Author Topic: VPN from main office to each remote offices

linocisco

  • Zen Apprentice
  • Posts: 4
  • Karma: +0/-0
VPN from main office to each remote offices
« on: April 18, 2012, 12:08:13 pm »
Dear all

Greetings as a new member.
Please let me explain my setup requirement.
Our main office has two ISP connections. One is faster, with a bigger VSAT dish, and the other is a local ISP (the slow one, with a small VSAT dish). Those lines are currently separate. The slower ISP line (www.ipstar.com) is standalone, not connected to the office LAN. Each remote office has a small VSAT dish (slow connection).
My idea is to share the faster internet from the bigger dish in the main office with each remote site. Currently, from the main office's second ISP link (local ISP dish), we can ping the other remote sites with ping times in the range of 1500 ms to 3000 ms. It is like pinging locally, without crossing the internet. Based on this situation, I want to set up a VPN (one site to many sites, like a star-topology VPN).

with regards
Linocisco
« Last Edit: April 18, 2012, 12:15:24 pm by linocisco »

christian

  • Guest
Re: VPN from main office to each remote offices
« Reply #1 on: April 18, 2012, 12:17:13 pm »
We already discussed a bit of this with Linocisco over IRC:
his point here is to understand whether one single public IP (in the main office) could handle multiple VPN links, one to each branch office.
I can't help without some testing and investigation (my feeling is that at least one public IP per VPN tunnel will be required, but I'm not so sure).

Has anyone here already deployed a VPN using a "hub & spoke" design?

One point to be clarified here: internet access from a branch office will not be faster, as the slow link from the branch office to the main office will remain. However, thanks to the somewhat faster ISP link in the main office, if an HTTP proxy is used and set up to rely on the HTTP proxy in the main office, then the cache mechanism may improve the user experience.

jonne_jvl

  • Zen Apprentice
  • Posts: 8
  • Karma: +0/-0
Re: VPN from main office to each remote offices
« Reply #2 on: April 18, 2012, 01:01:38 pm »
Ehh, what? Of course you can connect multiple VPN tunnels to the main office.

Problems would occur if you wanted multiple VPN connections to each office (2 tunnels to the main office from each office), as you say because of the single public IP and also because of multiple routes.

But in his setup he would only have tunnels between the slower ISP links, right?

christian

  • Guest
Re: VPN from main office to each remote offices
« Reply #3 on: April 18, 2012, 01:12:23 pm »
From each branch office, you will have only one VPN client, but on the main office side, how will this single interface handle multiple connections?...

Well, writing this now and taking some time to think about it ;) it looks obvious :-[
I'm confused, realizing it didn't come clear to my mind earlier >:(

ichat

  • Zen Hero
  • Posts: 798
  • Karma: +28/-16
  • RTFM!
Re: VPN from main office to each remote offices
« Reply #4 on: April 18, 2012, 02:07:02 pm »
As long as you just use one tunnel per IP, it's pretty obvious indeed.
All tips, hints and advice are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk;
I claim absolutely NO responsibility in any way!

christian

  • Guest
Re: VPN from main office to each remote offices
« Reply #5 on: April 18, 2012, 04:07:10 pm »
On the other hand, if all branch offices share one single slow access to the main office relaying to the internet, there is a significant risk of a bottleneck here :-[ even if the relay is then made to the faster internet connection...

linocisco

  • Zen Apprentice
  • Posts: 4
  • Karma: +0/-0
Re: VPN from main office to each remote offices
« Reply #6 on: April 19, 2012, 05:10:56 am »
Hi all

Thanks for all your inputs and responses.
To give a clear picture, I also attached an xls file with a diagram.
Actually, I want to share the main office 10.45.x.x network with all remote offices by connecting the main office's IPstar connection to the existing office LAN, which has the better ISP.

regards
Linocisco

christian

  • Guest
Re: VPN from main office to each remote offices
« Reply #7 on: April 19, 2012, 09:00:14 am »
I was going to make another drawing, but it appears that more than one would be required in order to show everything.
So I'll try a written explanation first:

- in each branch office, you will need one Zentyal server between your LAN and your WAN access (i.e. the satellite link to IPSTAR)
- in the main office, you will need one Zentyal server between the LAN and the IPSTAR network, this LAN also being connected to HQ, which provides internet access (if I understand correctly)

High-level view:
- set up VPN tunnels (Zentyal to Zentyal) from each branch office to the main office.
- for all premises, be sure you have defined Zentyal as the HTTP proxy server
- on the Zentyal in the main office, be sure the Zentyal server is pointing to the HTTP proxy in HQ (assuming my previous assumption is correct)

When a user from any office accesses the internet, the request will first reach the Zentyal HTTP proxy.
- in the main office, it will be redirected to the central proxy (somewhere in Europe ;))
- in a branch office, it will be redirected first (via the VPN tunnel) to the Zentyal server in the main office, which will redirect it to HQ

Does this make sense?

robb

  • Guest
Re: VPN from main office to each remote offices
« Reply #8 on: April 19, 2012, 10:50:23 am »
I used to have such a situation, where 10 branch offices were connected to 1 main office. The ISP provided the VPN service to connect every branch office to the main office.
The main office was the only gateway to the Internet.
The main office had 2 connections: 1 to the internet and 1 as the main access connection for all branch offices.

Of course, each office had its own IP subnet.
We used Cisco hardware to set up the VPN connections, but Zentyal should have no problem doing the same.

However, we used SDSL and ADSL connections; it shouldn't matter to have VSAT connections instead (the biggest difference is probably latency).

linocisco

  • Zen Apprentice
  • Posts: 4
  • Karma: +0/-0
Re: VPN from main office to each remote offices
« Reply #9 on: April 19, 2012, 10:57:50 am »
Dear all

Kindly look at my setup and tell me if I need to add more servers, or if it is feasible.
Which kind of server role or service should I deploy on each Zentyal?

regards
Linocisco

christian

  • Guest
Re: VPN from main office to each remote offices
« Reply #10 on: April 19, 2012, 11:13:35 am »
Indeed, latency is different. A proxy cache should improve the user experience here.

Having discussed with Linocisco (IRC), it appears that the main office already uses a proxy appliance (along with DHCP and WPAD) providing access to the internet via the HQ site.
Thus my previous proposal, although not wrong, has to be slightly modified:
- the Zentyal in the main office does not need any HTTP proxy, but will act as VPN server.
- users in the main office will directly use this appliance as proxy (no change for them)
- one change in the branch offices (compared to my previous proposal): the Zentyal proxy points to the proxy appliance in the main office.

So, to summarize (and making some additional assumptions, correct me if I'm wrong):

Assumptions:
- there is no need for account management
- main usage is HTTP

Design:
- one Zentyal server per office (either main or branch)
- the Zentyal server in each branch office runs VPN and HTTP proxy (I would also advise running DNS and DHCP; there are some dependencies that will come along: CA, FW). This server is defined as the default route on the LAN (not 100% required). This server is also configured to point to the proxy appliance in the main office. Browsers are configured to use Zentyal as the local proxy.
- the Zentyal server in the main office runs only VPN (again with its dependencies). No DHCP nor DNS here!

This should work. However, I would suggest making sure that the current configuration in the branch offices does not have DHCP handing out a different config from the HTTP proxy standpoint, to avoid any conflict.

edit: defining the Zentyal in the branch office as the default route is not mandatory
« Last Edit: April 19, 2012, 11:18:17 am by christian »
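As an added example, not from this thread and not Zentyal's own generated configuration, the script below lays out the design from replies #7 and #10 as concrete OpenVPN and Squid fragments. It assumes that Zentyal's VPN module is OpenVPN underneath and that its HTTP proxy is Squid; the office names, the 10.46.x.0/24 branch subnets, the 10.8.0.0/24 tunnel network, the 203.0.113.10 hub address and the 10.45.0.5 proxy appliance address are placeholders (only 10.45.x.x for the main office comes from the thread). It also answers the question from reply #1: one OpenVPN server process on one public IP and one UDP port accepts every branch client, and a per-client `iroute` entry tells the hub which branch LAN sits behind which tunnel. Before emitting anything it checks that no two office subnets overlap, the "each office has its own subnet" point from reply #8.

```python
"""Hub-and-spoke VPN layout generator (example code added by the editor).

Assumptions: Zentyal's VPN module is OpenVPN and its proxy is Squid; all
names, subnets and addresses other than 10.45.x.x are made-up placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Office:
    name: str   # also the CN of the branch's client certificate
    lan: str    # office LAN in CIDR notation


def find_overlaps(hub_lan: str, tunnel_net: str,
                  branches: List[Office]) -> List[Tuple[str, str]]:
    """Return every pair of subnets that overlap (hub, tunnel and branches).

    With overlapping LANs the hub cannot tell which tunnel a packet belongs to,
    so each office needs its own subnet."""
    nets = [("hub", ipaddress.ip_network(hub_lan)),
            ("tunnel", ipaddress.ip_network(tunnel_net))]
    nets += [(b.name, ipaddress.ip_network(b.lan)) for b in branches]
    clashes = []
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                clashes.append((n1, n2))
    return clashes


def hub_server_conf(hub_lan: str, tunnel_net: str, branches: List[Office]) -> str:
    """OpenVPN server config for the main office: one process, one public IP,
    one UDP port, all branches."""
    clashes = find_overlaps(hub_lan, tunnel_net, branches)
    if clashes:
        raise ValueError(f"overlapping subnets: {clashes}")
    tn = ipaddress.ip_network(tunnel_net)
    hub = ipaddress.ip_network(hub_lan)
    lines = [
        "port 1194", "proto udp", "dev tun",
        "ca ca.crt",             # Zentyal's own CA signs hub and branch certs
        "cert hub.crt", "key hub.key", "dh dh2048.pem",
        "tls-auth ta.key 0",     # HMAC on the handshake: unauthenticated UDP is dropped
        f"server {tn.network_address} {tn.netmask}",
        f'push "route {hub.network_address} {hub.netmask}"',  # branches reach 10.45.x.x
        "client-config-dir ccd",  # per-branch iroute files, named after the cert CN
        "keepalive 30 240",       # generous timers for a 1.5-3 s satellite RTT
        "persist-key", "persist-tun",
    ]
    for b in branches:
        n = ipaddress.ip_network(b.lan)
        lines.append(f"route {n.network_address} {n.netmask}")  # kernel route into tun
    return "\n".join(lines) + "\n"


def ccd_entries(branches: List[Office]) -> Dict[str, str]:
    """One file per branch under ccd/; iroute binds the branch LAN to that client."""
    out = {}
    for b in branches:
        n = ipaddress.ip_network(b.lan)
        out[b.name] = f"iroute {n.network_address} {n.netmask}\n"
    return out


def branch_client_conf(hub_public_ip: str, branch: Office) -> str:
    """OpenVPN client config for a branch Zentyal, dialling the hub over IPSTAR."""
    return "\n".join([
        "client", "dev tun", "proto udp",
        f"remote {hub_public_ip} 1194",
        "resolv-retry infinite",   # satellite link drops: keep redialling
        "nobind",
        "ca ca.crt", f"cert {branch.name}.crt", f"key {branch.name}.key",
        "tls-auth ta.key 1",
        "remote-cert-tls server",  # refuse a peer presenting a client cert as the hub
        "persist-key", "persist-tun",
    ]) + "\n"


def branch_squid_conf(main_proxy_ip: str, main_proxy_port: int = 3128) -> str:
    """Squid lines for the branch proxy: chain every request to the main-office
    proxy appliance over the tunnel, never go direct over the slow link."""
    return "\n".join([
        f"cache_peer {main_proxy_ip} parent {main_proxy_port} 0 no-query default",
        "never_direct allow all",
    ]) + "\n"


HUB_LAN = "10.45.0.0/16"      # from the thread: main office network
TUNNEL_NET = "10.8.0.0/24"    # placeholder tunnel addresses
BRANCHES = [Office("branch-a", "10.46.1.0/24"),   # placeholder branch LANs
            Office("branch-b", "10.46.2.0/24")]

if __name__ == "__main__":
    print(hub_server_conf(HUB_LAN, TUNNEL_NET, BRANCHES))
    for cn, body in ccd_entries(BRANCHES).items():
        print(f"--- ccd/{cn}\n{body}")
    print(branch_client_conf("203.0.113.10", BRANCHES[0]))  # placeholder hub address
    print(branch_squid_conf("10.45.0.5"))                   # placeholder proxy appliance
```

Zentyal writes its own OpenVPN and Squid files from the web interface, so these fragments are there to show which settings matter rather than to be copied onto the box: the hub's firewall must accept UDP 1194 on the IPSTAR interface, each branch must be advertised to the hub under the exact CN of its client certificate (the ccd file name), and a branch whose LAN overlaps 10.45.0.0/16 is rejected by the overlap check before any config is produced.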

linocisco

  • Zen Apprentice
  • Posts: 4
  • Karma: +0/-0
Re: VPN from main office to each remote offices
« Reply #11 on: April 19, 2012, 11:35:28 am »
Dear all

Your answers are fully appreciated. To avoid a mess and to speed up drawing the diagram, I omitted the detailed network diagram of each remote office.

Each remote office has a Linksys wifi router that accepts the WAN connection from the IPstar indoor unit and also offers DHCP service and NAT for all LAN and WLAN clients. All are workgroup; no LDAP and no email server. If I can successfully set up a functioning Zentyal as christian suggested, I will remove the wifi router and make it an access point only, to avoid duplicate DHCP sources.

regards
Linocisco
