I am running the main server for my company and would like to set up a VPN so that the remote offices (in different countries) could be in the same network.
I would like to achieve the following network structure:
 --------------                                  --------------
| Remote Net 1 | ------------------------------ | Remote Net 2 |
| 192.168.2.X  |                |               | 192.168.3.X  |
 --------------                 |                --------------
                                |
                       -----------------
                       |  The Internet |
                       -----------------
                               |
                               |
                       -----------------
                       | Local Network |
                       |  192.168.1.X  |
                       -----------------
I would like it to be that all the computers are visible and can communicate and use the network services in the other LANs (i.e. local net can use the file server in remote net 1, and a computer on remote net 1 can use the file server from local net).
Details: all clients use Ubuntu 10.10 and the main server runs Debian Lenny. Preferably the VPN server will be OpenVPN.
Could someone please advise me how I should go about implementing this system?
Help would be greatly appreciated, Thanks, RayQuang
If you run one client on each remote network, and have client-to-client enabled in the server config, they can communicate with each other. To also let clients behind each gateway at the remote networks communicate, you need to use 'iroute' through ccd.
If you don't intend to route all traffic through "local network", you probably need static routes on each side to know about the networks behind the other VPN ends. You can push the routes using the "push" command in the OpenVPN server config.
I would aim to first create a basic server config and connect the two remote sides. Once they can communicate with the server, you can use iroute (through ccd) and push routes to get them to find each other through the VPN server (and of course the networks behind the VPN server).
Hints: use udp, use tun, start without any additional settings for mtu/mssfix/fragment (run clients with --mtu-test in case of problems). Use a non-192.x network for the VPN communication.
You obviously need ip_forwarding and ACCEPT rules in iptables FORWARD chain for this to work, but apart from that I think it's a fairly simple setup.
There are excellent examples at http://openvpn.net/index.php/open-source/documentation/howto.html.
Edit: Like Harv said, it can make sense to connect Remote net 1 & 2 directly to each other.
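The answer above lists the pieces (udp, tun, client-to-client, iroute through ccd, pushed routes, ip_forward and FORWARD rules) without showing them together. The script below is an added example, not code from the answer or from the OpenVPN project, that generates those pieces for the three-site layout in the question. Everything site-specific is a constructed assumption: a tunnel subnet of 10.8.0.0/24 (a non-192.168 range, as advised), remote gateway certificates with CNs remote1 and remote2, LANs 192.168.1.0/24 behind the server, 192.168.2.0/24 behind remote1 and 192.168.3.0/24 behind remote2, and eth0 as the server's LAN interface.

```shell
#!/bin/sh
# Added example, not part of the original answer: generates the OpenVPN
# hub-and-spoke pieces the answer describes (udp, tun, client-to-client,
# per-client iroute via ccd, pushed routes, ip_forward + FORWARD rules).
# Constructed assumptions, adjust to your site:
#   tunnel subnet 10.8.0.0/24 (a non-192.168 range, as advised)
#   remote gateway certificate CNs are "remote1" and "remote2"
#   LAN behind the server 192.168.1.0/24, behind remote1 192.168.2.0/24,
#   behind remote2 192.168.3.0/24; the server's LAN interface is eth0

VPN_NET="10.8.0.0"
VPN_MASK="255.255.255.0"
LOCAL_NET="192.168.1.0"
LAN_MASK="255.255.255.0"
LAN_IF="eth0"

# Server config. 'route' adds the kernel route for each remote LAN via tun.
# The server's own LAN is pushed to every client; the route to the *other*
# remote LAN is pushed per client from its ccd file (see gen_ccd_entry), so a
# gateway is never handed a route to the subnet it is directly attached to.
gen_server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server $VPN_NET $VPN_MASK
topology subnet
client-to-client
client-config-dir ccd
push "route $LOCAL_NET $LAN_MASK"
route 192.168.2.0 $LAN_MASK
route 192.168.3.0 $LAN_MASK
keepalive 10 120
persist-key
persist-tun
verb 3
EOF
}

# ccd/<CN> file: 'iroute' tells the OpenVPN process which LAN sits behind this
# client (the kernel 'route' above only gets the packet into the tun device);
# the push hands this gateway the route to the other remote LAN.
# usage: gen_ccd_entry <own LAN> <other remote LAN>
gen_ccd_entry() {
    own="$1"; other="$2"
    printf 'iroute %s %s\n' "$own" "$LAN_MASK"
    printf 'push "route %s %s"\n' "$other" "$LAN_MASK"
}

# Forwarding that must be enabled on the server (and equivalently on each
# remote gateway): ip_forward plus FORWARD rules limited to tun<->LAN traffic
# rather than a blanket ACCEPT on the whole chain. Printed, not executed.
gen_forwarding_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun0 -o $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o tun0 -j ACCEPT
EOF
}

# Write server.conf, the two ccd files and the forwarding commands into a
# directory for review before anything is applied.
write_configs() {
    dir="$1"
    mkdir -p "$dir/ccd"
    gen_server_conf > "$dir/server.conf"
    gen_ccd_entry 192.168.2.0 192.168.3.0 > "$dir/ccd/remote1"
    gen_ccd_entry 192.168.3.0 192.168.2.0 > "$dir/ccd/remote2"
    gen_forwarding_cmds > "$dir/forwarding.sh"
    echo "wrote $dir/server.conf, $dir/ccd/remote1, $dir/ccd/remote2, $dir/forwarding.sh"
}

# Usage: sh openvpn-hub.sh /etc/openvpn   (no argument: just print server.conf)
if [ $# -gt 0 ]; then
    write_configs "$1"
else
    gen_server_conf
fi
```

Each remote gateway runs a plain OpenVPN client config (udp, tun, the same CA) and needs its own ip_forward and FORWARD rules for its LAN interface; hosts on the remote LANs then only need the gateway as their route to the other two networks.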
I would think the easiest way to do this would be to get actual VPN routers. Have one at each office, each on its own static IP. The two branch offices would connect to the main office. If you wanted to get a bit more fancy (and complex...) you would have each VPN router connect to each other VPN router... I'm not sure how that would work though.
I haven't used OpenVPN but I had used the IPSec network-to-network configuration to achieve a similar setup. In a network-to-network setup your clients wouldn't need a VPN client either. For them, accessing the hosts on the other network would be like accessing a local host, minus the latency. The IPSec endpoint would serve as an IPSec router doing all the encryption and decryption.
I had used this setup to create IPSec tunnels between India and US and it worked very well for me.
If RHEL/CentOS is an option then setting this up would be a breeze. Just follow the guide. It is definitely possible in Debian/Ubuntu too but I don't have experience with them.
http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-ipsec-net2net.html