Single-Arm VPN Configuration

Single-Arm VPN allows the router's VPN to work only on the WAN interface, instead of working on traffic sent between LAN and WAN. When doing single-arm VPN, traffic arrives on the WAN interface, gets encrypted, and sent out through the same WAN interface. It's the solution to add VPN compatibility to the network without replacing the Internet gateway. To use the Single-Arm VPN, it’ s required to open the corresponding ports for VPN protocols to Vigor Routers and create the static routing rule for the VPN traffic on the Internet gateway. an illustration of single arm vpn

Since 3.8.4.2 version firmware, Vigor Router supports single-arm VPN for PPTP (TCP 1723), IPsec (UDP 500 and 4500) and SSL (TCP 443 or user-defined).

Vigor Router Configuration (The Router on LAN A)

1. Go to VPN and Remote Access >> LAN to LAN and click an available index

  1. Enable profile and choose "Dial-In" for Call Direction a screenshot of DrayOS
  2. Enable PPTP and give a Username and Password in Dial-In Settings a screenshot of DrayOS
  3. Type LAN B for Remote Network in TCP/IP Network Settings
  4. Type LAN A (WAN network) for Local Network
  5. a screenshot of DrayOS

2. To avoid LAN network conflict with WAN network, please change the LAN network of the Vigor Router.

a screenshot of DrayOS

3. Go to Routing > Route Policy and click an available index to add a new rule:

  1. Enter LAN A in Source IP
  2. Enter LAN B in Destination IP
  3. Select the VPN profile for Interface
s screenshot of route policy settings

Remote Router Configuration (The Router on LAN B)

Go to VPN and Remote Access >> LAN to LAN and click an available index to add a new profile:

  1. Enable the profile and choose "Dial-Out" for Call Direction
  2. Select PPTP for Type of Server I am calling
  3. Type WAN IP or domain name of the internet gateway.
  4. Type Username and Password
  5. a screenshot of VPN Settings
  6. Type LAN A for Remote Network in TCP/IP Network Settings
  7. a screenshot of VPN Settings

Internet Gateway Configuration

To make the single-arm VPN work, we must make the VPN traffic pass through the internet gateway and be sent to the VPN tunnel. Here we take a Vigor300B for example.

1. Go to NAT >> Port Redirection and click Add to create a new rule:

  1. Enable profile and Select One-to-One for Port Redirection Mode
  2. Type "1723" for Pubilc Port and Private Port (This is the port used by PPTP VPN)
  3. Type Vigor Router WAN IP for the Private IP
a screenhot of Vigor300B

2. Go to Routing >> Static Route and click Add to create a new rule

  1. Enable profile
  2. Type LAN B for the Destination IP Address
  3. Type Vigor Router WAN IP as the Gateway
a screenshot of Vigor300B

The latest DrayOS 5 routers can also support Single-Arm VPN since 5.3.1 version and above for the following protocols:
- IPsec (UDP 500, 4500)
- OpenVPN (TCP/UDP 1194)
- WireGuard (UDP 51820)

Internet Gateway Configuration

To make the Single-Arm VPN work, we must make the VPN traffic pass through the Internet Gateway and forward to the VPN server. Here we take a Vigor2927 for example.

  1. Go to VPN and Remote Access >> Remote Access Control page, disable all VPN services.
  2. Go to NAT >> Open Ports page and select available index to edit as follows:
    1. Enable Open Ports.
    2. Give a name in the Comment.
    3. Enter VPN server router WAN IP: 192.168.1.10 as the Private IP.
    4. Edit the port for the VPN service.
    5. Click OK to save the profile.
  3. Go to Routing >> Static Route page and select available index to edit as follows:
    1. Enable the profile.
    2. 192.168.2.0 as the Destination IP Address.
    3. 255.255.255.0/24 as the Subnet Mask.
    4. Enter VPN server router WAN IP: 192.168.1.10 as the Gateway IP Address
    5. Choose the Network Interface.
    6. Click OK to save the profile.

Vigor Router Configuration (The Router on LAN A)

Here we take a Vigor2136 as the example for VPN server router.

  1. Navigate to VPN / Site-to-Site VPN page, click Add and create a VPN profile as follows:
    1. Give a Profile Name.
    2. Enable the profile.
    3. Select Dial-in as the Direction.
    4. Choose the VPN Type, here we take IPsec for example.

    5. For Local Network and Subnet Mask, input the IP subnet used on the local router.
    6. For Remote Network IP and Subnet Mask, input the IP subnet used by the remote VPN client router.
    7. Click Apply to save the profile.
  2. Navigate to Configuration / Routing / Route Policy page, click Add and create a policy profile as follows:
    1. Give a Policy Name.
    2. Enable the profile.
    3. Choose IPv4 Subnet for Source and input the IP Address and Subnet mask used on the local router.
    4. Choose IPv4 Subnet for Destination and input the IP Adress and Subnet Mask used by the remote VPN client router.
    5. Choose VPN for Primary Path.
    6. Click +Add and select the VPN Profile we just created in step 1
    7. Click Apply to save the profile.

Remote Router Configuration (The Router on LAN B)

Here we take a Vigor2962 as the example for VPN client router.

  1. Go to VPN and Remote Access >> LAN to LAN page, click an available index to add a new profile as follows:
    1. Enable the profile.
    2. Choose "Dial-Out" for Call Direction.
    3. Enter the WAN IP or Domain name of the Internet Gateway.
    4. Enter Pre-Shared Key.
    5. Enter the IP Address and Mask used by VPN server router as the remote Network IP and Mask.
    6. Click OK to save the profile.

Published On:2017-01-11 

Share

Was this helpful?   

book icon

Knowledge Base