Site-to-site VPN vs remote access VPN

Introduction

A site-to-site setup is where two (or more) different networks are connected together using one OpenVPN tunnel. In this connection model, devices in one network can reach devices in the other network, and vice versa. The implementation of this is, as far as Access Server is involved, relatively simple. The more difficult part comes when dealing with firewalls and security filtering options, and altering routing tables in routers and Internet gateways, as there are so many of them of various brands and models that we cannot possibly document all of them. However, routers should all have one thing in common: the ability to route traffic using static routes. With that capability comes the means to send traffic from one network to another, through a gateway system that provides connectivity to the other network. An OpenVPN Access Server with a Linux VPN gateway client forms such a gateway system, to form a bridge between two networks. If your network equipment is then properly adjusted as well, a site-to-site setup that works transparently for all devices in the two networks can be achieved.

On this page we aim to provide you with a guide that gives insight into how this works, to give you an understanding of how things should be set up to get things working.

Overview of an example site-to-site setup

[Diagram: overview of the example site-to-site setup]

In the diagram above, the headquarters of our example company are on the right, and there are computers and servers there. One of the servers has the OpenVPN Access Server product installed. All of the computers and servers in that network are connected to a router (the little flat square box with a gear icon) that also provides access to the Internet. On the left is a subsidiary office that has a few computers and servers as well, all connected to their own router that also provides access to the Internet.

One of the servers in the subsidiary office has an OpenVPN client program installed on a Linux operating system, which has an active OpenVPN tunnel connection to the OpenVPN Access Server at the headquarters. In this example site-to-site setup, complete access has been opened up between computers and servers in the headquarters and the subsidiary office. In other words, a user sitting at a computer in the subsidiary office can access the servers at the headquarters as if they were there, thanks to an OpenVPN tunnel connection between the two networks. This OpenVPN tunnel travels over the Internet and its contents are securely encrypted.

Step by step description of how traffic flows

We have created a series of pictures that show how a request from a client computer in the subsidiary office reaches an application server at the headquarters office, and how a response gets sent back. Each step of the process is shown clearly with highlighted lines and relevant network information. Simply go through the images to see a step by step progression. It's worth noting that this type of setup still allows other VPN clients to log on to the OpenVPN Access Server and gain access to any of the devices in these two networks. Also, a site-to-site setup need not be limited to one subsidiary network; it can be multiple just as easily.

How to set up OpenVPN Access Server for site-to-site

We are assuming that you already have an OpenVPN Access Server installation working, and that it is installed in your private network behind a router with Internet access and has a private IP address, with port forwarding set up so that it can be reached from the outside, and with appropriate settings made so that it is actually reachable with an OpenVPN client program from the outside. In other words, that you have an OpenVPN Access Server installation that works and lets OpenVPN clients connect. If you haven't installed Access Server yet then please do so first. See the Access Server installation options page for more information.

This section describes which settings to configure in the OpenVPN Access Server to make a site-to-site setup possible. We are going to assume we're setting up the site-to-site setup as shown in the pictures above, with the subnets used there. If your subnets are different, and they very likely are, you should adjust as needed to match your situation. Important note: for site-to-site to work, the subnets in the two networks must be different.

Go to the Admin UI and go to VPN Settings. In the section titled Should VPN clients have access to private subnets set the selection to Yes, using routing (advanced) and in the large text field just below it specify the subnet of the network where your OpenVPN Access Server is located. To compare it to the example site-to-site setup described in the picture series above, this would be 192.168.70.0/24. Make sure the checkbox to allow access from the private subnets is left checked. Now save settings and update running servers.

Next go to User Permissions and create a new user and password. If you use an external authentication system like PAM, RADIUS, or LDAP, make sure the account exists there. You will need to be able to actually log in and use this account, of course. On the new user account check the box for auto-login privileges. Then click Show to reveal more settings. Set the Configure VPN gateway option to yes and in the large text field that then appears below it, enter the subnet of the remote network where the Linux OpenVPN client gateway system is going to be installed. In the example site-to-site setup described in the picture series above, this would be 10.0.60.0/24. Now save settings and update running servers.

As far as the OpenVPN Access Server program is concerned, this is what completes a site-to-site setup configuration on this end. There remain a number of things still to configure. The router in the network where the Access Server is needs to be made aware that there are additional subnets in existence, and that they can be reached by contacting the private IP address of the Access Server installation. In our example network, the OpenVPN Access Server has an IP of 192.168.70.222. It also has a VPN client subnet of 172.16.0.0/20 and it will eventually have a site-to-site connection running to subnet 10.0.60.0/24. To make the router aware of these extra subnets look up the documentation of your router device, and look up how to add static routes. These are the static routes that need to be added:

Network 172.16.0.0 with subnet mask 255.255.240.0 through gateway 192.168.70.222
Network 10.0.60.0 with subnet mask 255.255.255.0 through gateway 192.168.70.222

You will note that we are specifying a subnet mask. Most routing equipment wants it specified in this manner instead of using CIDR format with the /24 and /20 and so on. There are tables that you can look up online that you can use to easily convert one to the other.

With the new static routes in place, whenever traffic now arrives at the router that has as a destination an IP address somewhere in 172.16.0.0/20 or 10.0.60.0/24, it will know that it should forward this to the OpenVPN Access Server at IP address 192.168.70.222. It will then forward it to where it needs to go, as it knows how to contact those two subnets.

How to set up the OpenVPN Linux Gateway client

We prefer using a Linux operating system to handle the role of a VPN client that also serves as gateway. We prefer Ubuntu LTS on a virtual machine or dedicated hardware. We simply have the best experiences with it, and there are simple tools available on Linux that are free and easy to install and use to diagnose any problems that may come up. Also Linux is free to use and can run on very light-weight equipment. Even a Raspberry Pi 3 or such can handle this task, and there are also embedded systems that can handle it. Equipment aside, if you have a Linux operating system with an OpenVPN client that can connect to the OpenVPN Access Server, and you can enable something called IP forwarding, then you should be able to get an OpenVPN Linux Gateway client up and running fairly easily. You do not need to install the OpenVPN Access Server program itself on this Linux client system.

What you do need is the OpenVPN open source client program for Linux. On Ubuntu you can install this with the command apt-get install openvpn. With the client program now installed, it is going to check for any *.conf files in the /etc/openvpn/ directory and at system startup try to connect them and keep them connected. What we need next is to obtain the auto-login connection profile for the user account created for site-to-site connectivity, and save it in the /etc/openvpn/ directory. To do that we need to get the file first:

Go to the OpenVPN Access Server's client UI using a web browser, click the connect dropdown menu and switch it to login. Enter the user name and password of the user account you created for site-to-site connectivity and click go. You will be presented with a list of files available for this user account. Locate the auto-login profile and download it. It will be called client.ovpn.

Transfer this client.ovpn file to your Linux client system (with SCP or WinSCP, or by copying and pasting the contents of the file in a text editor like nano) and place it in the /etc/openvpn/ directory. Rename the file to something like headquarters.conf. The filename is not particularly important, but the extension must end with .conf for the openvpn daemon to pick it up. Now reboot the Linux client operating system. It should now automatically connect and you should be able to see this connection appear on the OpenVPN Access Server's Current Users overview.

Next enable IP forwarding on the Linux client system. IP forwarding is the function in an operating system that allows it to accept an incoming network packet on one network interface, and if the destination is on another network, to forward it there. This is what you need when packets coming in from your network need to go to the VPN tunnel, or vice versa. On Ubuntu you can do this fairly easily by opening /etc/sysctl.conf with a text editor like nano, and uncommenting the line #net.ipv4.ip_forward=1. Uncommenting means you remove the # character. Then exit and save the file. Now reboot the Linux client operating system.

As far as the OpenVPN Linux Client gateway system is concerned, this is what completes a site-to-site setup configuration on this end. There remains now only one thing left to configure. The router in the network where the Linux Gateway client is needs to be made aware that there are additional subnets in existence, and that they can be reached by contacting the private IP address of the Linux Gateway client installation. In our example network, the OpenVPN Linux client gateway system has an IP of 10.0.60.55. It is also part of the VPN client subnet of 172.16.0.0/20 that exists on the Access Server, and it will now have a site-to-site connection running to subnet 192.168.70.0/24. To make the router aware of these extra subnets look up the documentation of your router device, and look up how to add static routes. Please note that you should add these static routes on the router in the subsidiary office network where the OpenVPN Linux Gateway client system is, not on the network where the Access Server is. These are the static routes that need to be added:

Network 172.16.0.0 with subnet mask 255.255.240.0 through gateway 10.0.60.55
Network 192.168.70.0 with subnet mask 255.255.255.0 through gateway 10.0.60.55

As with the static routes on the other router, you will note that we are specifying a subnet mask. Most routing equipment wants it specified in this manner instead of using CIDR format with the /24 and /20 and so on. There are tables that you can look up online that you can use to easily convert one to the other.

With the new static routes in place, whenever traffic now arrives at the router that has as a destination an IP address somewhere in 172.16.0.0/20 or 192.168.70.0/24, it will know that it should forward this to the OpenVPN Linux Gateway client at IP address 10.0.60.55. It will then forward it to where it needs to go, as it knows how to contact those two subnets.
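The request and reply paths through the static routes on both routers, as an added Python model that is not code from the page or from OpenVPN: each hop does a longest-prefix lookup in the table the guide has you configure, and the last case drops one static route to show the misrouting the troubleshooting section describes, where traffic follows the default route to the Internet instead of entering the tunnel. Hop names, the hosts 10.0.60.10 and 192.168.70.50, and the routing tables themselves are constructed for the example.

```python
import ipaddress

# Addresses from the page's example: office 10.0.60.0/24 (Linux gateway 10.0.60.55),
# HQ 192.168.70.0/24 (Access Server 192.168.70.222), VPN clients 172.16.0.0/20.
ADDR = {"linux-gateway": "10.0.60.55", "access-server": "192.168.70.222"}
OFFICE, VPN, HQ = "10.0.60.0/24", "172.16.0.0/20", "192.168.70.0/24"

# One routing table per hop as (prefix, next hop): "local" = destination is on a
# directly attached LAN, "internet" = the router's default route to its WAN side,
# and the gateway-to-gateway entries are the OpenVPN tunnel itself (constructed).
TABLES = {
    "office-router": [(OFFICE, "local"), (VPN, "linux-gateway"),
                      (HQ, "linux-gateway"), ("0.0.0.0/0", "internet")],
    "linux-gateway": [(OFFICE, "local"), (VPN, "access-server"),
                      (HQ, "access-server"), ("0.0.0.0/0", "office-router")],
    "access-server": [(HQ, "local"), (VPN, "linux-gateway"),
                      (OFFICE, "linux-gateway"), ("0.0.0.0/0", "hq-router")],
    "hq-router": [(HQ, "local"), (VPN, "access-server"),
                  (OFFICE, "access-server"), ("0.0.0.0/0", "internet")],
}

def lookup(table, dst):
    """Longest-prefix match: the most specific route wins, as on a real router."""
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(first_hop, dst, tables=TABLES):
    """Follow one packet from the sender's default gateway to delivery, leak or loop."""
    dst, path = ipaddress.ip_address(dst), [first_hop]
    for _ in range(len(tables) + 1):          # bound the walk in case of a loop
        nh = lookup(tables[path[-1]], dst)
        if nh in ("local", "internet"):
            return path + [str(dst) if nh == "local" else "internet"]
        path.append(nh)
    return path + ["loop"]

def static_routes(router, tables=TABLES):
    """Render a router's extra routes in the network/mask form the page uses."""
    return [f"Network {ipaddress.ip_network(p).network_address} with subnet mask "
            f"{ipaddress.ip_network(p).netmask} through gateway {ADDR[nh]}"
            for p, nh in tables[router] if nh in ADDR]

if __name__ == "__main__":
    for router in ("hq-router", "office-router"):
        print(router, *static_routes(router), sep="\n  ")
    print("request:", " -> ".join(trace("office-router", "192.168.70.50")))
    print("reply:  ", " -> ".join(trace("hq-router", "10.0.60.10")))
    # Forget the HQ static route on the office router: the packet leaks to the Internet.
    broken = {**TABLES, "office-router": [r for r in TABLES["office-router"] if r[0] != HQ]}
    print("misrouted:", " -> ".join(trace("office-router", "192.168.70.50", broken)))
```

The static_routes output reproduces the two route lists above exactly, so changing OFFICE, HQ and ADDR to your own subnets gives you the lines to enter on each router, already converted from CIDR to subnet-mask form.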

Troubleshooting

With the above setup steps followed, both the OpenVPN Access Server and the OpenVPN Linux Gateway client should be operating perfectly. There are however a great number of possible problems that can be encountered with surrounding equipment. For example there can be firewalls on the client and server computers that block traffic from "unknown" subnets. On cloud networks like Amazon AWS, security groups and source checking can be a factor in blocking traffic. Furthermore, static routes could have been set up wrong so that they work from the LAN to the WAN interface, so that the router tries to send the traffic to the Internet instead of keeping it purely on the LAN side. Unfortunately there are too many possible issues that lie completely outside of the OpenVPN Access Server and its connected OpenVPN Linux Gateway client to document them all. Instead, we have therefore tried to provide the means to diagnose the connection yourself.

We have a troubleshooting guide that will help in determining the point where traffic breaks down. That will then lead to conclusions to effectively resolve the problem.