jayglass (United States of America)

OpenVPN Site to Site Connection

Hello Experts,

We have 3 LANs in different locations that we want to connect into a WAN via OpenVPN. Connecting them through Cisco routers isn't an option because on 2 of the LANs we have NO control over the networking equipment (let's call those sites Site B and C), i.e. we can't open ports on them or configure any routing.
This leaves OpenVPN as our only choice. We would like to host our OpenVPN server (Windows based) in Site A and have Sites B and C connect to A as clients. All the hosts in Sites A, B and C can ping each other without having an OpenVPN client installed individually, except for the 3 computers that act as server and clients at Sites A, B and C respectively.

My question is, is it even technically possible to implement such a thing under the above-mentioned constraints? If so, what would the configurations look like?

As of this point, I am able to configure a host-to-site, a.k.a. RoadWarrior, configuration that allows clients (but not hosts that don't have OpenVPN clients configured) on B and C to ping all the hosts on A, but not vice versa. Thank you in advance to all the experts for any input.

Alex
Rob Williams (Canada)

If you have "NO control over the networking equipment" you cannot configure a site to site VPN. I haven't used OpenVPN, but most VPN solutions require the VPN server to have a public IP. Therefore you need to have the VPN server as the perimeter device, configure 1-to-1 NAT on the existing router, or, at a minimum, assuming the VPN solution supports NAT-T, configure port forwarding on the routers at each site. It sounds as if none of these is possible.
jayglass (Asker)

We only have control over the network equipment at the site where we host the OpenVPN server. I am thinking I could configure 2 clients at the sites where we have no control over the equipment to bridge all 3 LANs together.

I always thought that in OpenVPN (or any other VPN software), each server/client acts as a router at its end of the bridge to route packets to hosts. All the packets are encapsulated with VPN headers carrying routing information that routes them to the OpenVPN server/client through each default gateway, and the OpenVPN server/client routes them to the intended host after decapsulating the VPN headers, so as long as the client/server has the right OpenVPN configuration and routing table, packets will reach any host on each LAN as long as the physical routers allow IPSec, L2TP and PPTP traffic. Please correct me if I am wrong though.
We do have a public IP for the OpenVPN server, just not on the clients that are intended to bridge the LANs with the OpenVPN server.
Are you using a VPN client at the remote site? That may work, but it is highly doubtful you can configure site-to-site. The VPN configuration uses the public IP to verify the connection.
We are using a VPN client at the site where we have no control over the router. The OpenVPN server is at the site where we have control over the router, and we can connect to all the hosts in that LAN from whatever computer has the client installed, from whatever network.

I've been messing with the configuration until I finally wondered if that's even possible using Windows-based computers as server/clients under the constraint of not having control over the clients' side network equipment.
If the VPN client can connect you should be able to access other devices on either network, but you will need to add static routes.
Can the VPN clients connect? They will only be able to do so if the OpenVPN server supports NAT-T (Network Address Translation - Traversal).
ASKER CERTIFIED SOLUTION by Martin Adamczyk (United States of America)
So let's say that I am in a Windows Server environment... and it goes back to the infrastructure aspect.
What I need to do is set up the server in LAN B or C as a DHCP server that all workstations connect to via a switch, have the switch connect only to that Windows Server on NIC1, and then connect the server's NIC2 to the router.
So now all the traffic of workstations at LAN B would be routed to the Windows Server at LAN B first, and the traffic meant for the other side (LAN A) would be encapsulated in an OpenVPN packet, decapsulated by the OpenVPN server on the other side and routed on to LAN A.
Is my concept correct?
The server at site B would need to be configured to also be a VPN server (rather than a client), and you then create a site to site VPN between the two servers. This would be more easily achieved if the servers at each site were both running OpenVPN, or both Windows, and not a mix of the two.

The other option, as m_adamczyk mentioned, is to use a workstation or server running the VPN client and then share that connection using ICS (Internet Connection Sharing), though it would not be my preferred method.
SOLUTION
Thanks m_adamczyk! I currently have all 3 sites (a server and 2x clients) configured for routing and I am using Windows Server's Routing and Remote Access to route the connections. I am running the VPN server/client on top of DHCP and NAT on each server and have all the clients connected to a 2nd NIC. Now all of them from each LAN can PING each other across the LANs just fine. The problem with it is that there's a big single point of failure.

The immediate problem is that DNS doesn't seem to be working well. Our clients are running Windows XP and each client is only resolving the DNS names that belong to the same domain as the client itself. We are running Windows Server 2003's DNS server across the board and we have each of the other DNS servers added to the forwarders in the DNS configuration.
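A routed (tun-mode) OpenVPN site-to-site layout matching the design settled on in this thread (server at Site A with the public IP, the two-NIC boxes at B and C dialling out as clients), as an added example that is not from the original thread or any participant; all subnets, hostnames and certificate names are constructed placeholders:

```conf
# --- Site A: server.conf (constructed: LAN A/B/C = 10.1/10.2/10.3.0.0/24) ---
port 1194
proto udp
dev tun
ca ca.crt
cert siteA-server.crt
key siteA-server.key
dh dh.pem
tls-auth ta.key 0              # HMAC on the control channel; unauthenticated packets are dropped
server 10.8.0.0 255.255.255.0  # tunnel address pool
# kernel routes for the remote LANs, pointing into the tunnel interface
route 10.2.0.0 255.255.255.0
route 10.3.0.0 255.255.255.0
client-config-dir ccd          # per-site iroute/push; file name = client certificate CN
client-to-client               # let B and C reach each other through the server
push "route 10.1.0.0 255.255.255.0"   # every site learns LAN A
keepalive 10 60
persist-key
persist-tun

# --- Site A: ccd/siteB (tells OpenVPN which client owns LAN B) ---
iroute 10.2.0.0 255.255.255.0
push "route 10.3.0.0 255.255.255.0"   # B learns LAN C only, never its own subnet

# --- Site A: ccd/siteC ---
iroute 10.3.0.0 255.255.255.0
push "route 10.2.0.0 255.255.255.0"

# --- Site B: client.ovpn (certificate CN must be "siteB"; no inbound port needed at B) ---
client
dev tun
proto udp
remote vpn-a.example.invalid 1194   # placeholder for Site A's public address
nobind
ca ca.crt
cert siteB.crt
key siteB.key
tls-auth ta.key 1
remote-cert-tls server          # refuse to connect to anything but a server certificate
persist-key
persist-tun
```

The two-NIC box at each site still needs IP forwarding enabled (RRAS on Windows, as in the thread) and must be the LAN hosts' default gateway or the target of a static route for the remote subnets, otherwise replies never reach the tunnel.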
SOLUTION