Let's say there are two locations. Both locations have their own fast Internet connections. How do you join these two networks together such that every computer can see every other computer?
Do you need a domain controller, or can you do this with workgroups?
The obvious solution seems to be VPN, but can VPN be implemented on the routers only? Can the computers on the network be configuration-free?
The standard solution is to use a VPN between two routers, and you adjust the routing so all LAN-to-LAN traffic crosses the VPN.
Domains/Workgroups are really not related at all. A more relevant bit of information would be what type of routers both sites have, and whether they can create L2TP, PPTP, or some other encrypted tunnel, or whether they are running a standard OS like Linux where you can install software. There are many routers that already support VPN connections. Even some home routers can do it if you install custom firmware. You can create a VPN between your servers, though getting the routing right may be a bit tricky.
I really like OpenVPN as a solution if I have a system that will support it. Many other good VPN solutions exist.
This completely depends on what type of router you have. If your router is a computer running Linux, then yes. If your router is an inexpensive broadband router, then maybe your current hardware can do this. If your current hardware can't do this, you can certainly buy routers that will.
The clients really shouldn't need to know anything about the VPN.
Yes. Assuming reasonable routers and a reasonable network layout. If your sites are all sharing the same IP range (i.e. they are all using 192.168.0.0/24 and therefore overlapping) then you'll have to do full NAT and things get messy.
If you provisioned each site in its own subnet, then this is simple, and your only considerations are:
While the "open" suggestions are great, if you're asking this question, my guess is that you're unlikely to have success implementing them.
Save yourself a lot of trouble and pick up two routers with VPN capabilities from a vendor like Linksys, Netgear, D-Link, or even SonicWall. They are very easy to set up and will connect two networks together securely.
Once that is done, whether the computers "see" each other, is very dependent on the network being run and how that traffic passes over the VPN. Windows Workgroups are broadcast based systems which may interfere with the "network neighborhood" showing all the systems. Use of "lmhosts" files can help with name resolution. This is typically what domains are used for along with trusts between domains if they are different. By having a central registration for computers (Active Directory and DNS), they are able to "find" each other without configuring name resolution on each machine.
OpenBSD and IPSEC. Use an OpenBSD server at the respective ends of the link to act as an IPSEC gateway. It is very easy to set up.
We have this exact scenario with 4 sites across the UK.
Each site has a Draytek VPN device; they are a few hundred quid each.
They are all connected to one another by VPN and it works like a charm.
VPN tunnels. I prefer hardware-based VPN, i.e. at router level. There are many out there, from very cheap to very expensive. On the cheap side there are Linksys and D-Link, and on the other side you have Cisco, SonicWall and others.
The expensive routers allow more configurations for routing and so on.
Here is the catch: your VPN is only as efficient as the lines supporting the tunnels. For heaven's sake, please don't try to load group policy from a domain controller down to a client halfway around the world over a 512KB line.
Also try to control your broadcast traffic across the network if both sites will have different subnets.
Good Luck!
When you set up a VPN connection, you probably want to have each location with its own subnet to limit the broadcast domain. Why clog your limited-bandwidth connection with extraneous traffic?
Your router/VPN devices should have routes to the other locations; just set up the local DNS servers to address the machines on the "other" side.
This kind of configuration has been used for years.
Establish VPNs between sites. Then enable a dynamic routing protocol to share network information between the sites.
In my experience, the routers will have some kind of virtual Point-to-Point link between them, perhaps a GRE tunnel or L2TP. The dynamic routing protocols treat this link like any other interface.
There are some vendor/implementation specific configuration issues with the VPN configuration - consult the documentation, the vendor's support organization, or describe what products you are using.
One key point relating to network design - you need to treat all the sites as part of one large network. For example, you can't configure all the remote sites to have a 192.168.1.0 subnet. Rather, you might be able to get such a nightmare to work with NAT and with a very convoluted routing configuration, but it is so much easier to design all the sites as being part of one network space.
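The first answer's recipe (a VPN between the two routers, with routing adjusted so LAN-to-LAN traffic crosses it and the clients never touched) and this answer's design rule (each site in its own prefix, never two sites on 192.168.1.0) can be planned mechanically. The script below is an added example written for this page, not code from any of the answers or from the OpenVPN project: it rejects overlapping site LANs up front, gives each pair of routers its own /30 transit network and UDP port, and renders a static-key point-to-point OpenVPN config per link together with the LAN-to-LAN routes each router ends up holding. It generalises the two-site case in the question to a full mesh like the four-site Draytek setup mentioned above. The site names, prefixes, hostnames and key-file paths are made up for the example.

```python
"""Plan a full mesh of router-to-router OpenVPN tunnels between sites.

Added example for this thread, not code from any answer or vendor. It checks
that the site LANs do not overlap (the case the answers say forces NAT), hands
each pair of routers its own /30 transit network and UDP port, and renders a
static-key OpenVPN config per link plus the LAN-to-LAN routes each router
ends up with. The site names, addresses and hostnames are made up.
"""
import ipaddress
from itertools import combinations

# Constructed sample topology: three sites, each provisioned in its own subnet.
SITES = {
    "london":  {"lan": "192.168.1.0/24", "public": "london-gw.example.net"},
    "leeds":   {"lan": "192.168.2.0/24", "public": "leeds-gw.example.net"},
    "bristol": {"lan": "192.168.3.0/24", "public": "bristol-gw.example.net"},
}


def find_overlaps(sites):
    """Return [(a, b), ...] for every pair of sites whose LAN prefixes overlap."""
    # strict=True rejects host addresses masquerading as prefixes (192.168.1.5/24).
    nets = {name: ipaddress.ip_network(s["lan"], strict=True) for name, s in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def render_openvpn(me, peer, peer_host, my_ip, peer_ip, peer_lan, port, keyfile):
    """One static-key, point-to-point OpenVPN config: runs on `me`, talks to `peer`."""
    lines = [
        f"# {me} -> {peer}: LAN-to-LAN tunnel; LAN clients need no VPN configuration",
        "dev tun",
        "proto udp",
        f"port {port}",                 # both ends of a link use the same port
        f"remote {peer_host} {port}",
        f"ifconfig {my_ip} {peer_ip}",  # our and their end of the /30 transit
        # pre-shared key: 'openvpn --genkey secret <file>' on one router, then
        # copy it to the other router over an existing secure channel (scp)
        f"secret /etc/openvpn/{keyfile}",
        # steer the peer's LAN into the tunnel; the peer does the same for ours
        f"route {peer_lan.network_address} {peer_lan.netmask}",
        "cipher AES-256-CBC",
        "auth SHA256",
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
    ]
    return "\n".join(lines) + "\n"


def plan_mesh(sites, transit="10.255.0.0/24", base_port=1194):
    """Give every site pair a /30 and a port; return per-site configs and routes.

    Result: {site: {"configs": {peer: text}, "routes": [(peer_lan, next_hop)]}}.
    Raises ValueError if two LANs overlap: plain routing cannot then tell the
    sites apart, and you are into the NAT setup the answers warn against.
    """
    clashes = find_overlaps(sites)
    if clashes:
        raise ValueError(f"overlapping LANs, fix the addressing first: {clashes}")
    transits = ipaddress.ip_network(transit).subnets(new_prefix=30)
    plan = {name: {"configs": {}, "routes": []} for name in sites}
    for i, ((a, b), t30) in enumerate(zip(combinations(sorted(sites), 2), transits)):
        ip_a, ip_b = (str(h) for h in t30.hosts())  # the two usable /30 addresses
        keyfile = f"{a}-{b}.key"                    # same key file name on both ends
        for me, peer, my_ip, peer_ip in ((a, b, ip_a, ip_b), (b, a, ip_b, ip_a)):
            peer_lan = ipaddress.ip_network(sites[peer]["lan"])
            plan[me]["configs"][peer] = render_openvpn(
                me, peer, sites[peer]["public"], my_ip, peer_ip, peer_lan, base_port + i, keyfile)
            plan[me]["routes"].append((str(peer_lan), peer_ip))
    return plan


if __name__ == "__main__":
    for site, entry in plan_mesh(SITES).items():
        print(f"== {site}: routes {entry['routes']}")
        for peer, cfg in entry["configs"].items():
            print(cfg)
```

Two things the generated files do not do for you, and which are the usual reasons a "computers can't see each other" complaint comes up after the tunnel is up: each router must actually forward (`net.ipv4.ip_forward=1` on Linux, and a firewall rule allowing traffic between the tun interface and the LAN), and the LAN hosts must reach the remote prefixes through that router, either because it is their default gateway or because their gateway carries a static route for each remote LAN pointing at it. Static-key mode means one symmetric key per link with no automatic rekeying; if that is a concern, the same `route`/`ifconfig` layout works in TLS mode with per-router certificates.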
If the WAN-connecting routers on both sites support it, an IPSEC VPN sounds like the sensible option. Alternatively, a firewall or dedicated VPN-termination box (and possibly some static routing) should make it transparent to the individual computers that you're hauling the packets across a VPN.
There are lots of good VPN solutions out there, but sometimes you need something quick and dirty. You can set up a VPN using PPP over SSH. This solution has lots of drawbacks but the advantage is that it needs no special tools or programs, just standard ssh and ppp. It could probably work on Windows too with a little tweaking.