Connect two networks over Internet with VPN?

I am just starting to put together some ideas for an upcoming project. Basically I have a site with 16 client computers, connected to the internet with two DSL modems. I purchased the Linksys RV016 router to load balance between the two lines. This site will be accessing a server in a remote location on a separate network.

I am not sure how to connect the clients to the server, and make it transparent to the end user. I believe the server and clients should be on the same network connected via VPN. Not sure how to implement... perhaps there is a better solution. The router is capable of terminating VPN connections.

The basic setup is:
Server (public IP) ---> Router (no NAT) ---> Internet <--- RV016 (NAT) <--- Client Workstations

The 16 clients will need to see the server and upload/download files via CIFS. I need something that is reliable... that won't block NETBIOS broadcasts. One solution that came to surface is simply installing the VPN client software on the server and connecting to the VPN gateway at the site. However, I am not sure how reliable this is... and again perhaps there is a better (more reliable) method. If the VPN connection goes down the clients will not be able to locate the server.... it's not possible for the end-user to bring the VPN connection online if the server is connecting with a client. I may be going about this all wrong, my network experience is limited.
 
Is the router on the other end capable of doing a site to site VPN? If so you'll want to NAT the server on the remote side. If both routers are capable of a site to site VPN that is probably your best bet as it encrypts all the traffic but allows the remote server to basically be an extension of your internal network.

If both routers are capable I would recommend a site-to-site VPN, you manage it on the routers and leave the clients out of the picture.
 
Don't hang the server on a public IP...get it behind another NAT box..like another RV0. Setup an IPSec router to router VPN tunnel between the two. Server nice and safe behind NAT, clients nice 'n safe behind the NAT, full time connection in between.

IMO, VPN tunnels done via hardware at each end are more reliable and perform better than software client tunnels.

A rock solid alternative....pair of PFSense boxes at each end.

PFSense also does well with IPSec tunnels to RV0 units....I run PF at home, we have an RV016 at the office..tunnel from home to office is solid for me.
 
No the router on the other end is not within my control. I work for a small research center within a University. If I did have a router capable of terminating a VPN connection, why do I need to NAT the server? I am not sure if I understand what you are saying? The single server, located at the University, must be accessible to local clients and also (on a separate network) available to clients at the remote site.
 
Is the router on the other end capable of doing a site to site VPN? If so you'll want to NAT the server on the remote side. If both routers are capable of a site to site VPN that is probably your best bet as it encrypts all the traffic but allows the remote server to basically be an extension of your internal network.

If both routers are capable I would recommend a site-to-site VPN, you manage it on the routers and leave the clients out of the picture.

When you say capable routers, you mean a router capable of terminating a VPN connection? I am not sure how routing is handled between these two different networks. At what point does a router become a gateway between these two networks?
 
Don't hang the server on a public IP...get it behind another NAT box..like another RV0. Setup an IPSec router to router VPN tunnel between the two. Server nice and safe behind NAT, clients nice 'n safe behind the NAT, full time connection in between.

IMO, VPN tunnels done via hardware at each end are more reliable and perform better than software client tunnels.

A rock solid alternative....pair of PFSense boxes at each end.

PFSense also does well with IPSec tunnels to RV0 units....I run PF at home, we have an RV016 at the office..tunnel from home to office is solid for me.

Well the server needs to be accessible via the public IP, a public website will be hosted from their server. There will be a few local users connecting to the server as well. Can you please explain the concept of NAT... perhaps I am confused.

When you do a router/router tunnel, is routing between the networks performed? If so, how is this done. My network skills are very limited, I apologize in advance.

Can you explain more about your PFSense and RV016 tunnel. How does this work? Starting with the basics, you are opening an encrypted communication channel between the two networks. Now addressing and broadcasting comes into play between these two networks. Is it assumed they are on the same network/subnet? Is there a single DHCP server that serves IP addresses to both sides of your VPN tunnel?

Thanks
 
A server can still be accessible by the public even when it's behind a router (and NAT). You open/forward the bare minimum of ports necessary to make that service available to the public side. For example...a web server, that's port 80, so you'd forward port 80 on the firewall to the internal IP address of the server. This way..requests on port 80 hitting the public IP side of the router get translated to the internal IP address of the server. This way, all the other 65,000 ports on your server remain hidden behind the NAT firewall...protected. If you take a Windows server..and stick it on a public IP address (so no NAT router, no firewall)...it has over 65,000 ports exposed. You can bet within a minute or two it's already been poked and probed and there may already be some baddies in it. There are quite a few steps in stripping services and locking down Windows server to help make it more secure on a public IP address, but even then...it's still a risk.

However...side note..you mention public website..and internal network...other internal clients on the network...these are two things that are commonly frowned upon. http/port 80 traffic is very heavily exploited, quite a gaping hole. Web servers are more commonly kept apart from the primary internal network.

Router to router tunnel....yes.
Network A 192.168.0.xxx
Network B at another location across the state, 192.168.2.xxx

Both sites have a router which does VPN tunnels, and they're configured to run a tunnel together. So if you're sitting at Network A, and you ping a computer's IP address at Network B...you can get replies, basically the networks are connected. DHCP is usually run at each branch location, it is usually set to not pass through the tunnel. DNS is properly setup at each location so browsing by name can occur. You can browse the network places and see the other network just like it is part of your own, if setup correctly.
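The following is an added example, not from any poster in this thread, that models the policy the reply above describes: one forwarded port on the public side, LAN-to-LAN traffic carried by the IPsec tunnel, broadcasts (DHCP, NetBIOS name queries) kept on their own LAN, and everything else NATed to the Internet. The subnets follow the reply; the internal server address 192.168.0.10 and the port-forward table are assumptions.

```python
# Added example (not the thread's own configuration): decide how each packet
# is carried in a two-site NAT + router-to-router IPsec setup.
import ipaddress

SITE_A = ipaddress.ip_network("192.168.0.0/24")   # university side (Network A)
SITE_B = ipaddress.ip_network("192.168.2.0/24")   # remote site behind the RV016
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
# Only the public web service is forwarded through the NAT firewall.
# The internal server address is an assumption for this example.
PORT_FORWARDS = {80: ("192.168.0.10", 80)}


def forward_path(src: str, dst: str) -> str:
    """How a packet leaving a LAN host is carried, per the reply's description."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local = SITE_A if s in SITE_A else SITE_B if s in SITE_B else None
    if local is None:
        raise ValueError("source must be in one of the two LANs")
    remote = SITE_B if local is SITE_A else SITE_A
    # Broadcast and multicast (DHCP discover, NetBIOS name queries, mDNS)
    # stay on the LAN: a routed tunnel does not carry them to the other site.
    if d.is_multicast or d == LIMITED_BROADCAST or d == local.broadcast_address:
        return "dropped"
    if d in local:
        return "local"            # same LAN, router not involved
    if d in remote:
        return "ipsec-tunnel"     # encrypted router-to-router path
    return "nat-internet"         # everything else is NATed out the WAN


def inbound_from_internet(dst_port: int) -> str:
    """Unsolicited traffic hitting the public IP: forwarded or silently dropped."""
    target = PORT_FORWARDS.get(dst_port)
    if target is None:
        return "dropped"          # all other ports stay hidden behind NAT
    return f"forward -> {target[0]}:{target[1]}"


if __name__ == "__main__":
    # Constructed sample flows: a remote client reaching the CIFS share,
    # a NetBIOS broadcast, and two probes against the public IP.
    print(forward_path("192.168.2.20", "192.168.0.10"))
    print(forward_path("192.168.2.20", "192.168.2.255"))
    print(inbound_from_internet(80))
    print(inbound_from_internet(3389))
```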

 