1

I have the following scenario. A computer is connected to a private network. I do NOT have access to modify anything on this private network. I am just supplied with a network cable.

The computer running on the network has an IP 172.20.20.15, and on the computer there is an application that requires exactly the given network settings so it can connect to a back-end database somewhere behind the private network.

Now the idea is that I would like to move the computer to another location. I have internet access at both locations.

I understand that I could put two routers that support a VPN server on both ends (Router A & Router B).


I found a VPN router WN-300ARM-VPN, but after having gone through their documentation I found out that I could connect something like 2 different networks, so it seems that does not suit me.


Making the story short, can you suggest what type/make of equipment I could buy so I can extend the private network over the internet? The main thing is that I should keep the same IP settings.

Thank you all for your time, all suggestions are more than welcome.

Adnan
    I can't make recommendations for any particular hardware/software platform, but you will probably need to look into layer 2 vpn solutions – becomingwisest Sep 19 '11 at 18:19
  • Are you really sure you want the same range on both sides? If your link is low speed, or is not very reliable you will almost certainly want the two networks to be able to operate separately. This will be more difficult to do with a single subnet. Even if you bridge the networks, and keep the same IP, you would have to have a different gateway address on each side, if you didn't want ALL traffic to cross the VPN and exit from main site. – Zoredache Sep 19 '11 at 18:21
  • BTW, [shopping recommendations](http://blog.stackoverflow.com/2010/11/qa-is-hard-lets-go-shopping/) are not on topic here really. – Zoredache Sep 19 '11 at 18:22
  • @Zoredache, I need the exact same IP settings including the gateway for the application to run. I am planning to move the computer from the old location. I am only interested in having a connection with the private network. – Adnan Sep 19 '11 at 18:24
  • The key concept is a VLAN and I don't see that mentioned in your docs. – tony roth Sep 19 '11 at 18:54
  • I believe you have missed my point. If you bridge the two networks then your gateway address `172.20.20.1`, can only exist on one of the routers. The router that `172.20.20.1` is assigned to will be the router that all packets are delivered to for delivery to the Internet. If you leave it where it is, then all communication with the Internet will cross the VPN and exit to the Internet across the existing network. – Zoredache Sep 19 '11 at 19:11
  • Since your requirements are too strict, I cannot imagine anything more than connecting the local & remote machines via VPN and RDP to the machine in your original location to run the application (of course the old machine is not relocated, simply you are controlling it from a remote location..). Seems a bit of a challenging question. Let us see who can solve the puzzle :) – SparX Sep 19 '11 at 23:21

4 Answers

5

OpenVPN in bridging mode can do exactly this. I have used it extensively in this mode for similar purposes. To the network, it is indistinguishable from a switch that happens to have two ports in separate locations.

There is no need for special hardware. Any machine running Linux that has 2 NICs can do this. There are also some router distros, such as Vyatta, that will support this. You might be able to use something like DD-WRT as well but I am not sure about that one.

This is how I do it with openSUSE as the distro. It might be a little easier with something like Vyatta, but I've done this a bunch of times and it works perfectly:

Pick one machine to be a server. Perform the following tasks on that machine:

  1. Set up easy-rsa for key management (It's stored under /usr/share/openvpn/easy-rsa/2.0/ in openSUSE, but I make a copy under /etc/openvpn instead of using it in that location):

    • cd <easy_rsa location>

    • Edit the vars file and set the KEY_* params

    • . vars

    • ./clean-all

    • ./build-dh

    • ./pkitool --initca

    • ./pkitool --server mybridge-server

    • ./pkitool mybridge-client

  2. Create a bridge interface by creating the file /etc/sysconfig/network/ifcfg-mybridge, where you can substitute whatever name you want for mybridge:

    BOOTPROTO='none'
    BRIDGE='yes'
    BRIDGE_FORWARDDELAY='0'
    BRIDGE_PORTS='eth1'
    BRIDGE_STP='off'
    STARTMODE='auto'
    

2a. I am assuming that you will have eth1 as the "internal" interface here. You can actually set it up such that the server only uses a single NIC, which is actually what I would normally do in this situation, but I'm trying to keep it somewhat simple. If you want to try this, create the bridge as above, put eth0 in BRIDGE_PORTS instead and copy the IP information from the ifcfg-eth0 to ifcfg-mybridge. Then delete ifcfg-eth0, since your bridge will be the primary interface.

  3. Create an /etc/openvpn/mybridge-server.conf (assuming you made a copy of easy-rsa):

    port 1194
    proto udp
    dev mytun
    dev-type tap
    mode server
    tls-server
    
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/mybridge-server.crt
    key /etc/openvpn/easy-rsa/keys/mybridge-server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    
    keepalive 10 600
    comp-lzo
    fast-io
    user nobody
    group nogroup
    persist-key
    persist-tun
    
    script-security 2
    up mybridge-up.sh
    
    status /var/run/openvpn/mybridge-server-status
    verb 3
    
  4. Create the mybridge-up.sh file in /etc/openvpn to ensure that the openVPN interface is added to the bridge when it starts:

    #!/bin/bash
    # Called with these args:
    #   tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask [ init | restart ]
    /sbin/ip link set $1 up
    /sbin/brctl addif mybridge $1
    
  5. Ensure that openVPN starts on boot, and start/restart everything:

    • chkconfig --add openvpn

    • rcnetwork restart

    • rcopenvpn start

At this point, you will have a bridge interface called mybridge, containing the eth1 and mytun interfaces. Like any switch, Ethernet frames are passed through only if the destination MAC is present on the other side.

Now you can set up the client side:

  1. Create a bridge interface just like on the server by creating the file /etc/sysconfig/network/ifcfg-mybridge:

    BOOTPROTO='none'
    BRIDGE='yes'
    BRIDGE_FORWARDDELAY='0'
    BRIDGE_PORTS='eth1'
    BRIDGE_STP='off'
    STARTMODE='auto'
    
  2. Copy the ca.crt, mybridge-client.crt, and mybridge-client.key files to the client machine. I will use /etc/openvpn/keys/ in my example.

  3. Create an /etc/openvpn/mybridge-client.conf:

    proto udp
    dev mytun
    dev-type tap
    client
    
    remote hostname_or_ip_of_server 1194
    
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/mybridge-client.crt
    key /etc/openvpn/keys/mybridge-client.key
    
    float
    resolv-retry infinite
    nobind
    comp-lzo
    fast-io
    user nobody
    group nogroup
    persist-key
    persist-tun
    
    script-security 2
    up mybridge-up.sh
    
    verb 3
    
  4. Copy or create the mybridge-up.sh file from the server in /etc/openvpn.

  5. Just like on the server, ensure that openVPN starts on boot, and start/restart everything:

    • chkconfig --add openvpn

    • rcnetwork restart

    • rcopenvpn start

After all of that, any machines on either side will be able to talk to each other as if they were on the same physical segment. You could even serve DHCP from one side if you wanted, or remotely perform configuration of devices that come out of the box with pre-configured static IP addresses.

James Oakley
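As an added example (not part of James Oakley's answer and not OpenVPN project code), the POSIX shell lint below checks a tap/bridge config like the ones above for the directives the bridged setup depends on, and for two OpenVPN hardening directives that the answer's server and client configs leave out: `tls-auth`, which HMAC-signs the control channel so a peer without the shared key cannot even begin a TLS handshake, and `remote-cert-tls server` on the client, which rejects a server whose certificate was not issued with the server extended key usage, so a copied client certificate cannot be used to pose as the bridge server. The directive list is the author's choice here, the sample config is a constructed copy of the answer's client config with a placeholder server name, and `check_ovpn.sh` is an assumed file name.

```shell
#!/bin/sh
# Added example, not part of the answer above: lint an OpenVPN tap/bridge config
# for the directives a bridged setup needs, plus two hardening directives the
# answer's configs omit (tls-auth, remote-cert-tls server).
# Paths and hostnames below are constructed placeholders.

# count_missing FILE DIRECTIVE...
# Print "missing: <directive>" for each directive absent from FILE; the exit
# status is the number of missing directives. Comment lines (#) never match
# because the pattern anchors the directive to the start of the line.
count_missing() {
    conf="$1"
    shift
    missing=0
    for d in "$@"; do
        if ! grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$conf"; then
            echo "missing: $d"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_ovpn_conf FILE server|client
check_ovpn_conf() {
    conf="$1"
    role="$2"
    case "$role" in
        server)
            count_missing "$conf" "dev-type tap" "mode server" "tls-server" \
                "ca" "cert" "key" "dh" "tls-auth" \
                "user nobody" "group nogroup" "persist-key" "persist-tun"
            ;;
        client)
            count_missing "$conf" "dev-type tap" "client" "remote" \
                "ca" "cert" "key" "tls-auth" "remote-cert-tls server" \
                "user nobody" "group nogroup" "persist-key" "persist-tun"
            ;;
        *)
            echo "usage: check_ovpn_conf FILE server|client" >&2
            return 99
            ;;
    esac
}

# write_sample_client_conf FILE
# Constructed sample: the answer's client config with a placeholder server name.
write_sample_client_conf() {
    cat > "$1" <<'EOF'
proto udp
dev mytun
dev-type tap
client

remote vpn-server.example.invalid 1194

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/mybridge-client.crt
key /etc/openvpn/keys/mybridge-client.key

float
resolv-retry infinite
nobind
comp-lzo
fast-io
user nobody
group nogroup
persist-key
persist-tun

script-security 2
up mybridge-up.sh

verb 3
EOF
}

# Command-line use: sh check_ovpn.sh /etc/openvpn/mybridge-client.conf client
# Exit status 0 means every checked directive is present.
if [ "$#" -eq 2 ]; then
    check_ovpn_conf "$1" "$2"
fi
```

Run against the answer's client config the lint reports `tls-auth` and `remote-cert-tls server` as missing and exits with status 2. To add them, generate one shared key on the server with `openvpn --genkey --secret ta.key` (OpenVPN 2.x syntax), copy it to the client alongside the certificates, and add `tls-auth ta.key 0` to the server config and `tls-auth ta.key 1` plus `remote-cert-tls server` to the client config; the latter requires the server certificate to have been built with the server role, which `./pkitool --server` in the answer's step 1 already does.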
3

You have two options:

  • Change the moved server's IP address. This is really the preferred option, and there's no reason that I can see in this topology to not do this, other than to avoid making configuration changes.
  • Extend the subnet/broadcast domain to the remote network via L2TP.
Shane Madden
0

You could go with some kind of reverse NAT on router A.

It would forward any request from the private network to 172.20.20.15 to the server's current IP (public).

I don't have any configuration example to show, but it would be easy to set up on a variety of enterprise-class networking equipment (i.e. no SOHO or consumer grade).

petrus
-3

I would suggest a Cisco 800 Series Router. http://www.cisco.com/en/US/products/hw/routers/ps380/prod_models_comparison.html

I don't know how you connect to the ISP Internet line (Ethernet, ADSL, SHDSL, ...) so I cannot suggest a particular 800 Series Router.

mmm
  • Why do you suggest this particular hardware instead of any other appliance from another vendor? How exactly does it solve this problem? – Zoredache Sep 19 '11 at 19:04