multiple site-2-site openvpn connections?
There are several local branch offices and one headquarters, each of which is configured with a LAN/intranet behind a gateway (firewall, routing, etc.). Each branch office has traffic to headquarters for accessing some internal servers. In addition, there is occasional access from one branch office to another.
Goal: we want each gateway to each gateway to be a VPN connection. However, traffic via LAN is not expected to be VPNed.
Is it better to configure this VPN to be bridged or routed?
As to connections, it seems there are two options:
1. For each LAN, create a point-to-point VPN between its gateway and every other LAN's gateway.
pros: it meets our goal to have a VPN between pairs of gateways.
cons: I have little experience with OpenVPN configuration. However, it seems to me that, in this configuration, the following facts and issues make it complex: multiple OpenVPN instances running on each gateway (one for a VPN to either another branch office or to headquarters), assigning different port numbers to these instances, and avoiding overlap of IP ranges among these VPNs.
2. At headquarters, configure the gateway as a "many-client" OpenVPN server. Configure each branch office's gateway as an OpenVPN client.
pros: simple, only one configuration for each gateway.
cons: since I have no previous experience with OpenVPN, I am not sure if this is a valid configuration and if it meets our goal to have a VPN connection between gateway pairs. Since all these LANs use private IP addresses, NAT is used on each gateway for Internet access. How does OpenVPN work with NAT in this configuration? Can branch office users access other branch offices and headquarters?
1. With OpenVPN you create a set of keys/certificates for each branch.
- Every branch connects via openvpn-client to the headquarters
- Use of bridged mode should be enough.
pro: once you become accustomed to the keys/certificates generation, you can connect new branches very effectively.
The OpenVPN documentation is straightforward and there are tons of howtos.
cons: you have to implement a strong networking scheme (IP addresses etc.)
2. The docs say you can configure OpenVPN to let the clients see each other.
But this is an all-or-nothing solution. (Sorry, no experience with this.)
OpenVPN works with NAT, even with private IP addresses.
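The routed variant of option 2 (one OpenVPN server at headquarters, each branch gateway a client), added here as an example and not taken from either post: it checks the addressing plan for overlapping ranges and emits the server routing directives plus one `ccd` file per branch certificate. The subnets, certificate common names and function names are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed addressing plan (assumption): none of these values come from the thread.
TUNNEL = "10.8.0.0/24"
HQ_LAN = "192.168.1.0/24"
BRANCHES = {"branch-a": "192.168.10.0/24", "branch-b": "192.168.20.0/24"}  # cert CN -> LAN


def _fmt(net):
    """OpenVPN writes networks as 'address netmask'."""
    return f"{net.network_address} {net.netmask}"


def check_plan(tunnel, hq_lan, branches):
    """Parse every subnet and raise ValueError if any two overlap."""
    nets = {"tunnel": tunnel, "hq": hq_lan, **branches}
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in nets.items()}
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            raise ValueError(f"{a} {na} overlaps {b} {nb}")
    return nets


def hub_config(tunnel, hq_lan, branches, client_to_client=False):
    """Return (server.conf routing lines, {CN: ccd file text}) for a routed hub."""
    nets = check_plan(tunnel, hq_lan, branches)
    server = ["dev tun", "topology subnet", f"server {_fmt(nets['tunnel'])}",
              "client-config-dir ccd"]
    # Kernel route on the hub for each branch LAN, pointing into the tunnel.
    server += [f"route {_fmt(nets[cn])}" for cn in branches]
    if client_to_client:
        # All-or-nothing: branch-to-branch packets are relayed inside OpenVPN
        # and never reach the hub's firewall. Leave it off to filter them there.
        server.append("client-to-client")
    ccd = {}
    for cn in branches:
        # iroute tells OpenVPN which client owns this LAN.
        lines = [f"iroute {_fmt(nets[cn])}"]
        # Push routes to HQ and to every other branch, never the client's own LAN.
        lines += [f'push "route {_fmt(n)}"' for name, n in nets.items()
                  if name not in ("tunnel", cn)]
        ccd[cn] = "\n".join(lines) + "\n"
    return "\n".join(server) + "\n", ccd


if __name__ == "__main__":
    server_conf, ccd_files = hub_config(TUNNEL, HQ_LAN, BRANCHES)
    print(server_conf)
    for cn, text in ccd_files.items():
        print(f"# ccd/{cn}\n{text}")
```

With `client_to_client` left off, branch-to-branch traffic passes through the hub's kernel routing, so the hub needs IP forwarding enabled and its firewall decides which branches may talk to each other.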