

lchiu7

#90736 28-Sep-2011 16:28

I have servers in one location that need to access servers in another location. The only connection between them is the Internet but it's 100Mbs and only has about 4 hops.

At the moment to access the remote server we run a local proxy server with one NIC on the local LAN and the other NIC connected to a business router/firewall.

A user on the local LAN can use something like Tunnelier to SFTP to the remote server (both are Windows Server 2008) and then tunnel RDP through SFTP. That works pretty well so we can access the remote server and perform file transfer.

However we would like the remote server if possible to join the local Domain. The first thought was to use a site to site VPN using Windows Server on both machines to enable this. That would presumably be an L2TP VPN.

But our hosting provider has suggested we use an IPSEC VPN with the connections being done at the router level. That makes sense since it means we don't have to mess with Server configurations but I am wondering how it would work.

For protocols that are well defined like http, https, sftp, it is easy enough to tell the source application (browser, sftp program) to use the proxy server. But for something like RDP, where you cannot tell it to use the proxy server, would the Internet settings in Windows be enough to provide access to the remote server across the VPN?

And finally if you wanted to do Windows file sharing so that you could browse shares on the remote server, it's not clear how to do that.

Any pointers would be appreciated.

By the way if there is a Microsoft network engineer reading this and lives in Wellington and would be keen on some short term consulting work to help me, drop me a PM.

Thanks




Staying in Wellington. Check out my AirBnB in the Wellington CBD.  https://www.airbnb.co.nz/h/wellycbd  PM me and mention GZ to get a 15% discount and no AirBnB charges.


freitasm
#526849 28-Sep-2011 16:46

If you would consider a software only solution, check LogMeIn Hamachi (www.logmein.com).








lchiu7

#528077 1-Oct-2011 20:09

Actually, ideally I want the remote server to connect to my AD so that would not work. This appears to be a non-trivial networking setup so any experts able to assist (and I will pay) PM me.






rphenix
#529229 4-Oct-2011 22:37

Send me a PM and I'll help you set this up. You can use IPsec, or another good option is OpenVPN.



Regs
#529247 4-Oct-2011 22:57

a pair of sonicwall firewall devices (or pick from many brands) is the easiest way to do it. set and forget, all protocols available (unless you want to filter some) and the encryption to whatever level you want is done on the unit.

some units also do compression (wan optimization) thus maximising the use of your bandwidth.
add url filtering, antivirus and mail/spam filtering and other services means you can use them for even more...

you could also do all this with a pair of microsoft ISA/TMG servers, or using routing & ras on windows servers through existing firewalls.

if you have no in-house expertise, then perhaps contract a local IT firm to supply+install the sonicwall (or similar) devices. they can be set up for remote management too.




lchiu7

#529770 5-Oct-2011 20:19

I have no control over the remote destination since it's a hosting data centre but I could put a VPN capable firewall at my end and the host organisation says they have VPN capable kit at their borders.

But I also like the idea of using RRAS since I don't have to buy any new kit to make it work. Of course I am going to need some expertise to make it all happen.






rphenix
#529781 5-Oct-2011 20:35

lchiu7: I have no control over the remote destination since it's a hosting data centre but I could put a VPN capable firewall at my end and the host organisation says they have VPN capable kit at their borders.


On the remote end, where you can't put a router etc., I recommend installing OpenVPN on that server (it doesn't require any ports to be opened, only to make outbound connections to the Internet, which most servers would be allowed to do).

On your end, install OpenVPN and open the single UDP port for OpenVPN on your router. That way your remote server can be the OpenVPN client, your side is the OpenVPN server, and on any disconnects etc. the OpenVPN client will seamlessly reconnect. Software is free :)
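
The layout described in the post above, written out as a pair of OpenVPN configuration files. This is an added example, not part of the original posts. The host name vpn.example.org, the 10.8.0.0/24 and 192.168.10.0/24 networks, the DNS address 192.168.10.10, the certificate name remote-sql and all file names are assumptions.

```conf
# Added example with constructed values; adjust names and addresses.
# ---- server.conf: local site, listens on the one forwarded UDP port ----
port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Shared HMAC key: unauthenticated packets are dropped before TLS starts
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
# Per-client files in ccd/ are matched on the certificate common name
client-config-dir ccd
# Assumed local LAN and domain controller/DNS address
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.10"
# Ping every 10 s; restart the session after 120 s of silence
keepalive 10 120
persist-key
persist-tun
verb 3

# ---- ccd/remote-sql: fixed tunnel address for the remote server ----
ifconfig-push 10.8.0.10 255.255.255.0

# ---- client.ovpn: remote server, makes outbound connections only ----
client
dev tun
proto udp
# Placeholder for the local site's public name or address
remote vpn.example.org 1194
resolv-retry infinite
nobind
ca ca.crt
cert remote-sql.crt
key remote-sql.key
# Refuse a peer that does not present a server certificate
remote-cert-tls server
tls-auth ta.key 1
persist-key
persist-tun
verb 3
```

The fixed tunnel address gives the local firewall a single source to write rules against, so the remote server can be limited to the domain controller and the services it actually needs.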

 
 
 
 

lchiu7

#529800 5-Oct-2011 21:19

rphenix:
lchiu7: I have no control over the remote destination since it's a hosting data centre but I could put a VPN capable firewall at my end and the host organisation says they have VPN capable kit at their borders.


On the remote end, where you can't put a router etc., I recommend installing OpenVPN on that server (it doesn't require any ports to be opened, only to make outbound connections to the Internet, which most servers would be allowed to do).

On your end, install OpenVPN and open the single UDP port for OpenVPN on your router. That way your remote server can be the OpenVPN client, your side is the OpenVPN server, and on any disconnects etc. the OpenVPN client will seamlessly reconnect. Software is free :)


Ok let me see if I have this straight.


The remote side is in a data centre but I am sure I can ask them to forward port 80 traffic to it and have it send traffic out.

On my side I install OpenVPN and also arrange that the ports to be used are open which I can do on my router. Then I can get the two instances of OpenVPN to talk to each other? I am being vague here since I haven't yet read up on it.

Then the goal is for each server to see the other server as if they were in the same domain. That way the remote server can join the local domain in our location and our local server running SQL Server Reporting Services can access the SQL Server database in the remote location.

Is that a feasible scenario?



