# Is it possible to setup a VPN over a 3G network?



## Bryan84 (Aug 2, 2003)

Basically I am trying to try to see if I can setup a VPN server over a 3G network. So my small setup would be:

3G Network >_connects via_< Windows Server 2008 (where my VPN server is setup) >_connects to_< VPN Client

I'm asking because I understand that the Server 2008 IP that it has is not a "real ip" address. Currently assuming is just 192.168.2.2.

So if I get home and use my VPN client to connect to my Windows Server 2008 in the office, it is not possible right?

I hope I explain to what you can understand.


----------



## JohnWill (Oct 19, 2002)

Your VPN would be connecting to your public IP address, not the server address directly. It is possible to use VPN over a 3G network, though it's apparently in a state of flux based on this thread I found: http://forum.tipb.com/iphone-forum/167878-vpn-working-over-wifi-but-not-3g.html


----------



## Bryan84 (Aug 2, 2003)

Woah JohnWill, I remember you once helped me before. Must have been here for YEARS eh you?  Thanks againf or helping.

But my Server is being assigned a static 192.168.2.2. And if my client wants to connect in, surely it can't be trying to connect to 192.168.2.2 from home right?


----------



## JohnWill (Oct 19, 2002)

Correct, as I mentioned, they would be connecting in via the public IP address. Truthfully, if you want to have a VPN at the office, I'd seriously consider a VPN router at the office and dispense with the complication of software VPN. 

One question. Are you saying the server is connected to a 3G network for it's access? That may be a lot more problematic, I don't have any experience with that environment or if it'll work.


----------



## Bryan84 (Aug 2, 2003)

I'm an intern and just was tasked to see if it is possible to connect a VPN over 3G. Then with a small lab of a few computers for developing/testing environment. And it's connection to the Internet is via 3G only. That's why I'm asking. Do I have other options to explore? I can even recommend others if VPN is not good for this case. I supposed objective is to work from home.


----------



## Bryan84 (Aug 2, 2003)

Yeah earlier in the officer, I've configured Server 2008 added the role to allow VPN. I was able to establish connection from Client to Server since it was all within 192.168.2.*

But now I'm trying to go one step more, that is to connect from another network/subnet or even home into that Server.


----------



## JohnWill (Oct 19, 2002)

Again, how does the server connect to the Internet, I'm not interested in the remote connections right now.


----------



## Bryan84 (Aug 2, 2003)

The server is connected to the Internet via a router that is connected to a wireless USB dongle.


----------



## JohnWill (Oct 19, 2002)

I'll leave this one to someone that has actually tried to do this. You have a number of obstacles that I can envision here, perhaps our resident VPN expert *zx10guy* will happen along and see this thread.


----------



## Bryan84 (Aug 2, 2003)

Thank you so much for your help thus far!


----------



## zx10guy (Mar 30, 2008)

The first question I have is what type of 3G connection device are you using? Are you using a connection card via USB? Are you using a 3G router device? The answer to this is important. If the server is directly attached to a connection card, then your VPN server will have a public IP address assigned to it by your 3G provider. If you are using a 3G router device, then you have to either do the appropriate port forward configurations to allow the outside client traffic through to your server or nothing (or very minor configurations) if the 3G router already has built in VPN pass through support.

I have done different types of VPN connections of my Sprint 3G service. The first VPN configuration I set up was with a Netgear FVS338 router to my home network. I ran a Pantech PX500 connection card on my Acer laptop running the Netgear ProSafe VPN client without any issues. The next setup I tested and ran on my home network was to use Cisco's WebVPN. In this scenario, I created a port forward rule for the SSL port on my ASA 5505 to allow outside traffic to hit the 5505 firewall. The WebVPN configuration was to download the Cisco AnyConnect client which installs itself onto my laptop and then creates a VPN connection over an SSL tunnel back to the ASA5505. The last configuration was with a former company. I used my corporate laptop with my Sprint 3G connection card service to VPN to the corporate firewall which was a Cisco PIX 515E. I used the Cisco VPN client on the corporate laptop to connect in. All of the above scenarios worked pretty much flawlessly. The only time I had issues was an intermittent disconnect that may occur every once in a while after having the tunnel up for a few hours. This could be due to cellular signal quality or network congestion at the tower.

Another aspect you'll have to look into depending on your client side setup is to take into account if your client is directly attached to the internet (meaning has a public IP address) or is behind a router/firewall using a private address. If it is the latter, you'll need to run NAT-T (or NAT traversal.) NAT-T allows VPNs to be established when you have clients with private addresses being routed through routers/firewalls.


----------



## Bryan84 (Aug 2, 2003)

Thanks for your reply.

When I go back to office tomorrow and I get more information, I will come back to post more.


----------



## srhoades (May 15, 2003)

I'll chime in and say connecting a server wireless is never a good idea, especially if you are running any sort of database.


----------

