LinuxQuestions.org
Old 07-20-2007, 02:31 PM   #1
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

multiple site-2-site openvpn connections?


There are several local branch offices and one headquarters, each of which is configured with a LAN/Intranet behind a gateway (firewall, routing, etc.). Each branch office has traffic to headquarters for accessing some internal servers. In addition, there is occasional access from one branch office to another.

Goal: we want each gateway-to-gateway link to be a VPN connection. However, traffic within a LAN is not expected to be VPNed.

Is it better to configure this VPN as bridged or routed?

As to connections, it seems there are two options:

1. For each LAN, create a point-to-point VPN between its gateway and every other LAN's gateway.

pros: it meets our goal of having a VPN between each pair of gateways.

cons: I have little experience with openvpn configuration. However, it seems to me that, in this configuration, the following facts and issues make it complex: multiple openvpn instances running on each gateway (one for each VPN to another branch office or to headquarters), assigning different port numbers to these instances, and avoiding overlap of IP ranges among these VPNs.

2. At headquarters, configure its gateway as a "many-client" openvpn server. Configure each branch office's gateway as an openvpn client.

pros: simple, only one configuration for each gateway.

cons: since I have no previous experience with openvpn, I am not sure whether this is a valid configuration and whether it meets our goal of having a VPN connection between gateway pairs. Since all these LANs use private IP addresses, NAT is used on each gateway for Internet access. How does OpenVPN work with NAT in this configuration? Can branch office users access other branch offices and headquarters?

Thanks!

Last edited by licht; 07-20-2007 at 02:36 PM.
 
Old 07-20-2007, 04:11 PM   #2
karpi
Member
 
Registered: Oct 2005
Location: Germany
Distribution: Suse
Posts: 133

hello,

1. With openvpn you create a set of keys/certificates for each branch.
- Every branch connects via openvpn-client to the headquarters
- Use of bridged mode should be enough.

pro: once you become accustomed to the keys/certificates generation, you can connect new branches very effectively.
The openvpn documentation is straightforward and there are tons of howtos.

cons: you have to implement a strong networking scheme (IP addresses etc.)


2. The docs say you can configure Openvpn to let the clients see each other.
But this is an all-or-nothing solution. (Sorry, no experience with this)


Openvpn works with NAT, even with private IP addresses.

HTH
 
Old 07-20-2007, 10:00 PM   #3
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Quote:
Originally Posted by karpi
hello,

1. With openvpn you create a set of keys/certificates for each branch.
- Every branch connects via openvpn-client to the headquarters
- Use of bridged mode should be enough.
I guess this means that for each VPN connection we have a separate configuration for both server and client. Right? For example, say we have 2 branch offices O1 and O2 and 1 headquarters H. We want openvpn for traffic between O1 and O2, O1 and H, and O2 and H. As I understand it so far (I may be wrong), on each site there are 2 configuration files, one for each VPN. For example, H has one server configuration as openvpn server for the connection to O1 and one configuration for O2. So we need to run 2 openvpn instances. On O1, there are also 2 configurations, one for the connection to O2 and one for the connection to H. For each configuration, different IP address ranges are used. Is this right? Thanks!
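An added example, not from either poster, of the hub-and-spoke layout (option 2 above) that licht is asking about: one OpenVPN server instance on H, one client instance per branch, in routed (tun) mode, with each branch LAN registered through a per-client ccd file so O1 and O2 reach each other through H without extra instances or ports. OpenVPN 2.1 or later is assumed; the hostname, file names, certificate CNs and the 10.x subnets are placeholders.

```conf
### /etc/openvpn/hq.conf on headquarters gateway H (assumed LAN 10.0.0.0/24)
port 1194
proto udp
dev tun                          # routed mode: every site keeps its own subnet
ca ca.crt
cert hq.crt
key hq.key
dh dh2048.pem
tls-auth ta.key 0                # HMAC on the control channel; unsigned packets are dropped
server 10.8.0.0 255.255.255.0    # VPN transit net, must not overlap any site LAN
topology subnet
client-config-dir ccd            # one file per branch, named after the certificate CN
route 10.1.0.0 255.255.255.0     # kernel route for O1's LAN via the tun interface
route 10.2.0.0 255.255.255.0     # same for O2's LAN
push "route 10.0.0.0 255.255.255.0"   # HQ LAN, advertised to every branch
client-to-client                 # let the daemon forward between branch tunnels
keepalive 10 120
persist-key
persist-tun
user nobody                      # drop privileges after the tunnel is up
group nobody
verb 3

### /etc/openvpn/ccd/o1  (O1's certificate CN is "o1")
iroute 10.1.0.0 255.255.255.0    # tells the server which client owns this LAN
push "route 10.2.0.0 255.255.255.0"   # O1 learns O2's LAN, reached via H

### /etc/openvpn/ccd/o2
iroute 10.2.0.0 255.255.255.0
push "route 10.1.0.0 255.255.255.0"

### /etc/openvpn/branch.conf on branch gateway O1 (O2 differs only in cert/key)
client
dev tun
proto udp
remote vpn.hq.example 1194       # placeholder for H's public address
resolv-retry infinite
nobind
ca ca.crt
cert o1.crt
key o1.key
tls-auth ta.key 1
remote-cert-tls server           # refuse a peer that presents a client certificate
persist-key
persist-tun
verb 3
```

Each gateway still needs IP forwarding enabled and firewall rules that accept traffic on tun0; NAT on the gateways only applies to Internet-bound traffic, while the tunnel carries the private ranges end to end, which is why the transit net and all three LANs must be disjoint.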