
I need to find a good software solution to implement a VPN so that a new branch office can use the applications in our main office without security problems.

I need it to be very reliable and almost transparent to the end user.

Any hints?

We have both Linux and Windows desktops/servers on both ends.

Pitto
  • Do you mean "free OR affordable" ? – mfinni Apr 01 '11 at 12:56
  • I'm sorry for being not really accurate. The word "free" has the most beautiful sound ever :) – Pitto Apr 01 '11 at 13:28
  • PS: I need a really stable solution. – Pitto Apr 01 '11 at 13:29
  • How much throughput do you need between offices? Lower end solutions are only going to get you a couple of Mb/s. – 3dinfluence Apr 01 '11 at 15:30
  • I'll check this ASAP... I thought that the main bottleneck could be internet speed, or am I wrong? What could be the bottleneck? The hardware used to set up the VPN? – Pitto Apr 01 '11 at 16:10
  • Well, the internet connection is certainly a bottleneck. But encryption is pretty CPU intensive, so on low-powered hardware it's something to be mindful of. For instance, pfSense on an ALIX-based system with an 800MHz AMD Geode CPU will max out at around 6-8Mb/s of IPSEC throughput depending on the encryption cipher being used. To go faster you either need more raw CPU power or dedicated crypto hardware. There is an encryption accelerator available for the ALIX boxes, for instance, that can quadruple the throughput. – 3dinfluence Apr 01 '11 at 17:49

4 Answers


Maybe your edge router supports a VPN? Check the docs. If not, without changing your edge router, one possibility is to buy a couple of inexpensive routers and install a VPN build of DD-WRT or OpenWrt. Then use OpenVPN or IPSEC. I prefer OpenVPN as it's easier to set up.

You can install the routers behind other firewalls. You'll need to ensure the firewall allows the VPN traffic. And, on the server end (the router that runs the OpenVPN server), you'll need to ensure that the firewall at that end has a hole poked in it from the source IP of your other branch office so that it can link up.

Then at both ends, put a static route to the foreign network to point to the new VPN router.

I did this a couple of years ago and it worked great. You do have to watch that the private IP ranges of the two networks are different, though.

Also, it'd be helpful to add a DNS server to the branch office network to reach the servers at the head office by their private IP. If you happen to have a local domain controller then that should be easy. Don't even think about putting the domain controller for the branch office on the other side of the VPN. Your users will hate you if you do that. Seen that done before... yuck!

If you need higher performance, consider using Mikrotik routers with RouterOS. They are also very inexpensive and may be a bit quicker. There are also some quite fast Asus routers that work really well under OpenWrt.

It's hard to know what's best really because you haven't said anything about the existing equipment.

hookenz
  • Site-to-site VPN is the best option, and the only one that's transparent to end-users. They don't do anything, you're configuring the infrastructure. – mfinni Apr 01 '11 at 13:39
  • I've used Zeroshell on both ends (openvpn): super easy setup and great functionality! :) – Pitto Jun 01 '11 at 16:33
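The site-to-site setup described in this answer (non-overlapping LANs, OpenVPN routes at both ends, a static route on each LAN pointing at its VPN router, and a firewall hole only for the branch's source IP) as an added worked example; this is not code from any answer on the page, and all addresses, router names and the `ccd` client name are constructed placeholders.

```python
import ipaddress

# Constructed placeholders for this example (private / documentation ranges only)
HEAD_LAN = "10.10.0.0/24"        # LAN behind the OpenVPN server router at the head office
BRANCH_LAN = "10.20.0.0/24"      # LAN behind the OpenVPN client router at the branch
TUNNEL_NET = "10.8.0.0/24"       # addresses OpenVPN assigns on the tunnel itself
HEAD_VPN_ROUTER = "10.10.0.2"    # LAN address of the VPN router at the head office
BRANCH_VPN_ROUTER = "10.20.0.2"  # LAN address of the VPN router at the branch
BRANCH_WAN_IP = "198.51.100.7"   # branch public IP that the head-office firewall must admit
VPN_PORT = 1194                  # OpenVPN's default UDP port


def ranges_disjoint(*cidrs):
    """True only if no two ranges overlap: overlapping LANs cannot be routed over a VPN."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def openvpn_site_to_site(head_lan, branch_lan, tunnel_net):
    """Return OpenVPN directives: server.conf lines and the per-client ccd file lines."""
    if not ranges_disjoint(head_lan, branch_lan, tunnel_net):
        raise ValueError("head LAN, branch LAN and tunnel range must not overlap")
    h, b, t = (ipaddress.ip_network(c) for c in (head_lan, branch_lan, tunnel_net))
    server_conf = [
        f"server {t.network_address} {t.netmask}",
        f'push "route {h.network_address} {h.netmask}"',  # client router learns the head LAN
        f"route {b.network_address} {b.netmask}",          # server kernel route to the branch LAN
        "client-config-dir ccd",                           # ccd/<client CN> holds the iroute below
    ]
    ccd = [f"iroute {b.network_address} {b.netmask}"]     # OpenVPN maps the branch LAN to this client
    return server_conf, ccd


def static_routes(head_lan, branch_lan, head_router, branch_router):
    """Static route each LAN's default gateway needs, pointing at its own VPN router."""
    return {
        "head_office": f"ip route add {branch_lan} via {head_router}",
        "branch_office": f"ip route add {head_lan} via {branch_router}",
    }


def firewall_hole(branch_wan_ip, port=VPN_PORT):
    """iptables rule for the head-office firewall: admit OpenVPN only from the branch WAN IP."""
    return f"iptables -A INPUT -p udp -s {branch_wan_ip} --dport {port} -j ACCEPT"


if __name__ == "__main__":
    conf, ccd = openvpn_site_to_site(HEAD_LAN, BRANCH_LAN, TUNNEL_NET)
    print("\n".join(conf + ["# ccd/branch-router:"] + ccd))
    for site, cmd in static_routes(HEAD_LAN, BRANCH_LAN, HEAD_VPN_ROUTER, BRANCH_VPN_ROUTER).items():
        print(f"{site}: {cmd}")
    print(firewall_hole(BRANCH_WAN_IP))
```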

This is a rather broad question but I'd suggest replacing the edge routers at each site with something running IPCop ( http://www.ipcop.org ), pfSense ( http://www.pfsense.org ) or some other free gateway/firewall distribution.

This way you can build and manage the VPNs on the gateways and the inter-office connectivity will be transparent to the users.

James Yale

You don't mention what OSes are on the clients / available on the gateways / running on the routers; this would have been helpful.

Previously I'd tried with IPSEC - but even without NAT, it proved difficult to get products from different vendors to speak to each other - admittedly that was a long time ago.

I've used OpenVPN, which is simple and works well, and also PPP over stunnel.

symcbean

With tunnelling you can access applications at your local system from a remote system.

For more details regarding tunnelling, check this link.

http://techtrunch.com/commands/ssh-port-forwarding

Note: You can forward any ports with tunnelling. In the above link, the port being forwarded is 22. If you forward port 80 [HTTP], you can access your local web application from a remote machine.

Example: Suppose you want to use a web application at your main office from new branch office.

Assuming the web application is running at the port 80.

Forward port 80 of the main office system:

ssh root@a_remote_server -R 8080:XX.XX.XX.XX:80   # -R remote_port:host:host_port: port 8080 on a_remote_server reaches port 80 of the main office host

Then log in to the server a_remote_server from a system at your new branch office:

ssh root@a_remote_server

Then type

localhost:8080 in a browser on a machine in the new branch office.

Suku