Solved

OpenVPN to branch offices

Posted on 2010-09-09
869 Views
Last Modified: 2012-05-10
I'm hoping someone can assist or point me in the right direction.

Here's the scenario:

Our company has 4 offices, one of which is of course HQ; each of the 3 branches has an Untangle FW installed and configured. Our HQ has 2 Untangle FWs: one is used purely for web traffic and the second for VPN and mail, which is connected on a Diginet line; the other is on ADSL.
The current configuration for all sites is that all Untangle FWs are configured as OpenVPN servers, allowing any one of my users access from anywhere.
What I would like to achieve is to set up a site-to-site VPN for all my branches. Ideally HQ would be configured as the OpenVPN server and my 3 branches as clients. With this being said, I would like all my users in all my branches to be able to access data from any of the 4 file servers.
So, like this:
A --> B    B --> A
A --> C    C --> A
A --> D    D --> A
B --> C    C --> B

and so on and so on.

So, can anyone help?
Question by:DJMohr
9 Comments
 
LVL 12

Accepted Solution

by:
mccracky earned 500 total points
ID: 33638220
I'm not completely familiar with Untangle, but if it's an option, I'd probably use Untangle at the branch offices too. From my experience it's usually MUCH easier setting up VPNs between boxes that are the same than between boxes that aren't. If not Untangle, the next thing I'd do would probably be pfSense or m0n0wall at the branches.

The VPNs should be pretty straightforward to set up in any case.

As to routing, the main (and maybe most time-consuming/difficult) thing is to make sure that the different branches use different IP ranges and also that they can be subnetted as a group. You then need to set up a "star" routing configuration. Something like:

A: 192.168.0.0/24 (HQ?)
B: 192.168.1.0/24
C: 192.168.2.0/24
D: 192.168.3.0/24

Set up each VPN from HQ as /24 networks, but from each branch to HQ as a /22 network. That should send all traffic from B to C first to A and then on through to C.
 
LVL 1

Author Comment

by:DJMohr
ID: 33638650
@ mccracky

All the branches are running Untangle. Networking for the branches is as you mentioned:
A: 192.168.0.0/24 (HQ?)
B: 192.168.1.0/24
C: 192.168.2.0/24
D: 192.168.3.0/24

I have managed to connect B to A and am able to access data on B from A, but only from the file server; however, I am unable to access data from B to A. Should routing be configured on the UT boxes or on my file servers?
 
LVL 12

Assisted Solution

by:mccracky
mccracky earned 500 total points
ID: 33638766
If the Untangle boxes are your default gateways for the network, routing should be fine (no need to change the servers). Untangle should, if the VPNs are set up correctly, put in the correct routes back to A from B when the VPN connects. Can you ping A's Untangle box from B (probably 192.168.0.1)?

One other thing to check on B's server is the IP configuration and netmask (Linux: ifconfig -a; Windows: ipconfig /all). If B's server thinks the IP of A's server is local, it won't use the gateway.
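As an added illustration (example code, not from this thread or from Untangle) of the "star" routing plan in the accepted answer and the local-subnet check in the comment above: the site prefixes are the ones listed in the thread; the route-table model, the path tracer and the too-wide /16 mask used as a counter-example are assumptions for illustration only.

```python
import ipaddress

# Address plan from the accepted answer: HQ is A, branches are B, C, D.
SITES = {
    "A": ipaddress.ip_network("192.168.0.0/24"),
    "B": ipaddress.ip_network("192.168.1.0/24"),
    "C": ipaddress.ip_network("192.168.2.0/24"),
    "D": ipaddress.ip_network("192.168.3.0/24"),
}
HQ = "A"
SUPERNET = ipaddress.ip_network("192.168.0.0/22")  # covers all four /24s

def build_routes(hq=HQ, sites=SITES, supernet=SUPERNET):
    """Star layout: HQ gets one /24 route per branch tunnel;
    each branch gets the single /22 supernet via its tunnel to HQ."""
    routes = {s: [] for s in sites}
    for site, net in sites.items():
        if site != hq:
            routes[hq].append((net, site))        # HQ side: /24 per branch
            routes[site].append((supernet, hq))   # branch side: /22 via HQ
    return routes

def next_hop(site, dst, routes, sites=SITES):
    """Longest-prefix match: own LAN first, then tunnel routes.
    Returns the next-hop site letter, or None if unroutable."""
    ip = ipaddress.ip_address(dst)
    if ip in sites[site]:
        return site
    matches = [(p.prefixlen, nh) for p, nh in routes[site] if ip in p]
    return max(matches)[1] if matches else None

def trace(src_site, dst, routes, sites=SITES, max_hops=8):
    """Follow next_hop site by site until the destination LAN is reached."""
    path, here = [src_site], src_site
    for _ in range(max_hops):
        nh = next_hop(here, dst, routes, sites)
        if nh is None:
            return path + [None]
        if nh == here:            # destination is on this site's own LAN
            return path
        path.append(nh)
        here = nh
    return path + [None]

def uses_gateway(host_ip, netmask, dst):
    """The netmask check from the comment: a host only forwards to its
    default gateway when dst lies outside its own IP/netmask; with a mask
    that is too wide it treats the remote address as local instead."""
    local = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    return ipaddress.ip_address(dst) not in local
```

Run `trace("B", "192.168.2.10", build_routes())` to see B-to-C traffic hairpin through A, and `uses_gateway("192.168.1.10", "255.255.0.0", "192.168.0.5")` to see how a /16 mask on B's server would stop it from using 192.168.1.1 for site A.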
 
LVL 1

Author Comment

by:DJMohr
ID: 33639338
Site A has 2 UT boxes, one 192.168.0.1 and the other 192.168.0.254; .254 is used for web traffic and is the DG on all the workstations, whereas .1 is the DG on my file server. Site B's UT box is 192.168.1.1 and is the DG of all workstations and the server; from site B I can ping site A's UT box and file server but can't browse the network (shares).
I'll double check IP config on B's UT box.
 
LVL 12

Assisted Solution

by:mccracky
mccracky earned 500 total points
ID: 33639440
Re: browsing network shares, you may need to look for and enable "NetBIOS" over the VPN in the UT box config. Rather than browsing, try connecting directly: \\<ip address>\<sharename>

If the network shares you're looking to browse are on other boxes than the file server, you'll need to add in the route to the VPN UT box.
 
LVL 1

Author Comment

by:DJMohr
ID: 33643890
Morning

Ok, ifconfig -a result from site B's UT box:

eth0      Link encap:Ethernet  HWaddr 00:21:85:5a:03:50
          inet addr:192.168.99.2  Bcast:192.168.99.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19777308 errors:0 dropped:1727400567 overruns:0 frame:0
          TX packets:14336908 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2300380550 (2.1 GiB)  TX bytes:1460336556 (1.3 GiB)
          Interrupt:221 Base address:0x4000

eth1      Link encap:Ethernet  HWaddr 00:a0:cc:39:0e:de
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2323615 errors:1 dropped:0 overruns:0 frame:0
          TX packets:3037966 errors:1 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:562229479 (536.1 MiB)  TX bytes:2643601931 (2.4 GiB)
          Interrupt:16 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5541124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5541124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1092787090 (1.0 GiB)  TX bytes:1092787090 (1.0 GiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.16.45  P-t-P:172.16.16.46  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:16614 (16.2 KiB)  TX bytes:15964 (15.5 KiB)

utun      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.0.2.43  P-t-P:192.0.2.43  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:50284 (49.1 KiB)  TX bytes:0 (0.0 B)

Site B's file server ipconfig /all results:

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8168B/8111B Family PCI-E
GBE NIC
        Physical Address. . . . . . . . . : 00-1C-C0-AE-48-02
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1

I also tried connecting to the share instead of browsing from site B, but no luck. From site A I can browse site B's file server without issue.
 
LVL 1

Author Comment

by:DJMohr
ID: 33643914
Also, just wondering about this: is it better to have your firewalls create the PPPoE connection to the internet or have the ADSL router do it?
 
LVL 12

Assisted Solution

by:mccracky
mccracky earned 500 total points
ID: 33647093
I find it easier to just let the ADSL router do that part, and then I only have to worry about the Ethernet/VPN connections on the firewall.
 
LVL 1

Author Comment

by:DJMohr
ID: 33669301
I have managed to sort this out. Site-to-site is up and running, my users can access data on remote servers, and my road warriors are able to VPN in and access data from any branch.