Solved

OpenVPN to branch offices

Posted on 2010-09-09
9
876 Views
Last Modified: 2012-05-10
I'm hoping someone can assist or point me in the right direction.

Here's the scenario:

Our company has 4 Offices one of which is of coarse HQ; each one of 3 branches have a Untangle FW installed and configured; our HQ has 2 Untangle FW's, one of which is used purely for web traffic and the second for VPN and mail which is connected on a diginet line, the other is on ADSL.
Current configuration for all sites is that all Untangle FW's are configured as OpenVPN servers allowing any one of my users access from anywhere.
What I would like to achieve is to setup a site to site VPN for all my branches. Ideally HQ would be configured as OpenVPN server and my 3 branches as clients. With this being said I would like all my users in all my branches to be able to access data from any of the 4 file servers.
So, like this:
A --> B    B --> A
A --> C    C --> A
A --> D    D --> A
B --> C    C --> B

and so on and so on.

So, can anyone help?
0
Comment
Question by:DJMohr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 12

Accepted Solution

by:
mccracky earned 500 total points
ID: 33638220
I'm not completely familiar with untangle, but if it's an option, I'd probably use untangle at the branch offices too.  From my experience its usually MUCH easier setting up VPNs between boxes that are the same than between boxes that aren't. If not untangle, the next thing I'd do would probably be pfsense or monowall at the branches.  

The VPNs should be pretty straightforward to set up in any case.

As to routing, the main (and maybe most time consuming/difficult) is to make sure that the different branches use different IP ranges and also that they can be subnetted as a group.  You then need to set up a "star" routing configuration.  Something like:

A: 192.168.0.0/24 (HQ?)
B: 192.168.1.0/24
C: 192.168.2.0/24
D: 192.168.3.0/24

Set up each VPN from HQ as /24 networks, but from each branch to HQ as /22 networks.  That should send all traffic from B to C first to A and then on through to C.
0
 
LVL 1

Author Comment

by:DJMohr
ID: 33638650
@ mccracky

All the branches are running Untangle. Networking for the branches are as you mentioned:
A: 192.168.0.0/24 (HQ?)
B: 192.168.1.0/24
C: 192.168.2.0/24
D: 192.168.3.0/24

I have managed to connect B to A and able to access data on B from A but only from the File Server, but I am unable to access data from B to A. Should routing be configured on the UT boxes or on my File Servers?
0
 
LVL 12

Assisted Solution

by:mccracky
mccracky earned 500 total points
ID: 33638766
If the untangle boxes are your default gateways for the network, routing should be fine (don't need to change the servers).  Untangle should, if the VPNs are set up correctly, put in the correct routes back to A from B when the VPN connects.  can you ping A's untangle box from B (probably 192.168.0.1)?

One other thing to check on B's server is the IP configuration and netmask (Linux: ifconfig -a  Windows: ipconfig /all).  If B's server thinks the IP of A's server is local, it won't use the gateway.
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 
LVL 1

Author Comment

by:DJMohr
ID: 33639338
Site A has 2 UT boxes one 192.168.0.1 and the other 192.168.0.254; 254 for used web traffic and is the DG on all the workstations where as 0.1 is the DG on my file server. Site B's UT box is 192.168.1.1 and is the DG of all workstations and server; from site B I can ping site A's UT box and file server but cant browse the network (shares).
I'll double check IP config on B's UT box.
0
 
LVL 12

Assisted Solution

by:mccracky
mccracky earned 500 total points
ID: 33639440
re: browsing network shares, you may need to look for and enable "netbios" over the VPN in the UT box config.  Try rather than browsing connecting directly:  \\<ip address>\<sharename>

If the network shares you're looking to browse are on other boxes than the file server, you'll need to add in the route to the VPN UT box.
0
 
LVL 1

Author Comment

by:DJMohr
ID: 33643890
Morning

Ok, ifconfig -a result from site B's UT box:

eth0      Link encap:Ethernet  HWaddr 00:21:85:5a:03:50
          inet addr:192.168.99.2  Bcast:192.168.99.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19777308 errors:0 dropped:1727400567 overruns:0 frame:0
          TX packets:14336908 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2300380550 (2.1 GiB)  TX bytes:1460336556 (1.3 GiB)
          Interrupt:221 Base address:0x4000

eth1      Link encap:Ethernet  HWaddr 00:a0:cc:39:0e:de
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2323615 errors:1 dropped:0 overruns:0 frame:0
          TX packets:3037966 errors:1 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:562229479 (536.1 MiB)  TX bytes:2643601931 (2.4 GiB)
          Interrupt:16 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5541124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5541124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1092787090 (1.0 GiB)  TX bytes:1092787090 (1.0 GiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.16.45  P-t-P:172.16.16.46  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:16614 (16.2 KiB)  TX bytes:15964 (15.5 KiB)

utun      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.0.2.43  P-t-P:192.0.2.43  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:50284 (49.1 KiB)  TX bytes:0 (0.0 B)

Site B's file server ipconfig \all results:

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8168B/8111B Family PCI-E
GBE NIC
        Physical Address. . . . . . . . . : 00-1C-C0-AE-48-02
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1

I also tried connecting to the share instead of browsing from site B but no luck. from site A I can browse site B's file server with out issue.
0
 
LVL 1

Author Comment

by:DJMohr
ID: 33643914
Also just wondering about this, is it better to have your firewalls create the PPPOE connection to the internet or have the ADSL router do it?
0
 
LVL 12

Assisted Solution

by:mccracky
mccracky earned 500 total points
ID: 33647093
I find it easier to just let the ADSL router do that part and then I just worry about the ethernet/VPN connections on the firewall.
0
 
LVL 1

Author Comment

by:DJMohr
ID: 33669301
I have managed to sort this out. Site to Site is up and running, my users can access data on remote servers and my road warriors are able to vpn in and access data from any branch.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question