I have 2 networks
HOSTED: 10.0.1.0/24 (hosted server infrastructure (web-apps, databases, etc))
OFFICE: 10.0.2.0/24 (office infrastructure (file & print, databases))
Each has an ubuntu (NAT+Proxy) based firewall at 10.0.[12].1. (10.04 LTS server).
Each firewall has a second interface to the Internet (Internet-routable static IP presented on a standard ethernet interface).
Server infrastructure on both HOSTED and OFFICE is VMware ESXi-based.
Networks are not heavily used - it's a 35-person company, so we're not needing a full, enterprise-class solution here.
Workstations are MacOSX, Windows, Linux, and Windows VPN clients, in particular, need to be idiot-proof.
I want do the following:
Connect both these networks together over a VPN (routed rather than bridged, I guess(?)) such that all hosts in the HOSTED and OFFICE networks can readily communicate with hosts on the other network (N2N VPN) regardless of where the connection was initiated from.
Provide generic VPN services to mobile users such that these users can access both the HOSTED and OFFICE network once their VPN clients have logged in. (CLIENT-VPN).
Question: Using free or cheap technologies, how should I best set this up? My thoughts so far have been:
- OpenVPN VMWare images, one on each network - this looks affordable and looks impressive, but seems to be CLIENT-VPN centric, rather than N2N centric. Also, it looks as if the VPN software needs to run on my firewall hosts in order to do the N2N VPN. I'm not keen to replace my firewalls with these OpenVPN virtual machines.
- Hand-roll only the N2N VPN (how?) on my existing firewall machines, and then deploy the OpenVPN VMware image on my OFFICE network behind my current firewall, and have this manage only the CLIENT VPN traffic (via port forwarding on the OFFICE firewall).
- Use DD-WRT or similar?
I don't have a view on the relative benefits of PPTP, IPSec, SSL-VPN although I think the latter is probably best (gut-feel). I don't run WINS or anything other than IP on the networks, so I don't think bridging is needed. I will probably set up some kind of split-brain DNS infrastructure on the 2 networks to provide name services on the 10.x.x.x networks.
I'd welcome any suggestions on network architecture, VPN platform selection and solution design.
Thanks
OpenVPN is definitely versatile enough for network-to-network as well as client-to-network VPN in one installation - we've done it at numerous occasions with good results. The beauty of using OpenVPN lies in the option of having it set up redundantly with dynamic routing protocols - something that is not done as easily with IPSEC solutions.
But OpenVPN clients might be not as foolproof as your users would require it to be - you'd need to do some user acceptancy tests beforehand.
Whether you use ESXi VMs or separate router devices with DD-WRT or OpenWRT is a question of your performance, management and availability requirements - technically, you would run Linux and OpenVPN in either case.