 From:  sylikc <sylikc at gmail dot com>
 To:  null at imkaefig dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Connect 2 networks over VPN
 Date:  Fri, 29 Oct 2004 10:52:07 -0700
Chris,


> > Me and my friend got two private LANs with some Gentoo boxes. We'd like
> > to connect this two networks over a VPN connection. So that the machines
> > from both networks are virtually on the same subnet (10.0.0.x).

Having a VPN connection doesn't necessarily mean that both of the
connecting LANs have to have the exact same subnet.  It just means
that the LANs feel as if they are "virtually" connected (1 hop away)
when they could be geographically separate.


> > The situation is this:
> > LAN A (mine) connected to a 2 mbit/s cable line
> > - 192.168.1.1: m0n0
> > - 8x gentoo boxes
> > LAN B (my friend's) connected to a 1,2 mbit/s ADSL line
> > - 192.168.1.1: gentoo router
> > - 4x gentoo boxes

With standard VPN (IPSec/PPTP), this setup could not work.  You can't
have both subnets be exactly the same, or else either one of the
following occurs:  You can't route over the VPN tunnel because traffic
is destined for the local subnet, or you can't connect the tunnel at
all because there's major routing problems.  Vincent mentions that you
can do something like this with OpenVPN TAP, but I'm not familiar
enough with that to comment.


> > We don't want that every request which is sent goes to the other gateway
> > like this is with PPTP VPN. The gateway should be on both sides
> > 192.168.1.1.

OK, after reading this a couple of times, my understanding is that you
do not want all traffic heading over the VPN tunnel, which is the way
PPTP works.  Now, once again, I'm not sure how flexible OpenVPN is,
but to accomplish this type of setup, you would want IPSec.  This
would allow all IP traffic destined to be routed to the remote subnet
(the two LANs must be on different subnets) to be routed over the VPN
tunnel, while all other traffic is forwarded to the next hop (ISP).


> > It'd be good if the routers could make one connection to the other
> > router, so that not every client on both LANs needs to open a VPN
> > connection.

IPSec only makes one connection and all traffic that needs to be
forwarded across the tunnel (based on the Layer 3 Address only) will
be.


> > We also want to access the VPN from school. At that place there is a
> > firewall which blocks all traffic except TCP80/443. So we want a VPN
> > server listening on port 443 at LAN A, cause there is more upstream.

Since PPTP default is 1723 and IPSec uses GRE (not even TCP), your
best bet in this case is OpenVPN.  In that case you need to be able to
actually install stuff on the computer at school.


> > Now is this concept good?

To my knowledge, it's probably not a good idea to have your two
separate LAN subnets have the same subnet.  I'm not sure how OpenVPN
TAP would deal with broadcasts, but I can only imagine how much it
would hurt bandwidth to have to forward common Layer2 and Layer3
broadcast frames (like ARPing, NetBIOS discovery, etc) over a slow
link.


> > Which VPN method should we use? OpenVPN or IPSec?
> 
Vincent Fleuranceau <vincent at bikost dot com> wrote:
> I would set up OpenVPN server on m0n0wall (site A) and configure LAN B's
> gateway as an OpenVPN client. You'll be able to connect to A from a
> standalone OpenVPN client installed at school, too.
> 
> I don't really understand why/what you want to do with your networks,
> but to be short: if there is no need to have all hosts on one
> (virtual) network segment, use TUN. In that case, you'll have to
> re-number one of your two LANs so that they use different IP addressing
> schemes (if not, routing will be *broken*). If you absolutely *need* to
> make both A and B subnets appear as one (virtual) network segment, use TAP.
> 
> Take a look at the available docs on the OpenVPN site and search for
> configuration examples (case studies).

I'm not familiar with OpenVPN setup, and since support in m0n0 is
beta, I haven't been brave enough to tweak with it in my environment
yet.  However, you might end up needing to use both IPSec and OpenVPN
depending if you still want to go with your setup where both LANs are
on the same subnet.


/sylikc
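The routing argument made in this thread (two LANs on the same subnet cannot be joined by a routed VPN, and a routed VPN only carries traffic for the remote subnet, unlike the PPTP default-route behaviour) can be checked with a small routing-table model. The block below is an added example, not code from the thread or from m0n0wall/OpenVPN; the interface names lan0/tun0/wan0, the 192.168.x.0/24 and 203.0.113.10 sample addresses, and the helper names are constructed for illustration.

```python
"""Routing-table model of a site-to-site VPN.

Added example (not from the mailing-list thread). Interface names and
sample addresses are constructed for illustration.
"""
import ipaddress

LOCAL = "lan0"    # directly connected LAN interface
TUNNEL = "tun0"   # routed VPN tunnel (IPsec or OpenVPN in TUN mode)
UPLINK = "wan0"   # default route towards the ISP


def build_routes(local_lan, remote_lan, all_traffic_via_tunnel=False):
    """Return a routing table as a list of (network, interface, directly_connected).

    A routed VPN installs one route for the remote LAN via the tunnel and
    leaves the default route pointing at the ISP.  With
    all_traffic_via_tunnel=True the default route is pointed at the tunnel
    instead, which is the "every request goes to the other gateway"
    behaviour the original poster wanted to avoid.
    """
    default_iface = TUNNEL if all_traffic_via_tunnel else UPLINK
    return [
        (ipaddress.ip_network(local_lan), LOCAL, True),
        (ipaddress.ip_network(remote_lan), TUNNEL, False),
        (ipaddress.ip_network("0.0.0.0/0"), default_iface, False),
    ]


def next_hop(routes, dst):
    """Longest-prefix match over the table.

    On equal prefix length the directly connected route wins, modelling a
    router that prefers its own LAN over a tunnel route with the same prefix.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    _net, iface, _direct = max(candidates, key=lambda r: (r[0].prefixlen, r[2]))
    return iface


def routed_vpn_viable(local_lan, remote_lan):
    """A routed (TUN/IPsec) VPN only works when the two LAN subnets do not overlap."""
    a = ipaddress.ip_network(local_lan)
    b = ipaddress.ip_network(remote_lan)
    return not a.overlaps(b)


if __name__ == "__main__":
    # Case 1: both LANs on 192.168.1.0/24, as in the original question.
    same = build_routes("192.168.1.0/24", "192.168.1.0/24")
    print("overlapping LANs viable:", routed_vpn_viable("192.168.1.0/24", "192.168.1.0/24"))
    # A packet for a remote host never leaves the local LAN: the tunnel route is shadowed.
    print("192.168.1.50 (remote host) ->", next_hop(same, "192.168.1.50"))

    # Case 2: LAN B renumbered to 192.168.2.0/24.
    fixed = build_routes("192.168.1.0/24", "192.168.2.0/24")
    print("192.168.2.50 (remote host) ->", next_hop(fixed, "192.168.2.50"))
    print("192.168.1.50 (local host)  ->", next_hop(fixed, "192.168.1.50"))
    print("203.0.113.10 (internet)    ->", next_hop(fixed, "203.0.113.10"))

    # Case 3: PPTP-style default route over the tunnel.
    pptp_like = build_routes("192.168.1.0/24", "192.168.2.0/24", all_traffic_via_tunnel=True)
    print("203.0.113.10 with tunnel default ->", next_hop(pptp_like, "203.0.113.10"))
```

Running the script shows the three situations the thread discusses: with identical subnets the tunnel route is shadowed by the directly connected LAN, so remote hosts are unreachable; after renumbering, only traffic for the remote subnet enters the tunnel and internet traffic still goes to the ISP; and with a default route over the tunnel, everything leaves through the other site's gateway.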