multi-site private overlay networking (not? vpn)
Hi, all --

I would have called this a vpn, but after reading the recent [excellent] thread on what is or isn't vpn and what it can or can't do for one, maybe that's not the right term ...

I have multiple sites

  A.comcast.net     192.168.a.0/24
  B.att.net         192.168.b.0/24
  C.localisp.net    192.168.c.0/24
  ...

that I would like to integrate into my own WAN and be able to see devices (machines, printers, etcetc) using the Internet as my transport medium. [NB that I don't have a proper router at most of these sites; I only have what the ISP gives me.] Better yet, when I'm on the road with a laptop I'd love to be able to connect into that and be part (just like remote office work). I was thinking that a host at each location, exposed through the firewall, would act as the local gateway and I could just route traffic across ... um, well ... that's where I run out :-)

Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites? And does each device in a site have two addresses (192.168.?.? and 172.16.?.?) or do I set each router's internal DHCP range to the larger network?

Where do I go to learn about this stuff? :-)

TIA again
:-D

-- 
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 2021-06-27 3:06 p.m., David T-G wrote:
Hi, all --
I would have called this a vpn, but after reading the recent [excellent] thread on what is or isn't vpn and what it can or can't do for one, maybe that's not the right term ...
I have multiple sites
  A.comcast.net     192.168.a.0/24
  B.att.net         192.168.b.0/24
  C.localisp.net    192.168.c.0/24
  ...
that I would like to integrate into my own WAN and be able to see devices (machines, printers, etcetc) using the Internet as my transport medium. [NB that I don't have a proper router at most of these sites; I only have what the ISP gives me.] Better yet, when I'm on the road with a laptop I'd love to be able to connect into that and be part (just like remote office work). I was thinking that a host at each location, exposed through the firewall, would act as the local gateway and I could just route traffic across ... um, well ... that's where I run out :-)
Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites? And does each device in a site have two addresses (192.168.?.? and 172.16.?.?) or do I set each router's internal DHCP range to the larger network?
Where do I go to learn about this stuff? :-)
TIA again
:-D
I think you are still talking about a VPN. You can have multiple site VPNs, either with a common "hub" or just individual links between sites. With only 3 sites, that may be the way to go. You then have to set up the appropriate routing among sites. That is a bit beyond what a consumer grade router can do but is trivial for proper routers from Cisco etc.

You may want to look into pfsense, which is built on FreeBSD. You can buy Netgate routers or install it on an old computer. I run it on a Qotom mini PC, with i5 CPU, 4 GB RAM, 64 GB SSD and 4 Gb NICs. Pfsense supports IPSec, OpenVPN and Wireguard VPNs.

Hopefully, you're also considering IPv6. Both Comcast and AT&T provide it. I've been running IPv6 for over 11 years. Instead of having to share a single IP address with NAT, as on IPv4, IPv6 provides an incredibly huge number of addresses. I get a /56 prefix from my ISP, which contains 2^72 addresses. A single /64 prefix, as would be used on a LAN, provides 18.4 billion, billion addresses. I currently have /64s for my main LAN, guest WiFi, test LAN, VPN and a LAN on a Cisco router. That leaves me with only 251 spare /64s. ;-) BTW, a single /64 has the entire IPv4 address space squared!
David T-G wrote:
Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites?
openvpn. I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
And does each device in a site have two addresses (192.168.?.? and 172.16.?.?) or do I set each router's internal DHCP range to the larger network?
On my setup, each device has two addresses, but I think it ought to be possible for you to keep everything on 192.168.x.x.

-- 
Per Jessen, Zürich (25.6°C)
On 28/06/2021 12.55, Per Jessen wrote:
David T-G wrote:
Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites?
openvpn.
I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
I suppose that if the server is on location A, and you actually need to do most things on B, the transmission from A to B is done using the A site internet connection (and B). Can it, in those cases, be done using one server per site, to optimize most of the traffic?

Is there an "openvpn for dummies book"? Just curious.

-- 
Cheers / Saludos,
Carlos E. R. (from 15.2 x86_64 at Telcontar)
Carlos E. R. wrote:
On 28/06/2021 12.55, Per Jessen wrote:
David T-G wrote:
Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites?
openvpn.
I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
I suppose that if the server is on location A, and you actually need to do most things on B, the transmission from A to B is done using the A site internet connection (and B). Can it, in those cases, be done using one server per site, to optimize most of the traffic?
Sure, you can run a server on each site, but that just means you need multiple clients too. I think it becomes unnecessarily complex.
Is there an "openvpn for dummies book"? Just curious.
Quite possibly, but maybe more like a leaflet. There isn't much to openvpn itself. ISTR the howto is all you need.

-- 
Per Jessen, Zürich (26.6°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2021-06-28 7:59 a.m., Per Jessen wrote:
I suppose that if the server is on location A, and you actually need to do most things on B, the transmission from A to B is done using the A site internet connection (and B). Can it, in those cases, be done using one server per site, to optimize most of the traffic?
Sure, you can run a server on each site, but that just means you need multiple clients too. I think it becomes unnecessarily complex.
That of course depends on the number of sites. With only 3, 3 peer connections might be all that's necessary. If all traffic has to go through one site, then that will slow things down. Of course, for several sites, that would be the way to go, as the number of peer connections quickly rises. (n² - n)/2
On 28/06/2021 13.59, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 12.55, Per Jessen wrote:
David T-G wrote:
Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites?
openvpn.
I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
I suppose that if the server is on location A, and you actually need to do most things on B, the transmission from A to B is done using the A site internet connection (and B). Can it, in those cases, be done using one server per site, to optimize most of the traffic?
Sure, you can run a server on each site, but that just means you need multiple clients too. I think it becomes unnecessarily complex.
Huh, no, I mean multiple servers, but connect to only one each time. Each server has connection to all the sites.
Is there an "openvpn for dummies book"? Just curious.
Quite possibly, but maybe more like a leaflet. There isn't much to openvpn itself. ISTR the howto is all you need.
Oh.

-- 
Cheers / Saludos,
Carlos E. R. (from 15.2 x86_64 at Telcontar)
Carlos E. R. wrote:
On 28/06/2021 13.59, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 12.55, Per Jessen wrote:
David T-G wrote:
Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites?
openvpn.
I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
I suppose that if the server is on location A, and you actually need to do most things on B, the transmission from A to B is done using the A site internet connection (and B). Can it, in those cases, be done using one server per site, to optimize most of the traffic?
Sure, you can run a server on each site, but that just means you need multiple clients too. I think it becomes unnecessarily complex.
Huh, no, I mean multiple servers, but connect to only one each time. Each server has connection to all the sites.
I'm not sure quite what you have in mind - there may be other options, but both my vpns use a star topology, one central server to which all clients connect. If one client needs to talk to another client, it goes via the server.

-- 
Per Jessen, Zürich (27.4°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 28/06/2021 14.59, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 13.59, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 12.55, Per Jessen wrote:
David T-G wrote:
Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites?
openvpn.
I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
I suppose that if the server is on location A, and you actually need to do most things on B, the transmission from A to B is done using the A site internet connection (and B). Can it, in those cases, be done using one server per site, to optimize most of the traffic?
Sure, you can run a server on each site, but that just means you need multiple clients too. I think it becomes unnecessarily complex.
Huh, no, I mean multiple servers, but connect to only one each time. Each server has connection to all the sites.
I'm not sure quite what you have in mind - there may be other options, but both my vpns use a star topology, one central server to which all clients connect. If one client needs to talk to another client, it goes via the server.
In the example above, if you are going to do most things on site A, connect to the server at A, but you still have connectivity to B and C. If you are going to do most things on site B, connect to the server at B, but you still have connectivity to A and C. The purpose is to reduce latency and the traffic intersites.

-- 
Cheers / Saludos,
Carlos E. R. (from 15.2 x86_64 at Telcontar)
Carlos E. R. wrote:
On 28/06/2021 14.59, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 13.59, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 12.55, Per Jessen wrote:
David T-G wrote:
Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites?
openvpn.
I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
I suppose that if the server is on location A, and you actually need to do most things on B, the transmission from A to B is done using the A site internet connection (and B). Can it, in those cases, be done using one server per site, to optimize most of the traffic?
Sure, you can run a server on each site, but that just means you need multiple clients too. I think it becomes unnecessarily complex.
Huh, no, I mean multiple servers, but connect to only one each time. Each server has connection to all the sites.
I'm not sure quite what you have in mind - there may be other options, but both my vpns use a star topology, one central server to which all clients connect. If one client needs to talk to another client, it goes via the server.
In the example above, if you are going to do most things on site A, connect to the server at A, but you still have connectivity to B and C.
If you are going to do most things on site B, connect to the server at B, but you still have connectivity to A and C.
The purpose is to reduce latency and the traffic intersites.
Unnecessarily complex, imho. Each site will now run an openvpn server and two clients. 3 x 3 processes in total. It will also be a chaotic nightmare of a network setup. Just my opinion.

-- 
Per Jessen, Zürich (17.9°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 28/06/2021 20.44, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 14.59, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 13.59, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 12.55, Per Jessen wrote:
David T-G wrote:
Is there any consumer-level software that will let me overlay a private network across multiple sites and encrypt the traffic between sites?
openvpn.
I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
I suppose that if the server is on location A, and you actually need to do most things on B, the transmission from A to B is done using the A site internet connection (and B). Can it, in those cases, be done using one server per site, to optimize most of the traffic?
Sure, you can run a server on each site, but that just means you need multiple clients too. I think it becomes unnecessarily complex.
Huh, no, I mean multiple servers, but connect to only one each time. Each server has connection to all the sites.
I'm not sure quite what you have in mind - there may be other options, but both my vpns use a star topology, one central server to which all clients connect. If one client needs to talk to another client, it goes via the server.
In the example above, if you are going to do most things on site A, connect to the server at A, but you still have connectivity to B and C.
If you are going to do most things on site B, connect to the server at B, but you still have connectivity to A and C.
The purpose is to reduce latency and the traffic intersites.
Unnecessarily complex, imho. Each site will now run an openvpn server and two clients. 3 x 3 processes in total. It will also be a chaotic nightmare of a network setup. Just my opinion.
No, three servers and one client. You still don't get the idea. I don't know how to explain it. I'll try again.

One day I'm going to use mostly resources on site A, and a few on B and C. Another day I'm going to use mostly resources on site B, and a few on A and C.

Day one:

   site A           Site B            Site C
     |                |                 |
  openvpn--------openvpn-----------openvpn
  server          server            server
     |
     |
  Client

Day two:

   site A           Site B            Site C
     |                |                 |
  openvpn--------openvpn-----------openvpn
  server          server            server
                    |
                    |
                  Client

-- 
Cheers / Saludos,
Carlos E. R. (from 15.2 x86_64 at Telcontar)
Carlos E. R. wrote:
On 28/06/2021 20.44, Per Jessen wrote:
Unnecessarily complex, imho. Each site will now run an openvpn server and two clients. 3 x 3 processes in total. It will also be a chaotic nightmare of a network setup. Just my opinion.
No, three servers and one client. You still don't get the idea. I don't know how to explain it. I'll try again.
I think maybe you are ignoring or forgetting David's original "spec" - "Three sites .... that I would like to integrate into my own WAN and be able to see devices (machines, printers, etcetc)." In addition, David wanted to also connect his laptop when on the road.
One day I'm going to use mostly resources on site A, and a few on B and C. Another day I'm going to use mostly resources on site B, and a few on A and C.
Day one:
   site A           Site B            Site C
     |                |                 |
  openvpn--------openvpn-----------openvpn
  server          server            server
     |
     |
  Client
In the above, assuming the horizontal dashes between sites indicate a connection, how do you imagine those connections are made? I see three server configs (A, B, C), and at least two client configs (A->B, C->B) plus three client configs on your laptop. In addition, it requires configuration of the per-site router/modem for the port forwarding.

-- 
Per Jessen, Zürich (17.5°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 29/06/2021 08.34, Per Jessen wrote:
Carlos E. R. wrote:
On 28/06/2021 20.44, Per Jessen wrote:
Unnecessarily complex, imho. Each site will now run an openvpn server and two clients. 3 x 3 processes in total. It will also be a chaotic nightmare of a network setup. Just my opinion.
No, three servers and one client. You still don't get the idea. I don't know how to explain it. I'll try again.
I think maybe you are ignoring or forgetting David's original "spec" -
"Three sites .... that I would like to integrate into my own WAN and be able to see devices (machines, printers, etcetc)." In addition, David wanted to also connect his laptop when on the road.
No, I did not forget. The laptop is the client in my drawing.
One day I'm going to use mostly resources on site A, and a few on B and C. Another day I'm going to use mostly resources on site B, and a few on A and C.
Day one:
   site A           Site B            Site C
     |                |                 |
  openvpn--------openvpn-----------openvpn
  server          server            server
     |
     |
  Client
In the above, assuming the horizontal dashes between sites indicate a connection, how do you imagine those connections are made?
Internet. He has to connect the sites somehow. They can not be connected at the LAN level, different sites.
I see three server configs (A, B, C), and at least two client configs (A->B, C->B) plus three client configs on your laptop. In addition, it requires configuration of the per-site router/modem for the port forwarding.
Then openvpn is not as easy as you people are touting :-D

-- 
Cheers / Saludos,
Carlos E. R. (from 15.2 x86_64 at Telcontar)
Carlos E. R. wrote:
I think maybe you are ignoring or forgetting David's original "spec" -
"Three sites .... that I would like to integrate into my own WAN and be able to see devices (machines, printers, etcetc)." In addition, David wanted to also connect his laptop when on the road.
No, I did not forget. The laptop is the client in my drawing.
Yes, but how does the integration of the three sites happen?
In the above, assuming the horizontal dashes between sites indicate a connection, how do you imagine those connections are made?
Internet. He has to connect the sites somehow. They can not be connected at the LAN level, different sites.
That is where the vpn comes into the picture. Otherwise how will Daniel have one WAN covering three sites?
I see three server configs (A, B, C), and at least two client configs (A->B, C->B) plus three client configs on your laptop. In addition, it requires configuration of the per-site router/modem for the port forwarding.
Then openvpn is not as easy as you people are touting :-D
No, not when you deliberately make it complex ....

Here is what I would do -

On site A, run openvpn as a server; on site A, set up the router to forward port 1194 to the machine running openvpn. On site B and C, run openvpn as a client, connecting to A.

To avoid any routing issues, I would leave 192.168.x.x alone and use e.g. 172.16.42.0/24. So each machine on the network will have two addresses.

  For site A, use ip 172.16.42.1
  For site B, use ip 172.16.42.10 and 172.16.42.11 (client config)
  For site C, use ip 172.16.42.12 and 172.16.42.13 (client config)
  For a laptop, use ip 172.16.42.14 and 172.16.42.15 (client config)

From the server config, site B, C and the laptop will all get a static route for 172.16.42.0/24 via A. Done.

Assuming the external address at site A is dynamically allocated, a dynamic DNS setup would no doubt be very helpful.

Here is one of my clients:

7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.111.40.28 peer 10.111.40.29/32 scope global tun0
       valid_lft forever preferred_lft forever

# ip route show dev tun0
10.177.40.0/22 via 10.177.40.29
10.177.40.29 proto kernel scope link src 10.177.40.28

-- 
Per Jessen, Zürich (22.2°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
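The hub-and-spoke layout Per describes (server at A, port 1194 forwarded, clients at B, C and the laptop, a separate 172.16.42.0/24 overlay), worked out as the OpenVPN configuration it implies. This is an added example, not Per's own config and not anything from the OpenVPN project. It assumes LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 for sites A, B and C (the thread's 192.168.a/b/c are placeholders), client certificate common names siteB, siteC and laptop, one gateway host per site running the client (David's "host at each location" idea), and a dynamic DNS name hub-a.example.invalid for the hub. It goes one step beyond Per's recipe: the iroute entries in client-config-dir are what let the hub know which client owns which LAN, so a machine at B can reach a printer at C through A, and pushing routes per client (rather than globally) avoids handing a spoke a route to its own LAN.

```shell
#!/bin/sh
# Hub-and-spoke OpenVPN for three sites plus a road-warrior laptop.
# Added example; not configuration from the thread or from the OpenVPN project.
# Assumed (not in the thread): site A LAN 192.168.1.0/24, site B 192.168.2.0/24,
# site C 192.168.3.0/24, client certificate names siteB/siteC/laptop, and the
# dynamic DNS name hub-a.example.invalid for the hub's public address.

OVERLAY="172.16.42.0 255.255.255.0"   # the tunnel subnet from Per's reply
HUB_LAN="192.168.1.0 255.255.255.0"   # LAN behind the hub (site A)
SPOKES="siteB siteC"                  # clients that have a LAN behind them

# LAN behind a spoke, keyed by its certificate common name; fails for the laptop.
spoke_lan() {
    case "$1" in
        siteB) echo "192.168.2.0 255.255.255.0" ;;
        siteC) echo "192.168.3.0 255.255.255.0" ;;
        *)     return 1 ;;
    esac
}

# server.conf for the hub: one tunnel subnet, a kernel route per spoke LAN,
# and client-config-dir so the per-client iroute/push entries are honoured.
hub_server_conf() {
    printf '%s\n' "port 1194" "proto udp" "dev tun" "topology subnet" \
        "server $OVERLAY" "client-to-client" "client-config-dir ccd" \
        "push \"route $HUB_LAN\""
    for cn in $SPOKES; do
        echo "route $(spoke_lan "$cn")"   # kernel: this LAN lives beyond tun0
    done
    printf '%s\n' "keepalive 10 60" "persist-key" "persist-tun" \
        "ca ca.crt" "cert hub.crt" "key hub.key" "dh dh.pem" "tls-auth ta.key 0"
}

# ccd/<cn>: iroute tells OpenVPN which client owns a LAN; the pushes give
# that client routes to the *other* spokes only, never to its own LAN.
ccd_entry() {
    cn=$1
    own=$(spoke_lan "$cn") && echo "iroute $own"
    for other in $SPOKES; do
        [ "$other" = "$cn" ] && continue
        echo "push \"route $(spoke_lan "$other")\""
    done
}

# client.conf for a spoke gateway or the laptop; the hub is found by DNS name
# because site A's external address is assumed to be dynamic.
client_conf() {
    printf '%s\n' "client" "dev tun" "proto udp" \
        "remote hub-a.example.invalid 1194" "nobind" "persist-key" "persist-tun" \
        "remote-cert-tls server" "ca ca.crt" "cert $1.crt" "key $1.key" "tls-auth ta.key 1"
}

# Usage: ./overlay.sh hub > server.conf
#        ./overlay.sh ccd siteB > ccd/siteB
#        ./overlay.sh client siteB > client.conf
case "${1:-}" in
    hub)    hub_server_conf ;;
    ccd)    ccd_entry "$2" ;;
    client) client_conf "$2" ;;
esac
```

Two things the configs do not do for you: the gateway host at each site needs IP forwarding enabled, and the other machines on that LAN need a route for 172.16.42.0/24 and the remote 192.168.x.0/24 ranges pointing at the gateway (or the ISP router must carry a static route, which most consumer boxes cannot). Per's "two addresses per machine" approach, with a client on every host, sidesteps that second point at the cost of more clients.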
On 29/06/2021 11.55, Per Jessen wrote:
Carlos E. R. wrote:
I think maybe you are ignoring or forgetting David's original "spec" -
"Three sites .... that I would like to integrate into my own WAN and be able to see devices (machines, printers, etcetc)." In addition, David wanted to also connect his laptop when on the road.
No, I did not forget. The laptop is the client in my drawing.
Yes, but how does the integration of the three sites happen?
In the above, assuming the horizontal dashes between sites indicate a connection, how do you imagine those connections are made?
Internet. He has to connect the sites somehow. They can not be connected at the LAN level, different sites.
That is where the vpn comes into the picture. Otherwise how will Daniel have one WAN covering three sites?
Yes, of course, it is in my drawing.
I see three server configs (A, B, C), and at least two client configs (A->B, C->B) plus three client configs on your laptop. In addition, it requires configuration of the per-site router/modem for the port forwarding.
Then openvpn is not as easy as you people are touting :-D
No, not when you deliberately make it complex ....
Here is what I would do -
On site A, run openvpn as a server; on site A, set up the router to forward port 1194 to the machine running openvpn. On site B and C, run openvpn as a client, connecting to A.
To avoid any routing issues, I would leave 192.168.x.x alone and use e.g. 172.16.42.0/24. So each machine on the network will have two addresses.
  For site A, use ip 172.16.42.1
  For site B, use ip 172.16.42.10 and 172.16.42.11 (client config)
  For site C, use ip 172.16.42.12 and 172.16.42.13 (client config)
  For a laptop, use ip 172.16.42.14 and 172.16.42.15 (client config)
From the server config, site B, C and the laptop will all get a static route for 172.16.42.0/24 via A. Done.
Assuming the external address at site A is dynamically allocated, a dynamic DNS setup would no doubt be very helpful.
Here is one of my clients:
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.111.40.28 peer 10.111.40.29/32 scope global tun0
       valid_lft forever preferred_lft forever
# ip route show dev tun0
10.177.40.0/22 via 10.177.40.29
10.177.40.29 proto kernel scope link src 10.177.40.28
Ok :-) Thanks.

-- 
Cheers / Saludos,
Carlos E. R. (from 15.2 x86_64 at Telcontar)
On Monday, 28 June 2021, 13:28:47 CEST, Carlos E. R. wrote:
Is there an "openvpn for dummies book"? Just curious.
:-) shameless response...: Yes, I wrote one.. At/for Packt Publishing, long time ago. Still applicable. :-)

-- 
Best Regards,
Markus Feilner, Feilner IT - 20 years of open services -
-------------------------
Agile Recursive Documentation: – Document it or it didn't happen! –
-------------------------
Digital sovereignty, sustainability, documentation
Linux, Security, Strategy, Politics, Journalism, Networking.
https://www.feilner-it.net, 93059 Regensburg Wöhrdstr. 10, +49 170 302 7092 (+Signal)
Blog: https://markusfeilner.de
PGP: 40A3C306F96133067C11CFD9A958A906268C9F0A http://www.feilner-it.net/files/MFpub.asc
Xing: http://www.xing.com/profile/Markus_Feilner
LinkedIn: https://www.linkedin.com/in/markusfeilner
@mfeilner: Matrix, Jabber, Skype, Twitter, Diaspora, ...
On 2021-06-28 6:55 a.m., Per Jessen wrote:
openvpn. I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
If it's a busy network, IPSec might be a better choice. My understanding is it can use multiple CPUs, but OpenVPN doesn't.
On Monday, 28 June 2021, 14:30:35 CEST, James Knott wrote:
On 2021-06-28 6:55 a.m., Per Jessen wrote:
openvpn. I would suggest you need one public IP-address for your openvpn server, to which the other networks and your laptop connect.
If it's a busy network, IPSec might be a better choice. My understanding is it can use multiple CPUs, but OpenVPN doesn't.
That should only show in really high-end scenarios... afair. I have only heard of, not seen cases where that was the reason to choose the complexity and many issues that ipsec brings with it. I'd rather recommend wireguard than ipsec ... long time ago we did a performance test on ipsec/openvpn, for Linux Technical Review, but I don't have a PDF around anymore...

-- 
Markus Feilner, Feilner IT
David T-G wrote:
Hi, all --
I would have called this a vpn, but after reading the recent [excellent] thread on what is or isn't vpn and what it can or can't do for one, maybe that's not the right term ...
I have multiple sites
  A.comcast.net     192.168.a.0/24
  B.att.net         192.168.b.0/24
  C.localisp.net    192.168.c.0/24
  ...
I use tinc for that. It defines a separate network that interconnects the machines, which are standing up to 6000km apart. You do need at least one 'visible' node though through that all machines can connect.
participants (6)
- Carlos E. R.
- David T-G
- James Knott
- Markus Feilner
- Per Jessen
- Peter Suetterlin