There are several local branch offices and one headquarter, each of these is configured with a LAN/Intranet behind a gateway (firewall, routing, etc.). Each branch office has traffic to headquarter for accessing some internal servers. In addition, there is occasional access from one branch office to another.

Goal: we want each gateway to each gateway to be a VPN connection. However, traffic via LAN is not expected to be VPNed.

Is it better to configure this VPN to be a bridged or routed?

As to connections, it seems there are two options:

1. For each LAN, create a point-to-point VPN between its gateway and every other LAN's gateway.

pros: it meets our goal to have vpn between pair of gateways.

cons: I have little experience of openvpn configuration. However, it seems to me that, in this configuration, the following facts and issues make it complex: multiple openvpn instances running on each gateway (one for a VPN to either another branch office or to headquarter), assign different port numbers for these instances, avoid overlap of ip ranges among these vpns.

2. On headquarter, configure its gateway as a "many-client" openvpn server. Configure each branch office's gateway as openvpn client.

pros: simple, only one configuration for each gateway.

cons: since I have no previous experience in openvpn, I am not sure if this is a valid configuration and if it meets our goal to have vpn connection between gateway pairs. Since all these LANs use private IP addresses, NAT is used on each gateway for Internet access. How OpenVPN works with NAT in this configuration? Can branch office users access other branch offices and headquarter?

Thanks!

hello,

1. with openvpn you create a set of keys/certificates for each branch.
- Every Branch connects via openvpn-client to the headquter
- Use of bridged mode should be enough.

pro: once you become accustomed to the keys/certificates generation, you can connect new
branches very effectively.
The openvpn-documentation is straightforward and there are tons of howtos

cons: you have to implement a strong networking scheme (IP adresses etc)


2. The docs say you can configure Openvpn to let the clients see each other clients.
But this is a all or nothing solution. (Sorry no experience with this)


Openvpn works witH NAT, even with private IP addresses.

HTH

I guess this means for each vpn connection, we have a separate configuration for both server and client. Right? For example, say, we have 2 branch offices O1 and O2 and 1 headquarter H. We want openvpn for traffic between O1 and O2, O1 and H, O2 and H. As I understand so far (may be wrong, on each site, there are 2 configuration files, one for each vpn. For example, on H, it has one server configuration as openvpn server for connection to O1 and one configuration for O2. So, we need to run 2 openvpn instances. On O1, there are also 2 configurations, one for connection to O2 and one for connection to H. For each configuration, different IP address ranges are used. Is this right? Thanks!