Sunday Morning Hacking: Enabling IPsec/L2TP Forwarding on a Telekom Speedport W 724V

Note: I dug up the original post I wrote back in 2015 using archive.org's Wayback Machine because my analytics tool showed me that people are still looking for this even today! I'm quite impressed – in a very disturbed way – that people still seem to be using this piece of crap device.

Ever since the day I moved all my data from Dropbox (see #DropDropbox and the Snowden revelations) to my private cloud – a Synology 415play with ~12TB of storage — I’ve been looking for a way to make this data available to me on the go. Synology provides a handful of solutions for this, such as their DS Cloud apps. Unfortunately these apps require you to either punch holes into your firewall and allow direct access to the NAS’ web service, or to use Synology’s QuickConnect, which is yet another man-in-the-middle that could theoretically read the data being transferred from the storage to the clients.

However, after a group of attackers began exploiting vulnerabilities in the NAS’ services in August 2014 and managed to install ransomware named SynoLocker onto many people’s devices, allowing direct access from the internet to the Synology clearly didn’t sound like a great plan. The solution: a VPN.

A VPN would allow me to expose only the VPN server – a piece of software that’s quite challenging to hack when implemented correctly – to the internet, and let my laptop and smartphone connect from anywhere in the world as if I were at home, using DS file or even AFP/SMB.

To do so I set up an IPsec/L2TP server, as this type of VPN is supported natively by my Mac and my Android phone and only required my internet router to forward the UDP ports 500 (IKE), 1701 (L2TP) and 4500 (IPsec NAT traversal) to my VPN server. And that’s where the tricky part began:

The devices shipped with a regular Telekom DSL contract here in Germany include some special features named WLAN TO GO and EasySupport. In order for these to function correctly, Telekom reserves a number of ports on their devices, which therefore cannot be forwarded to an internal host. One of these reserved ports is UDP 1701.

“Well, simply disable WLAN TO GO and EasySupport, then you can make use of these ports?”, you might think now. Unfortunately this doesn’t help, as the firmware still refuses to forward these ports, even with the named functions turned off. It appears that Telekom’s developers simply defined a list of ports that are blocked by default, regardless of whether they’re actually in use by any of their internal services or not.

To cut a long story short: I began looking for a trick I could use to bypass these restrictions, even though hacking proprietary firmware is usually quite complex and requires a lot of work. Especially when developed by huge companies like Telekom and used on a bazillion devices, right?
Fifteen minutes later I had all the required ports redirected to my IPsec/L2TP server, in a way the average Joe can reproduce without much know-how. Here’s the step-by-step guide:

Step One: Disable all the Bullshit

Make sure to disable EasySupport and WLAN TO GO

Step Two: Configure Port Forwarding

Create the required UDP port forwarding for IPsec/L2TP

Step Three: Open your Browser’s Web Developer Console & Hack some JavaScript

Replace the function that checks for reserved ports with a custom one. The check runs only in the browser, and the router does not repeat it for the submitted form, which is why this works.

You’re done, press the “Save” button.

That was easy, wasn’t it? Unfortunately, there’s a tiny downside to this trick: as soon as the changes are saved and the page is reloaded, the hack is gone and you will need to re-type the JavaScript and hit Enter again before saving another set of changes to the port forwarding. This could easily be solved by writing a Chrome/Firefox/Safari extension that automatically executes this code as soon as you open https://speedport.ip.
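The underlying defect is that the reserved-port list is static and enforced only in the browser. As an added example (not the Speedport firmware's code), here is how such a check should be written on the server side: reserved ports are derived from the features that are actually enabled, and the handler ignores anything the client claims to have validated. The mapping of features to ports is an assumption for illustration; the post only states that UDP 1701 is on the reserved list.

```javascript
// Added example, not the router's firmware: a server-side port-forwarding
// validator that only reserves ports for features that are switched on.

// UDP ports an IPsec/L2TP server needs forwarded, as listed in the post.
const L2TP_IPSEC_PORTS = [500, 1701, 4500];

// Reserved ports grouped by the feature that needs them. The firmware in the
// post used one flat list and ignored whether the feature was enabled at all.
const RESERVED_BY_FEATURE = {
  wlanToGo: [1701],       // assumption: the post does not say which feature owns 1701
  easySupport: [65534],   // constructed placeholder, not the real EasySupport port
};

// Reserved ports that are actually in use, given which features are enabled.
function reservedPorts(features) {
  const ports = new Set();
  for (const [name, list] of Object.entries(RESERVED_BY_FEATURE)) {
    if (features[name]) list.forEach((p) => ports.add(p));
  }
  return ports;
}

// Validate one forwarding rule. This must run on the server (the firmware's
// HTTP handler): anything that runs in the browser can be replaced from the
// developer console, which is exactly what the post describes.
function validateForward(rule, features) {
  if (!['tcp', 'udp'].includes(rule.proto)) return { ok: false, reason: 'bad protocol' };
  if (!Number.isInteger(rule.port) || rule.port < 1 || rule.port > 65535) {
    return { ok: false, reason: 'port out of range' };
  }
  if (reservedPorts(features).has(rule.port)) {
    return { ok: false, reason: `port ${rule.port} reserved by an enabled feature` };
  }
  return { ok: true };
}

// Server-side handler: ignores any "clientValidated" flag the browser sends
// and re-runs the check itself. Returns only the rules that were accepted.
function applyForwardRequest(rules, features) {
  return rules.filter((r) => validateForward(r, features).ok);
}

// Scenario from the post: WLAN TO GO and EasySupport disabled, then forward the
// three IPsec/L2TP ports. With a feature-aware list, 1701 is accepted.
const request = L2TP_IPSEC_PORTS.map((port) => ({ proto: 'udp', port, clientValidated: true }));
const accepted = applyForwardRequest(request, { wlanToGo: false, easySupport: false });
console.log(accepted.map((r) => r.port)); // [500, 1701, 4500]
```

With WLAN TO GO enabled the same request is rejected for port 1701 no matter what the browser sent, which is the behaviour the Speedport's UI only pretended to have.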