Networking advice for tying multiple VPNs together

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Networking advice for tying multiple VPNs together

kenkeniff

628 posts

Ultimate Geek

#128791 23-Aug-2013 12:29

Problem:
I have a number of remote workers with mobile devices (laptops, tablets, mobiles etc) which all support VPN connections (PPTP at least) but don't all necessarily support specific proxy or gateway settings.

These remote workers could be anywhere in the world at any time however they all need to be connected to one another's devices as if on a local network (i.e. via a VPN).

Furthermore the business has three main offices in US, UK and AU.

Each worker must be able to access the internet via US, UK and AU regardless of what country they are physically in.

Solution?:
Setup VPN server in US.
Setup VPN server in UK.
Setup VPN server in AU.
*(VPN servers will be setup on Amazon AWS)

Link 3 VPN's together so devices on different VPN's can talk to one another. Somehow??

Remote worker selects the VPN appropriate to them on their mobile device based on which country they want to access the internet via.

Example / Use Case:
Remote worker is currently in India but wants to connect to the company network and the internet via an AU connection.

Remote worker selects the AU VPN on their device.

Question:
Will this work / is there a better way?
What VPN software do you recommend (pref free/open source)

Thanks

Zeon

3918 posts

Uber Geek

Trusted

#883336 23-Aug-2013 12:36

What is the size of the company?

I would suggest the easiest way would be to create IPSEC tunnels between all your main offices in a mesh (each to each other). Then have users VPN into their nearest office to enter the company network. This is surprisingly easy on PFsense and I run a similar setup for 2 networked sites in Auckland and 1 in Los Angeles. For the clients you are probably best to use OpenVPN or IPSEC (PPTP is NOT I repeat NOT secure). Planning how you want to do both your IPv4 and IPv6 addressing is critical as you will want to advertise routes correctly to OpenVPN.

So lets say you had one remote worker connected to the Indian office and another to the AU office the route would go:
Remote worker->OpenVPN->india office->india to Au IPSEC->Au office->openVPN->remote worker.

Speedtest 2019-10-14

Inphinity

2780 posts

Uber Geek

#883345 23-Aug-2013 12:47

Please don't use PPTP. I'd probably go with Zeon's suggestion, or alternately a VPN appliance from Cisco or similar at each site as an endpoint.

kenkeniff

628 posts

Ultimate Geek

#883351 23-Aug-2013 12:50

Don't worry, most of our devices support IPSec also and current setup is actually OpenVPN direct to USA though.

Just thinking about how I could incorporate these suggestions.

MadEngineer

4298 posts

Uber Geek

Trusted

#883576 23-Aug-2013 20:02

What is it that they need access to on another's device?

You're not on Atlantis anymore, Duncan Idaho.

LettyLocke

1 post

Wannabe Geek

#883734 24-Aug-2013 01:57

I bought a home nas server and it is performing very well in my case. Got it from a local online dealer at very affordable price. My problem is whenever I attach the NAS to my main server, my VPN's stop working. Is it normal? Or do I need multiple VPN's to connect simultaneously? This is getting into a real problem day by day. Any solutions are welcomed. Site from where I bought NAS : http://www.wiseguys.co.nz

kiwirock

685 posts

Ultimate Geek

#883747 24-Aug-2013 03:59

LettyLocke: I bought a home nas server and it is performing very well in my case. Got it from a local online dealer at very affordable price. My problem is whenever I attach the NAS to my main server, my VPN's stop working. Is it normal? Or do I need multiple VPN's to connect simultaneously? This is getting into a real problem day by day. Any solutions are welcomed. Site from where I bought NAS : http://www.wiseguys.co.nz

Hi Sara and welcome to Geekzone. I'm a bit of a night owl, been swining night shifts.

I would recommend starting a new thread/topic regarding your issues, just so the orginal posters queries don't go off topic. It could be that your NAS has the same IP as another device on your network has and is causing problems or within the same IP range as a VPN client.

It may have a DHCP server that is conflicting with one such as in your Internet router etc... and causing some issues. Or if you have multiple ethernet cards in your main server, it could be when you plug your NAS in that another gateway IP address is being added on connection and confusing something somewhere. You'd need to provide much more info on your setup. But for another thread perhaps.

To the original poster, yes I'd go for IPSec too. I still use the somewhat hackable PPTP but then I don't send sensitive information between VPN's.

I have cheap $100 Mikrotik routers that support OpenVPN and IPSec, but obviously not enough grunt/encryption chipset to handle the encryption for greater than 5-6Mbps throughput. You just need a router that can be both a VPN server, and a VPN client.

Even Windows servers can do this. In my example though, I have a Mikrotik at home as a VPN server (well call it on LAN 1). It has a few VPN user accounts that get dished out a dynamic IP on my home LAN when they connect.

I also have another account, that specifically hands out a static IP to the VPN user (we're going to assume this is another router connecting for another LAN), and when that account connects the LAN 1 VPN router automatically adds a specific route in to the main routing table for the another (we'll call it LAN 2) IP range/subnet that uses the static IP as the gateway to the other network.

The LAN 2 VPN client/router is another Mikrotik router in my case, or it could just as easily be a Windows PC acting as a gateway that connects to my main Mikrotik on LAN 1. You can enable IP forwarding in Windows, connect to your VPN server, then add a persistent route for the other main LAN's subnet and Bob's your uncle. You would then choose to send either all traffic through the VPN to the Internet router on LAN 1 or not - just the traffic meant for the other LAN's IP range.