Data exchange between remote departments of one organization always requires time and sometimes complex technical manipulations. Today, such inconveniences are quite easy to eliminate, which means you can increase the productivity of the enterprise as a whole by combining its branches and remote offices into a single infrastructure. This can be done realistically by combining offices into a common corporate network.

The Bit and Byte company offers setup of a single VPN network to all organizations with representative offices, including in other cities. After all, most often the specifics of their activities are such that branches have to exchange information every day and look into each other’s databases. Common software for all local networks is the most practical and rational way to organize the rapid exchange of information and the ability to remotely manage an enterprise.

What will you get by combining offices into a single network?

The service of combining offices into a single network involves the creation of a full-fledged network between two or more divisions (branches, offices) of one enterprise, which is created for the rapid exchange of protected information based on VPN protocols. In the current conditions of business development, such corporate networks are especially relevant, as they provide an opportunity to improve the management of an enterprise and its territorial branches.

By uniting all branches of your enterprise into a single network, you will be able to:

  1. manage a network of offices remote from each other via the Internet, gaining access to the equipment of each branch;
  2. create a central database and use it, which is very convenient for managing a network of offices;
  3. provide access to all departments to the internal resources of the enterprise without the risk of information losses.

Consolidating offices by creating a single network is a service that does not cost a lot of money. It can be configured at the main server level by purchasing additional VPN access points. Before merging office networks, you will be asked to check and process all information. This will make it possible to classify all data from branches to protect them from hacking.

Consolidation of offices into a single network is beneficial

Today, more and more enterprises are resorting to combining office networks, and not only because it is convenient and safe. Beyond convenience, the aim of such a merger is the benefit the service brings:

  • costs are noticeably reduced, because the need to maintain each office disappears, and the resources of the central server become available to each branch;
  • when obtaining a software license, the benefits are also noticeable;
  • all offices use each other’s information resources, regardless of where a particular branch is located;
  • there is no need for a large staff of technical specialists, because the vast majority of problems are solved remotely;
  • you will be able to conduct video conferences, seminars and meetings with all departments at the same time, and this is a significant time saving.

In addition, document flow between branches is as secure as possible, thanks to special data processing.

How to combine office networks

Although the topic is well worn, many people still run into difficulties with it, whether a novice system administrator or simply an advanced user whose superiors have made him the resident "any-key" technician. Paradoxically, despite the abundance of information on VPNs, finding a clear guide is a real problem. One even gets the impression that one person wrote it and everyone else brazenly copied the text. As a result, search results are cluttered with unnecessary information from which something worthwhile can rarely be extracted. So I decided to spell out all the nuances in my own way (maybe it will be useful to someone).

So what is a VPN? VPN (Virtual Private Network) is a generalized name for technologies that allow one or more network connections (a logical network) to be provided over another network (including the Internet). Depending on the protocols and purposes used, a VPN can provide connections of three types: host-to-host, host-to-network and network-to-network. As they say, no comment.

Stereotypical VPN scheme

VPN allows you to easily connect a remote host to the local network of a company or to another host, as well as join several networks into one. The benefit is obvious: we can easily access the enterprise network from a VPN client. In addition, VPN also protects your data through encryption.

I don’t pretend to describe to you all the principles of VPN operation, since there is a lot of specialized literature, and to be honest, I don’t know a lot of things myself. However, if your task is “Do it!”, you urgently need to get involved in the topic.

Let's look at a problem from my personal practice, when I needed to connect two offices via VPN - a head office and a branch office. The situation was further complicated by the fact that there was a video server at the head office, which was supposed to receive video from the branch’s IP camera. Here's the task in brief.

There are many solutions. It all depends on what you have on hand. In general, a VPN is easy to build using a hardware solution based on various Zyxel routers. Ideally, it may also happen that the Internet is delivered to both offices by one provider, and then you will have no problems at all (you just need to contact the provider). If the company is rich, it can afford Cisco. But usually everything is solved using software.

And here the choice is wide: OpenVPN, WinRoute (note that it is paid), operating system tools, programs like Hamachi (to be honest, in rare cases it can help out, but I don't recommend relying on it: the free version has a limit of 5 hosts, and another significant disadvantage is that your entire connection depends on the Hamachi host, which is not always good). In my case, it would be ideal to use OpenVPN, a free program that can easily create a reliable VPN connection. But, as always, we will follow the path of least resistance.

In my branch, the Internet is distributed by a gateway running a client (desktop) edition of Windows. I agree, not the best solution, but for three client computers it is enough. I need to turn this gateway into a VPN server. Since you are reading this article, you are probably new to VPN. Therefore, I give the simplest example, which, in principle, suits me.

The Windows NT family already has rudimentary server capabilities built into it, so setting up a VPN server on one of the machines is not difficult. For the server, I will give examples with Windows 7 screenshots, but the general principles are the same for the old XP.

Please note that to connect two networks, they must have different address ranges! For example, at the head office the range could be 192.168.0.x, and at the branch 192.168.20.x (or any other private IP range). This is very important, so be careful. Now you can start setting up.

On the VPN server, go to Control Panel -> Network and Sharing Center -> Change adapter settings.

Now press the Alt key to bring up the menu. There, in the File item, you need to select “New incoming connection”.

Check the boxes for the users who may log in via VPN. I highly recommend adding a new user, giving it a friendly name and assigning a password.

After you have done this, in the next window select how users will connect: check the box “Through the Internet”. Now you just need to assign a range of virtual network addresses; you can also choose how many computers may take part in the data exchange. In the next window, select the TCP/IP version 4 protocol and click “Properties”:

You will see what I have in the screenshot. If you want the client to gain access to the local network the server is on, simply check the “Allow callers to access my local area network” checkbox. In the IP address assignment section, I recommend specifying addresses manually according to the principle described above. In my example, I gave the range only twenty-five addresses, although I could have specified two or 255.

After that, click on the “Allow access” button.

The system will automatically create a VPN server, which will then sit waiting for someone to connect to it.

Now all that's left is to set up the VPN client. On the client machine, also go to the Network and Sharing Center and select “Set up a new connection or network”. Then select “Connect to a workplace”.

Click “Use my Internet connection (VPN)”, and a window will appear where you need to enter the address of our Internet gateway at the branch. For me it looks like 95.2.x.x

Now you can name the connection, enter the username and password that you created on the server and try to connect. If everything is correct, you will be connected. In my case, I can already ping any branch computer and reach the camera, so it is now easy to connect it to the video server. Your case may differ.

Alternatively, when connecting, error 800 may pop up, indicating that something is wrong with the connection. This is either a client or a server firewall issue. I can't tell you specifically; everything is determined experimentally.

This is how we simply created a VPN between two offices. Gamers can be joined up in the same way. However, do not forget that this will still not be a full-fledged server; it is better to use more advanced tools, which I will talk about in the following parts.

In particular, in Part 2 we will look at setting up OpenVPN for Windows and Linux.

How to create a single private network for all mobile employees and remote branches

What is a VPN?

Let's assume that we have two offices in different parts of the city, or in different cities or countries, and each of them is connected to the Internet. To work, say, with 1C as a single corporate system, we need to integrate them into a single local network. (Even though we offer solutions for 1C in the form of distributed databases, sometimes it's easier to create a single network and connect directly to the 1C server as if it were located in your premises.)

You can, of course, buy a dedicated line between two cities, but this solution will most likely be prohibitively expensive.
The solution using a virtual private network (VPN) offers to organize this dedicated line by creating an encrypted tunnel over the Internet. The main advantage of a VPN over dedicated communication lines is saving the company money while the channel remains completely closed.
From the consumer's point of view, VPN is a technology that allows you to organize remote secure access through open Internet channels to servers, databases, and any resources of your corporate network. Let's say an accountant in city A can easily print an invoice on the printer of a secretary in city B, where the client has come. Remote employees connecting via VPN from their laptops will also be able to work on the network as if they were on the physical network of their offices.

Very often, clients encounter slow cash registers when using Remote Desktop and come to the need to install a VPN. This lets you stop shuttling cash-register data back and forth to the server over a virtual COM port across the Internet, and allows installing a thin client at any location that talks to the cash register directly, sending only the necessary information to the server over a closed channel. Exposing the RDP interface directly to the Internet puts your company at very great risk.

Connection methods

Among the ways of organizing a VPN, two main methods stand out:

  • (Client - Network ) Remote access of individual employees to the organization’s corporate network via a modem or public network.
  • (Network - Network) Uniting two or more offices into a single secure virtual network via the Internet

Most manuals, especially for Windows, describe the connection according to the first scheme. You need to understand that this connection is not a site-to-site tunnel; it only connects a single client to the VPN network. To organize these tunnels, we need only 1 public ("white") IP address, not one per remote office as many mistakenly believe.

The figure shows both options for connecting to main office A.

A channel has been established between offices A and B to ensure the integration of the offices into a single network. This ensures the transparency of both offices for any devices located in one of them, which solves many problems. For example, organizing a single number capacity within one PBX with IP phones.

All services of office A are available to mobile clients, and if office B is located in a single virtual network, its services are also available.

The first method (connecting mobile clients) is usually implemented with the PPTP protocol (Point-to-Point Tunneling Protocol), and the second with IPsec or OpenVPN.

PPTP

PPTP (Point-to-Point Tunneling Protocol) is a point-to-point tunneling protocol, the brainchild of Microsoft, and an extension of PPP (Point-to-Point Protocol); it therefore uses PPP's authentication, compression and encryption mechanisms. The PPTP protocol is built into the Windows XP remote access client. With the standard choice of this protocol, Microsoft suggests using the MPPE (Microsoft Point-to-Point Encryption) encryption method. Data can also be transferred unencrypted, in the clear. Encapsulation with PPTP works by adding a GRE (Generic Routing Encapsulation) header and an IP header to the data processed by PPP.

Due to significant security concerns, there is no reason to choose PPTP over other protocols other than the device's incompatibility with other VPN protocols. If your device supports L2TP/IPsec or OpenVPN, then it is better to choose one of these protocols.

It should be noted that almost all devices, including mobile ones, have a client built into the OS (Windows, iOS, Android) that allows you to instantly set up a connection.

L2TP

(Layer Two Tunneling Protocol) is a more advanced protocol, born from the combination of the PPTP (from Microsoft) and L2F (from Cisco) protocols, incorporating all the best from these two protocols. Provides a more secure connection than the first option; encryption occurs using the IPSec protocol (IP-security). L2TP is also built into the Windows XP remote access client; moreover, when automatically determining the connection type, the client first tries to connect to the server using this protocol, which is more preferable in terms of security.

At the same time, the IPsec protocol has such a problem as the coordination of the necessary parameters. Given that many manufacturers set their parameters by default without the possibility of configuration, hardware using this protocol will be incompatible.

OpenVPN

An advanced open-source VPN solution created by OpenVPN Technologies, which is now the de facto standard in VPN technologies. It uses the SSL/TLS protocols and relies on the OpenSSL library for encryption. OpenSSL supports a large number of cryptographic algorithms, such as 3DES, AES, RC5 and Blowfish. As with IPsec, CheapVPN includes an extremely high level of encryption: the AES algorithm with a 256-bit key length.
OpenVPN is the only solution that allows you to bypass providers who block, or charge for, protocols other than web traffic. This makes it possible to organize channels that are, in principle, impossible to track, and we have such solutions.

Now you have some idea of what a VPN is and how it works. If you are a manager, think about it; maybe this is exactly what you were looking for.

An example of setting up an OpenVPN server on the pfSense platform

Creating a server

  • Interface: WAN (the server network interface connected to the Internet)
  • Protocol: UDP
  • Local Port: 1194
  • Description: pfSenseOVPN (any convenient name)
  • Tunnel Network: 10.0.1.0/24
  • Redirect Gateway: enabled (disable this option if you do not want all of the client's Internet traffic to be redirected through the VPN server)
  • Local Network: leave blank (if you want the local network behind the pfSense server to be accessible to remote VPN clients, specify that network's address space here, say 192.168.1.0/24)
  • Concurrent Connections: 2 (if you purchased an additional OpenVPN Remote Access Server license, enter the number of licenses purchased)
  • Inter-Client Communications: enabled (if you don't want VPN clients to see each other, disable this option)
  • DNS Server 1 (2, etc.): specify the DNS servers of the pfSense host (you can find their addresses under System > General Setup > DNS Servers)

Next we create the clients. To simplify configuring the client programs, pfSense provides an additional tool, the “OpenVPN Client Export Utility”, which automatically prepares installation packages and files for clients and avoids manual configuration of the OpenVPN client.

VPN connections between offices cover such business security requirements as:

  • Possibility of centralized access to information from offices, as well as from the main office
  • Unified corporate information system
  • Enterprise databases with a single point of entry
  • Corporate e-mail with a single entry point
  • Confidentiality of information transferred between offices

If you have any difficulties setting up or have not yet decided on VPN technology, call us!

Let's assume that we have 2 offices in different parts of the city, or in different cities or countries, and each of them is connected to the Internet via a fairly good channel. We need to connect them into a single local network. In this case, none of the users will have to guess where this or that computer or printer is located on the local network, use printers, shared folders and all the advantages of a physical network. Remote employees connected via OpenVPN will also be able to work on the network as if their computers were on the physical network of one of the offices.

We will set it up on Debian Squeeze, but the instructions apply fully to any Debian-based distribution, and with minor changes to the commands for installing and configuring the bridge and OpenVPN they apply to any Linux or FreeBSD distribution.

Let's assume that the Debian or Ubuntu distribution is installed according to one of the instructions:

Let's install and configure a VPN network based on OpenVPN using a bridge with the tap0 interface.

We create a network bridge between the physical interface eth1 and the virtual interface tap0.

Install the necessary packages, agreeing to the package manager's prompt:

aptitude install bridge-utils openvpn

We configure the server network on the basis that we have two network cards, eth0 (Internet) and eth1 (local network), which together with tap0 give us the bridge br0.

Edit the configuration file /etc/network/interfaces. Before adding the bridge it looks like this:

auto lo
iface lo inet loopback

# internet provider
auto eth0
iface eth0 inet static
    address 192.168.50.2
    netmask 255.255.255.0
    gateway 192.168.50.1

# local network
auto eth1
iface eth1 inet static
    address 10.10.10.1
    netmask 255.255.255.0

After adding the bridge (eth1 loses its address, which moves to br0):

auto lo
iface lo inet loopback

# We register a bridge and include the tap0 VPN interface and the eth1 network card in it
auto br0
iface br0 inet static
    # We add the OpenVPN interface tap0 to the bridge
    bridge_ports eth1 tap0
    address 10.10.10.1
    netmask 255.255.255.0

# Internet
auto eth0
iface eth0 inet static
    address 192.168.50.2
    netmask 255.255.255.0
    gateway 192.168.50.1

After this, when you run the ifconfig command, the bridge br0 should appear with IP 10.10.10.1, interface eth0 with IP address 192.168.50.2, and interface eth1 without an IP address, since it is in bridge br0.

Setting up OpenVPN:
We copy the easy-rsa scripts used to configure our OpenVPN server with the command:

cp -Rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa

Make changes to the file /etc/openvpn/easy-rsa/vars to define global variables, so that less data has to be entered when creating keys:

vi /etc/openvpn/easy-rsa/vars

Replace the default values:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL=" "

with your own, for example:

export KEY_COUNTRY="UA"
export KEY_PROVINCE="11"
export KEY_CITY="Kiev"
export KEY_ORG="NameFirm"
export KEY_EMAIL=" "

The same file also contains KEY_SIZE, which sets the length of the RSA keys and of the Diffie-Hellman parameters generated below. The old default of 1024 bits is considered weak today, so set it to 2048; the DH file is then named dh2048.pem and must be referenced under that name in server.conf instead of dh1024.pem.

Go to the folder with the scripts for creating certificates and keys with the command:

cd /etc/openvpn/easy-rsa/

We initialize the PKI (Public Key Infrastructure) with the commands:

. ./vars
./clean-all

Attention. Executing ./clean-all deletes all existing certificates and keys of both the server and the clients, so do not run it on a production server, or run it only after saving the folder /etc/openvpn/ to an archive with the command:

tar cf - /etc/openvpn/ | gzip -c -9 > /home/openvpn_backup.tgz

We generate a Certificate Authority (CA) certificate and key with the command:

./build-ca

Most parameters will be picked up from the vars file. Only the Name parameter must be specified explicitly:

Name: vpn

In general, you can fill out all the fields each time as you need.

We generate Diffie-Hellman parameters with the command:

./build-dh

We generate the server certificate and secret key. Do not enter anything when prompted for a password; when prompted “Sign the certificate?”, enter y and press Enter. Run the command:

./build-key-server server

All parameters are accepted by default. When asked for the Common Name, enter server:

Common Name (eg, your name or your server's hostname) :server

To the questions “Sign the certificate?” and “1 out of 1 certificate requests certified, commit?” we answer positively:

Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y

All that remains is to create certificates and keys for clients. First we initialize the parameters:

cd /etc/openvpn/easy-rsa/
. ./vars

We create keys for the user server1 and for the remote employees; add as many users as needed in the same way:

./build-key server1
./build-key client1
./build-key client2

Given that we have the network 10.10.10.0/24, we immediately allocate pools of addresses: for computers in office 1, 10.10.10.40-149; for office 2, 10.10.10.150-254; and for remote employees, 10.10.10.21-39.
Create the folder /etc/openvpn/ccd/, in which we record which client gets which IP, with the command:

mkdir -p /etc/openvpn/ccd/

We assign each client its own IP on the network with the commands:

echo "ifconfig-push 10.10.10.150 255.255.255.0" > /etc/openvpn/ccd/server1
echo "ifconfig-push 10.10.10.21 255.255.255.0" > /etc/openvpn/ccd/client1
echo "ifconfig-push 10.10.10.22 255.255.255.0" > /etc/openvpn/ccd/client2
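The three echo commands above work, but nothing stops a typo from handing a remote employee an address from the office 2 pool, or giving two clients the same address (the second client then silently breaks the first). The script below is an added example, not from the original article or from the OpenVPN project: it writes the same client-config-dir entries but checks the address against the pools allocated above (server* entries 150-254, client* entries 21-39, inside 10.10.10.0/24) and refuses duplicates. CCD_DIR defaults to a scratch directory, which is this example's assumption so that it runs without touching /etc/openvpn/ccd.

```shell
#!/bin/sh
# Added example (not from the original article): generate client-config-dir
# entries like the article's echo commands, but refuse an address that is outside
# the pool for that kind of client or already pushed to another client.
# Assumed pools inside 10.10.10.0/24: office-2 gateway (server*) 150-254,
# remote employees (client*) 21-39. CCD_DIR defaults to a scratch directory.

CCD_DIR="${CCD_DIR:-$(mktemp -d)}"

# pool_of NAME -> prints "MIN MAX" of the last octet allowed for this client kind
pool_of() {
    case "$1" in
        server*) echo "150 254" ;;
        client*) echo "21 39" ;;
        *) return 1 ;;
    esac
}

# write_ccd NAME IP -> writes "ifconfig-push IP 255.255.255.0" to $CCD_DIR/NAME.
# Returns 1 and writes nothing if the kind is unknown, the address is not in
# 10.10.10.0/24, it lies outside the kind's pool, or another client already has it.
write_ccd() {
    name=$1; ip=$2
    range=$(pool_of "$name") || { echo "$name: unknown client kind" >&2; return 1; }
    min=${range% *}; max=${range#* }
    case "$ip" in
        10.10.10.*) last=${ip#10.10.10.} ;;
        *) echo "$name: $ip is not in 10.10.10.0/24" >&2; return 1 ;;
    esac
    case "$last" in
        ''|*[!0-9]*) echo "$name: $ip is not a valid address" >&2; return 1 ;;
    esac
    if [ "$last" -lt "$min" ] || [ "$last" -gt "$max" ]; then
        echo "$name: $ip is outside the pool 10.10.10.$min-$max" >&2; return 1
    fi
    # Any other ccd file already pushing this address? (our own file may be rewritten)
    dup=$(grep -lsF "ifconfig-push $ip " "$CCD_DIR"/* 2>/dev/null | grep -v "/$name\$" || true)
    if [ -n "$dup" ]; then
        echo "$name: $ip is already pushed in $dup" >&2; return 1
    fi
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$CCD_DIR/$name"
}

# Constructed client list matching the article's three clients.
while read -r name ip; do
    write_ccd "$name" "$ip" && echo "wrote $CCD_DIR/$name"
done <<'EOF'
server1 10.10.10.150
client1 10.10.10.21
client2 10.10.10.22
EOF
```

On the real server run it with CCD_DIR=/etc/openvpn/ccd; the pool check is deliberately based on the client name prefix used in the article (server1, client1, client2), so any other naming scheme needs its own pool_of.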

Create the server configuration file:

vi /etc/openvpn/server.conf

##################################
port 1195
proto udp
dev tap0
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key  # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
mode server
tls-server
daemon
ifconfig 10.10.10.1 255.255.255.0
client-config-dir /etc/openvpn/ccd
keepalive 10 20
client-to-client
comp-lzo
persist-key
persist-tun
verb 3
log-append /var/log/openvpn.log
#script-security 2 # uncomment when working on OpenVPN version 2.4
up /etc/openvpn/up.sh
##################################

Allow OpenVPN to run scripts by editing /etc/default/openvpn:

vi /etc/default/openvpn

and changing the line

OPTARGS=""

to

OPTARGS="--script-security 2"

Create the script /etc/openvpn/up.sh, which is launched when the OpenVPN server starts:

vi /etc/openvpn/up.sh

#!/bin/sh
brctl addif br0 tap0
brctl addif br0 eth1
ifconfig tap0 0.0.0.0

We make the script /etc/openvpn/up.sh executable with the command:

chmod +x /etc/openvpn/up.sh

After this, restart the OpenVPN server with the command:

/etc/init.d/openvpn restart

Run ifconfig; the interface tap0 should appear without an IP address.

We assemble an archive with keys for distribution to remote employees and for sending to office 2.

We create folders with user names using the commands:

mkdir -p /etc/openvpn/users/server1
mkdir -p /etc/openvpn/users/client1
mkdir -p /etc/openvpn/users/client2

Create a folder with archived keys with the command:

mkdir -p /etc/openvpn/users_tgz

We collect the keys and certificates from the easy-rsa keys folder (/etc/openvpn/easy-rsa/keys/, where we copied easy-rsa above) into the user folders with the commands:

cp /etc/openvpn/easy-rsa/keys/server1.key /etc/openvpn/users/server1/
cp /etc/openvpn/easy-rsa/keys/server1.crt /etc/openvpn/users/server1/
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/users/server1/
cp /etc/openvpn/easy-rsa/keys/client1.key /etc/openvpn/users/client1/
cp /etc/openvpn/easy-rsa/keys/client1.crt /etc/openvpn/users/client1/
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/users/client1/
cp /etc/openvpn/easy-rsa/keys/client2.key /etc/openvpn/users/client2/
cp /etc/openvpn/easy-rsa/keys/client2.crt /etc/openvpn/users/client2/
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/users/client2/

We create the configuration files on the basis that server1 is the server of the remote office 2, while client1 and client2 are remote employees connecting to the VPN network from outside, from Windows.

Instead of IP-SERVER-VPN we set the external IP address of the OpenVPN server.

Create the OpenVPN configuration file for server1:

echo "
remote IP-SERVER-VPN 1195
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert server1.crt
key server1.key
comp-lzo
verb 4
mute 20
verb 3
log-append /var/log/openvpn.log
up /etc/openvpn/up.sh
" > /etc/openvpn/users/server1/server1.conf

Archive the keys for server1 with the command:

tar cf - /etc/openvpn/users/server1 | gzip -c -9 > /etc/openvpn/users_tgz/server1.tgz

Create the configuration file for client1:

echo "
remote IP-SERVER-VPN 1195
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 4
mute 20
verb 3
" > /etc/openvpn/users/client1/client1.ovpn

Archive the keys for client1 with the command:

tar cf - /etc/openvpn/users/client1 | gzip -c -9 > /etc/openvpn/users_tgz/client1.tgz

Create the configuration file for client2 (note that it goes into client2's own folder):

echo "
remote IP-SERVER-VPN 1195
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client2.crt
key client2.key
comp-lzo
verb 4
mute 20
verb 3
" > /etc/openvpn/users/client2/client2.ovpn

Archive the keys for client2 with the command:

tar cf - /etc/openvpn/users/client2 | gzip -c -9 > /etc/openvpn/users_tgz/client2.tgz
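Writing each client's config and archive by hand is where mistakes creep in (the original text itself dropped client2's config into client1's folder, and a missing .key file is only noticed when the client fails to connect). The following is an added example, not from the original article or the OpenVPN project, that builds one client bundle from a keys directory: it checks that ca.crt and the client's cert and key exist before doing anything, writes the same config as the article's echo commands (with the duplicated verb line collapsed and, for the office 2 gateway, the log-append and up lines added), restricts the key file's permissions, and creates an archive that holds only the client's folder. The scratch directories and the IP-SERVER-VPN placeholder are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build a client's OpenVPN bundle
# (config plus ca.crt and the client's cert/key) the way the article does with
# echo and tar, but checking that every file exists first and keeping the archive
# relative so it unpacks into a single folder.

# make_client_config NAME SERVER_IP [PORT] [KIND] -> prints the client config.
# KIND "gateway" adds the lines the article uses for the office-2 server
# (log file and the up script that joins tap0 to the bridge).
make_client_config() {
    name=$1; server=$2; port=${3:-1195}; kind=${4:-employee}
    cat <<EOF
remote $server $port
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $name.crt
key $name.key
comp-lzo
verb 3
EOF
    if [ "$kind" = gateway ]; then
        printf 'log-append /var/log/openvpn.log\nup /etc/openvpn/up.sh\n'
    fi
}

# make_client_bundle NAME SERVER_IP KEYS_DIR OUT_DIR [KIND] -> OUT_DIR/NAME.tgz
# Returns 1 and creates nothing when ca.crt, NAME.crt or NAME.key is missing
# from KEYS_DIR (easy-rsa's keys/ directory on the real server).
make_client_bundle() {
    name=$1; server=$2; keys=$3; out=$4; kind=${5:-employee}
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    mkdir -p "$out/$name" || return 1
    cp "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$out/$name/" || return 1
    chmod 600 "$out/$name/$name.key"          # private key: owner-only
    make_client_config "$name" "$server" 1195 "$kind" > "$out/$name/$name.ovpn"
    # -C so the archive contains just the NAME folder, not /etc/openvpn/users/...
    tar -C "$out" -czf "$out/$name.tgz" "$name"
}

# Demo on scratch directories with constructed placeholder files standing in
# for the real certificates and key.
KEYS=$(mktemp -d); OUT=$(mktemp -d)
for f in ca.crt client1.crt client1.key; do echo "placeholder $f" > "$KEYS/$f"; done
make_client_bundle client1 IP-SERVER-VPN "$KEYS" "$OUT" && echo "built $OUT/client1.tgz"
```

On the real server the call for the office 2 gateway would be make_client_bundle server1 IP-SERVER-VPN /etc/openvpn/easy-rsa/keys /etc/openvpn/users gateway; for the Windows employees rename the resulting NAME.ovpn as needed, since the content is the same.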

Setting up a VPN server for office 2

In the instructions above, we installed and configured the VPN server on Debian GNU/Linux using OpenVPN, we created keys with certificates for the remote server of office 2 and remote employees. Now we need to connect office 1 with office 2 into a single local network via VPN.

Let's assume that in office 2 we have installed and configured a Linux server (gateway), which distributes the Internet channel for office 2 employees. This server has 2 network cards: eth0 - Internet provider and eth1- local network, it will be included in the bridge and will have a pool of addresses 10.10.10.100-254

We need to install the software with the command:

aptitude install bridge-utils openvpn

Setting up the server network

We configure the network on the basis that we have two network cards: eth0 receives the Internet from the provider, and through it office 2 accesses the Internet; eth1 is plugged into the local network switch of office 2 and will be included in the bridge br0.

Edit the configuration file /etc/network/interfaces:

vi /etc/network/interfaces

Before adding the bridge it looks like this:

auto lo
iface lo inet loopback

# internet provider
auto eth0
iface eth0 inet static
    address 192.168.60.2
    netmask 255.255.255.0
    gateway 192.168.60.1

# local network
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0

After adding the bridge:

auto lo
iface lo inet loopback

# We register a bridge and include the tap0 VPN interface and the eth1 network card in it
auto br0
iface br0 inet static
    # We add the OpenVPN interface tap0 to the bridge
    bridge_ports eth1 tap0
    address 10.10.10.150
    netmask 255.255.255.0

# Internet
auto eth0
iface eth0 inet static
    address 192.168.60.2
    netmask 255.255.255.0
    gateway 192.168.60.1

Save the changes and reboot the network with the command:

/etc/init.d/networking restart

After this, when you run the ifconfig command, the bridge br0 should appear with IP 10.10.10.150, interface eth0 with IP address 192.168.60.2, and interface eth1 without an IP address, since it is in bridge br0.

For office 2 computers, we issue IP addresses without going beyond 10.10.10.150-254, where 10.10.10.150 is the IP address of the office 2 server.

We upload the assembled OpenVPN key archive from the office 1 VPN server to the office 2 server with the command (IP-OFFICE2-SERVER is a placeholder for the address of the office 2 server):

scp -P22 /etc/openvpn/users_tgz/server1.tgz root@IP-OFFICE2-SERVER:/root/

Or, if the office 2 server has neither a permanent nor a dynamic public IP, we pull the keys from the office 1 VPN server instead, running on the office 2 server:

scp -P22 root@IP-SERVER-VPN:/etc/openvpn/users_tgz/server1.tgz /root/

When prompted for a password, enter the root user's password; after the correct password is entered, the key archive is saved as /root/server1.tgz

Unpack the contents of the archive /root/server1.tgz (only the key files, without the folders) into the folder /etc/openvpn/

Allow OpenVPN to run scripts by editing /etc/default/openvpn:

vi /etc/default/openvpn

and changing the line

OPTARGS=""

to

OPTARGS="--script-security 2"

Create the script /etc/openvpn/up.sh, which is launched when the VPN client connects to the VPN server:

vi /etc/openvpn/up.sh

#!/bin/sh
brctl addif br0 tap0
brctl addif br0 eth1
ifconfig tap0 0.0.0.0

Make it executable:

chmod +x /etc/openvpn/up.sh

Restart the OpenVPN client with the command:

/etc/init.d/openvpn restart

Run ifconfig; the interface tap0 should appear without an IP address.

Now you can ping the computers of another office from both offices, use shared folders, printers, resources of another office, and also organize gaming battles between office 1 and office 2 :)

To check which interfaces are connected to the bridge, run the command:

brctl show

System response:

bridge name     bridge id               STP enabled     interfaces
br0             7000.003ds4sDsf6        no              eth1
                                                        tap0

We see our local network card eth1 and the OpenVPN virtual interface tap0.
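Eyeballing brctl show is fine once, but if up.sh fails (for example when OpenVPN is not allowed to run scripts) tap0 simply never appears in the bridge and both offices quietly lose each other. The script below is an added example, not from the original article or from bridge-utils: it parses the brctl show layout shown above, where the second and later interfaces of a bridge are printed on their own indented lines, and reports whether both eth1 and tap0 are members of br0. The sample output is constructed in that layout with a made-up bridge id.

```shell
#!/bin/sh
# Added example (not from the original article): verify bridge membership from
# "brctl show" output, so a startup or monitoring job can confirm that up.sh
# really added tap0 (and eth1) to br0. The sample output below is constructed.

# bridge_members "OUTPUT" BRIDGE -> prints the interfaces of BRIDGE, space separated.
# brctl prints the second and later interfaces on their own indented lines, so
# continuation lines have to be attributed to the last bridge row seen.
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        NR == 1 { next }                                     # header line
        /^[^ \t]/ { cur = $1; iface = (NF >= 4) ? $4 : "" }  # new bridge row
        /^[ \t]/  { iface = $1 }                             # continuation row
        cur == br && iface != "" { out = out (out == "" ? "" : " ") iface }
        END { print out }'
}

# bridge_has "OUTPUT" BRIDGE IFACE -> 0 if IFACE is a member of BRIDGE, else 1
bridge_has() {
    case " $(bridge_members "$1" "$2") " in
        *" $3 "*) return 0 ;;
    esac
    return 1
}

# check_vpn_bridge "OUTPUT" -> 0 when both eth1 and tap0 sit in br0 (the state the
# article expects after restarting OpenVPN); otherwise reports what is missing
# and returns 1.
check_vpn_bridge() {
    rc=0
    for i in eth1 tap0; do
        bridge_has "$1" br0 "$i" || { echo "br0 is missing $i" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample in the "brctl show" layout from the article (made-up id).
SAMPLE='bridge name	bridge id		STP enabled	interfaces
br0		8000.000c29aabbcc	no		eth1
							tap0'

# On a real gateway replace the sample with: check_vpn_bridge "$(brctl show)"
check_vpn_bridge "$SAMPLE" && echo "br0 members: $(bridge_members "$SAMPLE" br0)"
```

Running check_vpn_bridge "$(brctl show)" after /etc/init.d/openvpn restart, from cron or a monitoring agent, turns the manual check into a non-zero exit status that can raise an alert.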

The task is completed, two remote offices are connected into one local network.


The main goal of combining local office networks is to provide transparent access to the organization's geographically distributed information resources. Consolidating office networks allows you to solve the following most common problems:

  • use a single number capacity of an office PBX;
  • ensure user authorization to access resources (shared folders, intranet site, email, etc.) regardless of their current location;
  • provide secure access for the organization's employees to resources located in different offices (for example, ensure that employees work with a 1C enterprise server installed in one of the offices);
  • work on a remote computer using terminal access (remote desktop control);
  • increase the efficiency and responsiveness of the technical support service thanks to the ability to remotely manage computers, servers and other equipment, as well as the effective use of built-in Windows tools for providing assistance (Remote Assistance).

Methods for implementing the integration of office networks

In order to unite local networks of offices and remote branches, virtual private network technology is used - VPN (Virtual Private Network). This technology is intended for cryptographic protection of data transmitted over computer networks. A virtual private network is a collection of network connections between several VPN gateways that encrypt network traffic. VPN gateways are also called cryptographic gateways or crypto-gateways.

There are two methods for building a single secure corporate network of an organization:

  1. using equipment and the corresponding range of services of an Internet provider;
  2. using our own equipment located in the head office and branches.

VPN and services are provided by the Internet provider

This solution is applicable if the head office and branches are connected to the Internet through the same Internet provider. If the company's branches are scattered across cities, let alone different countries, it is unlikely that a single provider can deliver the required level of service, and even less likely at an affordable price.

If your offices are located within the same city, check with your Internet provider to see if they can combine the local networks of your offices into a single network. Perhaps this solution will be optimal for you in terms of cost.

Consolidation of networks of offices and branches on your own

The method of combining two networks using VPN technology is called “Peer-to-Peer VPN” or “site-to-site VPN” in English-language literature. A "transparent encryption" mode is established between the two networks. The IPSec protocol is most often used to encrypt and transmit traffic in IP networks.

For VPN connections (VPN tunnels) between the central office and the branches of a small company, we recommend hardware Internet gateways (firewalls) with built-in VPN support, such as ZyXEL ZyWALL, Netgear Firewall, Check Point Safe@Office, etc. This class of products is designed for small companies with a staff of 5 to 100 people. These devices are easy to configure, highly reliable and have sufficient performance.

At the head office, software-based integrated network security solutions are often installed, such as Microsoft Internet Security and Acceleration Server 2006 (Microsoft ISA 2006), CheckPoint Express, CheckPoint VPN-1 Edge and others. Managing them requires highly qualified staff, who as a rule are either employed at the head office or provided by an outsourcing company.

Regardless of the equipment used, the general scheme for building a Peer-to-Peer VPN for securely combining local networks of remote offices into a single network is as follows:

It should also be noted that there are specialized hardware crypto gateways, such as Cisco VPN Concentrator, "Continent-K", etc. They are aimed at the networks of medium and large companies, where high performance is needed when encrypting network traffic, or where special capabilities are required, for example data encryption in accordance with GOST ("Continent-K").

What you need to pay attention to when choosing equipment

When choosing equipment for organizing a virtual private network (VPN), you need to pay attention to the following properties:

  1. number of simultaneously supported VPN tunnels;
  2. performance;
  3. the ability to filter network traffic inside a VPN tunnel (this function is not implemented in all Internet gateways);
  4. support for QoS quality management (very useful when transmitting voice traffic between networks);
  5. compatibility with existing equipment and applied technologies.

Hardware solutions

Advantages of solutions built on inexpensive hardware Internet gateways

  • Low cost;
  • High reliability (no need for backup, nothing goes wrong when the power is turned off);
  • Ease of administration;
  • Low power consumption;
  • Takes up little space, can be installed anywhere;
  • Depending on the chosen VPN platform, additional services can be installed on the VPN gateway (anti-virus scanning of Internet traffic, attack and intrusion detection, etc.), which significantly raises the overall level of network security and reduces the total cost of a comprehensive network protection solution.

Flaws

  • The solution does not scale: higher performance can only be achieved by replacing the equipment entirely;
  • Less flexible in settings;
  • Integration with Microsoft Active Directory (or LDAP) is generally not supported.

Software solutions

Benefits of software solutions

  • Flexibility;
  • Scalability, i.e. the ability to raise performance as needed;
  • Tight integration with Microsoft Active Directory (Microsoft ISA 2006, CheckPoint).

Flaws

  • High price;
  • Complexity of administration.

Where to start

Before you start choosing equipment and software for a project to combine local office networks into a single network via VPN, you need the following information:

  1. Define topology:
    • Meshed (fully connected) - each site can automatically organize an encrypted connection with any other site;
    • Star - branches can establish secure connections with the central site;
    • Hub and Spoke (connection through a hub) - branches can connect to each other through the hub of the central site;
    • Remote Access - users and groups can organize secure connections to one or more sites;
    • Combinations of the above methods (for example, a Star with Meshed Center topology, in which remote branches can exchange information with all members of the central VPN, which has a mesh topology).
  2. Number of branches (how many simultaneous VPN connections must be supported by the head office equipment);
  3. Number of users in the central office and in each branch;
  4. What equipment and/or software is used in each branch (data is necessary to take into account the possibilities for using existing equipment and/or software);
  5. Data on connecting branches to the Internet: IP address assignment - dynamic or static, communication channel speed;
  6. What approach to information security management (network perimeter protection, anti-virus protection) will be applied: centralized management of the head office and branches by a single security administrator (system administrator), or each branch having its own system administrator.

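Items 1 and 2 of this checklist, together with the "number of simultaneously supported VPN tunnels" criterion for choosing equipment, come down to one planning question: given the site list and the topology, which tunnels exist and how many terminate at each gateway? The script below answers it for the Meshed and Star cases (Hub and Spoke needs the same tunnels as Star; branch-to-branch traffic is then routed through the hub). It is an added example, not from the article; the site names are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the article): enumerate the VPN tunnels a topology
# needs and count how many terminate at each site. Site names are constructed.

# plan_tunnels TOPOLOGY HUB SITE...
# Prints one "A<->B" line per encrypted tunnel.
#   mesh               : every site pairs with every other site
#   star|hub-and-spoke : each branch pairs with HUB only
plan_tunnels() {
  topo=$1; hub=$2; shift 2
  case "$topo" in
    mesh)
      # take the first remaining site, pair it with all that follow, repeat
      while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do echo "$a<->$b"; done
      done ;;
    star|hub-and-spoke)
      for s in "$@"; do
        if [ "$s" != "$hub" ]; then echo "$hub<->$s"; fi
      done ;;
    *) echo "plan_tunnels: unknown topology '$topo'" >&2; return 2 ;;
  esac
}

# tunnels_at SITE  (reads plan_tunnels output on stdin)
# Counts the tunnels terminating at SITE: the number of simultaneous tunnels
# the gateway installed there must support.
tunnels_at() {
  awk -F'<->' -v site="$1" '$1 == site || $2 == site { n++ } END { print n + 0 }'
}

# Constructed site list: head office plus three branches.
SITES="HQ B1 B2 B3"
for t in mesh star; do
  echo "== $t =="
  plan_tunnels "$t" HQ $SITES
  printf 'tunnels at HQ: %s, at B1: %s\n' \
    "$(plan_tunnels "$t" HQ $SITES | tunnels_at HQ)" \
    "$(plan_tunnels "$t" HQ $SITES | tunnels_at B1)"
done
```

With four sites the mesh needs six tunnels and every gateway, branches included, must terminate three; the star needs three tunnels, all at the head office, and each branch gateway terminates only one. That difference is what decides whether inexpensive branch gateways are sufficient.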
To minimize the threat of intrusion into the central office network, due attention must be paid to protecting the branch networks. A VPN does not by itself guarantee protection against intrusion unless the branch networks are also reliably protected: if an attacker gains unauthorized access to a branch network, he also gains access to the head office information system, since the head office and branch networks are combined into a single network via the VPN.
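This is where the "ability to filter network traffic inside a VPN tunnel" criterion from the equipment list earns its place: the head-office gateway can limit a branch to the services it actually needs, so that a compromised branch LAN does not get the run of the head-office network. The ruleset below is an added example, not from the article, and it assumes a routed site-to-site tunnel (tun or IPsec) with separate subnets on each side; it does not apply to the bridged tap setup from the first part of the page, where both offices form one broadcast domain and the gateway sees no IP forwarding to filter. All addresses, interface names and the application port list are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the article): a FORWARD filter for the head-office
# gateway that allow-lists what a branch may reach through the tunnel.
# Every value below is an assumed placeholder.

HEAD_NET="10.1.0.0/24"            # assumed head-office LAN
BRANCH_NET="10.2.0.0/24"          # assumed branch LAN
LAN_IF="eth1"                     # assumed head-office LAN interface
VPN_IF="tun0"                     # assumed routed tunnel interface
APP_SERVER="10.1.0.10"            # assumed application (1C) server
APP_PORTS="1540,1541,1560:1591"   # assumed; take the real list from the application's documentation
TERM_SERVER="10.1.0.11"           # assumed terminal server (RDP, tcp/3389)
FILE_SERVER="10.1.0.12"           # assumed file server (SMB, tcp/445)

# tunnel_filter_rules : print an iptables-restore ruleset for the filter table.
# Branch -> head office is sent through the VPN_IN chain (allow-list, then log
# and drop). Head office -> branch is allowed so administrators can manage
# branch equipment; replies in either direction pass via conntrack.
tunnel_filter_rules() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
:VPN_IN - [0:0]
-A FORWARD -i $LAN_IF -o $VPN_IF -s $HEAD_NET -d $BRANCH_NET -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -s $BRANCH_NET -d $HEAD_NET -j VPN_IN
-A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A VPN_IN -p tcp -d $APP_SERVER -m multiport --dports $APP_PORTS -j ACCEPT
-A VPN_IN -p tcp -d $TERM_SERVER --dport 3389 -j ACCEPT
-A VPN_IN -p tcp -d $FILE_SERVER --dport 445 -j ACCEPT
-A VPN_IN -m limit --limit 5/min -j LOG --log-prefix "vpn-in drop: "
-A VPN_IN -j DROP
COMMIT
EOF
}

# allowed_destinations : list "address port(s)" pairs the branch may open, for
# reviewing the allow-list without reading iptables syntax.
allowed_destinations() {
  tunnel_filter_rules | awk '
    /^-A VPN_IN .* -j ACCEPT/ && /-d / {
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") dst = $(i + 1)
        if ($i == "--dport" || $i == "--dports") port = $(i + 1)
      }
      print dst, port
    }'
}

# Preview the ruleset. To load it on the gateway: tunnel_filter_rules | iptables-restore
tunnel_filter_rules
```

The order inside VPN_IN matters: the conntrack rule first so return traffic is cheap, the allow-list next, and the rate-limited LOG immediately before the final DROP so that a branch machine probing the head-office network shows up in the gateway log rather than silently failing. Anything the branch needs beyond these three services is added as another explicit ACCEPT line, never by widening the FORWARD rule.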