Menu
▾
▴
Re: [Openvpn-users] Layer 2 tunnel (VPN)
|
From: David S. <ope...@to...> - 2014-11-21 11:38:39
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 21/11/14 11:06, J.W...@mi... wrote:
> And finally, the situation you draw, looks like your connection and
> a server at your HQ are a single-point-of-failure.
That's a really good point too!
If the branch offices needs to communicate between each other as well,
with my proposed suggestion you can as well add VPN tunnels in
parallel between each branch office. For example something like this:
<branch-lan-1: 192.168.10.0/24>
| +--------------------+
\----+ eth0: 192.168.10.1 |
| |
| [branch-1-gw] |
| | (HQ-VPN-1: 10.8.10.0/24)
| tun0: 10.8.10.2 +------------\
| tun1: 10.9.2.2 | | +-----------------+
+----+---------------+ | | [HQ-GW] |
| (HQ-VPN-2: ) | | |
| (10.8.20.0/24) \----+ tun0: 10.8.10.1 |
<branch-lan-2: > | /--------+ tun1: 10.8.20.1 |
<192.168.20.0/24> |*1 | /-----+ tun2: 10.8.30.1 |
| +----+---------------+ | | | |
| | tun1:10.9.2.1 | | | | |
| | | | | | |
| | [branch-2-gw] | | | | eth0:192.168.0.1|
| | | | | +----+------------+
| | tun0: 10.8.20.2 +--------/ | |
\-----------+ eth0: 192.168.20.1 | | |
| tun2:10.9.3.2 | | v
+----+---------------+ | <HQ-lan: >
| | < 192.168.0.1/24>
| |
| |
| |
|*2 |
+----+---------------+ |
| tun1:10.9.3.1 | |
| | |
| [branch-3-gw] | |
| | |
| tun0: 10.8.30.2 +-----------/
/------+ eth0: 192.168.30.1 | (HQ-VPN-3: 10.8.30.0/24)
| | |
| +--------------------+
|
<branch-lan-3: 192.168.30.0/24>
*1: branch-vpn-1-2: 10.9.2.0/24
client on branch-1-gw
server on branch-2-gw
*2: branch-vpn-2-3: 10.9.3.0/24
client on branch-2-gw
server on branch-3-gw
This is the core principle. You can also consider to one more
tunnels, between branch-lan-1 and branch-lan3 for an absolute
redundancy (that is, creating a branch-vpn-3-1). By also adding
routing metrics, the performance between branch-1 and branch-3 can
also be improved by adding this extra VPN tunnel.
However, the routing of such a net will not be too easy. And you will
need policy routing here ('ip rule' and 'ip route ... table ...'), to
ensure that traffic arriving on branch-vpn-1-2 also returns using the
same interface. Without having tested this, I'd presume you would
need such rules on all VPN servers/clients. Those far more
experienced in advanced routing setup can probably explain this far
better than I can.
The advantage of this setup is that you always have two routes
available to any of the other sites. So if one site fails/becomes
available it should be possible to get access to the rest of the sites
still being functional. And even if the one of the openvpn processes
on stops running on the HQ-GW box, the traffic can still flow through
to the HQ-lan via one of the other branch offices. And the same goes
for the branch offices as well.
But as I already said, this is an advanced setup which requires a very
good understanding of how network routing works and how to configure
it correctly. There are a lot of pitfalls and traps when setting up
such a network. But once you understand how routing works, setting it
up isn't illogical.
- --
kind regards,
David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlRvJCwACgkQDC186MBRfrr2NgCfdoHeePXhzfKppUs9a3GJZR72
/c0AmgMGlCOUOY2tqLJqEZi3LKBMlNP5
=rJSf
-----END PGP SIGNATURE-----
|