
OpenVPN Site to Site Connection

Posted on 2008-06-10
Last Modified: 2010-05-18
Hello Experts,

We have 3 LANs in different locations that we want to connect into a WAN via OpenVPN. Connecting them through Cisco routers isn't an option because on 2 of the LANs we have NO control over the networking equipment (let's call those sites B & C), i.e. we can't open ports on them or configure any routing.
This leaves OpenVPN as our only choice. We would like to host our OpenVPN server (Windows-based) in Site A and have sites B & C connect to A as clients. All the hosts in sites A, B & C can ping each other without having the OpenVPN client installed individually, except the 3 computers that act as server and clients at sites A, B & C respectively.

My question is, is it even technically possible to implement such thing under the above-mentioned constraints? If so then what would the configurations be like?

As of this point, I am able to configure a host-to-site, a.k.a. RoadWarrior, configuration that allows clients (but not hosts that don't have OpenVPN clients configured) on B & C to ping all the hosts on A, but not vice versa. Thank you in advance to all the experts for any input.

Alex
Question by:jayglass
 

Expert Comment

by:Rob Williams
If you have "NO control over the networking equipment" you cannot configure a site to site VPN. I haven't used OpenVPN but most VPN solutions require the VPN server to have a public IP. Therefore you need to have the VPN server as the perimeter device, configure 1-to-1 NAT on the existing router, or at a minimum (assuming the VPN solution supports NAT-T) configure port forwarding on the routers at each site. It sounds as if none of these is possible.
 

Author Comment

by:jayglass
We only have control over the network equipment at the site that we host the OpenVPN server. I am thinking if I could configure 2 clients on each site that we have no control over the equipment to bridge all 3 LANs together.

I always think that in OpenVPN (or any other VPN software), each server/client is acting as a router at each end of the bridge to route packets to hosts. All the packets are encapsulated with the VPN headers with routing information that routes them to the OpenVPN server/client through each default gateway, and the OpenVPN server/client would route them to the intended host after decapsulating the VPN headers, so as long as the client/server has the right OpenVPN configuration and routing table, packets will go to any host on each LAN as long as the physical routers allow traffic of IPSec, L2TP, PPTP. Please correct me if I am wrong though.
 

Author Comment

by:jayglass
We do have a public IP for the OpenVPN server, just not on the clients that are intended to bridge the LANs with the OpenVPN server.
 

Expert Comment

by:Rob Williams
Are you using a VPN client at the remote site? That may work, but it is highly doubtful you can configure site-to-site. The VPN configuration uses the public IP to verify the connection.
 

Author Comment

by:jayglass
We are using a VPN client on the site where we have no control over the router. The OpenVPN server is at the site where we have control over the router, and we can connect to all the hosts in that LAN from whatever computer has the client installed, from whatever network.

I've been messing with the configuration until I finally wondered if that's even possible using Windows-based computers as server/clients under the constraint of not having control over the clients' side network equipment.
 

Expert Comment

by:Rob Williams
If the VPN client can connect you should be able to access other devices on either network, but you will need to add static routes.
Can the VPN clients connect? They will only be able to do so if the OpenVPN server supports NAT-T (Network Address Translation Traversal).
 

Accepted Solution

by:m_adamczyk
While this issue is old, it still remains open. I hope the info below is helpful.

I have configured a few networks using OpenVPN in both bridging and routing scenarios using permanent connections and user-initiated connections (RoadWarrior?). What I understand you're trying to do is connect sites A, B, & C as B-to-A and C-to-A connections so computers on either end of the connection may ping each other.

In my experience, a properly configured OpenVPN server config file and firewall should accomplish this. I think your key solution will be found on whatever device is acting as OpenVPN server at site A. First, ensure that in the OpenVPN server config, client-to-client is enabled; this enables different VPN clients to see each other when connected. Also make sure you have a PUSH "route lan.ip.address.pool sub.net.ma.sk" command. If you are able to ping all Site A computers from a connected computer at Site B or C, then the above steps are likely already in place.

The tricky part is in setting firewall commands on the server device. My experience is with Linux embedded routers (aka BusyBox) using the IPTABLES command. One key setting in the firewall is:
iptables -I FORWARD -i tun+ -j ACCEPT
This line instructs the router to pass along any outgoing traffic destined for VPN clients.

I also have the following line, but I don't think you'll need it:
iptables -t nat -A PREROUTING -i vlan1 -p udp --dport 1194 -j DNAT --to-destination $4:1194

You do not need control of the networking devices at sites B & C to be successful. If you have more than one computer at sites B & C, then you may want to consider establishing the connection to Site A using 1 computer and then share that connection with other computers at that site.

Good luck.
 

Author Comment

by:jayglass
So let's say that I am on a Windows Server environment... and it goes back to the infrastructure aspect.
What I need to do is to establish the server in LAN B or C as a DHCP server that all workstations connect to via a switch, have the switch connect only to that Windows Server on NIC1, and then connect the server's NIC2 to the router.
So now all the traffic of workstations @ LAN B would be routed to the Windows Server @ LAN B first, and the traffic meant for the other side (LAN A) would be encapsulated in an OpenVPN packet, decapsulated by the OpenVPN server on the other side and routed on to LAN A.
Is my concept correct?
 

Expert Comment

by:Rob Williams
The server at site B would need to be configured to also be a VPN server (rather than a client) and you then create a site to site VPN between the two servers. This would be more easily achieved if the servers at each site were running OpenVPN, or Windows and not mixing the two.

The other option, as m_adamczyk suggests, is to use a workstation or server running the VPN client and then share that connection using ICS (Internet Connection Sharing), though it would not be my preferred method.
 

Assisted Solution

by:m_adamczyk
jayglass, I want to say your concept is 90% correct. I DON'T think you MUST connect all LAN B PCs to Server B NIC 1 via a switch and then bridge via NIC 2. Infrastructure-wise, if you configure Windows Server B as the local DHCP server, you can designate it as something of a proxy server (I don't think that's the right term in this case) for connections to the other LANs.

So rather than route all traffic through Server B, just disseminate routing information to all client PCs that traffic for the internet can go through your regular router, while traffic to one of the other LANs must go through Server B (which will in turn encrypt said comm, send it back on NIC1 through the router to LAN A). I'm not sure if it's Active Directory or DHCP that will accomplish this for you. This doc talks about routing tables but not specifically about disseminating them to client machines: http://www.tech-faq.com/windows-routing-table.shtml

While a workstation running ICS is not necessarily preferred, I disagree about not mixing Windows and OpenVPN. I consider OpenVPN a legitimate add-on like one would run Apache or SSH, and one cannot run ONLY OpenVPN as it isn't an operating system. HOWEVER, loading your server to run email, file/print sharing, VPN connections, and let's say a Database, would be one heck of a busy, overloaded server. As for not wanting to use ICS, ICS is reserved more for workstations (think peer-to-peer networks) where a server is intended to handle more robust network communications.
 
Either way, first determine if you want the VPN to bridge or route the connections. Find out the differences here: http://openvpn.net/index.php/documentation/faq.html#bridge2

Next, whatever you decide, OpenVPN uses distinct Server or Client config files to do what's intended. The service either listens for (acts as Server) or initiates (acts as Client) connections. You can run multiple instances of OpenVPN on a single machine thereby doing both (listening and initiating connections). Also, OpenVPN in server mode may listen for several connections on multiple inbound ports.

But back to your specific situation, assume the following:
Site A IP: 172.16.1.x/24
Site B IP: 172.16.2.x/24
Site C IP: 172.16.3.x/24

If your router at each end is x.x.x.1, and your server at each is x.x.x.10 then you'd have Site B's Server run OpenVPN in client mode to connect to the PUBLIC IP address of Site A, and the router there will route the connection to the Server running OpenVPN in server mode. Site C will be configured ALMOST exactly as Site B's server EXCEPT you'll have to use a different key (same Cert Authority) and a different port number. Site A's Server will likely be the trickiest regarding proper routing tables configuration.

I suggest going through the basic step-by-step tutorials provided by OpenVPN and FIRST establishing a routed VPN connection from Site B to Site A. Then configure a second and simultaneous routed VPN connection from Site C to Site A. If configured properly, you should be able to ping reciprocally from A to B, B to A, A to C, C to A... at this point try to work out pinging B to C and C to B via A. It will all be in the firewall & routing tables, assuming the client-to-client option is enabled in OpenVPN.

For best troubleshooting, DO NOT run OpenVPN as a Daemon/Service at first. Run it from the command line so you see any messages/errors in realtime rather than digging through logs. Once it's running correctly, then switch to Daemon/Service.

I hope this gets you closer to your final goal. Please write if more questions come up. Just try to go through the tutorials (in complete detail) before improvising your own configs.

Cheers!
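The routed hub-and-spoke layout that m_adamczyk's accepted answer (client-to-client, a pushed route, a FORWARD rule for tun+) and his later post's addressing (A 172.16.1.0/24, B 172.16.2.0/24, C 172.16.3.0/24, routers at .1, OpenVPN hosts at .10) describe, written out as complete configuration. This is an added example and not code from the thread or from the OpenVPN project. It goes one step past what the thread spells out: a pushed route and client-to-client let the OpenVPN host at a spoke reach site A, but for the ordinary hosts behind a spoke to be reachable from A the server also needs a route directive for that LAN plus a per-client iroute in a client-config-dir file, which ties that LAN to the certificate CN of the one client allowed to announce it. Both spokes connect to the same server instance and port here; the certificate CN (the ccd file name) is what distinguishes them. The hostname vpn.sitea.example, the tunnel pool 10.8.0.0/24, the interface eth0, the CNs siteA/siteB/siteC and the file names are assumptions. The iptables part applies only to a Linux hub like m_adamczyk's; the OpenVPN files themselves are the same on a Windows hub, which needs RRAS or IPEnableRouter for the forwarding instead.

```shell
#!/bin/sh
# Added example (not from the thread): routed OpenVPN hub-and-spoke for three LANs.
# Addressing taken from m_adamczyk's post: A 172.16.1.0/24 (hub, public IP),
# B 172.16.2.0/24, C 172.16.3.0/24; the OpenVPN host at each site is x.x.x.10.
set -eu

HUB="vpn.sitea.example"                # assumption: site A's public name or IP
TUNNEL="10.8.0.0 255.255.255.0"        # assumption: pool for the tun point-to-point links
WAN_IF="eth0"                          # assumption: Internet side of a Linux hub
LAN_A="172.16.1.0 255.255.255.0"; CIDR_A="172.16.1.0/24"
LAN_B="172.16.2.0 255.255.255.0"; CIDR_B="172.16.2.0/24"
LAN_C="172.16.3.0 255.255.255.0"; CIDR_C="172.16.3.0/24"

# Hub (site A). One server instance on one UDP port serves both spokes; the
# client certificate CN, matched against a file in ccd/, tells them apart.
server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert siteA.crt
key siteA.key
dh dh2048.pem
tls-auth ta.key 0
remote-cert-tls client
server $TUNNEL
client-config-dir ccd
# kernel routes on the hub: send the spoke LANs into the tunnel
route $LAN_B
route $LAN_C
# every spoke learns the route to A's LAN
push "route $LAN_A"
# B and C reach each other through A; OpenVPN switches that traffic internally
client-to-client
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Per-spoke ccd file, named after that spoke's certificate CN. iroute binds the LAN
# behind the spoke to that identity, so a client holding another cert cannot announce
# this subnet. The push hands this spoke the route to the other spoke's LAN.
ccd_conf() {   # $1 = LAN behind this spoke, $2 = LAN behind the other spoke
    printf 'iroute %s\npush "route %s"\n' "$1" "$2"
}

# Spoke (site B or C): outbound UDP only, nothing to open on the spoke's router.
spoke_conf() {   # $1 = certificate CN, e.g. siteB
    cat <<EOF
client
dev tun
proto udp
remote $HUB 1194
nobind
ca ca.crt
cert $1.crt
key $1.key
tls-auth ta.key 1
remote-cert-tls server
persist-key
persist-tun
verb 3
EOF
}

# Linux hub only (m_adamczyk's iptables case). Narrower than "-i tun+ -j ACCEPT":
# only the site prefixes cross the tunnel, and only to or from A's LAN.
firewall_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i $WAN_IF -p udp --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun+ -s $CIDR_B -d $CIDR_A -j ACCEPT
iptables -A FORWARD -i tun+ -s $CIDR_C -d $CIDR_A -j ACCEPT
iptables -A FORWARD -o tun+ -s $CIDR_A -d $CIDR_B -j ACCEPT
iptables -A FORWARD -o tun+ -s $CIDR_A -d $CIDR_C -j ACCEPT
iptables -A FORWARD -i tun+ -j DROP
iptables -A FORWARD -o tun+ -j DROP
EOF
}

# Write every file under $1: siteA/{server.conf,ccd/siteB,ccd/siteC,firewall.sh},
# siteB/client.conf, siteC/client.conf. Certificates and ta.key come from your CA.
write_all() {
    mkdir -p "$1/siteA/ccd" "$1/siteB" "$1/siteC"
    server_conf > "$1/siteA/server.conf"
    ccd_conf "$LAN_B" "$LAN_C" > "$1/siteA/ccd/siteB"
    ccd_conf "$LAN_C" "$LAN_B" > "$1/siteA/ccd/siteC"
    spoke_conf siteB > "$1/siteB/client.conf"
    spoke_conf siteC > "$1/siteC/client.conf"
    firewall_rules > "$1/siteA/firewall.sh"
}

case "${1:-}" in
    write)    write_all "${2:-./openvpn-s2s}" ;;
    firewall) firewall_rules ;;
esac
```

Run as "sh openvpn-s2s.sh write /etc/openvpn" to emit the files, then start each side in the foreground first ("openvpn --config server.conf"), as the thread advises, before installing it as a service. Two things the configuration cannot do for you: the ordinary hosts at each site need a route to their local OpenVPN machine, and that machine must forward packets. Because the routers at B and C cannot be changed, each host there needs a persistent static route, on a Windows host at site B for instance "route -p add 172.16.1.0 mask 255.255.255.0 172.16.2.10" and the same for 172.16.3.0, or the equivalent DHCP classless static route option; at site A the routes for 172.16.2.0/24 and 172.16.3.0/24 can sit on the router at .1 pointing to .10. Forwarding on the spoke hosts is IPEnableRouter or RRAS on Windows and ip_forward on Linux. Each site gets its own certificate and key from the same CA with a unique CN, the ta.key is shared by all three, and duplicate-cn must stay off, otherwise the iroute binding means nothing. Note that B-to-C traffic never reaches the hub's FORWARD chain: client-to-client makes OpenVPN switch it in user space, so the iptables rules above only govern what enters or leaves A's LAN.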
 

Author Comment

by:jayglass
Thanks m_adamczyk! I currently have all 3 sites (a server & 2 x clients) configured as routing and I am using Windows Server's Routing and Remote Access to route the connections. I am running the VPN server/client on top of DHCP and NAT on each server and have all the clients connected to a 2nd NIC. Now all of them from each LAN can PING each other across the LANs just fine. The problem with it is there's a big single point of failure.

The immediate problem is DNS doesn't seem to be working well. Our clients are running Windows XP and each client is only resolving the DNS names that belong to the same domain as the client itself. We are running Windows Server 2003's DNS server across the board and we have each of the other DNS servers added to the forwarders in the DNS configuration.
 

Assisted Solution

by:m_adamczyk
First, confirm that you can ping across the domains in all directions using IP addresses; if so, you're on the right track. If not, something needs to be changed in the routing tables.

Secondly, I'm pulling here from an example I found elsewhere:
As an example you have company1.local and company2.local

1) On the company1.local Windows server, set up DNS to pull down the company2.local zone file.
2) On the company2.local Windows server, set up DNS to pull down the company1.local zone file.
3) Using DHCP set the dns search domain on all the pcs to have both company1.local and company2.local

So if you were to enter \\company1pc\share the pc would look up company1pc.company1.local and get the correct IP address.
Credit for the example goes to: (http://forums.whirlpool.net.au/forum-replies-archive.cfm/944119.html)

Hope this helps.
