Site to Site OpenVPN on SLES 11

Hi all,

I need some help.
Please, sorry for my English since it is not my native language.
I promise to write a very detailed tutorial about this after successful implementation in 2 weeks and post it here.
Also I very ask you do not point me to another link or tutorial unless it regarding my question exactly. I’ve already read 2 books (Beginning to OpenVPN and OpenVPN Cookbook) yet still have to clarify some points.
We have a virtual LAN from ISP with 14 subnets like 10.0.23.0/30 for each branch. The 1st IP is for gateway and the latter one is assigned to OpenVPN server. Every branch have 3 workstations plus OpenVPN server. Link on main site is 1024 Kbps, branches have 256 Kbps. On the main site we have several servers like Database, Web, Active Directory, DNS, DHCP, NTP etc. Figure 1. WAN
http://foto.mail.ru/bk/hika/_myphoto/57.html
So, we need to join all our sites together. Additionally, my boss doesn’t want to keep certificates on each PC, consequently I decided to organize site-to-site VPN, where no one server and workstations except OpenVPN know about VPN and they communicate each other directly.
Workstation PCs must obtain IP from DHCP server and login to Active Directory (windows 2003) domain. After login they are allowed connecting Web server.
I know there’s a method like Ethernet bridging. But authors of books advised to avoid using Ethernet bridging. I can’t imagine how to achieve my purpose without bridging.
So here is my questions:

  1. Is it good idea to use Ethernet bridging, if not what way should I follow?
  2. I don’t want my client sites communicates each other, only main site must be reachable from workstations. I suppose within bridging it is not possible?
  3. How to assign IP addresses for our workstations behind OpenVPN servers directly from our DHCP server (with proper gateway and DNS) so they can login into AD.
  4. Should I have DHCP relay on each OpenVPN server in routing mode to pass DHCP offers/requests to workstations from DHCP server?

On 10/10/2011 11:16 AM, hikauz wrote:
> I need some help.

-=WELCOME=- your english is great…

you are welcome to seek advice here, but BE ADVISED that these are the
openSUSE forums and many of the answers might be from folks who have
never run SLES (or maybe never even heard of it before) and
you are likely much better off if you seek assistance from the
Attachmate/SUSE forums (where the SUSE Linux Enterprise gurus hang out),
at: http://tinyurl.com/422mrnu

maybe someone here can help, so check back to see if anyone has the info
you need, but you should for sure check in with the SUSE/Attachmate
folks, your ID/Pass here works there also…


DD
openSUSE®, the “German Automobiles” of operating systems

  1. I’ve got no idea what do You mean by Ethernet bridging but from your description I believe You need site-to-site openVPN tunnels between each branch site and the main site so I believe that would be 14 openVPN site-to-site tunnels.
  2. In order to separate the networks You must set up routing correctly, which should be easy enough with openVPN. You can easily use OSPF with openVPN. You could also go for IPsec site-to-site tunnels instead of openVPN for finer granularity of control but then You need GRE tunnels in order to make OSPF work (I’ve got no idea what your exact requirements are)
  3. Modify Your current DHCP servers to give the proper IPs. I don’t really see the problem.
  4. I guess that depends on how the AD and DHCP servers are configured. I don’t think that’s necessary. It’s certainly not necessary with IPsec because the hosts at both ends of the tunnnel “think” they are on the same LAN.

I would highly recommends reading this manual for a better understanding of site-to-site VPNs. Both openVPN and IPsec are very well described here :
http://dl.dropbox.com/u/20761718/Vyatta_VPNRef_R6.1_v02.pdf

Best regards,
Greg

Thanks a Lot

You’re welcome. Please let us know when You finish the task and what was the final solution :slight_smile:

Best regards,
Greg