www.fridu.net


1. LAN interconnection over DSL


Many of us would like to interconnect LANs over DSL links. Unfortunately, the difficulty of managing all the complexity of the solution (DSL, firewall, NAT, DNS, PKI, routing, ...) has stopped more than one of us.

We do not intend to replace the very valuable documentation available on the Net, but rather to guide you through a few practical use cases. The proposed solution uses OpenVPN, which runs on most operating systems available on the market and works with regular low-cost DSL or cable network connections.

Our study does not cover all the possible use cases, but it has the advantage of actually working between a few sites of fridu.org members located in different countries.

SSL-based VPNs such as OpenVPN can, like any network topology, have security weaknesses. At fridu.org we prefer a PKI structure to a shared secret. We assume that keys and certificates can be distributed in a reasonably safe manner. The proposed method has been optimised to limit the cost to zero euros while keeping security at a decent level.

To implement a VPN between sites you will need to plan the required connectivity. We will look at the following use cases:

  • Mobile roaming users who need to connect to an office LAN. In this model we assume that the remote user will connect from a hotel or a public Wi-Fi hotspot with a laptop. The solution must be as transparent as possible to any application. Ideally the remote PC should look as if it were connected directly to the main office LAN.
  • Interconnection of a main office with remote branches. In this model we prefer to keep some autonomy for each site in case the DSL link breaks down, and to keep protection between both sites.

To implement either of these models you will need two sites that are both connected to the Internet. On the server side, a static IP address is preferred but not required; a dynamic DNS would do, assuming that your IP address remains stable (up to one IP address change a day is likely the lowest acceptable limit). Several providers offer free dynamic DNS (DynDNS, NoIP, ZoneEdit). The client side does not impose any constraints on the IP addressing scheme.

At fridu.org our configuration runs OpenVPN under Linux on both the server and client sides. The solution should also work under other operating systems supported by OpenVPN, but we did not test such configurations and you will need to adapt the configuration files.

You will find more in our Networks section or in the fridu.org Wiki OpenVPN pages.

 

 
