Contact a specialistGoryainov DenisTechnical Director+79851256588 Ask a question
Combining two or more local networks
Networking Tasks:
1. to establish fast, safe and reliable information exchange between several remote offices and branches;
2.Connect mobile employees to the local network, ensuring security connections ;
3. to create a single telephone channel for the branches to save and control costs, ease of switching;
4. create a centralized Internet channel and traffic distribution between branches;
5. take control of the "center" remote offices.
If you need to solve these problems, the service from ZSC will allow your company to connect all remote branches and employees into a single network.
Local Area Networking
When companies need to unite several branches and offices, today it is no longer enough for a contractor to simply set up a centralized local network and establish information exchange.
The client needs complex solution With:
- a single telephone channel;
- managed internet traffic;
- the possibility of automated control and remote technical support branch office computers and servers;
- free access for remote employees to corporate information.
In this case, it must be ensured high degree security of all these information flows.
Today a service for the client local area networks required "under key»- the contractor must carry out each stage of the work independently, with the minimum participation of the customer. As a result, the client needs to provide centralized system branch management with all the necessary IT components and control and support tools. We are not talking about a simple VPN - we are talking about a virtual unification of remote offices to the "physical" level.
At the same time, we must not forget that the project combining two or more local networks must be economical, otherwise all its positive results will be unprofitable.
If you need to accomplish such a merger of branches and remote offices or implement any of its components (unified telephone network, balanced Internet traffic), we are open for cooperation. With vast experience and high qualifications in the market digital technologies, we are ready to offer you the most effective and economical option, focused on the specific needs of your business.
Network Combine Devices
The specialists of our company ZSC work with equipment of any manufacturer. If you have your own routers, we will configure them to connect local networks of remote offices.
Mikrotik networking
In our practice, we use professional equipment from Mikrotik(more economical and popular solution) and Cisco (more expensive and functional solution).
Using the example of Mikrotik equipment, we will analyze the technologies for combining local networks. Despite the relatively low market value compared to analogs, the Mikrotik software platform allows you to configure flexible, secure and functional information exchange channels. The equipment of this manufacturer has proven itself perfectly on our numerous projects and in offices clients. In addition, Mikrotik allows serious budget savings.
Mikrotik routers support up to seven protocols for the secure sending of information, which is encrypted as separate packets with the assignment of a second IP header. This header includes the IP address of the recipient and the IP address of the sender. When trying to intercept information, the fraudster sees only this information, while it is impossible to determine the source computer and the destination computer. In the event of information leakage, it will take too long to decipher the code, and it is not yet a fact that it will work out. Other options for the secure transfer of information are also used.
Security protocols:
more details
PPTP(tunnel point-to-point protocol) - used to build dedicated networks on top of open ones. It features high performance, a variety of encryption options and the ability to use various software platforms.
L2TP- unlike PPTP, it has higher fault tolerance and more reliable security. It is used both for building closed networks inside open ones and for accessing corporate network from remote devices, as well as for the use of various connection schemes.
IP2IP- encrypts information in packets and assigns it a separate IP for reliable transmission to the addressee. It is used to build tunnels between routers via the Internet.
PPPOE- works by analogy with PPTP, but is a simpler and less resource-intensive solution.
IPSec- one of the most reliable options for building a closed tunnel. In addition, the information is encrypted, for reading it is necessary to use individual keys. This provides a high, two-layer security for data transmission.
VLAN- provides the creation of logical high-speed secure tunnels, which in terms of security are close to the "physical" transmission of information, for example, inside the office through cables.
EoIP- organizes the transparent integration of remote offices and branches on top of the created virtual channels. Allows you to flexibly configure Internet traffic, individual security policies, balancing and settings for remote branches. To use EoIP, a sufficiently wide bandwidth is required, since the protocol takes up to 15% of the traffic for control purposes.
The combination of different security protocols allows you to build flexible, secure and reliable communication channels and meet specific business needs. If you need maximum security, the IPSec protocol is suitable, and if you need a simpler channel for transferring encrypted information - PPTP, L2TP, or IP2IP. For the organization of transparent and controlled logistics of information between branches and offices, VLAN and EoIP can become the choice.
The cost of combining two or more local networks
Provide a unified price list with unambiguous prices for combining two or more local networks that would apply to all projects is not possible. In the final calculation, a lot depends on the tasks, business needs, the amount of work, the number of Ethernet outlets, the length of the cable, and much more.
However, there are several basic indicators that apply to certain types of work:
Type of work | Units | Price, rub.)* |
Installation of a cable channel | m. | 120 |
Cable installationUTP ( cat 5 e) taking into account the group laying | m. | 44,48 |
Installation of corrugations taking into account fastening | m. | |
Mounting the socketRJ-45 | PC. | 200 |
Cable marking taking into account the marked materials | PC. | |
Installation of CCTV cameras,Wi- Fipoints, etc. | PC. | 1500 |
Testing the line for the presence of a contact ("ringing") | PC. | |
Structured system design work | sq. m. | |
Installation of network equipment | PC. | 400 |
Actual on 16.02.2017 (excluding VAT)
Our specialists and designers are able to create project of combining two or more local networks of any complexity and scale, for the specific needs of the business, to coordinate it with the customer and implement it on a turnkey basis.
Connecting computer networks - how we work:
- we get the initial data, settings and security policies that work within your company;
- we integrate them with the settings of the router, we configure the equipment according to the requirements you need;
- we send the configured router to the remote branch (office) and connect it;
- we carry out commissioning ;
- we provide you with a turnkey solution - combining two or more local networks.
For you - everything is elementary simple! And on our side we have vast experience, high qualifications and dozens of completed projects. And all this allows us to work quickly, efficiently and with serious budget savings, not at the expense of quality.
And if you are our client of a complex subscription service for Premium, then this service is provided for you free of charge (only equipment is paid for)!
Let's take a closer look at the individual components of a comprehensive solution "Combining two or more local networks".
Telephony between remote offices
Task : to create a single telephone network with "short" subscriber numbers in remote branches, to ensure cost savings on calls and control over the use telephone lines, connect mobile employees to the telephone network, introduce a single number.
When we connected with a common network Ethernet central and remote offices, we have thus formed a single information space. Any data can be transferred inside this space: files, video content, voice content and other information. The most massive segment of information that is transmitted within the company is server data; in second place in popularity - voice and video content.
A single local network allows you to configure equipment in such a way that employees, who may be separated by thousands of kilometers, are in the same office.
Stationary employees
To build a single telephone network between the branches and the "center" it is necessary own digital office PBX, which is installed in the central office. And in the branches, IP phones are connected, for which IP addresses are configured as if it were a network of one office. The PBX and the remote phone identify each other, after which we assign a "short" number for the remote office. Everything happens as if we just added a new employee at the headquarters.
As a result, your employees begin to work in a single space, no matter how far they are from each other. When an incoming call arrives at the PBX, the telephone exchange “thinks” that you are in the same network and forwards the call, and it is distributed in another city or even country. At the same time, a high level of data transmission is ensured - communication is carried out through secure encrypted tunnels.
Mobile employees
Mobile employees can also be connected to the company's unified telephone network. To do this, they need to use telephones that support tunneling. An encrypted tunnel is configured inside the smartphone, which "rises" when the phone is connected to Wi-Fi networks and is authorized through the prescribed settings from the central PBX in your office.
As a result, your mobile employee is part of the corporate telephone network, may have a "short" number for fast switching and use favorable rates for making and receiving calls that are configured on your central office.
Advantages of unified telephony between branches:
- flexible configuration of internal call routing;
- the ability to use multiple operators and tariffs;
- the ability to use a single telephone number with subsequent forwarding to branch numbers;
- significant savings in telephony costs;
- centralization and control over incoming and outgoing calls.
Among these and many other advantages of a telephone network between remote branches, there are two main ones that have made this service so popular today: first- use of multichannel numbers; and, second- savings on telephony costs.
Due to the multichannel nature, calls are comfortably distributed between remote offices. It is enough to simply set up the voice menu so that the client can call a single number and connect to a specific region, city, office or subdivision.
Cost savings are ensured by logical routing between several operators that are connected to a single PBX in the central office... That is, it is enough to correctly configure a telephone exchange in the head office once, connecting several operators to it, in order to reduce the cost of telephony for the entire branch network of offices. For example, all calls within Russia are made through one IP-telephony operator. Analogue calls in Moscow go through unlimited city lines, and long distance calls through a third SIP telephony operator. And so - for everyone a separate kind communications: incoming / outgoing, calls within Russia, within the region, city, long-distance and international calls, from landline and mobile phones.
Our clients, in complex configurations, have from 2 to 5 telecom operators, which ensures the most optimal spending of funds. They need to monitor the correct operation of only one central equipment in order to actually serve dozens of offices and not spend tens of thousands of rubles on the illiterate waste of telephone traffic.
More details about this service can be found in the "Office PBX" section. Find out here exactly how much a company can save by using a central office.
Internet networking
Task : Provide stable, uninterrupted internet traffic at a remote office or branch
When a company has a small branch in another city, its effective work is associated with a constant and stable Internet connection and all business processes stop as soon as the connection is cut off, it is imperative reserve internet channels.
Using modern equipment from MikroTik and Cisco, we are able to make sure that the customer's business processes do not stop and remote branches constantly receive a stable Internet.
Balancing Internet channels of remote offices - what is it?
To accomplish this task, we set up the channels of the primary and backup ISPs. At the same time, the reserve can be either a terrestrial additional channel or a more economical channel. mobile operators(Beeline, MTS, Megafon, Yota, Tele2).
In case of failure of the main, as a rule, more powerful one, the channel is automatically switched to the backup channel. With such a switch, the equipment is re-authorized, and a tunnel is raised in the backup channel for secure encrypted data transmission. You must first authorize the equipment in such a way that it is possible to balance between two Internet channels, depending on their availability.
For the end user, no changes will occur - he will simply continue to use the Internet, which will be temporarily supplied via a backup channel. And our automated system monitoring accepts this data, specialists see the information and send a request to the provider of the main channel to fix the problem.
We urge our clients not to save on the backup channel, since the cost of using it (up to 1,000 rubles, depending on the region) will be significantly lower than possible business losses due to interruptions in the only Internet channel.
There are also more complex schemes for balancing the Internet channels of remote offices. For example, Cisco has developed and implemented GRE tunnels. They are familiar tunnels, but the GRE header is overlaid on top of the standard IP packet. Such tunnels allow you to perform domain authorization within the network.
The balancing option for the Internet channel depends on the specific needs of the customer.
Local networks between remote offices can be used for other connection options, for example, for video conferencing ensuring uniform security policy and much more.
We, for our part, are able to ensure such a consolidation of the client's branch network so that his IT infrastructure works without interruptions, so that his business processes do not stop - we are ready to provide for you unprecedented resiliency all components.
Although the topic is hackneyed, nevertheless, many often experience difficulties - whether it is a novice system administrator or just an advanced user, who was forced by his bosses to perform the functions of an engineer. Paradoxically, despite the abundance of information on VPN, finding an intelligible option is a whole problem. Moreover, one even gets the impression that one wrote - while others brazenly copied the text. As a result, search results are literally cluttered with an abundance of unnecessary information, from which worthwhile information can rarely be isolated. Therefore, I decided in my own way to chew all the nuances (maybe someone will come in handy).
So what is a VPN? VPN (VirtualPrivateNetwork- virtual private network) is a generalized name for technologies that allow one or more network connections (logical network) to be provided over another network (including the Internet). Depending on the protocols used and the purpose, VPN can provide connections of three types: node-node, node-network and net-net. As they say, no comment.
VPN stereotyped scheme
VPN allows you to easily combine a remote host with a local network of a company or another host, as well as combine networks into one. The benefit is quite obvious - we can easily access the enterprise network from the VPN client. In addition, a VPN also protects your data with encryption.
I do not pretend to describe to you all the principles of VPN operation, as there is a mass of special literature, and to be honest, I myself do not know a lot of things. Nevertheless, if your task is "Do it!", You need to urgently get involved in the topic.
Let's look at a problem from my personal practice, when it was necessary to connect two offices via VPN - the head office and the branch office. The situation was further complicated by the fact that the head office had a video server that was supposed to receive video from the IP camera of the branch. Here is a brief task for you.
There are many solutions. It all depends on what you have at hand. In general, a VPN is easy to build using a hardware solution based on various Zyxel routers. Ideally, it may happen that the Internet is distributed to both offices by one provider and then you will not have any problems at all (you just need to contact the prov). If the company is rich, then it can afford CISCO. But usually everything is solved by software.
And here the choice is great - Open VPN, WinRoute (note that it is paid), operating system tools, programs like Hamanchi (to be honest, in rare cases it can help out, but I do not recommend relying on it - free version has a limit of 5 hosts and another significant disadvantage is that your entire connection depends on the Hamanchi host, which is not always good). In my case, it would be ideal to use OpenVPN - free program that can easily create a reliable VPN connection. But we, as always, will follow the path of least resistance.
At my branch, the Internet is distributed by a gateway based on client Windows. I agree, not the most the best solution, but for the top three client computers, that's enough. I need to make a VPN server from this gateway. As you are reading this article, you are confident that you are new to VPN. Therefore, for you, I give the simplest example, which, in principle, suits me.
The Windows NT family already has rudimentary server capabilities embedded. Setting up a VPN server on one of the machines will not be difficult. As a server, I will give examples of screenshots of Windows 7, but general principles will be the same as for old XP.
Please note that to connect two networks, you need to they had a different range! For example, in the head office, the range might be 192.168.0.x, and in the branch office, it might be 192.168.20.x (or any gray ip range). This is very important, so be careful. Now, you can start setting up.
Go to the VPN server in Control Panel -> Network and Sharing Center -> Change adapter settings.
Now press the Alt key to bring up the menu. There, in the File item, you need to select "New incoming connection".
Check the boxes for users who can log in via VPN. I highly recommend adding a new user, giving them a friendly name, and assigning a password.
After you have done this, you need to select in the next window how users will connect. Check the box "Via the Internet". Now you just need to assign a range of addresses to the virtual network. Moreover, you can choose how many computers can participate in the data exchange. In the next window, select the TCP / IP version 4 protocol and click "Properties":
You will have what I have in the screenshot. If you want the client to get access to the local network where the server is located, just check the box "Allow callers to access the local network". In the section "Assigning IP addresses", I recommend specifying the addresses manually according to the principle I described above. In my example, I gave the range only twenty-five addresses, although I could just specify two and 255.
After that, click on the "Allow access" button.
The system will automatically create a VPN server that will be lonely waiting for someone to join it.
Now the only thing left is to configure the VPN client. On the client machine, also go to the Network and Sharing Center and select Setting up a new connection or network... Now you will need to select the item "Connecting to the workplace"
Click on "Use my Internet connection and now you will be thrown into the window where you will need to enter the address of our Internet gateway at the branch. I have it in the form 95.2.x.x
Now you can call the connection, enter the username and password that you entered on the server and try to connect. If everything is correct, then you will connect. In my case, I can already send a ping to any branch office computer and request a camera. Now its mono is easy to hook to the video server. You may have something else.
Alternatively, when connecting, error 800 may pop up, signaling that something is wrong with the connection. This is either a client or server firewall issue. Specifically, I cannot tell you - everything is determined experimentally.
That's how unpretentious we created a VPN between two offices. Players can be combined in the same way. However, do not forget that this will still not be a full-fledged server and it is better to use more advanced tools, which I will talk about in the next parts.
In particular, in Part 2, we will look at configuring OPenVPN for Windows and Linux.
The main goal of combining local networks of offices is to provide transparent access to geographically distributed information resources of the organization. Consolidation of office networks allows you to solve the following, the most common tasks:
- use a single numbering capacity of the office PBX;
- provide authorization for users to access resources (shared folders, intranet site, Email etc.) regardless of their current location;
- to provide secure access for employees of the organization to resources located in different offices (for example, to ensure that employees work with the 1C-enterprise server installed in one of the offices);
- work on a remote computer using terminal access (remote desktop control);
- improve the efficiency and responsiveness of the technical support service due to the ability to remotely manage computers, servers and other equipment, as well as effective use Windows built-in assistance - Remote Assistant.
Methods for implementing the integration of office networks
In order to unite local networks of offices and remote branches, they use the technology of virtual private networks - VPN (Virtual Private Network). This technology is intended for cryptographic protection of data transmitted over computer networks. A VPN is a collection of network connections between multiple VPN gateways that encrypts network traffic. VPN gateways are also called cryptographic gateways or crypto gateways.
There are two methods of building a single secure corporate network of an organization:
- using the equipment and the corresponding set of services of the Internet provider;
- using our own equipment located in the head office and branches.
VPN and services are provided by the internet provider
This solution is applicable if the head office and branches are connected to the Internet through the same ISP. If the branches of the company are scattered throughout the cities, and even in different countries, there is hardly a provider who can provide you required level service, and even for reasonable money.
If your offices are located within the same city, check with your Internet provider if they can provide the interconnection of the local networks of your offices into a single network. Perhaps this solution will be optimal for you in terms of cost.
Consolidation of networks of offices and branches on their own
The method of combining two networks using VPN technology is called "Peer-to-Peer VPN" or "site-to-site VPN" in the English-language literature. A "transparent encryption" mode is established between the two networks. For encryption and transmission of traffic in IP networks, the IPSec protocol is most often used.
To organize VPN connections (VPN tunnels) between the central office and branch offices of small companies, we recommend using hardware Internet gateways (firewalls) with built-in VPN support. An example of such gateways can be ZyXEL ZyWALL, Netgear Firewall, Check Point [email protected], etc. This class of products is designed for use in small companies with an average headcount of 5 to 100 people. These devices are easy to configure, have high reliability and sufficient performance.
At their headquarters, organizations often install software-based integrated network protection solutions such as Microsoft Internet Security and Acceleration Server 2006 (Microsoft ISA 2006), CheckPoint Express, CheckPoint VPN-1 Edge, and others. To manage these protections, highly qualified personnel are required, which, as a rule, are either available at the head office or borrowed from the outsourcing company.
Regardless of the equipment used, the general scheme for constructing a Peer-to-Peer VPN for securely combining local networks of remote offices into a single network is as follows:
It should also be noted that there are specialized hardware crypto-gateways, such as Cisco VPN Concentrator, Continent-K, etc. Their field of application is medium and large companies where you need to provide high performance encryption of network traffic, as well as accessibility. For example, provide data encryption in accordance with GOST ("Continent-K").
What you need to pay attention to when choosing equipment
When choosing equipment for organizing a virtual private network (VPN), you need to pay attention to the following properties:
- the number of simultaneously supported vpn tunnels;
- performance;
- the ability to filter network traffic inside a vpn tunnel (this function is not implemented in all Internet gateways);
- QoS quality management support (very useful when transmitting voice traffic between networks);
- compatibility with existing equipment and applied technologies.
Hardware solutions
Benefits of solutions built on low-cost hardware Internet gateways
- Low cost;
- High reliability (no need for backup, nothing breaks down when the power is turned off);
- Ease of administration;
- Low power consumption;
- Takes up little space, can be installed anywhere;
- depending on the chosen platform for building a VPN, it is possible to install additional services on the vpn gateway: anti-virus scanning of Internet traffic, detection of attacks and intrusions, etc., which significantly increases the overall level of network security and reduces the total cost of a comprehensive network protection solution ...
Flaws
- The solution is not scalable, the increase in performance is achieved by a complete replacement of equipment;
- Less flexible in settings;
- Integration with Microsoft Active Directory (or LDAP) is generally not supported.
Software solutions
Benefits of software solutions
- Flexibility;
- Scalability, i.e. the ability to increase productivity as needed;
- Tight integration with Microsoft Active Directory (Microsoft ISA 2006, CheckPoint)
Flaws
- High price;
- Complexity of administration.
Where to begin
Before purchasing a selection of hardware and software (hereinafter referred to as software) for the implementation of a project to integrate local networks of offices into a single network via VPN, you must have the following information:
- Define topology:
- Meshed - each site can automatically establish an encrypted connection with any other site;
- Star - Affiliates can establish secure connections to the central site;
- Hub and Spoke - Branches can connect to each other through a hub at a central site.
- Remote Access ( remote access) - users and groups can organize secure connections to one or more sites;
- Combinations of the above methods (for example, a Star with Meshed Center topology, in which remote branches can communicate with all members of a central VPN that has a fully meshed topology).
- Number of branches (how many concurrent VPN connections the head office equipment should support);
- The number of users in the central office and in each branch;
- What equipment and / or software is used in each branch (data is necessary to take into account the possibilities for using existing equipment and / or software);
- Data on connecting branches to the Internet: IP address assignment - dynamic or static, communication channel speed;
- What is the approach to management information security(network perimeter protection, anti-virus security) will be applied: centralized management of the head office and branches by one security administrator (system administrator), or each branch has its own system administrator.
To minimize threats of penetration into the network of the central office, it is necessary to pay due attention to the protection of the networks of the branches of the organization. Using a VPN does not guarantee reliable protection against intrusion unless branch networks are also well protected. If an attacker can gain unauthorized access to the branch network, then he can also gain access to information system of the head office, since the networks of the head office and the branch are combined into a single network via VPN.
In many organizations with several branches, it becomes necessary to combine local networks of offices into a single corporate network. Connecting networks will increase the efficiency of the business and reduce the costs associated with the remoteness of offices. Consolidation of networks remote offices of the company allows you to solve the following tasks:
- Work of employees of all offices in a single database (for example, 1C)
- Providing access for remote employees to shared corporate resources of the company via the Internet (remote access to the network)
- Fast and convenient data exchange between employees of remote offices
Connecting networks carried out through public networks Internet, in view of this, the issue of the security of the interconnection of networks and the confidentiality of the transmitted information arises. VPN (Virtual Private Networks) technology is used to securely and securely connect the two networks over public communication channels.
VPN setup (Virtual Private Networks)
VPN setup(Virtual private networks) between the offices of the company (interconnection of networks) provide encryption of the transmitted data. Depending on the needs of the customer and the existing IT infrastructure, a VPN network can be created on the basis of a software or hardware complex. A fairly common way to create a VPN network is to configure a VPN based on a software package that, in addition to implementing a VPN network, can serve as a firewall and filter network traffic.
Remote access to a computer
Suppose we have 2 offices in different parts of the city, or in different cities or countries and each of them is connected to the Internet through a fairly good channel. We need to link them into a single local network. In this case, none of the users will guess where this or that computer or printer is located on the local network, use printers, shared folders and all the advantages of a physical network. Remote employees connecting via OpenVPN will also be able to work in the network, as if their computers are on the physical network of one of the offices.
We will configure in operating system Debian Squeeze, but the instructions are fully applicable to any Debian based distribution, and with small changes in the bridging and OpenVPN install and configuration commands will apply to any Linux or FreeBSD distribution.
Suppose Debian or Ubuntu distribution is installed by one of the instructions :,
Install and configure a VPN network based on OpenVPN using a bridge tap0
Create a network bridge between the physical network eth1 and virtual interface tap0
Install the necessary programs by agreeing to the request of the package manager:
We configure the server network based on the fact that we have 2 network cards: network eth0 eth1 br0
Editing the configuration file / etc / network / interfaces:
Auto lo iface lo inet loopback # internet provider auto eth0 iface eth0 inet static address 192.168.50.2 netmask 255.255.255.0 gateway 192.168.50.1 # local network auto eth1 iface eth1 inet static address 10.10.10.1 netmask 255.255.255.0
Auto lo iface lo inet loopback # Register the bridge, turn on the VPN interface tap0 and the network card eth1 auto br0 iface br0 inet static # Add the openvpn interface to the bridge tap0 bridge_ports eth1 tap0 address 10.10.10.1 netmask 255.255.255.0 # Internet auto eth0 iface eth0 inet static address 192.168.50.2 netmask 255.255.255.0 gateway 192.168.50.1
After that, when executing the ifconfig command, a bridge should appear br0 with IP 10.10.10.1, interface eth0 with IP address 192.168.50.2 and interface eth1 without an IP address, since it is in the bridge br0
Configuring OPENVPN:
Copy the scripts for configuring our openvpn server with the command:
Cp -Rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/ / etc / openvpn / easy-rsa
Making changes to the file / etc / openvpn / easy-rsa / vars to define global variables and enter less data when creating keys:
Vi / etc / openvpn / easy-rsa / vars
Export KEY_COUNTRY = "US" export KEY_PROVINCE = "CA" export KEY_CITY = "SanFrancisco" export KEY_ORG = "Fort-Funston" export KEY_EMAIL = ""
Export KEY_COUNTRY = "UA" export KEY_PROVINCE = "11" export KEY_CITY = "Kiev" export KEY_ORG = "NameFirm" export KEY_EMAIL = ""
Go to the folder with scripts for creating certificates and keys with the command:
Cd / etc / openvpn / easy-rsa /
We initialize PKI (Public Key Infrastructure) with the commands:
... ./vars ./clean-all
Attention. When executing the command ./clean-all all existing certificates and keys of both the server and clients will be deleted, therefore do not run on the production server, or do it after saving the folder / etc / openvpn / to the archive with the command:
Tar cf - / etc / openvpn / | gzip -c -9> /home/openvpn_backup.tgz
We generate a Certificate Authority (CA) certificate and key with the command:
./build-ca
Most of the parameters will be picked up from the vars file. Only the Name parameter must be specified explicitly:
Name: vpn
In general, you can fill in all the fields as you need each time.
We generate the Diffie-Hellman parameters with the command:
./build-dh
We generate a certificate and a private key of the server, do not enter anything when asked to enter a password, and when asked Sign the certificate?: we introduce y and press Enter by running the command:
./build-key-server server
All parameters are accepted by default. On request Common Name introduce server
Common Name (eg, your name or your server "s hostname): server
Questions Sign the certificate? and 1 out of 1 certificate requests certified, commit? we answer in the affirmative:
Sign the certificate? : y 1 out of 1 certificate requests certified, commit? y
It remains to create certificates and keys for clients. First, we initialize the parameters:
Cd / etc / openvpn / easy-rsa /. ./vars
Create keys for the user server1... For example, add as many users as needed:
./build-key server1 ./build-key client1 ./build-key client2
Based on the fact that we have a network 10.10.10.0/24
we immediately allocate a pool of addresses for office 1 computers - 10.10.10.40-149
, for office 2 we allocate a pool of addresses 10.10.10.150-254
and allocate a pool of addresses for remote employees 10.10.10.21-39.
Create a folder / etc / openvpn / ccd / where we indicate to which client which ip with the command:
Mkdir -p / etc / openvpn / ccd /
We assign each client its own IP in the network with the commands:
Echo "ifconfig-push 10.10.10.150 255.255.255.0"> / etc / openvpn / ccd / server1 echo "ifconfig-push 10.10.10.21 255.255.255.0"> / etc / openvpn / ccd / client1 echo "ifconfig-push 10.10.10.22 255.255.255.0 "> / etc / openvpn / ccd / client2
Create a server configuration file:
Vi /etc/openvpn/server.conf ################################# port 1195 proto udp dev tap0 ca easy-rsa / keys / ca.crt cert easy-rsa / keys / server.crt key easy-rsa / keys / server.key # This file should be kept secret dh easy-rsa / keys / dh1024.pem mode server tls- server daemon ifconfig 10.10.10.1 255.255.255.0 client-config-dir / etc / openvpn / ccd keepalive 10 20 client-to-client comp-lzo persist-key persist-tun verb 3 log-append /var/log/openvpn.log # script-security 2 # uncomment when working on OpenVPN version from 2.4 up /etc/openvpn/up.sh ########################### ######
Vi / etc / default / openvpn
OPTARGS = ""
OPTARGS = "- script-security 2"
Create a script /etc/openvpn/up.sh which starts when the OpenVPN server starts up:
Vi /etc/openvpn/up.sh #! / Bin / sh brctl addif br0 tap0 brctl addif br0 eth1 ifconfig tap0 0.0.0.0
We give the rights to execute the script /etc/openvpn/up.sh with the command:
Chmod + x /etc/openvpn/up.sh
After that, restart the OpenVPN server with the command:
We execute the command ifconfig, the interface should appear tap0 without an IP address.
We collect an archive with keys for distribution to remote employees and sending to office 2
Create folders with usernames with the commands:
Mkdir -p / etc / openvpn / users / server1 mkdir -p / etc / openvpn / users / client1 mkdir -p / etc / openvpn / users / client2
Create a folder with archived keys with the command:
Mkdir -p / etc / openvpn / users_tgz
We collect keys and certificates from user folders with the commands:
Cp /etc/openvpn/server/easy-rsa/keys/server1.key / etc / openvpn / users / server1 / cp /etc/openvpn/server/easy-rsa/keys/server1.crt / etc / openvpn / users / server1 / cp /etc/openvpn/server/easy-rsa/keys/ca.crt / etc / openvpn / users / server1 / cp /etc/openvpn/server/easy-rsa/keys/client1.key / etc / openvpn / users / client1 / cp /etc/openvpn/server/easy-rsa/keys/client1.crt / etc / openvpn / users / client1 / cp /etc/openvpn/server/easy-rsa/keys/ca.crt / etc / openvpn / users / client1 / cp /etc/openvpn/server/easy-rsa/keys/client2.key / etc / openvpn / users / client2 / cp /etc/openvpn/server/easy-rsa/keys/client2.crt / etc / openvpn / users / client2 / cp /etc/openvpn/server/easy-rsa/keys/ca.crt / etc / openvpn / users / client2 /
We create configuration files on the basis that server1 is a remote office server 2, and client1 and client2 these are remote employees connecting to the VPN network from outside from Windows.
Instead of IP-SERVER-VPN, put the external IP address of the OpenVPN server.
Create an OpenVPN configuration file for server1:
Echo "remote IP-SERVER-VPN 1195 client dev tap0 proto udp resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert server1.crt key server1.key comp-lzo verb 4 mute 20 verb 3 log-append / var / log / openvpn.log up /etc/openvpn/up.sh "> /etc/openvpn/users/server1/server1.conf
Archiving keys for server1 with the command:
Tar cf - / etc / openvpn / users / server1 | gzip -c -9> /etc/openvpn/users_tgz/server1.tgz
client1:
Echo "remote IP-SERVER-VPN 1195 client dev tap0 proto udp resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client1.crt key client1.key comp-lzo verb 4 mute 20 verb 3"> / etc /openvpn/users/client1/client1.ovpn
We archive the keys for client1 with the command:
Tar cf - / etc / openvpn / users / client1 | gzip -c -9> /etc/openvpn/users_tgz/client1.tgz
We create a configuration file for client2 with the command:
Echo "remote IP-SERVER-VPN 1195 client dev tap0 proto udp resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client2.crt key client2.key comp-lzo verb 4 mute 20 verb 3"> / etc /openvpn/users/client1/client2.ovpn
Archiving keys for client2 with the command:
Tar cf - / etc / openvpn / users / client2 | gzip -c -9> /etc/openvpn/users_tgz/client2.tgz
Configuring VPN server office 2
In the instructions above, we installed and configured the VPN server on Debian GNU / Linux using OpenVPN, we created keys with certificates for the remote office 2 server and remote employees. Now we need to connect office 1 with office 2 into a single local network via VPN.
Suppose that in office 2 we have a Linux server (gateway) installed and configured, which is engaged in the distribution of the Internet channel for office 2 employees. This server has 2 network cards: eth0 is the ISP and eth1- local network, it will be included in the bridge, and will have a pool of addresses 10.10.10.100-254
We need to install the software with the command:
Aptitude install bridge-utils openvpn
Configuring the server network
We configure the network based on the fact that we have 2 network cards. eth0- receives the Internet from the provider and through it office 1 goes to the Internet, as well as the network eth1- included in the switch of the local network of office 1, it will be included in the bridge with the interface br0
Editing the configuration file / etc / network / interfaces:
Vi / etc / network / interfaces
Auto lo iface lo inet loopback # internet provider auto eth0 iface eth0 inet static address 192.168.60.2 netmask 255.255.255.0 gateway 192.168.60.1 # local network auto eth0 iface eth0 inet static address 192.168.1.1 netmask 255.255.255.0
Auto lo iface lo inet loopback # Register the bridge, turn on the VPN interface tap0 and the network card eth1 auto br0 iface br0 inet static # Add the openvpn interface to the bridge tap0 bridge_ports eth1 tap0 address 10.10.10.150 netmask 255.255.255.0 # Internet auto eth0 iface eth0 inet static address 192.168.60.2 netmask 255.255.255.0 gateway 192.168.60.1
We save the changes and reboot the network with the command:
/etc/init.d/networking restart
After that, when executing the command ifconfig a bridge should appear br0 with IP 10.10.10.150 , interface eth0 with IP address 192.168.60.2 and interface eth1 without an IP address, since it is in the bridge br0
For office 2 computers, we issue IP addresses to computers without going beyond 10.10.10.150-254 , where 10.10.10.150 is the IP address of the office server 2.
We upload the collected archive of OpenVPN keys from the VPN server of office 1 to the server of office 2 with the command:
Ssh -P22 /etc/openvpn/users_tgz/server1.tgz: / root /
Or, if server1 of office 2 does not have a permanent or dynamic IP, we will merge the keys from the VPN server of office 2 with the command:
Ssh -P22: /etc/openvpn/users_tgz/server1.tgz / root /
To request a password - enter the user's password root , after entering the correct password, the archive with the keys is downloaded to the folder /root/server1.tgz
Unpack the contents of the archive ( only key files without folders) /root/server1.tgz to folder / etc / openvpn /
Allow OpenVPN to run scripts:
Vi / etc / default / openvpn
OPTARGS = ""
OPTARGS = "- script-security 2"
Create a script /etc/openvpn/up.sh which starts when the VPN client connects to the VPN server:
Vi /etc/openvpn/up.sh #! / Bin / sh brctl addif br0 tap0 brctl addif br0 eth1 ifconfig tap0 0.0.0.0 chmod + x /etc/openvpn/up.sh
Restart the OpenVPN server with the command:
/etc/init.d/openvpn restart
When executing the command ifconfig the interface should appear tap0 without an IP address.
Now you can ping computers of another office from both offices, use shared folders, printers, resources of another office, and also arrange game battles from office 1 to office 2 :)
To check the interfaces connected to the bridge, run the command:
Brctl show
System response:
Bridge name bridge id STP enabled interfaces br0 7000.003ds4sDsf6 no eth1 tap0
We see our local network card eth1 and the OpenVPN virtual interface tap0
The task is completed, two remote offices are connected to one local network.
If the article was useful to you, share with your friends by clicking on your icon social network at the bottom of this article. Please comment on this manual, did you like it, did it benefit you? You can also subscribe to receive notifications about the release of new articles to your mail on the page
Now let's take a short break and take a break for half a minute, raising our spirits for more productive work, watch the video and smile:
