[Efw-user] Endian to Endian Gw2Gw VPN with OpenVPN
Matthew W. Ross
2010-03-25 23:19:31 UTC
Hello list,

I am attempting to set up a VPN connection between two different school campuses. Here's a simple diagram of what I want to accomplish:

10.0.0.0/8 (School Campus LAN)
|
Main Endian Firewall
|
{The Internet}
|
Offsite Endian Firewall
|
192.168.33.0/24 (Remote Classroom LAN)

Now, I'm new at this. Some of these questions might seem basic:

1. Do I want the remote site to connect to the main, or the main to connect to the remote? Does it make a difference?

2. I think I have the remote connecting, but I can't ping anything on the remote LAN from the school campus. My guess is Routing isn't happening, or the remote Endian's firewall is blocking traffic.

3. I currently have static WAN IPs for both the main campus and for the remote classroom. Could I use a DHCP address on the remote classroom if needed?

4. Which authentication method is recommended? Is it common practice to use a PSK for Gw2Gw VPNs? Should I set up a user dedicated for the connecting remote classroom? I suppose I would need an additional one for another remote site?

5. I can see the server connected via the list of connected users, and I see that the connection was given an IP from within the specified VPN pool of IPs. In this case, it has the IP address of 10.199.0.2... Is that correct for a Gw2Gw VPN?

Thanks for any and all help.


--Matt Ross
Ephrata School District
Vassilis V.
2010-03-26 00:01:20 UTC
Hello Matt,

I have used the OpenVPN options of Endian for a while, on 2.2 only.

Post by Matthew W. Ross:
> 10.0.0.0/8 (School Campus LAN)
> |
> Main Endian Firewall
> |
> {The Internet}
> |
> Offsite Endian Firewall
> |
> 192.168.33.0/24 (Remote Classroom LAN)
>
> 1. Do I want the remote site to connect to the main, or the main to connect to the remote? Does it make a difference?
It doesn't really matter. You want one location to act as a server,
another as the client. Typically you would choose the location with the
best up/download speed. In case you have 3 or more locations you want to
connect, you can even assign fallback servers. So Location A will try
to connect to Location B, and on failure will try to connect to Location C. This
way you can quickly have a client becoming the server.
Post by Matthew W. Ross:
> 2. I think I have the remote connecting, but I can't ping anything on the remote LAN from the school campus. My guess is Routing isn't happening, or the remote Endian's firewall is blocking traffic.

Check the answer to 5.
Post by Matthew W. Ross:
> 3. I currently have static WAN IPs for both the main campus and for the remote classroom. Could I use a DHCP address on the remote classroom if needed?

Connecting to a location with a static IP is always better since you
don't need to use dyndns or such. I don't have static IP addresses and
work with dyndns. There is some delay on disconnect/reconnect but its
reliability is good (not perfect). In your example of having the Main
location on static being the OpenVPN server, it doesn't matter what IP
the OpenVPN clients have.
Post by Matthew W. Ross:
> 4. Which authentication method is recommended? Is it common practice to use a PSK for Gw2Gw VPNs? Should I set up a user dedicated for the connecting remote classroom? I suppose I would need an additional one for another remote site?

The more the better, I would say. Using certificates is easy; I
translated a forum post and sent it to the mailing list some time ago.
You can read up on it to see how to set up certificates. You can of course
use certificates plus username/password, it's up to you.
Post by Matthew W. Ross:
> 5. I can see the server connected via the list of connected users, and I see that the connection was given an IP from within the specified VPN pool of IPs. In this case, it has the IP address of 10.199.0.2... Is that correct for a Gw2Gw VPN?

Seeing that your Main location uses 10.0.0.0/8 and you have given the
OpenVPN server a range of 10.199.0.X to give to the clients, I think
this is the reason for 2. and this question. I haven't gotten it to work
with using a different IP range for the clients (probably some routing
configuration). What I have done and had no problem using it, was to
give the OpenVPN client an IP from within the green IP range.

I would also advise you to read up on the OpenVPN documentation on
bridged and routed mode to choose the correct one for your needs.


Hope this helps a bit!
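An added example, not code from the thread or from Endian, that works through the addressing problem behind questions 2 and 5. A tunnel pool of 10.199.0.0/24 sits inside the campus LAN 10.0.0.0/8, so a campus host treats 10.199.0.2 as on-link, ARPs for it on the green segment, and never hands the packet to the firewall; a pool outside both LANs avoids that. The script checks the plan with the standard `ipaddress` module and emits the plain OpenVPN directives for a routed (tun) site-to-site link: `route` and `push "route ..."` on the server plus an `iroute` in the client's ccd file so OpenVPN knows which client owns the remote LAN. The replacement pool 172.16.99.0/24, the client common name `remote-classroom` and the server hostname are assumptions; how these directives map onto the Endian 2.2 web interface is not covered here.

```python
"""Addressing and routing check for an OpenVPN routed (tun) site-to-site link.

Added example for the thread above; not Endian's code. Uses only the
standard library. The LANs come from the original post; the tunnel pool
172.16.99.0/24, the client common name and the hostname are assumptions.
"""
import ipaddress

# Prefixes from the original post (constructed test data for this example).
MAIN_LAN = "10.0.0.0/8"          # school campus green network
REMOTE_LAN = "192.168.33.0/24"   # remote classroom green network


def find_overlaps(lans, pool):
    """Return the LAN prefixes that overlap the proposed tunnel pool.

    An empty list means the pool is safe: no host on either LAN will
    mistake a tunnel address for an on-link neighbour.
    """
    p = ipaddress.ip_network(pool)
    return [str(lan) for lan in map(ipaddress.ip_network, lans) if p.overlaps(lan)]


def first_free_pool(candidates, lans):
    """Pick the first candidate pool that collides with none of the LANs."""
    for cand in candidates:
        if not find_overlaps(lans, cand):
            return cand
    return None


def mask(net):
    """Render a prefix as 'network netmask', the form OpenVPN directives use."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.netmask}"


def server_directives(main_lan, remote_lan, pool, client_cn):
    """OpenVPN directives for the server (main campus) side of the tunnel."""
    server_conf = [
        "dev tun",                            # routed mode, not bridged
        f"server {mask(pool)}",               # hand clients addresses from the pool
        "client-config-dir ccd",              # per-client files live here
        f"route {mask(remote_lan)}",          # kernel route: remote LAN goes into tun
        f'push "route {mask(main_lan)}"',     # tell the client how to reach campus
    ]
    # ccd/<common name>: OpenVPN-internal route so the server knows which
    # connected client sits in front of the remote classroom LAN.
    ccd = [f"iroute {mask(remote_lan)}"]
    return {"server.conf": server_conf, f"ccd/{client_cn}": ccd}


def client_directives(server_host):
    """Minimal client (remote classroom) side; routes arrive via push."""
    return [
        "client",
        "dev tun",
        f"remote {server_host} 1194",         # hostname is an assumption
    ]


if __name__ == "__main__":
    lans = [MAIN_LAN, REMOTE_LAN]
    bad = "10.199.0.0/24"
    print(f"{bad} overlaps: {find_overlaps(lans, bad)}")
    pool = first_free_pool([bad, "172.16.99.0/24"], lans)
    print(f"using tunnel pool {pool}")
    for fname, lines in server_directives(MAIN_LAN, REMOTE_LAN, pool,
                                          "remote-classroom").items():
        print(f"--- {fname}")
        print("\n".join(lines))
    print("--- client.conf")
    print("\n".join(client_directives("vpn.main-campus.example")))
```

Run it and the first line reports that 10.199.0.0/24 collides with 10.0.0.0/8; the generated `server.conf` and `ccd/remote-classroom` fragments are what a routed gateway-to-gateway setup needs on top of the usual certificate and cipher settings, and the firewall rules between the green and VPN zones still have to allow the traffic.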
compdoc
2010-03-25 23:52:35 UTC
I once set up a customer with multiple remote locations
connecting to a main office in Denver. Users at the remotes
entered data into the central server, and the server sent
print jobs back to the remotes. All through openvpn.

Since the remotes were in far locations, including locations
in different states, I had to create a lab in my shop to
test what settings would work.

The lab was: 2 Endian servers with red zones connected by a
100baseT network switch, each with its own workstation
behind it. Like this:

Workstation 1
|
Endian 1
|
Switch
|
Endian 2
|
Workstation 2


The goal is to have workstation 1 and 2 be able to ping and
see each other as if they were on the same lan.

For me, using efw 2.2, the trick was to use two Gw2Gw
connections. One on each server, connecting to the other. In
other words, one going from the main firewall to the remote
firewall, and also one from the remote firewall going to the
main.

Your mileage may vary - best to test it for yourself....
