Site To Site VPN

That's a good point, and a good option...I didn't connect the dots when I skimmed that. We've done a few "campus area networks" with Ubiquiti point to point bridges.....it's basically like running an ethernet cable from building to building. They're on the LAN...and on a good fast 300-450 meg connection.
 
When you say "two offices in main street", how far away are they from one another (physically)? If they're just a stone's throw away from each other have you considered going point-to-point wireless? Not saying it's the best option but it is an option and it also eliminates the VPN overhead, you no longer rely on the internet connection and, if desired, everyone can stay on the same LAN which can take care of name resolution issues. The biggest downside would be the possibility of interference so a thorough site-survey would be in order but it's just something to think about.


Also, FTR, I've got a client who I set up a VPN for while using TP-Link equipment. It's "okay" equipment but it's nothing that made me jump with joy. Still, as an inexpensive option it's alright.
We thought about wireless. The two offices are maybe 400 metres apart. They would need a mast to get above obstacles to achieve line-of-sight. The second premises is rented. Putting a mast on the shop roof would be expensive. If they were across the road from each other I'd probably look at a wifi beam, but they're on the same side of the road. Not that I have any experience with wifi beams. Maybe that would work anyway...

What does "okay" really mean? It's not reliable or it's lacking options or something else?
 
We can talk about VPN equipment all day long, and everyone's fan-boy router brands that do VPN tunnels.

...BUT...is a VPN connection between these 2x sites....the best approach to fill the clients needs?

Let's assume the OP gets a pair of routers that do VPN tunnels well. Does the client have static IP accounts at both ends? While "yes" you can get some VPN setups that support dynamic DNS aliases and all that amateur stuff...it's really much better to do it with static IPs.

Next...how to handle name resolution through a VPN tunnel. There are a few different ways to set up name resolution...if there's an internal domain..naturally using internal DNS is the correct approach. Most optimal is have a domain controller at each site. Less optimal....Site A has the domain controller, and workstations at Site B use the IP address of the DC as their DNS server...nothing else. And then you run into the issue when the VPN goes down...nobody can browse the internet...so people do the half-arse fix of having the local ISP's DNS servers as their secondary DNS. But that usually breaks the proper Active Directory login of the workstation since it tries to use primary DNS first, but since it's through a skinny VPN tunnel it doesn't resolve fast enough so it turns to secondary DNS..and you end up with issues down the road.

Or do the "poor man's WINS" setup of lmhosts files.

And then performance issues..."a chain is only as strong as its weakest link"...upload of a DSL connection...subtract 15-30% bandwidth for VPN overhead...and there's your upload/download speed of copying files back 'n forth. Can be painful for users.

So......since the OP mentioned "file sharing"...why not take a web based cloud file sync approach? Does the client have Office 365? If so...consider Sharepoint. Or if not...consider 3rd party apps like...eFolder, or DattoDrive. And with sync clients...gone is the slowness of perceived file copy speed.

An advantage is..another basic level of backup is done by this service..so bonus points!
I recommend strongly considering this approach..versus a VPN.
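A health check for the name-resolution trap described above (Site B workstations pointing at the Site A DC as primary DNS, with the ISP resolver as secondary). This is an added example, not code from the thread; the domain, the two resolver addresses and the one-second fallback threshold are assumed placeholders. It queries each resolver for the SRV record a Windows client uses to locate a domain controller and reports whether the DC answers fast enough through the tunnel, or whether the client would fall through to the ISP resolver, which has no such record.

```python
import socket
import struct
import time
# Assumed placeholders, not values from the thread: the internal AD domain and the
# two resolvers a Site B workstation might be given (DC over the tunnel, ISP locally).
AD_DOMAIN = "corp.example"
DC_DNS = ("10.0.0.10", 53)          # Site A domain controller, reached through the VPN
ISP_DNS = ("203.0.113.53", 53)      # ISP resolver at Site B (documentation address)
# Assumed threshold: a client that hears nothing within this time tries its secondary.
FALLBACK_SECONDS = 1.0

def encode_name(name):
    """Encode a dotted name in DNS wire format: length-prefixed labels, zero terminated."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Build a one-question DNS query (qtype 33 = SRV, 1 = A) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_response(data, txid=0x1234):
    """Return (rcode, answer_count) from a DNS response, or None if it is not ours."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # wrong transaction id, or not a response
        return None
    return flags & 0x000F, an

def srv_name(domain):
    """The SRV record a Windows client resolves to find a domain controller."""
    return "_ldap._tcp.dc._msdcs." + domain

def timed_query(server, name, qtype, timeout=FALLBACK_SECONDS):
    """Send one UDP query; return (elapsed_seconds, parsed result or None on timeout)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qtype), server)
        data, _ = sock.recvfrom(512)
        return time.monotonic() - start, parse_response(data)
    except socket.timeout:
        return time.monotonic() - start, None
    finally:
        sock.close()

def classify(elapsed, result):
    """Describe what a workstation would experience from this resolver."""
    if result is None:
        return "TIMEOUT: client falls through to its secondary DNS"
    rcode, answers = result
    if rcode != 0 or answers == 0:
        return "NO DC RECORD: this resolver cannot locate a domain controller"
    if elapsed > FALLBACK_SECONDS * 0.8:
        return "SLOW: close to the fallback threshold, AD logons may be erratic"
    return "OK"

if __name__ == "__main__":
    for label, server in (("DC over tunnel", DC_DNS), ("ISP resolver", ISP_DNS)):
        elapsed, result = timed_query(server, srv_name(AD_DOMAIN), 33)
        print(f"{label}: {elapsed * 1000:.0f} ms -> {classify(elapsed, result)}")
```

Run it from a Site B workstation a few times across the day; a DC result that is repeatedly SLOW or TIMEOUT is the point at which the secondary-DNS workaround starts breaking AD logons.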
You've just mentioned 10 things I would never have thought of. I've played with domains enough to know that would be the wrong solution for this customer. That would be adding a level of complexity that we'd all like to avoid.

They use Dropbox at the moment but they're not happy with that approach. Doesn't Dropbox integrate with the Windows file system? Like, say Google Drive? I would have thought that kind of thing would appear to the end user much like a shared drive. I don't know much about Office 365 but I think it's worth studying to see if that's a better solution.
 
1300 feet isn't bad even if it isn't pure LoS but the fact that they're only renting one of the buildings might be a deal breaker there if you can't get an antenna mounted on the outside of that building. Still, Ubiquiti and Engenius both make systems that are pretty damn powerful and don't cost a huge amount so might be something to keep logged away for future use if nothing else.

Also, what I mean by "okay" is that the unit works great... when it works. The hardware itself is fine but the TP-Link firmware is buggy. And, in my experience, seemingly every time they fixed one bug in a firmware update they introduced another one. One of the bugs I had to deal with actually caused the VPN server to crash randomly, meaning for a period of about 4 months I was getting calls from the client saying they couldn't connect and I'd have to remote in and restart the VPN service again. About made me want to chuck the thing out a window until it got fixed.

Yea, it integrates about like Google Drive. Office has a couple things like OneDrive and SharePoint. OneDrive being another Google Drive-like option that's a bit more tightly integrated with Win10, and SharePoint which is more of a collaborative option (which sounds like what you'd be looking for).

If all they're doing is sharing documents occasionally then Dropbox/OneDrive/Google Drive/Box/etc would probably be their best bet. Is there any pain-point they have with Dropbox that's causing them issues?
 
Most cloud file sync products, such as DropBox, OneDrive, DattoDrive, etc...they can have a local sync program which usually integrates into the user's Libraries (next to Docs/Pics/Downloads/etc)...so yeah it's handy and right there, and makes things quick 'n easy.
OR..you can just use it via the web browser interface.

But yeah if they're already using DropBox...what don't they like about it?
 
Having said that, I should probably scout both premises. In this town there's a reasonable chance there's already a mast there or close by. I remember seeing some Ubiquiti gear that would be perfect, can't remember what exactly, some kind of narrow beam wifi thingy designed to get between two distant points. I think they quoted 14km line-of-sight! I really want to set that up on a farm and impress the hell out of them :)

We don't need no steenking buggy firmware. I've had great success with their domestic stuff. Every crappy Telstra modem I replace with a TP-Link and I've never had a call back.

I think I must be thinking in terms of Sharepoint because they want to "share" documents in a controlled way. They're already talking in terms of a common network share but I just know that will end badly. They mentioned the pain points with Dropbox but I can't remember what...
 
I tend to think of these file sync technologies as being targeted to individuals as a way of having your files on many devices rather than to teams who want to collaborate on documents. My experience in team environments is with things like Source Safe and the like where everyone can read the documents but only one person has "control" of a document at any one time. This is what Sharepoint is all about as I understand it. I know there's a certain lack of discipline/education within the organisation which is hard to overcome and better control of document access will help with that.

And since you said the "D" word, I'm going off the whole vpn thing and leaning towards a wifi beam, if that's feasible, or Office 365 which will solve the multiple office, off-site, shared documents, toe-stomping, network shares issues.
 
Thinking wifi beam (is that the correct term?) and how it would be implemented. I'm yet to ascertain whether this can actually be done but I'm working it through the slow moving vehicle that is my brain.

Would it be, say, Office A's wifi is beamed into Office B and presented via an AP as an alternative wifi network in addition to the wifi/modem/router already present in that office. Or feed that wifi beam into their switch, removing their adsl wifi/modem/router, so that Office A's wifi beam is now the only network available for Office B and Office A's adsl is the only connection to the internet for both offices?
 
DattoDrive is much more business like than DropBox. It's meant to be a centralized file repository, for many different users, can organize similar to active directory..users/groups.
 
The correct term here would be a wireless bridge. Here's how to think of it:

You would typically need two wireless antennas/APs, one at each site. These APs are configured to communicate with only each other. This is done one of two ways:

(a) through WDS by putting the MAC address of the other AP into each one's config. This method makes the wireless connection/antennas completely invisible to the outside world and the backhaul issues WDS has won't affect things here due to there only being 2 antennas involved.

or

(b) through AP/client mode which works much like a router/laptop would. One antenna acts as an access point with a hidden SSID, encryption and, if desired, a MAC filter to prevent anything that isn't the other AP from joining the network. The other antenna acts as the client. This method is dead simple to set up but there will be a "hidden network" visible to anyone sniffing the wireless waves.

Both antennas then connect into each location's respective LAN. So your network would typically look like this (forgive the rudimentary text diagram):


SITE A <<<|SWITCH|____(cat5)____|ANTENNA A|---------------------------------wireless---------------------------------|ANTENNA B|____(cat5)____|SWITCH|>>>SITE B

That's a basic way of how to do it, you can think of the bridge just like a long cat5 cable. You can manage internet access at each location with VLANs or, if they want to drop internet at a location you can also just pipe in through the antenna connection like you mentioned, though you may run into bandwidth issues internet-side by doing so unless they have a pretty solid connection.
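As an added illustration of option (b) above (not from the thread, which is about Ubiquiti/Engenius gear): the same three controls, hidden SSID, WPA2 encryption and a MAC filter, expressed as a hostapd configuration for the access-point side of a Linux-based bridge. Interface name, channel, SSID, passphrase and ACL path are placeholders; the client side would be a matching wpa_supplicant profile.

```ini
# Hypothetical hostapd.conf for the AP end of a two-radio point-to-point bridge.
# Placeholder values: change the interface, SSID, channel, passphrase and ACL path.
interface=wlan0
driver=nl80211
ssid=bridge-siteA-siteB
hw_mode=a
channel=36
ieee80211n=1
# Hidden network: beacons carry an empty SSID. It still shows up as a "hidden network"
# to anyone listening, exactly as the post says, so this is convenience, not security.
ignore_broadcast_ssid=1
# WPA2-PSK with CCMP is the control that actually keeps other radios off the link.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-to-a-long-random-passphrase
# MAC filter: only addresses listed in accept_mac_file (one per line, e.g. the other
# antenna's MAC) may associate. Treat it as a speed bump layered on top of WPA2.
macaddr_acl=1
accept_mac_file=/etc/hostapd/bridge.accept
```

With the client radio holding the matching SSID and passphrase, both antennas then plug into their site switches as in the text diagram above.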
 
Here's a simplistic way to envision it. In this case you'd setup a wireless "PtP"....(point to point). Basically it's an invisible ...very long..ethernet cable.
Say you had 2x buildings...building A, and building B..sort of across the street, down the block from each other. An internet connection is in building A. You wanted to connect building B, to building A...using a thousand foot ethernet cable. How would you do that in a simplistic way? You'd plug one end of the ethernet cable into the switch at building A, and you'd have a switch at building B...you'd plug it into that. Computers in building B would pick up DHCP from the router in building A..just like they were in a room in building A.

The wireless point to point (bridge) is pretty much the same thing. You just have 2x wireless bridges instead of a thousand foot ethernet cable. The only difference...is you need to pre-configure them (like GF outlined above)...assign them each a static IP address (preferably..for security purposes, outside the IP range of the network they're serving). Once they're configured to work as a pair...you just treat the pair of them like that thousand foot ethernet cable..and use them to uplink the switches in each building.

That's one way to use them.
Another way...you can have the ISP handoff in one building, and have the router in the other building. Normally you uplink the ISP's modem to the WAN port of your router with a short ethernet cable. In the 6 mile Ubiquiti airFiber PtP over the water I set up for a client of mine......I have the Comcast modem on mainland, an airFiber 5U hanging off the back of that...and then over on the WAN port of the Untangle firewall at the school on the island...the other airFiber 5U. So I basically have a 6.2 mile ethernet cable hanging across 2x towers over 6 miles of ocean with that setup.
 
I'll just chime in to add another voice saying that for 400M you should definitely be looking at direct options, and may even be able to pay for a chunk of it by ending the data service to one location. File sharing over a VPN connection is never pleasant, and I'm used to cable modem speeds not ADSL anymore. I can't imagine trying to do anything good over ADSL upload speeds.
 
Thanks. Reading that just brought up the question of "does VPN require a static IP?"

Technically no. But you have to have a very reliable DDNS setup. Personally I have that running but I no longer recommend that for any Internet facing service. There is a lot of blocking based on IPs that fall into the public IP DHCP range regardless of the ISP.
 
I'm struggling to find any meaningful information on Datto Drive. Their web site is all very shiny graphics and sign here but short on "here's how it works for the end user" especially in terms of team collaboration.
 
I think I was more after an opinion on which way to go rather than a tutorial on wifi bridging. My bad, poor wording.

I'm meeting with the customer boss this coming week and we'll put everything out there and see what sticks...
 
No neither can I. And in this town what they call it and what they deliver are not the same thing. Have you actually installed a bridge over that distance with buildings in between? What kind of performance can I expect? I expect a narrow beam wifi would have trouble. Shutting down the adsl in the second office is what I had in mind assuming we can get similar performance over the wifi bridge... Maybe collaboration software....

I think I'm going into brain lock...
 
OpenVPN on Untangle doesn't require a static IP, but you do need the server side to have a DNS name that works and it creates tickets no matter what you do. When messing about with VPNs, it's best to go static.

The only option I haven't seen explored here yet is an ISP provided direct link. Cox has a MetroE connection which is an MPLS like thing that can be delivered via either fiber or coax. It's pretty magic, and I have them spanning Arizona removing the need for VPN entirely. No Internet or Voice at the branches anymore, they just have a nice stable 10mbit link to a 50mbit fiber port at the main office and everything just works.
 