Intersite VPN

Intersite VPN

on 29.09.2007 16:57:36 by Bryhhh

I have two sites that sit behind NATted DSL routers (Netgear DG834),
and I want to link the two networks together.

Background info:

Site A (Main office)
====================
We have full control over the infrastructure, the DSL link has a
static WAN IP address.

Site B (Remote office)
======================
Long story, but the DSL router isn't ours and we have no physical access
to it; however, we do have exclusive use of this device and we have
admin access to the router. We don't own the phone line or the
broadband connection, so we are limited as to what we can do. The DSL
link has a dynamic WAN IP address; this can't be changed.

I'm open to using either hardware or software (open source or
commercial) to accomplish this, however the devices on site B must be
able to seamlessly connect to the site A network.

I'm considering putting a Linux box at site A to act as a PPTP VPN
server (using port forwarding from the DSL router), with a Linux box
at site B to act as the gateway to route the traffic to site A via the
PPTP tunnel.

Does this sound like the right way forward?

Re: Intersite VPN

on 30.09.2007 09:30:03 by Christophe Vandeplas

Bryhhh wrote:
> I have two sites that sit behind NATted DSL routers (Netgear DG834),
> and I want to link the two networks together.
>
> Background info:
>
> Site A (Main office)
> ====================
> We have full control over the infrastructure, the DSL link has a
> static WAN IP address.
>
> Site B (Remote office)
> ======================
> Long story, but the DSL router isn't ours, we have no physical access
> to it, however we do have exclusive use of this device and we have
> admin access to the router. We don't own the phone line, or the
> broadband connection, so we are limited as to what we can do. The DSL
> link has a dynamic WAN IP address, this can't be changed.
>
> I'm open to using either hardware or software (open source or
> commercial) to accomplish this, however the devices on site B must be
> able to seamlessly connect to the site A network.
>
> I'm considering putting a Linux box at site A to act as a PPTP VPN
> server (using port forwarding from the DSL router), with a Linux box
> at site B to act as the gateway to route the traffic to site A via the
> PPTP tunnel.
>
> Does this sound like the right way forward?

If you are considering making a secure tunnel between the two sites, I
recommend that you use protocols like IPsec, SSL-VPN or L2TP (the successor
of PPTP).

PPTP has had its security issues, and the Windows implementation still has
some problems with packets getting out of the tunnel for obscure reasons.
(No clue if the Linux implementation has the same problem.)

Depending on your knowledge of Linux (or other operating systems) you
have to decide how to build this tunnel.
Software: on Linux, Windows, ...
or hardware: dedicated boxes or firewalls with VPN functionality built in.

This choice should be made based on the time and knowledge you have. It
might be more expensive to do it with a Linux box than with a cheap
firewall (with easy config and maintenance).

Does your current firewall support VPNs?
Linux: Openswan (IPsec), OpenVPN (SSL VPN)
Hardware: many solutions exist; for small sites brands like Fortinet are
a good choice as they are fairly cheap. Higher-end firewalls like Check
Point, Netscreen and ASA also support this, of course.

It's a good idea to check the Wikipedia pages concerning the different
technologies.
http://en.wikipedia.org/wiki/Virtual_private_network
http://en.wikipedia.org/wiki/Pptp
http://en.wikipedia.org/wiki/IPsec
http://en.wikipedia.org/wiki/Transport_Layer_Security



Personally I prefer using IPsec for site-to-site tunnels.
With IPsec it's fairly simple to use dynamic tunnels.
On site B you just configure the tunnel to site A and enable aggressive
mode. On site A you need to configure the tunnel as dynamic (accept IP
0.0.0.0/0). It's a good idea to choose strong shared keys; you only have
to type them once... so...
The configuration depends on the chosen solution, of course.

Hope this helps.

--
mailto:christophe@vandeplas.com
http://christophe.vandeplas.com
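The dynamic-peer IPsec setup described above, written out as an added example (it is not from the thread and not Openswan project code): site B initiates in aggressive mode, site A accepts a peer from any address and recognises it by its ID, and the shared key is generated at random rather than typed from memory. Assumed here: the IDs @siteA and @siteB, the LAN subnets 192.168.16.0/24 and 192.168.17.0/24 taken from Bry's later post, the placeholder address 203.0.113.10 for site A's static WAN IP, the algorithm choice, and Openswan's ipsec.conf(5) keyword syntax (other IKE daemons use different keywords).

```shell
#!/bin/sh
# Added example, not from the thread or from Openswan: IPsec site-to-site with a
# dynamic peer.  Assumptions: IDs @siteA/@siteB, LAN subnets from the later posts,
# placeholder SITE_A_WAN_IP (TEST-NET-3), Openswan keyword syntax.
set -eu

SITE_A_WAN_IP="${SITE_A_WAN_IP:-203.0.113.10}"   # placeholder, assumption
LAN_A="192.168.16.0/24"; LAN_B="192.168.17.0/24"

# Aggressive mode sends the PSK-derived hash before anything is encrypted, so a
# sniffer can run an offline dictionary attack on it.  Generate the key; never
# invent one.  32 random bytes, base64-encoded (44 characters).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Site A (static WAN IP, behind the DG834): right=%any accepts a peer from any
# source address; the peer is matched on rightid, which is why aggrmode is
# needed (in main mode the PSK would have to be found by a not-yet-known IP).
# dpdaction=clear drops the stale SA when site B's dynamic address changes.
write_site_a() {   # $1 = output dir, $2 = PSK
    mkdir -p "$1"
    cat >"$1/ipsec.conf" <<EOF
config setup
    nat_traversal=yes

conn siteB
    type=tunnel
    authby=secret
    aggrmode=yes
    ike=aes256-sha1;modp2048
    esp=aes256-sha1
    pfs=yes
    left=%defaultroute
    leftid=@siteA
    leftsubnet=$LAN_A
    right=%any
    rightid=@siteB
    rightsubnet=$LAN_B
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
EOF
    printf '@siteA @siteB : PSK "%s"\n' "$2" >"$1/ipsec.secrets"
    chmod 600 "$1/ipsec.secrets"
}

# Site B (dynamic WAN IP): always the initiator, re-initiates via DPD restart.
write_site_b() {   # $1 = output dir, $2 = PSK
    mkdir -p "$1"
    cat >"$1/ipsec.conf" <<EOF
config setup
    nat_traversal=yes

conn siteA
    type=tunnel
    authby=secret
    aggrmode=yes
    ike=aes256-sha1;modp2048
    esp=aes256-sha1
    pfs=yes
    left=%defaultroute
    leftid=@siteB
    leftsubnet=$LAN_B
    right=$SITE_A_WAN_IP
    rightid=@siteA
    rightsubnet=$LAN_A
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
EOF
    printf '@siteB @siteA : PSK "%s"\n' "$2" >"$1/ipsec.secrets"
    chmod 600 "$1/ipsec.secrets"
}

# Run as root on the real boxes: "./ipsec-sites.sh site-a" / "site-b" with PSK set.
# Both sites are behind NAT, so ESP only passes inside NAT-T (UDP 4500); site A's
# DG834 must forward UDP 500 and 4500 to the Linux box, and the box must route.
case "${1:-}" in
    site-a) write_site_a /etc "${PSK:?set PSK to the shared key (gen_psk)}"
            sysctl -w net.ipv4.ip_forward=1 ;;
    site-b) write_site_b /etc "${PSK:?set PSK to the shared key (gen_psk)}"
            sysctl -w net.ipv4.ip_forward=1 ;;
esac
```

Generate the key once on one site (`PSK=$(sh ipsec-sites.sh; gen_psk)` or simply call `gen_psk` from an interactive shell), then type it into the other side's `PSK`; the IDs in `ipsec.secrets` must match `leftid`/`rightid` exactly, since that is how site A selects the key for an unknown source address.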

Re: Intersite VPN

on 03.10.2007 00:13:01 by Bryhhh

On 30 Sep, 08:30, Christophe Vandeplas
wrote:
> Bryhhh wrote:
> > I have two sites that sit behind NATted DSL routers (Netgear DG834),
> > and I want to link the two networks together.
>
> > Background info:
>
> > Site A (Main office)
> > ====================
> > We have full control over the infrastructure, the DSL link has a
> > static WAN IP address.
>
> > Site B (Remote office)
> > ======================
> > Long story, but the DSL router isn't ours, we have no physical access
> > to it, however we do have exclusive use of this device and we have
> > admin access to the router. We don't own the phone line, or the
> > broadband connection, so we are limited as to what we can do. The DSL
> > link has a dynamic WAN IP address, this can't be changed.
>
> > I'm open to using either hardware or software (open source or
> > commercial) to accomplish this, however the devices on site B must be
> > able to seamlessly connect to the site A network.
>
> > I'm considering putting a Linux box at site A to act as a PPTP VPN
> > server (using port forwarding from the DSL router), with a Linux box
> > at site B to act as the gateway to route the traffic to site A via the
> > PPTP tunnel.
>
> > Does this sound like the right way forward?
>
> If you are considering making a secure tunnel between the two sites, I
> recommend that you use protocols like IPsec, SSL-VPN or L2TP (the successor
> of PPTP).
>
> PPTP has had its security issues, and the Windows implementation still has
> some problems with packets getting out of the tunnel for obscure reasons.
> (No clue if the Linux implementation has the same problem.)
>
> Depending on your knowledge of Linux (or other operating systems) you
> have to decide how to build this tunnel.
> Software: on Linux, Windows, ...
> or hardware: dedicated boxes or firewalls with VPN functionality built in.
>
> This choice should be made based on the time and knowledge you have. It
> might be more expensive to do it with a Linux box than with a cheap
> firewall (with easy config and maintenance).
>
> Does your current firewall support VPNs?
> Linux: Openswan (IPsec), OpenVPN (SSL VPN)
> Hardware: many solutions exist; for small sites brands like Fortinet are
> a good choice as they are fairly cheap. Higher-end firewalls like Check
> Point, Netscreen and ASA also support this, of course.
>
> It's a good idea to check the Wikipedia pages concerning the different
> technologies.
> http://en.wikipedia.org/wiki/Virtual_private_network
> http://en.wikipedia.org/wiki/Pptp
> http://en.wikipedia.org/wiki/IPsec
> http://en.wikipedia.org/wiki/Transport_Layer_Security
>
> Personally I prefer using IPsec for site-to-site tunnels.
> With IPsec it's fairly simple to use dynamic tunnels.
> On site B you just configure the tunnel to site A and enable aggressive
> mode. On site A you need to configure the tunnel as dynamic (accept IP
> 0.0.0.0/0). It's a good idea to choose strong shared keys; you only have
> to type them once... so...
> The configuration depends on the chosen solution, of course.
>
> Hope this helps.
>
> --
> mailto:christo...@vandeplas.com
> http://christophe.vandeplas.com

Many thanks. I've been playing with OpenVPN running on a pair of Linux
boxes, mainly because I happen to have a Linux box at each site.
Unfortunately my networking skills are the part that is letting me
down!

If site A uses 192.168.16.0/24 and site B uses 192.168.17.0/24 and I
want to create a routed VPN between the two, do both endpoints of the
tunnel need to be on a third (virtual) subnet?

e.g. (Apologies for poor ASCII art)

          +--------------------+                   +--------------------+
SITE A -- | 192.168.16.2       |     INTERNET      |       192.168.17.2 | -- SITE B
NETWORK   | Site A Server      |                   |      Site B Server |    NETWORK
          | 192.168.18.1       | == VPN TUNNEL ==  |       192.168.18.2 |
          +--------------------+                   +--------------------+

In reality each server would be connected to a DSL router (192.168.16.1 or
192.168.17.1 respectively) on the same subnet as all the other network
devices, with port forwarding set up for OpenVPN between the DSL router
and the server.

Many thanks
Bry.

Re: Intersite VPN

on 03.10.2007 00:17:57 by Bryhhh

On 2 Oct, 23:13, Bryhhh wrote:
> On 30 Sep, 08:30, Christophe Vandeplas
> wrote:
>
>
>
> > Bryhhh wrote:
> > > I have two sites that sit behind NATted DSL routers (Netgear DG834),
> > > and I want to link the two networks together.
>
> > > Background info:
>
> > > Site A (Main office)
> > > ====================
> > > We have full control over the infrastructure, the DSL link has a
> > > static WAN IP address.
>
> > > Site B (Remote office)
> > > ======================
> > > Long story, but the DSL router isn't ours, we have no physical access
> > > to it, however we do have exclusive use of this device and we have
> > > admin access to the router. We don't own the phone line, or the
> > > broadband connection, so we are limited as to what we can do. The DSL
> > > link has a dynamic WAN IP address, this can't be changed.
>
> > > I'm open to using either hardware or software (open source or
> > > commercial) to accomplish this, however the devices on site B must be
> > > able to seamlessly connect to the site A network.
>
> > > I'm considering putting a Linux box at site A to act as a PPTP VPN
> > > server (using port forwarding from the DSL router), with a Linux box
> > > at site B to act as the gateway to route the traffic to site A via the
> > > PPTP tunnel.
>
> > > Does this sound like the right way forward?
>
> > If you are considering making a secure tunnel between the two sites, I
> > recommend that you use protocols like IPsec, SSL-VPN or L2TP (the successor
> > of PPTP).
>
> > PPTP has had its security issues, and the Windows implementation still has
> > some problems with packets getting out of the tunnel for obscure reasons.
> > (No clue if the Linux implementation has the same problem.)
>
> > Depending on your knowledge of Linux (or other operating systems) you
> > have to decide how to build this tunnel.
> > Software: on Linux, Windows, ...
> > or hardware: dedicated boxes or firewalls with VPN functionality built in.
>
> > This choice should be made based on the time and knowledge you have. It
> > might be more expensive to do it with a Linux box than with a cheap
> > firewall (with easy config and maintenance).
>
> > Does your current firewall support VPNs?
> > Linux: Openswan (IPsec), OpenVPN (SSL VPN)
> > Hardware: many solutions exist; for small sites brands like Fortinet are
> > a good choice as they are fairly cheap. Higher-end firewalls like Check
> > Point, Netscreen and ASA also support this, of course.
>
> > It's a good idea to check the Wikipedia pages concerning the different
> > technologies. http://en.wikipedia.org/wiki/Virtual_private_network http://en.wikiped...
>
> > Personally I prefer using IPsec for site-to-site tunnels.
> > With IPsec it's fairly simple to use dynamic tunnels.
> > On site B you just configure the tunnel to site A and enable aggressive
> > mode. On site A you need to configure the tunnel as dynamic (accept IP
> > 0.0.0.0/0). It's a good idea to choose strong shared keys; you only have
> > to type them once... so...
> > The configuration depends on the chosen solution, of course.
>
> > Hope this helps.
>
> > --
> > mailto:christo...@vandeplas.com http://christophe.vandeplas.com
>
> Many thanks. I've been playing with OpenVPN running on a pair of Linux
> boxes, mainly because I happen to have a Linux box at each site.
> Unfortunately my networking skills are the part that is letting me
> down!
>
> If site A uses 192.168.16.0/24 and site B uses 192.168.17.0/24 and I
> want to create a routed VPN between the two, do both endpoints of the
> tunnel need to be on a third (virtual) subnet?
>
> e.g. (Apologies for poor ASCII art)
>
>           +--------------------+                   +--------------------+
> SITE A -- | 192.168.16.2       |     INTERNET      |       192.168.17.2 | -- SITE B
> NETWORK   | Site A Server      |                   |      Site B Server |    NETWORK
>           | 192.168.18.1       | == VPN TUNNEL ==  |       192.168.18.2 |
>           +--------------------+                   +--------------------+
>
> In reality each server would be connected to a DSL router (192.168.16.1 or
> 192.168.17.1 respectively) on the same subnet as all the other network
> devices, with port forwarding set up for OpenVPN between the DSL router
> and the server.
>
> Many thanks
> Bry.

Or, would the site B server be presented with an interface on
192.168.16.0/24, and the site B server be left to deal with routing
between the two? If this were the case though, how would I route back
in the other direction? Surely the site A server must have a virtual
interface of some description too?

Re: Intersite VPN

on 03.10.2007 21:37:20 by Christophe Vandeplas

Bryhhh wrote:

> Or, would the site B server be presented with an interface on
> 192.168.16.0/24, and the site B server be left to deal with routing
> between the two? If this were the case though, how would I route back
> in the other direction? Surely the site A server must have a virtual
> interface of some description too?

Usually we use IPsec tunnels between sites. With an IPsec tunnel you
don't need that .18 network. I'm not a site-to-site SSL-VPN
expert, but I have configured client SSL-VPNs in the not too
distant past.
Depending on your distro you will have more or fewer tutorials with
installation and configuration instructions.
Don't forget you'll have to generate SSL certificates for both sides
(self-signed is perfect).

btw: You'll probably want a routed tunnel.

A good place to start is: http://openvpn.net/howto.html
Also look at your favorite encyclopedia: http://en.wikipedia.org/wiki/OpenVPN

But remember this: the advantage of OpenVPN is that you can do many, many
things with it. And the disadvantage of OpenVPN is that you can do many,
many things with it.

You'll probably really understand this after playing with it for a few
hours while digging the net for good tutorials.


--
mailto:christophe@vandeplas.com
http://christophe.vandeplas.com
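The routed OpenVPN site-to-site setup the last two posts are circling, as an added example (it is not from the thread and not the OpenVPN project's own files). It answers the question about the third subnet: in routed (tun) mode both tunnel endpoints do sit on a tunnel-only subnet, 192.168.18.0/24 here as in the diagram, and each LAN becomes reachable through a route over it; the return direction needs two directives on the server (`route` and `iroute`), which is the part that usually goes wrong. Assumed: certificate names siteA and siteB (the ccd file name must equal the client certificate's CN), a tls-auth key file ta.key, the placeholder 203.0.113.10 for site A's static WAN IP, each Linux box being the .2 host on its LAN with the DG834 at .1, and eth0 as the LAN interface.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project: routed (tun)
# site-to-site OpenVPN.  Assumptions: cert names siteA/siteB, ta.key,
# placeholder SITE_A_WAN_IP (TEST-NET-3), Linux boxes at .2, DG834 at .1, eth0.
set -eu

TUN_NET="192.168.18.0"; LAN_A="192.168.16.0"; LAN_B="192.168.17.0"
MASK="255.255.255.0"
SITE_A_WAN_IP="${SITE_A_WAN_IP:-203.0.113.10}"   # placeholder, assumption
CLIENT_CN="siteB"   # CN in siteB.crt; OpenVPN reads ccd/<CN> for that client

# Site A: server.  Two directives carry the site-to-site routing, both required:
#   route   - kernel route for site B's LAN into tun0, so packets reach OpenVPN
#   iroute  - in ccd/siteB, tells OpenVPN which client owns that LAN
# Leaving one out gives the classic "traffic works one way only" symptom.
write_server_conf() {   # $1 = output dir
    mkdir -p "$1/ccd"
    cat >"$1/server.conf" <<EOF
dev tun
proto udp
port 1194
server $TUN_NET $MASK
ca ca.crt
cert siteA.crt
key siteA.key
dh dh2048.pem
tls-auth ta.key 0
client-config-dir ccd
route $LAN_B $MASK
push "route $LAN_A $MASK"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
EOF
    printf 'iroute %s %s\n' "$LAN_B" "$MASK" >"$1/ccd/$CLIENT_CN"
}

# Site B: client.  The dynamic WAN IP does not matter: the client dials out to
# site A's static address, and the pushed route makes 192.168.16.0/24 reachable.
# remote-cert-tls stops another client cert from impersonating the server
# (on OpenVPN 2.0 the equivalent directive was ns-cert-type server).
write_client_conf() {   # $1 = output dir
    mkdir -p "$1"
    cat >"$1/client.conf" <<EOF
client
dev tun
proto udp
remote $SITE_A_WAN_IP 1194
nobind
ca ca.crt
cert siteB.crt
key siteB.key
tls-auth ta.key 1
remote-cert-tls server
persist-key
persist-tun
EOF
}

# Check: every LAN claimed by an iroute must also have a kernel 'route' line in
# server.conf.  Prints the missing line and returns non-zero otherwise.
check_iroutes_have_routes() {   # $1 = config dir
    rc=0
    for f in "$1"/ccd/*; do
        while read -r kw net mask; do
            [ "$kw" = "iroute" ] || continue
            grep -q "^route $net $mask\$" "$1/server.conf" \
                || { echo "server.conf lacks: route $net $mask" >&2; rc=1; }
        done <"$f"
    done
    return "$rc"
}

# What the config files cannot do for you (run as root on the real gateway).
# LAN hosts send remote-LAN traffic to the DG834 (.1) by default, so either add
# a static route on the DG834 for 192.168.$2.0/24 via 192.168.$1.2, or on each
# host: ip route add 192.168.$2.0/24 via 192.168.$1.2.  If neither is possible,
# MASQ=1 masquerades the remote LAN behind this box, losing the real source IP.
apply_gateway() {   # $1 = local LAN third octet, $2 = remote LAN third octet
    sysctl -w net.ipv4.ip_forward=1
    if [ "${MASQ:-0}" = 1 ]; then
        iptables -t nat -A POSTROUTING -s "192.168.$2.0/24" -o eth0 -j MASQUERADE
    fi
}
# Site A's DG834 additionally needs UDP 1194 forwarded to 192.168.16.2.

case "${1:-}" in
    site-a) write_server_conf /etc/openvpn; check_iroutes_have_routes /etc/openvpn
            apply_gateway 16 17 ;;
    site-b) write_client_conf /etc/openvpn; apply_gateway 17 16 ;;
esac
```

Hosts at site A reach site B via the route on their gateway (or their own route table) to 192.168.16.2, which forwards into tun0 because of `route`, and OpenVPN then picks the siteB client because of `iroute`; hosts at site B reach site A through 192.168.17.2, which learned 192.168.16.0/24 from the pushed route. The 192.168.18.x addresses are only ever next hops, so no device outside the two gateways needs to know about them.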