-1

I own a company with three branches in different locations. I developed a portal application using PHP and MySQL, which runs on the latest version of XAMPP. I have a server computer in my main office where I installed my portal application. Now I want to serve this application to only my three branches. These three branches have access to the internet. So, using the internet, how can my three branches access the portal site which I am serving from my main office, using the internet and an IP address? Is this possible to set up in Windows OS? So, without spending much money on hosting and a domain, I thought this would suffice for my needs. Please advise and share. Thanks.

  • There are a couple of ways to do this, but first we would need to know if your branch offices and your main office are connected by a VPN tunnel or dedicated line? – Chris Mann Aug 05 '16 at 19:36
  • @ChrisMann FYI, please do not post comments as answers. – EEAA Aug 05 '16 at 19:37
  • I am not thinking of hosting and domain. I just want to host the portal for just my three branches. I don't have VPN knowledge but someone said it could be an option. All I have is broadband internet connection for my three branches and my main office and my site and the xampp. – bma pachuau Aug 05 '16 at 19:42
  • Can you spend $10 on a domain name? SSL you can get for free (startssl or letsencrypt). – rustyx Aug 05 '16 at 19:45
  • For a really small business, I would install [tinc vpn](http://tinc-vpn.org/) on each server and my employees' laptops, then have them connect to a couple of servers or VMs dedicated as VPN gateways. I would not expose an intranet site to the internet. If your business is good, it might grow and before you know it, you've set a precedent. There are companies that expose these things on the internet, but they have teams of data-science folks whose job it is to write secure code and good monitoring. This is a complicated topic. TL;DR, install a light-weight VPN daemon and grow your business! – Aaron Aug 05 '16 at 21:25
  • @Aaron, I set up tinc vpn using the [example](http://tinc-vpn.org/examples/windows-install/) provided by the site, and it works. But I have no idea how I can access my web application from the other computers. Do I need to install tinc vpn on each computer and assign different IPs? Please help. – bma pachuau Aug 06 '16 at 06:44
  • You can either have tinc installed on the systems you wish to access and avoid any port forwarding or hosts acting as routers, or you can enable port forwarding on a couple of hosts in your network and add routes, allowing you to reach your web farm. This topic has more depth than can fit in a comment. There are quite a few questions / answers on serverfault around setting up OpenVPN, Tinc, Freeswan, etc. however. – Aaron Aug 08 '16 at 14:42

1 Answer

1

I have two ways I can think of that will work.

In either case, you should secure the web application with SSL and passwords or client certificates or a combination of both or some other combination. You don't necessarily need to buy a domain name or purchase SSL certificates. If your three offices have static IP addresses, you can further restrict access based on that (for either way).

Port forwarding

  • Forward a port to your web application from your firewall
  • Connect to the application directly from within the source network or use NAT reflection
  • Connect via port forwarding to the application from the other sites (e.g. https://example.com/app or https://example.com:8088/app).

VPN

  • Connect all three sites via a VPN solution (such as OpenVPN), making the main office subnet available to the other offices
  • Connect to the web application as if it were a local server from any of the three sites via the regular internal IP/hostname

The VPN solution is nice because it will probably have more uses in the future.

Ryan Babchishin
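
One way to apply the restrictions this answer lists (SSL, passwords, and a static-IP allowlist) to the port-forwarding option, as an added example that is not part of the original answer: an Apache 2.4 virtual host for the XAMPP server. Port 8088 follows the answer's example URL; the host name, file paths, user-file name and branch addresses (documentation ranges) are assumptions to replace with your own.

```apache
# Added example (not from the original answer). All names, paths and
# addresses are placeholders. Place in XAMPP's Apache configuration,
# e.g. conf/extra/httpd-vhosts.conf, with mod_ssl loaded.

# Port the firewall forwards to this server.
Listen 8088

<VirtualHost *:8088>
    ServerName portal.example.com
    DocumentRoot "C:/xampp/htdocs/portal"

    # Serve the portal over TLS only; a self-signed certificate works
    # without buying a domain, but each branch must trust it.
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    "C:/xampp/apache/conf/ssl.crt/portal.crt"
    SSLCertificateKeyFile "C:/xampp/apache/conf/ssl.key/portal.key"

    <Directory "C:/xampp/htdocs/portal">
        Options -Indexes
        AllowOverride None

        # Password prompt; the user file lives outside the web root.
        AuthType Basic
        AuthName "Branch portal"
        AuthUserFile "C:/xampp/apache/conf/portal.htpasswd"

        # Both conditions must hold: a known office address AND a valid login.
        <RequireAll>
            <RequireAny>
                # Main office LAN (direct access or NAT reflection)
                Require ip 192.168.1.0/24
                # Static public addresses of the three branches
                Require ip 203.0.113.10
                Require ip 203.0.113.20
                Require ip 198.51.100.30
            </RequireAny>
            Require valid-user
        </RequireAll>
    </Directory>
</VirtualHost>
```

The user file can be created with the `htpasswd` tool in XAMPP's `apache\bin` directory, and the same allowlist is worth repeating on the firewall's port-forward rule so unknown sources never reach Apache at all.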
  • I set up tinc vpn using the [example](http://tinc-vpn.org/examples/windows-install/) provided by the site, and it works. But I have no idea how I can access my web application from the other computers. Do I need to install tinc vpn on each computer and assign different IPs? Please help. – bma pachuau Aug 06 '16 at 07:04
  • @bmapachuau If it works, then you should be able to connect to head office computers (at least via their IP addresses) when connected to the VPN. So connect to the web application via its IP address, e.g. `https://192.168.1.100`. If you need more help, I suggest you start a new question asking for help getting your VPN working and provide more details. – Ryan Babchishin Aug 06 '16 at 13:43
  • @bmapachuau tinc vpn wasn't recommended by me. I certainly hope you don't need to install it on every computer. I was thinking site to site VPN between your firewalls. – Ryan Babchishin Aug 06 '16 at 14:01
  • Why don't you recommend tinc vpn? – bma pachuau Aug 06 '16 at 18:19
  • @bmapachuau I've never used it nor heard of it until Aaron mentioned it. I don't have a problem with it, I just didn't recommend it. Technically on Serverfault we're not really supposed to recommend products or services, but I can recommend implementing a site to site VPN between your offices with whatever technology you choose. – Ryan Babchishin Aug 06 '16 at 18:27
  • Can you show some examples or a link where I can start digging? I really need this thing to work for me. Thanks. – bma pachuau Aug 06 '16 at 18:29
  • @bmapachuau Personally I currently use and have used pfSense with OpenVPN quite a bit for this purpose. But there are also many Linux-based firewall distributions that support VPN technologies. I'm sure there's a way to do it with a Windows firewall/server that's built right in, I just don't have any experience with it. Look into OpenVPN or IPSec (OpenSwan, StrongSwan and friends) for a start. Some of those little embedded routers support VPNs, especially stuff from Cisco. Search Google and Serverfault, there's lots of discussion about all this stuff. – Ryan Babchishin Aug 06 '16 at 22:10
  • The reason I suggested tinc is the user-space dynamic mesh / dynamic routing for high availability. Only the hosts that actually act as routers would need port forwarding. I also used OpenVPN but switched to Tinc due to the simplicity and high availability aspect. There are some use cases (server to server that need near wire speed) where FreeSwan still makes more sense. – Aaron Aug 08 '16 at 14:40