Site To Site VPN

glennd

Location
South West Victoria Australia
I've been asked to spec out a site to site vpn for a customer. This is outside my area of expertise.

They have two small offices in main street and want to have network access between the two so they can access network shares. I presume site to site vpn is what I want? Each office has its own ADSL connection via crappy Telstra modem/routers and a little 19-inch rack on the wall with a patch bay and switch. We need to retain and enhance the wifi in both offices by whatever means. Both modems need to be replaced, after that I'm not sure.

By small I mean up to 5 people in the main office and probably 2 or 3 in the second office and probably only occasional traffic between the two. It's more a convenience thing I guess.

Any suggestions on where to start looking?
 
What sort of budget are you/they looking at.
Most consumer routers (even those crappy Telstra Thomson Gateways) come with a built in VPN that's fairly easy to set up if they want the cheap route.
 
No budget yet. Trying to get a feel for what technology is required. I think we're in "business class" somewhere. I didn't know that about the Thomsons. Might have a look. In any case, at least one is failing so I'm working on the assumption that we'll replace both.
 
My personal favourite for smaller offices are DrayTek routers, in particular the Vigor 2860. They're rock-solid reliable, have multiple WAN inputs, inc Ethernet, ADSL/VDSL (no external modem required) and even built-in 3G/4G on the 2860LN models. VPN features are good too for both site-to-site (LAN to LAN) and SSL.
Hrm, I wonder if they have a rack version.
Not exactly a rack version, but I've used this mounting kit a few times:
http://www.draytek.co.uk/products/accessories/rackmount
 

So am I right in thinking that a router such as this would still require a modem to make the ADSL connection?
Yes, you could use the old Telstra Gateways, but if one's failing might be better with the Drayteks that @Moltuae suggested.
They are business class and do it all. Pricey in AUS though!
 
$400-$500. Yeah, that might be a tough sell. They look like they'll do the job. I saw a model that is NBN compatible, which apparently is about to become an issue in our tiny town, which I seriously never expected to ever happen.
 
Company expansion? Bragging rights? Lol

The good thing about TP-Link is they actually support Telstra Bigpond, which makes setup easier.
I've installed dozens of TP-Link "consumer" Modem/Routers (Oh, I can hear the howls now!) and never had an issue with any of them.
The Archer range are excellent.
I haven't done anything with their "business class" stuff but judging by the consumer stuff it should be fine.
 
You'll only get FTTC, not actual FTTH. So whatever you go with will be ok. Everything is "NBN Ready" these days so if Big Mal has an epiphany and decides go all batshit crazy and give everyone FTTH you'll still be ok!
 
What is their "business class" stuff? Is that the Archer stuff? (I immediately think of that show on the telly at the moment.)
 
"The TL-ER6120 supports multiple VPN protocols including IPsec, PPTP and L2TP in Client/Server mode and can handle pass-through traffic as well. It also features a built-in hardware-based VPN engine allowing the router to support and manage up to 100 LAN-to-LAN/Client-to-LAN IPsec VPN connections. Advanced VPN features include: DES/3DES/AES128/AES192/AES256 encryption, MD5/SHA1 authentication, Manual/IKE key management, and Main/Aggressive negotiation modes."

Is this the kind of thing I should be looking for?

Also, I saw a discussion about some VPN protocols being redundant or insecure, and that you should make sure any new VPN device uses this new protocol, or words to that effect. Now I can't find that.

If this is a router and I have to plug it into an ADSL modem/router, how do I avoid the so-called "double NATing"?




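An added example, not code from the thread or from TP-Link: a small Python checker for the kind of VPN feature list quoted above. It flags the legacy options in that list (DES/3DES, MD5/SHA1, PPTP, IKE aggressive mode, manual keys) that a new site-to-site tunnel should not be built on. The "key = value" spec format is made up for this example.

```python
# Added example: flag legacy options in a proposed site-to-site VPN spec.
# Which of the quoted router's options count as weak is this example's own
# assessment; the spec format is constructed, not a vendor format.
WEAK_CIPHERS = {"DES", "3DES"}      # 64-bit block ciphers
WEAK_HASHES = {"MD5", "SHA1"}       # deprecated integrity algorithms
WEAK_PROTOCOLS = {"PPTP"}           # MS-CHAPv2 + RC4, long broken
WEAK_MODES = {"AGGRESSIVE"}         # IKEv1 aggressive mode exposes the PSK hash

def parse_spec(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment."""
    spec = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        spec[key.lower()] = value.upper()
    return spec

def check_vpn_spec(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    spec = parse_spec(text)
    findings = []
    if spec.get("protocol") in WEAK_PROTOCOLS:
        findings.append("protocol PPTP: obsolete, use IPsec instead")
    if spec.get("cipher") in WEAK_CIPHERS:
        findings.append(f"cipher {spec['cipher']}: use AES (128 or 256)")
    if spec.get("hash") in WEAK_HASHES:
        findings.append(f"hash {spec['hash']}: prefer SHA-256 or better")
    if spec.get("mode") in WEAK_MODES:
        findings.append("IKE aggressive mode: PSK hash sent unencrypted, use main mode")
    if spec.get("key_management") == "MANUAL":
        findings.append("manual keying: no rekeying, use IKE")
    return findings

# Constructed samples: a tempting 'defaults' setup and a tightened one.
SAMPLE_WEAK = """
protocol = IPsec
cipher = 3DES
hash = MD5
mode = Aggressive
key_management = Manual
"""
SAMPLE_BEST = """
protocol = IPsec
cipher = AES256
hash = SHA1   # the strongest the quoted feature list offers; still flagged
mode = Main
key_management = IKE
"""
```

Even the tightened sample keeps one finding, because SHA1 is the best integrity algorithm the quoted feature list mentions.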
 
We can talk about VPN equipment all day long, and everyone's fan-boy router brands that do VPN tunnels.

...BUT...is a VPN connection between these 2x sites....the best approach to fill the clients needs?

Let's assume the OP gets a pair of routers that goes VPN tunnels well. Does the client have static IP accounts at both ends? While "yes" you can get some VPN setups that support dynamic DNS aliases and all that amateur stuff...it's really much better to do it with static IPs.

Next...how to handle name resolution through a VPN tunnel. There are a few different ways to set up name resolution...if there's an internal domain..naturally using internal DNS is the correct approach. Most optimal is to have a domain controller at each site. Less optimal....Site A has the domain controller, and workstations at Site B use the IP address of the DC as their DNS server...nothing else. And then you run into the issue when the VPN goes down...nobody can browse the internet...so people do the half-arse fix of having the local ISP's DNS servers as their secondary DNS. But that usually breaks the proper Active Directory login of the workstation since it tries to use primary DNS first, but since it's through a skinny VPN tunnel it doesn't resolve fast enough so it turns to secondary DNS..and you end up with issues down the road.

Or do the "poor man's WINS" setup of lmhosts files.

And then performance issues..."a chain is only as strong as its weakest link"...upload of a DSL connection...subtract 15-30% bandwidth for VPN overhead...and there's your upload/download speed of copying files back 'n forth. Can be painful for users.

So......since the OP mentioned "file sharing"...why not take a web based cloud file sync approach? Does the client have Office 365? If so...consider Sharepoint. Or if not...consider 3rd party apps like...eFolder, or DattoDrive. And with sync clients...gone is the slowness of perceived file copy speed.

An advantage is..another basic level of backup is done by this service..so bonus points!
I recommend strongly considering this approach..versus a VPN.
 

When you say "two offices in main street", how far away are they from one another (physically)? If they're just a stone's throw away from each other, have you considered going point-to-point wireless? Not saying it's the best option, but it is an option and it also eliminates the VPN overhead, you no longer rely on the internet connection and, if desired, everyone can stay on the same LAN, which can take care of name resolution issues. The biggest downside would be the possibility of interference, so a thorough site survey would be in order, but it's just something to think about.


Also, FTR, I've got a client who I set up a VPN for while using TP-Link equipment. It's "okay" equipment but it's nothing that made me jump with joy. Still, as an inexpensive option it's alright.
 