venkataramanaiahsr
asked on
Establishing site to site VPN connectivity between HO and Branch through Linux
I have two locations (HO and Branch). At both places I have taken 2 Mbps ADSL broadband. I have a static IP
at both the places. I need to establish a site-to-site VPN so that users can access the resources either way,
but due to budget constraints (less than 1000 US dollars) I cannot go with an ideal solution like going for Cisco integrated routers.
One of the vendors has suggested doing this connectivity through Linux as it comes with an inbuilt firewall and
proxy server and there is no licensing cost. All we need to do is buy 2 systems with dual ethernet cards, which would cost us 500 US dollars, plus his configuration charges of around 250 US dollars. This whole thing fits very well into our budget.
I want experts' advice on whether this workaround solution gives an acceptable level of performance.
venkat
I recommend OpenVPN (on XP or above, or Linux). It's free, and you won't need a load of knowledge when using the supplied configuration examples.
ASKER
hi Qlemo
Can you suggest the method of how to go about this? We are comfortable with Windows; if it can be installed on XP or above it is all the more easy. We have already got the necessary hardware (2 systems).
Also the advantages and disadvantages of the same.
I request an early help in this regard.
Download OpenVPN from http://openvpn.net/download.html, I recommend 2.1 RC4 version.
Install OpenVPN as a service on both XP boxes
Enable routing by changing registry key:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter=DWORD:1
Rename created LAN connection in your network properties to "OpenVPN" or something, if you like
For a quick start, I chose a direct link (aka point-to-point connection) using a preshared key. Later, you might change this to certificates, which can be generated with the included easy-rsa package.
Therefore, create a config file, e.g. "site-1.ovpn", in the "config" folder, containing:
dev tun
proto udp
remote site-1.ath.cx 1194
ifconfig 192.168.254.253 192.168.254.254
secret ..\\keys\\static-key.txt
resolv-retry infinite
comp-lzo
persist-key
persist-tun
verb 3
Copy it to "site-2.ovpn", and change the following two lines:
remote site-2.ath.cx 1194
ifconfig 192.168.254.254 192.168.254.253
Of course, the remote addresses must be adapted to your set up ... On each XP box one of those files must be placed in the "config" folder; the file name does not matter. That way, it is used automatically when the OpenVPN service is started.
Additionally you need the same (!) file "key\static-key.txt" on both sites. This file has to be generated, either by selecting the "Generate Key" option in the start menu, or by running openvpn --genkey --secret static-key.txt.
If your firewalls allow traffic on the used port (1194/udp), the connection is ready to be established. For test purposes, you might want to double click on the .ovpn files to start connecting, so you have a console window to look at what happens. With the service, you should log to files (see manual and samples).
One site will appear as 192.168.254.253, the other as 192.168.254.254. You should be able to use those addresses to ping, make a drive connection, RDP or whatever to the XP boxes which run OpenVPN. The network will not be reachable, since other boxes do not know how to forward traffic.
So, the last step is to define a static route to the other site on each box, with the OpenVPN box as gateway:
route -p add 192.168.254.254 192.168.1.1 (if this is your OpenVPN box on this (!) site).
Much better: define your XP box as default gateway, or put the above route to your existing default gateway.
Hope that was detailed enough. Don't worry, it's easier than it sounds :-)
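The answer above hinges on two files that must mirror each other (only the "remote" and "ifconfig" lines swap) and one key file that must be byte-identical on both sites. The script below is an added example, not code from the thread or from OpenVPN: it renders both configs in the shape Qlemo posted, parses them back and reports every way they fail to mirror each other (including the common mistake of copying the file without editing the two lines), and compares the pre-shared key across sites by SHA-256 fingerprint so the key itself never has to be sent around again just to check it. The hostnames, tunnel addresses and port are the thread's; the sample key text is a constructed stand-in, not a real OpenVPN key.

```python
"""Added example (not from the thread): render, cross-check and
key-fingerprint the two static-key OpenVPN site configs described above."""
import hashlib

# Tunnel endpoints and UDP port exactly as given in the answer.
SITE1_TUN, SITE2_TUN, PORT = "192.168.254.253", "192.168.254.254", 1194


def render_config(local_tun, remote_tun, remote_host, port=PORT):
    """One side's .ovpn in the shape posted above: a static-key
    point-to-point link where only 'remote' and 'ifconfig' differ per site."""
    lines = [
        "dev tun",
        "proto udp",
        f"remote {remote_host} {port}",
        f"ifconfig {local_tun} {remote_tun}",
        r"secret ..\\keys\\static-key.txt",
        "resolv-retry infinite",
        "comp-lzo",
        "persist-key",
        "persist-tun",
        "verb 3",
    ]
    return "\n".join(lines) + "\n"


def parse_config(text):
    """Map each directive to its argument list; '#' and ';' comments and
    blank lines are skipped.  A repeated directive overwrites the earlier
    one, which is enough for the single-valued directives used here."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            cfg[key] = args
    return cfg


def check_pair(text_a, text_b):
    """List every way the two sides fail to mirror each other; [] means OK."""
    a, b = parse_config(text_a), parse_config(text_b)
    problems = []
    for key in ("dev", "proto", "secret"):        # these must be identical
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    if len(a.get("ifconfig", [])) != 2 or len(b.get("ifconfig", [])) != 2:
        problems.append("ifconfig missing or malformed on one side")
    else:
        la, ra = a["ifconfig"]
        lb, rb = b["ifconfig"]
        if (la, ra) != (rb, lb):                  # one of the two swapped lines
            problems.append(f"ifconfig not mirrored: {la}->{ra} vs {lb}->{rb}")
    if not a.get("remote") or not b.get("remote"):
        problems.append("remote missing on one side")
    else:
        ha, *pa = a["remote"]
        hb, *pb = b["remote"]
        if ha == hb:                              # the other swapped line
            problems.append(f"both sides point at the same remote host {ha}")
        if (pa or ["1194"]) != (pb or ["1194"]):  # 1194 is OpenVPN's default
            problems.append("remote ports differ")
    return problems


def key_fingerprint(key_text):
    """SHA-256 over the key with line endings normalised, so a copy that
    picked up CRLF on the XP side still matches the original."""
    normalised = "\n".join(key_text.splitlines())
    return hashlib.sha256(normalised.encode()).hexdigest()


def keys_match(key_a, key_b):
    """True when both sites hold the same static key (compare fingerprints
    read off each box instead of shipping the key again)."""
    return key_fingerprint(key_a) == key_fingerprint(key_b)


# Constructed stand-in for static-key.txt; NOT a real OpenVPN key.
SAMPLE_KEY = ("-----BEGIN OpenVPN Static key V1-----\n"
              "00112233445566778899aabbccddeeff\n"
              "-----END OpenVPN Static key V1-----\n")

if __name__ == "__main__":
    file_a = render_config(SITE1_TUN, SITE2_TUN, "site-1.ath.cx")
    file_b = render_config(SITE2_TUN, SITE1_TUN, "site-2.ath.cx")
    print("mirrored pair:", check_pair(file_a, file_b) or "OK")
    # The classic mistake: copying the file without changing the two lines.
    print("unchanged copy:", check_pair(file_a, file_a))
    print("keys match:", keys_match(SAMPLE_KEY, SAMPLE_KEY.replace("\n", "\r\n")))
```

Run it once with the two real files pasted in place of the rendered ones; an empty problem list plus matching fingerprints means the only things left to check are the 1194/udp firewall rule and the static routes.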
ASKER
Dear Qlemo
Thanks for your detailed explanation. I have one more clarification. I request your answer so that
we can go ahead and try the above solution.
I have a hardware router/firewall (D-Link DI-524) at either end. Each router is configured with a static IP on the public side and an internal IP, and this internal IP is given as the gateway on all the internal machines wherever the internet needs to be accessed.
Now, to set up the above scenario for OpenVPN connectivity between the two sites, can I retain the router or do I have to remove the DI-524 router at both ends?
We could establish RDP connectivity across the two locations through RDP port forwarding in the DI-524 to some internal IP address system. To do this through VPN connectivity, is the above solution the only option?
You do not need to change anything with your configuration, besides opening port 1194/udp in each DLink (outgoing), if it is blocked. And put a route to your internal OpenVPN server in each DLink.
For RDP, you can implement a public-ip:port scenario where each port is forwarded to one client's RDP port. Even better, using OpenVPN, you can RDP directly to internal addresses, and traffic is encrypted.
ASKER
"For RDP, you can implement a public-ip:port scenario where each port is forwarded to one client's RDP port. Even better, using OpenVPN, you can RDP directly to internal addresses, and traffic is encrypted."
Can you explain in detail what it means and how to set it up
I think I do not get your intention here. Either you use VPN to have all network resources at your fingertips, or you use RDP with port forwarding to have RDP access from internet.
I recommend using OpenVPN, and RDP with internal addresses thru the VPN tunnel.
ASKER
I would definitely like to use a VPN tunnel to access network resources. If I am not wrong, what you are
suggesting is to establish a VPN tunnel between the two locations using OpenVPN and then use internal addresses through RDP for accessing internal resources.
Yessir!
ASKER
I have installed Win XP on 2 new systems with 2 network adapters. I have installed OpenVPN. I am unable to configure the VPN. How do I do the configuration? Can anyone please tell me in detail.
Have a look at my "proposed solution" given earlier. Important point: There may be ONE .ovpn file only on each client.
If you cannot get further, tell us in more detail what your problem is.
ASKER
I have installed Win XP on 2 systems with 2 network adapters.
I have installed the OpenVPN software on both the systems.
Then I have configured network adapter 1 of system A with a class B IP address, and configured network adapter 1 of system B with a class B IP address. Both the systems are in the same IP range but their default gateways are different.
I have created site.ovpn files on both the systems and generated a key on both the systems.
What do I do next?
Please give exact figures about the configuration:
* IP subnet of LAN A
* IP subnet of LAN B
* why two NICs?
* why same IP subnet for system A and system B?
ASKER
Let me tell you my present set up in
site A (HO)
We have two internet connections and two static IPs for redundancy at HO.
Each static IP is configured on one of two D-Link routers in the following manner,
and hence we have two gateways.
The D-Link router is configured with the static IP on the WAN settings and, on the LAN settings, with an internal IP in the 128.128.x.x series (we are shortly changing the IP range to a private IP addressing scheme). This LAN settings IP address we have given as the default gateway on LAN systems wherever people are accessing the
internet.
Site B (Branch)
The D-Link router is configured with the static IP on the WAN settings and, on the LAN settings, with an internal IP in the 192.168.x.x series. This LAN settings IP address we have given as the default gateway on LAN systems wherever people are accessing the internet.
We need to establish VPN connectivity between HO and Branch.
We have got two systems with XP SP2 loaded. We just wanted to configure everything on both the systems and test the VPN connectivity before we move one of the systems to the branch.
Hence we have loaded the OpenVPN software on both the systems and put the two systems on the same subnet but with different default gateways.
In an earlier explanation you said I do not have to disturb my router setup.
Please let me know whether this set up works and, if not, give me an alternate solution to test this connectivity
at HO in the above setup at HO (i.e. two separate broadband internet connections with two static IPs
and hence two different default gateways).
I am really thankful for your patience and help and expect an early answer to this
in HO before we
I'll analyze that info and return later, I'm on heavy work here at the moment.
ASKER
Hi Qlemo
Any Updates on this
ASKER CERTIFIED SOLUTION
ASKER
Sorry for the delay in accepting your solution. I really appreciate your valuable feedback on this matter.
But for the time being we are going with a Win2000 VPN server and Terminal Services, as myself and my team
are familiar with the Microsoft environment, and it has to be set up immediately. Once it is up and running
I will try this.
Once again I thank you very much for your patience in sharing the knowledge.
Be careful on that and make sure you obtain a "statement of work" from the vendor if this is the route that you decide to go, one that states it will (without the purchase of additional hardware, i.e. a VPN concentrator) give you the VPN capability, as well as firewall and proxy functions.