I have an office that is running a domain. They have a TP-Link TL-600VPN. This office is opening up another location and wants to work on applications/databases of the domain server at the original location from this new location. What do I have to do to set this up? There will be only 1 computer at the new location. They do not want to do anything like GoToMyPC or LogMeIn; they want to actually access the databases and work on them from this one computer.
Make sure that the bandwidth between the sites will give you reasonable performance. What do you have for upload and download speeds at each location? You may go through the trouble only to find that it's not responsive enough.
If you will always have only one remote computer at the remote location, consider setting up a VPN to the server, if nothing else as a test of performance. You shouldn't need to spend money on software or hardware to try this.
What is the objection to LogMeIn or GoToMyPC? I have often set up VNC (free or $30 one-time cost with security) to an extra computer to accomplish such things. Since keystrokes, mousestrokes, and screens are all that get transmitted, performance may be much better.
The VPN router that is presently in the main office is being used for another VPN source. Can that VPN router be used for two different incoming VPNs? Can two different VPNs even be set up on one network to access the single server?
notacomputergeek
Yes, according to the specs "Up to 20 IPsec VPN tunnels and 16 PPTP VPN tunnels are simultaneously supported".
This is very common. For example, within an environment where you have a main office (where server is located) and 3 remote offices, there would be 3 site-to-site VPN tunnels created between each remote office and the main office. Local LAN IP addresses would be configured in each local router such as:
MAIN - 192.168.1.x
Office1 - 192.168.2.x
Office2 - 192.168.3.x
Office3 - 192.168.4.x
Use this in combination with the other directions provided.
Are there plans to have additional computers at this new office eventually?
CompProbSolv
Have you identified your upload and download speeds at both locations to determine if VPN performance will be acceptable?
Kevin Wearing
Further to concerns about Internet Bandwidth, you could always run a speedtest.net to determine what your actual up/down is (could vary from what you think you paid for especially with ADSL). And then cross reference with sys requirements for the application you are using.
Also consider if the office is expanding in the future. Sure, you can set up tunnels on each PC to the remote main office router, but this does not scale well as more users join the network.
Not to forget that other things will consume bandwidth alongside your db application.
syssolut
ASKER
The separate office is in the process of acquiring the ISP. Internet should be installed within the next week. I purchased a new TLR600VPN gigabit router for the new office.
syssolut
ASKER
The ISP came in and put their Modem/Router in. Can I make the TP-Link router a VPN switch?
If the TP-Link has a VPN section, yes. Log into the TP-Link GUI and look at the main setups. If it has a VPN tab then set it up. If not, you need a VPN router.
syssolut
ASKER
It is a VPN router, so I just need to shut down DHCP and DNS on the VPN router since those will be coming from my ISP's router?
John
You need to set up the VPN parameters (often a half-dozen to a dozen) and mirror the parameters in the client app or at the other end.
Is your goal to have all of the machines on the same subnet?
syssolut
ASKER
I don't know if it is necessary. I am just looking to be able to click on an icon and sign in to access the main database of the main office server.
So the main office has a TP-Link R600VPN in the main office, and now I am trying to install the TP-Link R600VPN in the remote office. But in the remote office the ISP installed a Modem/router so I shut down the DHCP and put the ISP router as the gateway, just to try to access the internet before I try to set up the VPN, but it won't connect to the internet locally. I will use the link that CompProbSolv put in his link. Why can't I connect locally first to the internet? Once I do that I can then try to set up the vpn.
John
So the main office has a TP-Link R600VPN in the main office, and now I am trying to install the TP-Link R600VPN in the remote office.
So you need a site-to-site tunnel between the two boxes. Set up the connection using the guide provided above.
Hi John. Yes, that is correct, but the fly in the ointment, at least for me, is that the ISP put their modem/router in and now I need to change the TP link in the remote office from a vpn router to a vpn switch since the ISP is the gateway and the DHCP deliverer. I haven't got that part working yet.
John
For site to site at least one end must be static. The DHCP end can only change IP rarely. Mine changes every 2 or 3 years.
masnrock
Two questions....
1) Who is the ISP?
2) Do you have static or dynamic IPs?
Assuming that this one user has cable internet, what would make the most sense would be the following (unless connection is Comcast BUSINESS, in which case look at the directions in this post related to DSL, as it will fall closer to that)...
1) Get rid of the modem/router in favor of separate modem and router (one that can also act as an AP).
2) Get a static IP.
3) Set up the new TP-Link router and connect to the modem.
4) Set up the wireless router as an AP and connect to the TP-LINK router.
5) Create your site to site VPN.
If they for some reason have DSL, then step one is to get a wireless router that can act as an AP, and configure the existing one as a pass through (and disable the wireless). Everything else is the same.
The home office is static, I believe we are getting one for remote office. The remote office is Comcast Business.
masnrock
You can easily have the new router handle the work without disabling everything. With Comcast Business, you can connect your configured router directly to the business gateway. Obviously, you will be hooking everything to the TP-Link. At worst, you will need to disable a few items on the Comcast gateway, but the router you bought for the site should be doing the work and can easily be set up to do so.
syssolut
ASKER
If we can get away without having one, which John Hurst said you only need one (which the main office has), then we will not at remote office. So I don't make any changes to the remote office TP-Link router except to set the VPN up, but what changes should I make to the Comcast router?
Here's what I will warn: I have never seen a Comcast unit allow you to configure it for a VPN. Their custom firmware has never allowed for it, and it actually forces you to provide your own router if you want VPN services and the like. You're going to save considerable time by getting the second TP-Link router and following the directions I provided.
Just to use the static IP addresses, you have to provide your own router/firewall. Comcast gateways will either have a dynamic address OR the address of the default gateway that goes along your static IP addresses. You're going to need your own router regardless. However, you don't have to choose a matching TP-Link router, but it will make your life a heck of a lot easier.
syssolut
ASKER
So we should send back the Comcast router and get a modem and just use the new TP-Link as the router and VPN link. That is why I said to John earlier that there was a fly in the ointment, which is that Comcast put in their own modem/router. I agree that it would seem easier to have a modem and use just the TP-Link router.
masnrock
No, because you HAVE to have the unit Comcast provided in order to use your static IP addresses. What I'm saying is get a matching router to the one you have at the home office, connect it to the unit Comcast provided, and configure it. Trust me, it's easier than you're thinking. I dealt with Comcast stuff a lot.
I use a Cisco RV325 VPN router and my cable modem is in bridged mode. No issue.
syssolut
ASKER
OK, I bridged the router that Comcast provided. I am going through the setup on the TP-Link R600VPN (both sites have identical VPN routers) at the remote site. I am using the link masnrock gave me with John Hurst's setup settings. But I keep getting an error message on the IPSec Policy Settings. It is something like "Peer subnet Invalid". I cannot get past this point. In the directions it is telling me the peer should be 192.168.0.0. I tried this and I tried 192.168.0.1, which is the gateway from the main office. Neither works. Not sure where to go now.
syssolut
ASKER
I put in actual remote subnet mask and it took it.
I assume the subnet on your machine is NOT .0 . Then on the office end , the internal address is 192.168.0.0 and the subnet mask is 255.255.255.0 . This will let you talk to any device on the office end.
masnrock
Do you have BOTH sides using 192.168.0.x? If so, you should change the IP scheme of the remote office. The subnets should differ for each site. Then you'll easily be able to fit that.
So for example, home site might be 192.168.0.x and remote site would be 192.168.1.x ... and the settings in the site to site VPN need to reflect that.
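Added example, not part of the thread: a Python check of the addressing points raised above, namely that the two LANs must not share a range, that a gateway address such as 192.168.0.1 is a host address rather than a subnet, and that each router's local subnet is the other router's peer subnet. The function names and sample values are constructed for illustration, and the script does not reproduce the TP-Link's own validation.

```python
import ipaddress

def parse_lan(address, mask):
    """Return (network, note). A host address such as 192.168.0.1 is
    reduced to its network and reported in the note."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    note = None
    if str(net.network_address) != address:
        note = f"{address} is a host address; the subnet is {net}"
    return net, note

def check_tunnel(local, peer):
    """local and peer are (address, mask) pairs for the two LANs.
    Returns a list of problems; an empty list means the pair is usable."""
    local_net, local_note = parse_lan(*local)
    peer_net, peer_note = parse_lan(*peer)
    problems = [n for n in (local_note, peer_note) if n]
    if local_net.overlaps(peer_net):
        problems.append(f"local {local_net} overlaps peer {peer_net}; "
                        "renumber one site")
    return problems

def mirrored(policy_a, policy_b):
    """Each router's local subnet must be the other router's peer subnet."""
    a_local, _ = parse_lan(*policy_a["local"])
    a_peer, _ = parse_lan(*policy_a["peer"])
    b_local, _ = parse_lan(*policy_b["local"])
    b_peer, _ = parse_lan(*policy_b["peer"])
    return a_local == b_peer and a_peer == b_local

# Constructed sample values, following the addressing suggested in the thread.
MASK = "255.255.255.0"
MAIN = {"local": ("192.168.0.0", MASK), "peer": ("192.168.1.0", MASK)}
REMOTE = {"local": ("192.168.1.0", MASK), "peer": ("192.168.0.0", MASK)}
SAME_RANGE = {"local": ("192.168.0.0", MASK), "peer": ("192.168.0.0", MASK)}

if __name__ == "__main__":
    for name, pol in (("main", MAIN), ("remote", REMOTE), ("same", SAME_RANGE)):
        print(name, check_tunnel(pol["local"], pol["peer"]) or "ok")
    print("mirrored:", mirrored(MAIN, REMOTE))
```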
syssolut
ASKER
How do I access the VPN? So at the remote office I need to open EXCEL and access a database on a server at the main office. How do I do this? Do I open Excel and go to file open and somehow direct it to the main office server via an IP? Sorry this is the first time setting this up.
Was the connection between the two routers successful? You need that first, then you should be able to map drives and whatnot. Also, you could actually have the DNS servers assigned by DHCP point to the DNS server at the home office as well as some outside server (the second one being in case the VPN link goes down).
syssolut
ASKER
How do I test if the VPN link was successful?
John
From the local end, ping a device (computer) inside the other end. You need to know what its address is, but pinging will tell you if the tunnel is alive.
Within the routers, there should be an indicator of some sort. Another way you could test is to connect to a machine on one side and to ping a device in the other office.
John
My Cisco box, under the VPN tabs shows me connected tunnels, but ping is almost as good.
syssolut
ASKER
Nothing pings. And there is nothing showing whether VPN is live under router dashboard tabs. Not sure where to start troubleshooting. Everything appears to be correct in relation to the link for TP-Link
Could you please provide screenshots of the VPN settings from both TP-LINK routers?
syssolut
ASKER
I finally got the two to show connection on the List of Security Association on both routers. But under Computer the Main Office computer is not showing. What do I have to do to access this Excel Spreadsheet under the Main office computer?
John
Try mapping the Main Office computer by IP address ( \\IP of PC\folder). If that works, you make an entry in your local HOSTS file to match the office computer name with IP address.
One other thing is that the connection is not showing under adapter settings under Network and internet properties
masnrock
Now we're cooking with gas.... so if you look in the DHCP settings on the router of the remote office, you should be able to change the DNS servers that get sent to DHCP clients. Make the first one the IP of the DNS server at the home office. That should make your life a little bit easier. Remember that with the tunnel up, you can do lookups across locations.
syssolut
ASKER
Masnrock, would putting in the Home Office DNS server setting into the remote office router make the initial opening of the database that they are accessing quicker? When people are on the database at the home office, it takes 17 mins for the database lists to load at the remote office. Once it is opened at the remote office you can go from record to record within about 3-4 secs. When no one is on the database at the home office, the remote opens first time in about 7-8 mins. When the remote office just looks to open a word or excel file from the server, it opens within about 10 secs.
I think this is the first you mentioned a database server. You should not run a database application over a remote connection. Any hiccup could corrupt the database.
Log into the computer at the other end and then run the database "locally" . Improving DNS won't speed up VPN much.
syssolut
ASKER
Hi John. I am not sure what you mean about opening it locally. When you are referring to the computer at the other end, are you talking about the remote office computer?
John
I mean log into the computer that houses the database. Then use the DB from that computer. That makes the DB operation look local to the computer.
Here's the mixed bag of a site to site VPN... the speed is not guaranteed, but far less monetarily than a private line. What is the speed of the internet connections at each office? Upping the bandwidth at both locations MIGHT help, and it would be a lot less expensive than a private line (which assumes that fiber is even available at both sites). Maybe there is a way to work with bandwidth management to reserve enough to improve performance.
Where is the database server located, remote office?
syssolut
ASKER
I would rather not give location details but the offices are about 35 mi apart. One has Comcast and the other has Atlantic Broadband and both sites have 30+ download. The main office may now change over to the cloud for this application and keep the vpn so remote can access random Excel, word and PDF documents off the server.
"One has Comcast and the other has Atlantic Broadband and both sites have 30+ download."
Bandwidth has been a concern since the start of this post. Keep in mind that when communicating between sites, one side is uploading and the other is downloading. Since upload speeds are typically (certainly not always) much slower than download speeds, the upload speed will be the bottleneck in either direction.
What are you seeing for upload speeds to the internet from both locations? I typically use speedtest.net for such a measurement.