Two Remote Sites Connecting Via VPN

BuGaLoU ([H]ard|Gawd, joined Apr 24, 2002, 1,156 messages)
I have a pretty typical challenge here with a few minor nuances causing me trouble in how to set this up. I just moved into a new house and would like to connect with the computers in the previous house. Both places have a broadband ISP. A VPN solution seems ideal, but I am not sure how to approach it. Once a network is in place I would like to set up a Windows 2k3 DC at the old place talking back to a master DC at the new place. No static IP is in place; both sites have a dynamic IP. The old site is set up with dyndns and I plan to do the same with the new site.


Goals:
* Single AD domain for both houses
* Routing setup in a way to allow access to any machine between the two networks.
* Seamless as possible. I need things to "just work" at the old house. (parents at old house :) )
* Internet traffic will route out via local ISP pipe. Traffic on the LAN will route over the VPN tunnel as needed.

Networks:
* Old House: 3 clients, all windows XP. Linksys VOIP router doing NAT
* New House: 6 clients, 1 vista, 1 linux, 3 XP, 1 Windows 2k3 box (Domain controller). Linksys WRT 54G doing NAT.

Resources:
* 1 basic laptop (planned to set it up as the old house's remote DC. A small footprint would be a plus for this area.)
* 1 WRT54G V4 running HyperWRT (Wireless at new site and NAT)
* 1 WRT54G V5 running factory firmware (Wireless AP only)
* $1000 budget, cheaper is better though.



I would like to keep the NATing as is, but I realize some things will more than likely need to be moved around. I was looking at the HotBrick routers too as they seem to fit the bill. I could probably figure this all out myself, but I figured someone has already pulled this off. Any suggestions would be appreciated.
 
You could set up a site-to-site VPN tunnel using pfsense or untangle boxes. Then you would change the wireless routers to run in AP mode and not do any routing/NATing.
 
If this is just for home use, just flash a few routers with dd-wrt and try openvpn. That would be cheap.

Only reason I mention it is I saw you mentioned your parents' house for the VPN.

But for business I use 2 freeguard 100 UTM firewalls from freedom9 for firewall/VPN.
 
I'm a big fan of the netscreen firewall/VPN units; I work with them on a daily basis. It's good kit, rock solid, and a piece of piss to work with. As this is only for 'home' use, there is tons of ex-corporate netscreen kit available on the bay for not a huge amount of cash. Even something like a pair of 5-GTs would probably suffice for this, dependent upon whether you want to all of a sudden grow your home network, and also what internet bandwidth you're looking at. Enterprise kit at home is always nice. If you fancy giving the netscreen kit a go, and you want some help with the config, drop me a line.
 
A site-to-site VPN can easily be accomplished using one of many VPN protocols. Because both sites are on dynamic IPs, an IPSEC VPN will require a fair bit of tinkering for it to work, and to be honest I don't think IPSEC is the right protocol for such simple use. I'd recommend either using Windows 2003's RRAS capabilities to use PPTP to set up a site-to-site VPN, OR using a Linux firewall box to set up a site-to-site openvpn connection. OpenVPN would be the most simple solution: just set up two pfsense routers using some cheap piece of shit off ebay (128 meg RAM, a P3 and 2 network cards isn't very expensive).

It's either these two solutions or expensive hardware routers and IPSEC (which for home use is total overkill, and expensive). Then turn all of your wireless routers into access points, keep hold of your $1000 and spend it on your sweetheart or get some more useful computer stuff.

If you want some help setting this up I'd be willing to help.
 
Thus far the pfsense boxes seem like the best solution for my challenge. How would these guys work with the VOIP linksys at the old house? Would it need to be before or after it? I would think I could disable the NAT portion on that box and use it as a voice gateway only, but I don't have a lot of experience with this device. I don't want to be double NATing.
 
I use pfsense for many site-to-site VPNs. A trick that helps a lot is to set up some dyndns.org accounts for each site, and have the pfsense box check them in and keep them updated (there is a config page for that in the pfsense admin panel). Say, newhouse.dyndns.org and oldhouse.dyndns.org... this way the 2 firewalls can look each other up by name to make their connection to each other (since you'll be on dynamic IPs).

Second, the VoIP stuff should be behind the firewall, just like any other host. There will be some sort of configuration that directs them to the IP on the other end of the VPN (well, the ones I've configured over a VPN are a phone to a PBX located on the other end, but the network config is the same... they are basically network hosts that traverse the firewall/VPNs).

Finally, you'll need to get your TCP/IP straightened out before you start. Both sites need to have separate subnets. For example, one site will be 192.168.0.0/24, and the other site will be 192.168.1.0/24. Locally, they are not compatible, but over the VPN they will talk to each other.

If you have a Windows server, I would use that for your DHCP and DNS. Set up an Active Directory, and have all the computers check in, and the server will keep all the DNS records updated (and yes, it will look up anything you need to resolve on 'the internet' as well).
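Added illustration, not posted by anyone in this thread: the raw OpenVPN 2.x site-to-site configuration that the pfsense GUI setup described above boils down to, one file per site. It uses the thread's dyndns names and subnets; the 10.8.0.x tunnel addresses, the pre-shared key path and the port are assumptions. The key is generated once with `openvpn --genkey secret site2site.key` and copied to the other firewall over a secure channel, never over the not-yet-existing tunnel.

```conf
# --- new house firewall (listens; LAN 192.168.0.0/24): /etc/openvpn/site2site.conf ---
dev tun
proto udp
port 1194
# Pre-shared static key, identical on both firewalls (assumed path)
secret /etc/openvpn/site2site.key
# Tunnel endpoint addresses (assumed); must lie outside both LAN ranges
ifconfig 10.8.0.1 10.8.0.2
# Send traffic for the old house's LAN into the tunnel
route 192.168.1.0 255.255.255.0
# Accept the peer from whatever address its dynamic IP currently is
float
# Detect a dead tunnel after 60s and reconnect (covers the peer's IP changing)
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
verb 3

# --- old house firewall (connects out; LAN 192.168.1.0/24): /etc/openvpn/site2site.conf ---
dev tun
proto udp
# Look the other end up by its dyndns name; keep retrying if the lookup fails
remote newhouse.dyndns.org 1194
resolv-retry infinite
nobind
secret /etc/openvpn/site2site.key
ifconfig 10.8.0.2 10.8.0.1
# Send traffic for the new house's LAN into the tunnel
route 192.168.0.0 255.255.255.0
float
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
verb 3
```

Because each pfsense box is its site's default gateway, the `route` line on each side is the only routing the LAN clients need; the new house firewall must additionally allow inbound UDP 1194 on its WAN, and the tunnel interface needs a firewall rule permitting traffic from the far subnet.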
 