure an OpenVPN server directly on the PBX. When coupled with their Linkus softphone application, it is an ideal mobile VoIP telephone solution.

Individual L2TP connections from clients to EdgeRouter


View some configuration examples here:



Site-to-Site VPNs

In cases where multiple devices are required to share the VPN connection, it is possible to merge two networks with a site-to-site configuration. This will require a router at each end with compatible VPNs. It is also possible to create a Layer 2 bridge, depending on the protocol. For example, EoIP (Ethernet over IP) is a proprietary MikroTik protocol designed to do just this and can be encapsulated with IPsec for robust encryption.

Site-to-Site connection with MikroTik's EoIP with IPsec


View some configuration examples here:



  • Static vs Dynamic IP Addresses

    Regardless of which type of remote connectivity option you decide on, you will need to know the public IP address of each site on the link to properly secure the connection. Ideally, a static IP is best, but where dynamic IPs are in use, you will need to make use of DDNS (Dynamic DNS) to resolve your public IP address, as it is prone to change. There are many free and paid services available, like https://www.duckdns.org/, which can provide you with this service. If you are using MikroTik, DDNS is available for free on all MikroTik routers with a click of a button via their cloud service - https://wiki.mikrotik.com/wiki/Manual:IP/Cloud
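
An added example, not part of the original post or of any vendor's tooling: because port forwarding provides no encryption, limiting which source addresses may reach a forwarded port is the main control left, and that depends on knowing each site's address (static or via DDNS) as described above. This Python script reads a RouterOS-style NAT export and lists enabled port forwards that accept any source. The sample export, interface name, address-list name, host name and addresses are constructed assumptions, and only the NAT rules are inspected, not the filter table.

```python
import re
import shlex

# Constructed sample in the style of a RouterOS "/ip firewall" export.
# Interface, list name, host name and addresses are assumptions for illustration.
SAMPLE_EXPORT = r'''
/ip firewall address-list
add address=branch.example.net list=remote-sites comment="DDNS name of the remote site"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.88.10 to-ports=3389 comment="RDP open to any source"
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp \
    src-address-list=remote-sites to-addresses=192.168.88.11 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 protocol=tcp to-addresses=192.168.88.12
'''

def parse_rules(export_text, menu="/ip firewall nat"):
    """Return the 'add' entries under one menu as dicts of key=value pairs."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join lines wrapped with a trailing backslash
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line  # a menu path applies to the 'add' lines that follow it
        elif current == menu and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append(dict(pairs))
    return rules

def unrestricted_forwards(export_text):
    """Enabled dst-nat rules that accept connections from any source address."""
    findings = []
    for rule in parse_rules(export_text):
        if rule.get("action") != "dst-nat" or rule.get("disabled") == "yes":
            continue
        if "src-address" in rule or "src-address-list" in rule:
            continue  # the forward is limited to known source addresses
        findings.append((rule.get("protocol", "any"), rule.get("dst-port", "any"),
                         rule.get("to-addresses", "?")))
    return findings

if __name__ == "__main__":
    for proto, port, target in unrestricted_forwards(SAMPLE_EXPORT):
        print(f"open forward: {proto}/{port} -> {target}")
```
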



    Blog post by Timothy Symonds