Re: [Openvpn-users] RE: Questions about openVPN

  • Subject: Re: [Openvpn-users] RE: Questions about openVPN
  • From: John Locke <mail@xxxxxxxxxxxx>
  • Date: Mon, 22 Mar 2004 12:09:21 -0800

On Mon, 2004-03-22 at 12:15, Michael Kelly wrote:
> Hello all,
> I am considering the installation of a VPN to connect our offices to a
> couple of other remote offices. I will give our basic setup and then
> pose my questions.
> Currently our office connects to the Internet via a DLink DI-624
> wireless hardware router. Behind the router there are approximately 12
> Windows desktop machines, and 2 RedHat Linux 9.0 machines, one set up
> with Apache as a web server and one set up with Samba as a file server.
> The first office I would like to link up with via VPN is protected with
> the same hardware router (DLink DI-624) and has a few Windows client
> machines behind it on the network.

The hardware router won't be a problem at all.

> I want to be able to give the remote office full access to the Linux
> File server in our office and allow them to map a drive as if they were
> connected directly to my LAN. Remote access to any other machine would
> be nice, but not necessary.

The biggest issue is going to be managing all these individual remote
machines, vs. having one end connection for the entire site.

> The biggest challenge I see if I chose to go this route is getting the
> VPN to pass through the hardware router,

No issue at all. That's one of the great things about OpenVPN.

>  if it is at all possible. I can
> set up a firewall rule(s) to allow two-directional pass through of UDP
> port 5000 for openVPN to use,

If both ends know the IP address of the other end, it's not even
necessary to open ports. Much easier, though, since you have one end
with a dynamic address, to just forward VPN ports on the router on the
static side to whatever machine you use as your OpenVPN gateway. Then
have the client side initiate the connection.

>  but I do not know, nor could I find any
> information on whether or not openVPN will work through a hardware
> router. If someone could give me a heads up on this it would be
> appreciated. The firewall does allow VPN pass-through, but with
> protocols such as IPSEC.

Works fine. VPN pass-through features are not necessary.

> Second thing refers to dynamic IP address. The remote office is served
> its Internet connections via a dynamic IP address and I am wondering
> what challenges, if any, will be presented given this situation.

Initiate the connection from the remote office. Keep OpenVPN running (or
use the xinetd option) on the local office end, and forward enough UDP
ports to handle your connections.

> I think that is enough to get me started as knowing details about the
> above two things will let me decide if openVPN is a viable solution to
> what I am trying to do.

Now, the issues. You're going to have to decide whether you're going to
bridge or route. If you route, you can set up a mostly permanent
site-to-site VPN tunnel, and the entire remote office will be able to
see the entire local office. You need to be able to add static routes to
your Linksys routers for this to work--some models provide this feature,
others don't. For this to work with Windows networking/file sharing,
you'll need to set up a WINS server (very easy to do with Samba) and
tell all computers on both networks to use it.

If you bridge, you won't need to use WINS--but you'll have to set up and
manage a separate tunnel for each computer. (There are ways around this,
but they give me a headache trying to understand how...)

John Locke
Open Source solutions for small business problems
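
The routed site-to-site setup described in this reply, sketched as a pair of OpenVPN configuration files. This is an added example, not configuration from the thread or from the OpenVPN project; it uses OpenVPN 2.x option names, and the host name, LAN subnets, tunnel addresses and certificate file names are assumed placeholders.

```conf
# ---- office.conf: static-address side -------------------------------
# Runs on the Linux machine that the office router forwards UDP 5000 to.
dev tun
proto udp
port 5000                         # UDP port mentioned in the thread
# No "remote" line: this end only listens, so it never needs to know
# the remote office's current (dynamic) address.
float                             # follow an authenticated peer if its address changes
ifconfig 10.8.0.1 10.8.0.2        # local / peer tunnel endpoints (assumed)
route 192.168.2.0 255.255.255.0   # remote office LAN via the tunnel (assumed subnet)
tls-server
ca   ca.crt                       # assumed file names
cert office.crt
key  office.key
dh   dh.pem
ping 15                           # keep the NAT mapping on both routers alive
ping-restart 60                   # restart if the peer is silent for 60 s
persist-tun
persist-key
verb 3

# ---- remote.conf: dynamic-address side, initiates the connection ----
dev tun
proto udp
remote office.example.com 5000    # placeholder for the office's static address
nobind                            # outbound only: no forwarded port needed here
ifconfig 10.8.0.2 10.8.0.1
route 192.168.1.0 255.255.255.0   # main office LAN via the tunnel (assumed subnet)
tls-client
ca   ca.crt
cert remote.crt
key  remote.key
ping 15
ping-restart 60
persist-tun
persist-key
verb 3

# Outside OpenVPN, on each site:
#  - the LAN router needs a static route for the other site's subnet
#    pointing at the local OpenVPN gateway machine
#  - the gateway machine must have IP forwarding enabled
#  - only UDP 5000 is forwarded, and only on the office router
```

Because the only inbound exposure is the single forwarded UDP port on the office router, the remote office's router needs no port forwarding at all.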
