www.fridu.net


3. Roaming use case


[Figure: Roaming from the pool]

The roaming use case covers a remote user who needs to connect to a main LAN transparently. Ideally, neither the remote nor the main-LAN users will see any difference between roaming and locally connected users. The IP addressing plan will be the same, and non-IP protocols (e.g. printer and share discovery, Novell directory, ...) and IP multicast will work.

Application examples

  • Access to your home LAN from your office or a hotel
      • Send and receive private mail
      • Phone for free using your internal voice system (e.g. Asterisk)
      • Support your home users through a VNC session
      • Check what your kids do on the Internet
  • Access to the office LAN from a GSM data connection (3G or GPRS), a public Wi-Fi hotspot, or a hotel
      • Send and receive professional mail
      • Join phone conferences for free via the office VoIP
      • Access the company intranet and protected sites
      • Back up your local data
      • Get support from IT via VNC
      • Access database applications, order management, customer management, ...
  • Access to the home LAN for a student
      • Phone home for free, and call home local numbers at a reduced rate via the home PBX (e.g. Asterisk)
      • Back up critical data on the home server (course work, exams, CV, ...)
      • Send and receive mail on the home account
      • Get support from Dad via VNC

The preferred fridu.org solution for roaming is interconnection through an Ethernet bridge. In that model the remote PC is virtually connected to the LAN for the duration of the VPN session. As the connection is made at Ethernet level (one level below IP), there is no need to build a routing table.

The beauty of OpenVPN is that it provides a full LAN bridge interconnection through NAT and/or an HTTP proxy. This makes it a fine solution for Ethernet roaming that really works.

A side effect of an Ethernet bridge is the lack of easy protection. The firewall on the remote PC will be configured to stop any incoming traffic during the VPN session. The risk then lies in the lesser control of access to the remote PC and the direct visibility of every station connected to the LAN.

On the server side, as you run Linux, you can use the Ethernet bridge firewall tables (ebtables) to limit interaction from the remote users. If you feel that the risk of interconnecting at Ethernet level is not worth the added flexibility (zero routing configuration), you can configure OpenVPN to connect at IP level instead.
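One way to apply the ebtables restriction described above, as an added example that is not taken from the fridu.org Wiki: a generator that prints the rules for review instead of applying them. The interface name tap0, the server addresses and the function name gen_bridge_rules are assumptions.

```shell
#!/bin/sh
# Added example: print (do not apply) ebtables rules that limit what
# bridged VPN clients can reach. tap0 and the IPs are assumed values.

# gen_bridge_rules TAP_IF ALLOWED_IP...
# Rules go in the bridge FORWARD chain, which sees frames passing
# between bridge ports (tap interface <-> LAN interface).
gen_bridge_rules() {
    tap_if=$1
    [ -n "$tap_if" ] && [ "$#" -ge 2 ] || {
        echo "usage: gen_bridge_rules TAP_IF ALLOWED_IP..." >&2
        return 1
    }
    shift

    # Validate every address first so a bad argument yields no rules
    # at all (only digits and dots may reach the generated commands).
    for ip in "$@"; do
        case $ip in
            ''|*[!0-9.]*|.*|*.|*..*)
                echo "bad address: $ip" >&2
                return 1 ;;
        esac
    done

    # ARP must pass, or clients cannot resolve the allowed hosts.
    echo "ebtables -A FORWARD -i $tap_if -p ARP -j ACCEPT"
    echo "ebtables -A FORWARD -o $tap_if -p ARP -j ACCEPT"

    # IPv4 to and from each allowed LAN host.
    for ip in "$@"; do
        echo "ebtables -A FORWARD -i $tap_if -p IPv4 --ip-dst $ip -j ACCEPT"
        echo "ebtables -A FORWARD -o $tap_if -p IPv4 --ip-src $ip -j ACCEPT"
    done

    # Default deny in both directions. This also drops non-IP discovery
    # protocols and multicast: the flexibility traded for isolation.
    echo "ebtables -A FORWARD -i $tap_if -j DROP"
    echo "ebtables -A FORWARD -o $tap_if -j DROP"
}

# Constructed sample: remote users may reach a mail and a file server.
gen_bridge_rules tap0 192.168.1.10 192.168.1.20
```

Review the printed rules, then pipe them to a root shell on the bridge host. Traffic addressed to the OpenVPN server itself traverses the INPUT chain and is not covered here.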

The detailed configurations are given in our Wiki. You are welcome to add your experience there.

 
