
Unification of networks. Connecting two remote offices and any number of remote employees into a single local network via VPN using OpenVPN on Debian, Ubuntu and other Linux distributions. How to connect an office network to a remote server

Although the topic has been covered many times, plenty of people still run into difficulties with it, whether a beginner system administrator or an advanced user whose boss has pressed them into helpdesk duty. Paradoxically, despite the abundance of material on VPN, finding a clear walkthrough is a real problem. One even gets the impression that a single person wrote it and everyone else copied the text. As a result, search results are littered with unnecessary information from which the useful part can rarely be isolated. So I decided to spell out all the details in my own way (maybe it will come in handy for someone).

So what is a VPN? VPN (Virtual Private Network) is a generic name for technologies that provide one or more network connections (a logical network) on top of another network, including the Internet. Depending on the protocols used and the purpose, a VPN can provide three types of connection: host-to-host, host-to-network and network-to-network. No further comment needed.

Stereotypical VPN scheme

A VPN makes it easy to combine a remote host with the local network of a company or another host, as well as combine networks into one. The benefit is quite obvious - we easily get access to the enterprise network from the VPN client. In addition, a VPN also protects your data through encryption.

I do not claim to describe all the principles of how a VPN works, since there is plenty of specialized literature, and to be honest I don't know a lot of it myself. However, if you have been handed a "just do it!" task, you need to get into the topic urgently.

Let's consider a task from my own practice, when I needed to combine two offices via VPN: the head office and a branch. The situation was complicated by a video server in the head office that had to receive video from an IP camera in the branch. That is the task in a nutshell.

There are many ways to solve it, depending on what you have on hand. In general, a VPN is easy to build with a hardware solution based on one of the Zyxel routers. Ideally both offices are served by the same provider, in which case you will have no problems at all (just ask the provider). If the firm is rich, it can afford Cisco. But usually everything is solved in software.

And here the choice is wide: OpenVPN, WinRoute (note that it is paid), the operating system's own tools, and programs like Hamachi (to be honest, it can help out in rare cases, but I don't recommend relying on it: the free version is limited to 5 hosts, and another significant drawback is that your whole connection depends on the Hamachi host, which is not always good). In my case the ideal choice would be OpenVPN, a free program that can easily create a reliable VPN connection. But we, as always, will take the path of least resistance.

In my branch, the Internet is shared out by a gateway running a client edition of Windows. Agreed, not the best decision, but enough for three client computers. I need to turn this gateway into a VPN server. Since you are reading this article, you are probably new to VPN. So I give the simplest example, which in principle suits me.

Windows of the NT family already have rudimentary server capabilities built in, so setting up a VPN server on one of the machines is not difficult. For the server I will show screenshots of Windows 7, but the general principles are the same for the old XP.

Please note that in order to connect two networks, they must have different address ranges! For example, the head office can use 192.168.0.x and the branch 192.168.20.x (or any other private range). This is very important, so be careful. Now you can start setting up.
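As an added example (not from the original article), here is a small POSIX shell check that the two office ranges, written in CIDR form, really are distinct before you link them; the 192.168.0.x and 192.168.20.x ranges are the article's, written here as /24 blocks, and any other CIDR values are assumed inputs.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the two office
# ranges are distinct before linking them with a VPN. Uses the article's
# example ranges (192.168.0.x head office, 192.168.20.x branch) as /24 blocks;
# any other CIDR values are assumed inputs.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Print "<network-as-integer> <block-size>" for a CIDR such as 192.168.0.0/24.
cidr_net() {
    addr=${1%/*}
    bits=${1#*/}
    size=$(( 1 << (32 - bits) ))
    net=$(( $(ip2int "$addr") / size * size ))   # zero the host bits
    echo "$net $size"
}

# Exit status 0 when the two CIDR blocks share at least one address, 1 otherwise.
cidr_overlap() {
    set -- $(cidr_net "$1") $(cidr_net "$2")
    n1=$1; s1=$2; n2=$3; s2=$4
    [ "$n1" -lt $(( n2 + s2 )) ] && [ "$n2" -lt $(( n1 + s1 )) ]
}

# Demo with the article's two ranges (constructed CIDRs).
head_office=192.168.0.0/24
branch=192.168.20.0/24
if cidr_overlap "$head_office" "$branch"; then
    echo "$head_office and $branch overlap: re-address one office first"
else
    echo "$head_office and $branch are distinct: safe to link over VPN"
fi
```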

On the VPN server, go to Control Panel -> Network and Sharing Center -> change adapter settings.

Now press the Alt key to bring up the menu. There, in the File item, select "New incoming connection".

Check the boxes for users who can log in via VPN. I highly recommend Adding a new user, giving it a friendly name, and assigning a password.

After you have done this, you need to select in the next window how users will connect. Check the box "Via Internet". Now all you have to do is assign a virtual network address range. Moreover, you can choose how many computers can participate in the data exchange. In the next window, select the TCP / IP version 4 protocol, click "Properties":

You will see what I have in the screenshot. If you want the client to access the local network where the server is located, simply check the "Allow callers to access the local network" checkbox. Under "Assignment of IP addresses", I recommend specifying the addresses manually according to the principle described above. In my example I gave the range only twenty-five addresses, although I could have given just two, or 255.

After that, click on the "Allow Access" button.

The system will automatically create a VPN server that will sit waiting for someone to connect to it.

Now the only thing left is to configure the VPN client. On the client machine, also go to the Network and Sharing Center and select "Set up a new connection or network". Then select "Connect to a workplace".

Click "Use my Internet connection", and you will be taken to a window where you need to enter the address of our Internet gateway in the branch. For me it looks like 95.2.x.x

Now you can name the connection, enter the username and password you created on the server, and try to connect. If everything is correct, you will be connected. In my case I can already ping any computer in the branch and query the camera, so hooking it up to the video server is now easy. Your case may differ.

Sometimes error 800 pops up when connecting, indicating that something is wrong with the connection. This is a firewall issue on either the client or the server. I can't tell you specifically; everything is determined experimentally.

That's how unpretentiously we created a VPN between two offices. Gamers can link up in the same way. However, do not forget that this is still not a full-fledged server, and it is better to use more advanced tools, which I will discuss in the following parts.

In particular, in Part 2 we will look at configuring OpenVPN for Windows and Linux.


Combining two or more local networks

Networking tasks:

  1. establish fast, secure and reliable information exchange between several remote offices and branches;
  2. connect mobile employees to the local network while keeping the connection secure;
  3. create a single telephone channel for branches to save on and control costs and simplify call switching;
  4. create a centralized Internet channel and distribute traffic between branches;
  5. bring remote offices under the control of the head office ("center").

If you need to solve these problems, the service from ZSC will allow your company to link all remote branches and employees into a single network.

Consolidation of local networks

When companies need to combine several branches and offices, today it is no longer enough for a contractor to simply set up a centralized local network and improve the exchange of information.

The client needs a complete solution with:

  1. a single telephone channel;
  2. managed Internet traffic;
  3. automated monitoring and remote technical support of branch computers and servers;
  4. free access for remote employees to corporate information.

At the same time, a high degree of security must be ensured for all these information flows.

Today, customers expect local network integration to be delivered turnkey: the contractor must carry out each stage of the work independently, with minimal participation by the customer. As a result, the client gets a centralized branch management system with all the necessary IT components and control and support tools. We are not talking about a simple VPN, but about virtually unifying remote offices to the level of a "physical" network.

At the same time, a project combining two or more local networks must be economical, otherwise its benefits will be outweighed by its cost.

If you need to perform such a combination of branches and remote offices or implement any of its components (single telephone network, balanced Internet traffic), we are open for cooperation. With vast experience and high qualifications in the market digital technologies, we are ready to offer you the most effective and economical option, focused on the specific needs of your business.

Network Aggregation Devices

The specialists of our ZSC company work with equipment from any manufacturer. If you have your own routers, we will configure them to combine local networks of remote offices.

Combining Mikrotik networks

In our practice we use professional equipment from Mikrotik (the more economical and popular solution) and Cisco (the more expensive and more functional solution).

Using Mikrotik equipment as an example, we will look at the technologies for combining local networks. Despite its rather low price compared to competitors, the Mikrotik software platform allows you to set up flexible, secure and functional channels for information exchange. This manufacturer's equipment has proven itself in our numerous projects and in clients' offices. In addition, Mikrotik allows you to seriously save your budget.

Mikrotik routers support up to seven protocols for securely sending information: the data is encrypted into separate packets to which a second IP header is attached. This header contains only the destination and sender IP addresses of the tunnel, so someone intercepting the traffic sees just that and cannot determine the source and recipient computers. Even if packets are captured, decrypting them would take far too long, with no certainty of success. There are also other options for secure transmission of information.

Security protocols:

PPTP (Point-to-Point Tunneling Protocol): used to build private networks over open ones. It offers high performance, a variety of encryption options and support for different software platforms. Note, however, that PPTP's usual MS-CHAPv2 authentication has publicly known weaknesses, and the protocol is now widely regarded as obsolete.

L2TP: unlike PPTP, it has higher fault tolerance and better security. It is used both for building closed networks inside open ones and for access to the corporate network from remote devices, as well as for a variety of connection schemes.

IP2IP: encrypts information into packets and assigns them a separate IP for reliable delivery to the addressee. It is used to build tunnels between routers over the Internet.

PPPoE: works similarly to PPTP, but is a simpler and less resource-intensive solution.

IPSec: one of the most reliable options for building a closed tunnel. In addition, the information is encrypted, and individual keys are needed to read it. This provides a high, two-level degree of protection for data transmission.

VLAN: provides logical high-speed secure tunnels which in terms of security are close to "physical" transmission of information, for example inside the office over cables.

EoIP: provides transparent joining of remote offices and branches on top of the virtual channels created. It allows flexible configuration of Internet traffic and individual security policies, as well as balancing and settings for remote branches. EoIP requires fairly wide bandwidth, since the protocol takes up to 15% of the traffic for control.

The combination of various security protocols allows you to build flexible, secure and reliable information exchange channels and meet specific business needs. If you need maximum security, the IPSec protocol is suitable, and if you need a simpler channel for transmitting encrypted information - PPTP, L2TP or IP2IP. VLANs and EoIP can be a choice for organizing transparent and controlled information logistics between branches and offices.

The price of combining two or more local networks

It is impossible to publish a single price list with fixed prices for connecting two or more local networks that would apply to every project. The final figure depends heavily on the tasks, business needs, scope of work, number of Ethernet sockets, cable footage, and much more.

However, there are several basic indicators that apply to certain types of work:

| Type of work | Units | Price, rub.* |
| --- | --- | --- |
| Cable channel installation | m | 120 |
| UTP cable installation (cat 5e), including group laying | m | 44.48 |
| Corrugated conduit installation, including fastening | m | |
| RJ-45 socket installation | pcs | 200 |
| Cable marking, including marking materials | pcs | |
| Installation of CCTV cameras, Wi-Fi points, etc. | pcs | 1500 |
| Line continuity test | pcs | |
| Structured cabling system design work | sq. m | |
| Installation of network equipment | pcs | 400 |

* Prices as of 16.02.2017 (excluding VAT)

Our specialists and designers are able to create a project to combine two or more local networks of any complexity and scale, for the specific needs of the business, coordinate it with the customer and implement it on a turnkey basis.

Combining computer networks - how we work:

  • we obtain the initial data, settings and security policies in force within your company;
  • we integrate them into the router settings and configure the equipment to your requirements;
  • we send the configured router to the remote branch (office) and connect it;
  • we carry out commissioning;
  • we deliver a turnkey solution: two or more local networks combined into one.

For you - everything is elementary simple! And on our side - vast experience, high qualifications and dozens of implemented projects. And all this allows us to work quickly, efficiently and with serious budget savings without sacrificing quality.

And if you are a client of our comprehensive premium subscription service, this service is provided to you free of charge (only the equipment is paid for)!

Let's take a closer look at the individual components of the complete solution "Combining two or more local networks".

Telephony between remote offices

Task: create a unified telephone network with "short" extension numbers in remote branches, ensure savings on calls and control over the use of telephone lines, connect mobile workers to the telephone network, and introduce a single number.

Once we have joined the central and remote offices into a common Ethernet network, we have formed a single information space. Any data can be transferred inside it: files, video, voice and other information. The largest segment of information transmitted within a company is server data; voice and video content come second.

A single local network allows the equipment to be configured so that employees separated by thousands of kilometers work as if they were in the same office.

Stationary employees

To build a unified telephone network between branches and the "center", you need your own digital office PBX installed in the central office. IP phones are connected in the branches, with IP addresses configured as if it were the network of a single office. The PBX and the remote phone identify each other, after which we assign a "short" number to the remote office. Everything happens as if we had simply added a new employee in the central office.

As a result, your employees work in a single space no matter how far apart they are. When an incoming call reaches the PBX, the exchange "thinks" you are on the same network and forwards the call, and it rings in another city or even country. This gives a high level of protection for the transmission: communication goes through secure encrypted tunnels.

Mobile workers

Mobile employees can also be connected to the company's unified telephone network. To do this, they need phones that support tunneling. An encrypted tunnel is configured on the smartphone; it comes up when the phone connects to a Wi-Fi network and is authorized through the settings provisioned from the central PBX in your office.

As a result, your mobile employee is included in the corporate telephone network, can have a "short" number for quick switching, and can use the favorable rates for making and receiving calls that are configured on your central PBX.

Advantages of a single telephony between branches:

  • flexible configuration of internal call routing;
  • the possibility of using several operators and tariffs;
  • the possibility of using a single telephone number with subsequent forwarding to the numbers of branches;
  • significant savings in telephony costs;
  • centralization and control over incoming and outgoing calls.

Among these and many other advantages of a telephone network between remote branches, two main ones have made this service so popular today: first, the use of multi-channel numbers; and second, savings on telephony costs.

Thanks to multi-channel, calls are comfortably distributed between remote offices. It is enough just to set up a voice menu so that the client can call a single number and connect to a specific region, city, office or division.

Cost savings come from logical routing between several operators connected to the single PBX in the central office. That is, it is enough to configure the exchange at the head office correctly once, connecting several operators to it, to reduce telephony costs for the entire network of branch offices. For example, all calls within Russia go through one IP telephony operator, analog calls in Moscow go through unlimited city lines, and long-distance calls through a third SIP telephony operator. And so on for every separate kind of call: incoming and outgoing; within Russia, within the region, within the city; long-distance and international; from fixed and mobile phones.

In complex configurations our clients have from 2 to 5 telecom operators, which gives the most efficient use of funds. They only need to monitor the correct operation of one central piece of equipment in order to serve dozens of offices and avoid spending tens of thousands of rubles through wasteful use of telephone traffic.

More information about this service can be found in the section "Office PBX". Here you will find out exactly how much a company can save when using a central exchange.

Internet networking

Task: provide stable, uninterrupted Internet access in a remote office or branch.

When a company has a small branch in another city, its effective work depends on a constant and stable Internet connection, and all business processes stop as soon as the connection breaks. It is therefore essential to have backup Internet channels.

Applying modern equipment from MikroTik and Cisco, we are able to ensure that the customer's business processes do not stop and remote branches constantly receive stable Internet.

Balancing Internet channels of remote offices - what is it?

To accomplish this task, we set up the channels of the main and backup ISPs. At the same time, the backup can be either a terrestrial additional channel or a more economical channel of mobile operators (Beeline, MTS, Megafon, Yota, Tele2).

If the main, usually more powerful, channel fails, switching to the backup channel happens automatically. On such a switch the equipment re-authorizes and a tunnel for secure encrypted data transmission is brought up over the backup channel. The equipment must be authorized in advance so that it can balance between the two Internet channels depending on their availability.

For the end user nothing changes: he simply continues to use the Internet, temporarily supplied via the backup channel. Our automated monitoring system receives this data, our specialists see the information and send a request to the main channel's provider to fix the problem.

We urge clients not to skimp on the backup channel, since the cost of using it (up to 1,000 rubles depending on the region) will be significantly lower than the possible business losses from interruptions to a single Internet channel.

There are also more complex schemes for balancing the Internet channels of remote offices. For example, Cisco developed and implemented GRE tunnels. These are ordinary tunnels, but the GRE header is placed "on top" of the standard IP packet. Such tunnels allow domain authorization to be performed within the network.

The option of balancing the Internet channel depends on the specific needs of the customer.

Local networks between remote offices can also serve other purposes, for example video conferencing, a unified security policy, and much more.

For our part, we can unify the client's branch network so that its IT infrastructure runs without failures and its business processes do not stop: we are ready to provide unparalleled fault tolerance for all components.

Many organizations with several branches need to combine the local networks of their offices into a single corporate network. Connecting the networks increases business efficiency and reduces the costs associated with the remoteness of offices. Networking a company's remote offices solves the following tasks:

  • Employees of all offices work in a single database (for example, 1C)
  • Remote employees get access to the company's shared corporate resources via the Internet (remote access to the network)
  • Fast and convenient data exchange between employees of remote offices

The networks are connected over the public Internet, so the security of the connection and the confidentiality of the transmitted information are a pressing issue. VPN (Virtual Private Network) technology is used to connect two networks securely over public communication channels.

Setting up VPN (Virtual Private Networks)

Setting up a VPN (Virtual Private Network) between company offices (connecting the networks) provides encryption of the transmitted data. Depending on the customer's needs and existing IT infrastructure, a VPN can be built on a software or hardware platform. A fairly common approach is to configure the VPN on a software package which, in addition to implementing the VPN, can serve as a firewall and filter network traffic.

Remote access to a computer

Suppose we have two offices in different parts of the city, or in different cities or countries, each connected to the Internet by a reasonably good channel. We need to link them into a single local network. Users will then not notice where a given computer or printer is physically located; they will use printers, shared folders and all the other advantages of a physical network. Remote employees connected via OpenVPN will also be able to work on the network as if their computers were in the physical network of one of the offices.

We will set this up on Debian Squeeze, but the instructions apply fully to any Debian-based distribution and, with minor changes to the bridge and OpenVPN installation and configuration commands, to any Linux or FreeBSD distribution.

Assume that a Debian or Ubuntu distribution is installed using one of the instructions: .

Install and configure a VPN network based on OpenVPN using a bridge tap0

We create a network bridge between the physical interface eth1 and the virtual interface tap0.

Install the necessary programs, confirming the package manager's prompt:

We configure the server network assuming two network cards: eth0 (Internet provider) and eth1 (local network), which will be joined with tap0 in the bridge br0.

Edit the configuration file /etc/network/interfaces. Before the change it looks like this:

```
auto lo
iface lo inet loopback

# internet provider
auto eth0
iface eth0 inet static
    address 192.168.50.2
    netmask 255.255.255.0
    gateway 192.168.50.1

# local network
auto eth1
iface eth1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
```

Replace it with the bridged version:

```
auto lo
iface lo inet loopback

# Define the bridge; it includes the tap0 VPN interface and the eth1 network card
auto br0
iface br0 inet static
    # add the openvpn interface (tap0 is attached later by /etc/openvpn/up.sh)
    bridge_ports eth1 tap0
    address 10.10.10.1
    netmask 255.255.255.0

# Internet
auto eth0
iface eth0 inet static
    address 192.168.50.2
    netmask 255.255.255.0
    gateway 192.168.50.1
```

After that, running ifconfig should show the bridge br0 with IP 10.10.10.1, interface eth0 with IP address 192.168.50.2, and interface eth1 without an IP address, since it is part of the bridge br0.

Set up OpenVPN:
Copy the scripts for configuring our OpenVPN server with the command:

```sh
cp -Rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
```

Make changes to the file /etc/openvpn/easy-rsa/vars to define global variables and type less data when creating keys:

```sh
vi /etc/openvpn/easy-rsa/vars
```

The default values:

```sh
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL=" "
```

Change them to your own:

```sh
export KEY_COUNTRY="UA"
export KEY_PROVINCE="11"
export KEY_CITY="Kiev"
export KEY_ORG="NameFirm"
export KEY_EMAIL=" "
```

Go to the folder with the scripts for creating certificates and keys:

```sh
cd /etc/openvpn/easy-rsa/
```

Initialize the PKI (Public Key Infrastructure):

```sh
. ./vars
./clean-all
```

Attention: ./clean-all deletes all existing certificates and keys of both the server and the clients, so do not run it on a production server, or do it only after backing up the /etc/openvpn/ folder to an archive:

```sh
tar cf - /etc/openvpn/ | gzip -c -9 > /home/openvpn_backup.tgz
```

Generate the Certificate Authority (CA) certificate and key:

```sh
./build-ca
```

Most parameters are taken from the vars file. Only the Name parameter must be entered explicitly:

```
Name :vpn
```

In general, you can fill in all the fields every time as you need.

Generate the Diffie-Hellman parameters:

```sh
./build-dh
```

Generate the certificate and private key for the server. Leave the password prompt empty, and when asked "Sign the certificate?" enter y and press Enter. The script takes the key name as its argument:

```sh
./build-key-server server
```

All parameters are accepted by default. When asked for the Common Name, enter server:

```
Common Name (eg, your name or your server's hostname): server
```

Answer the questions "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?" positively:

```
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
```

It remains to create certificates and keys for the clients. First initialize the parameters again:

```sh
cd /etc/openvpn/easy-rsa/
. ./vars
```

Create keys for the user server1 and for each remote employee; add as many users as you need:

```sh
./build-key server1
./build-key client1
./build-key client2
```

Given that our network is 10.10.10.0/24, we immediately allocate address pools: 10.10.10.40-149 for office 1 computers, 10.10.10.150-254 for office 2, and 10.10.10.21-39 for remote employees.
Create the folder /etc/openvpn/ccd/, where we specify which client gets which IP:

```sh
mkdir -p /etc/openvpn/ccd/
```

Assign each client its own IP on the network:

```sh
echo "ifconfig-push 10.10.10.150 255.255.255.0" > /etc/openvpn/ccd/server1
echo "ifconfig-push 10.10.10.21 255.255.255.0" > /etc/openvpn/ccd/client1
echo "ifconfig-push 10.10.10.22 255.255.255.0" > /etc/openvpn/ccd/client2
```
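Because the address plan above is enforced only by what is written into the ccd files, it is worth checking them before clients connect. The following POSIX shell script is an added example, not part of the original article: it reads every file in a client-config-dir, checks that each pushed address lies in the pool for that client's role and that no address is pushed twice. The role is inferred from the client name prefix ("client" = remote employee, "server" = office 2 server), which is an assumption of this example; the sample directories it builds are constructed, not copied from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: check the per-client
# ifconfig-push addresses in an OpenVPN client-config-dir against the
# address plan above (remote employees 10.10.10.21-39, office 2 server
# 10.10.10.150-254). The role is taken from the client name prefix
# ("client" = remote employee, "server" = office server), which is an
# assumption of this example, not something OpenVPN enforces.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Exit status 0 when $1 lies within the inclusive range $2..$3 (dotted quads).
in_range() {
    a=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$a" -ge "$lo" ] && [ "$a" -le "$hi" ]
}

# Echo "low high" of the pool a client name belongs to; non-zero if unknown.
pool_for() {
    case "$1" in
        client*) echo "10.10.10.21 10.10.10.39" ;;
        server*) echo "10.10.10.150 10.10.10.254" ;;
        *)       return 1 ;;
    esac
}

# Check every file in a ccd directory: each must push an address, the
# address must sit in the pool for its role, and no address may be pushed
# twice. Prints one line per problem; the exit status is the problem count.
check_ccd() {
    dir=$1; errors=0; seen=""
    for f in "$dir"/*; do
        name=$(basename "$f")
        addr=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$f")
        if [ -z "$addr" ]; then
            echo "$name: no ifconfig-push line"; errors=$((errors + 1)); continue
        fi
        if ! range=$(pool_for "$name"); then
            echo "$name: cannot tell role from name"; errors=$((errors + 1)); continue
        fi
        if ! in_range "$addr" $range; then
            echo "$name: $addr is outside pool $range"; errors=$((errors + 1))
        fi
        case " $seen " in
            *" $addr "*) echo "$name: $addr already pushed to another client"
                         errors=$((errors + 1)) ;;
        esac
        seen="$seen $addr"
    done
    return "$errors"
}

# Constructed sample directories standing in for /etc/openvpn/ccd.
make_good_ccd() {
    d=$(mktemp -d)
    echo "ifconfig-push 10.10.10.150 255.255.255.0" > "$d/server1"
    echo "ifconfig-push 10.10.10.21 255.255.255.0"  > "$d/client1"
    echo "ifconfig-push 10.10.10.22 255.255.255.0"  > "$d/client2"
    echo "$d"
}
make_bad_ccd() {
    d=$(mktemp -d)
    echo "ifconfig-push 10.10.10.21 255.255.255.0"  > "$d/client1"
    echo "ifconfig-push 10.10.10.45 255.255.255.0"  > "$d/client3"   # office 1 pool
    echo "ifconfig-push 10.10.10.21 255.255.255.0"  > "$d/client4"   # duplicate
    echo "$d"
}

if check_ccd "$(make_good_ccd)"; then echo "sample plan is consistent"; fi
check_ccd "$(make_bad_ccd)" || echo "sample plan has $? problem(s)"
```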

Create the server config file /etc/openvpn/server.conf:

```
port 1195
proto udp
dev tap0
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key  # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
mode server
tls-server
daemon
ifconfig 10.10.10.1 255.255.255.0
client-config-dir /etc/openvpn/ccd
keepalive 10 20
client-to-client
comp-lzo
persist-key
persist-tun
verb 3
log-append /var/log/openvpn.log
#script-security 2   # uncomment when running OpenVPN version 2.4
up /etc/openvpn/up.sh
```

Edit /etc/default/openvpn and change the line

```
OPTARGS=""
```

to

```
OPTARGS="--script-security 2"
```

Create the script /etc/openvpn/up.sh, which is launched when the OpenVPN server starts:

```sh
#!/bin/sh
# attach the VPN interface and the LAN card to the bridge
brctl addif br0 tap0
brctl addif br0 eth1
# the bridge br0 carries the IP address, so tap0 itself gets none
ifconfig tap0 0.0.0.0
```

Make the script executable:

```sh
chmod +x /etc/openvpn/up.sh
```

After that, restart the OpenVPN server.

Run ifconfig: the interface tap0 should appear without an IP address.

We collect an archive with keys for distribution to remote employees and for sending to office 2.

Create folders named after the users:

```sh
mkdir -p /etc/openvpn/users/server1
mkdir -p /etc/openvpn/users/client1
mkdir -p /etc/openvpn/users/client2
```

Create a folder for the archived keys:

```sh
mkdir -p /etc/openvpn/users_tgz
```

Collect the keys and certificates into the user folders (the keys live in /etc/openvpn/easy-rsa/keys/, where easy-rsa was copied earlier):

```sh
for u in server1 client1 client2; do
    cp /etc/openvpn/easy-rsa/keys/$u.key /etc/openvpn/users/$u/
    cp /etc/openvpn/easy-rsa/keys/$u.crt /etc/openvpn/users/$u/
    cp /etc/openvpn/easy-rsa/keys/ca.crt  /etc/openvpn/users/$u/
done
```

We create configuration files on the basis that server1 is the server of remote office 2, while client1 and client2 are remote employees connecting to the VPN from Windows.

Instead of IP-SERVER-VPN, put the external IP address of the OpenVPN server.

Create the OpenVPN configuration file for server1:

```sh
cat > /etc/openvpn/users/server1/server1.conf <<'EOF'
remote IP-SERVER-VPN 1195
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert server1.crt
key server1.key
comp-lzo
mute 20
verb 3
log-append /var/log/openvpn.log
up /etc/openvpn/up.sh
EOF
```

Archive the keys for server1:

```sh
tar cf - /etc/openvpn/users/server1 | gzip -c -9 > /etc/openvpn/users_tgz/server1.tgz
```

Create the config file for client1:

```sh
cat > /etc/openvpn/users/client1/client1.ovpn <<'EOF'
remote IP-SERVER-VPN 1195
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
mute 20
verb 3
EOF
```

Archive the keys for client1:

```sh
tar cf - /etc/openvpn/users/client1 | gzip -c -9 > /etc/openvpn/users_tgz/client1.tgz
```

Create the config file for client2 (it goes into the client2 folder):

```sh
cat > /etc/openvpn/users/client2/client2.ovpn <<'EOF'
remote IP-SERVER-VPN 1195
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client2.crt
key client2.key
comp-lzo
mute 20
verb 3
EOF
```

Archive the keys for client2:

```sh
tar cf - /etc/openvpn/users/client2 | gzip -c -9 > /etc/openvpn/users_tgz/client2.tgz
```

Setting up VPN server office 2

In the instructions above, we installed and configured the VPN server on Debian GNU/Linux using OpenVPN and created keys and certificates for the remote office 2 server and for the remote employees. Now we need to join office 1 and office 2 into a single local network via VPN.

Suppose that office 2 already has a Linux server (gateway) installed and configured, which shares the Internet connection with the office 2 employees. This server has 2 network cards: eth0 faces the ISP and eth1 faces the local network; eth1 will be included in the bridge, and the local network will use the address pool 10.10.10.100-254.

We need to install the software with the command:

aptitude install bridge-utils openvpn

Setting up the server network

We configure the network on the basis that we have 2 network cards: eth0 receives the Internet from the provider and is the path through which the office reaches the Internet, and eth1 is plugged into the office LAN switch and will be included in the bridge interface br0.

Edit the configuration file /etc/network/interfaces:

vi /etc/network/interfaces

The original file (before the bridge) looks like this:

auto lo
iface lo inet loopback

# internet provider
auto eth0
iface eth0 inet static
    address 192.168.60.2
    netmask 255.255.255.0
    gateway 192.168.60.1

# local network
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0

Replace it with the following, where eth1 gives up its own address and joins the bridge br0 together with the tap0 VPN interface:

auto lo
iface lo inet loopback

# We register the bridge, we include the tap0 VPN interface and the eth1 network card in it
auto br0
iface br0 inet static
    # Add the openvpn interface
    bridge_ports eth1 tap0
    address 10.10.10.150
    netmask 255.255.255.0

# Internet
auto eth0
iface eth0 inet static
    address 192.168.60.2
    netmask 255.255.255.0
    gateway 192.168.60.1

Save the changes and restart the network with the command:

/etc/init.d/networking restart

After that, running ifconfig should show the bridge br0 with IP 10.10.10.150, the interface eth0 with IP address 192.168.60.2, and the interface eth1 without an IP address, since it is part of the bridge br0.

For the office 2 computers, we hand out IP addresses within 10.10.10.150-254, where 10.10.10.150 is the IP address of the office 2 server.

Upload the assembled OpenVPN key archive from the office 1 VPN server to the office 2 server with the command (IP-SERVER-OFFICE2 is a placeholder for the address of the office 2 server, just as IP-SERVER-VPN stands for the VPN server; scp, not ssh, is the tool that copies files over SSH):

scp -P22 /etc/openvpn/users_tgz/server1.tgz root@IP-SERVER-OFFICE2:/root/

Or, if the office 2 server does not have a reachable public IP address (static or dynamic), download the keys from the office 1 VPN server by running this on the office 2 server instead:

scp -P22 root@IP-SERVER-VPN:/etc/openvpn/users_tgz/server1.tgz /root/

When prompted for a password, enter the root password; once it is accepted, the archive with the keys is downloaded to /root/server1.tgz.

Unpack the contents of the archive /root/server1.tgz (only the key and config files, without the directory structure) into the folder /etc/openvpn/.

Let OpenVPN run scripts:

vi /etc/default/openvpn

Find the line

OPTARGS=""

and change it to

OPTARGS="--script-security 2"

Create the script /etc/openvpn/up.sh, which OpenVPN runs when the VPN client connects to the VPN server:

vi /etc/openvpn/up.sh

#!/bin/sh
# add the VPN interface and the LAN card to the bridge
brctl addif br0 tap0
brctl addif br0 eth1
# a bridged port carries no IP address of its own
ifconfig tap0 0.0.0.0

Make the script executable:

chmod +x /etc/openvpn/up.sh

Restart OpenVPN with the command:

/etc/init.d/openvpn restart

When running ifconfig, the tap0 interface should now appear, without an IP address.

Now you can ping the computers of the other office from either office, use its shared folders, printers and other resources, and also arrange game battles of office 1 against office 2 :)

To check the interfaces connected to the bridge, run the command:

brctl show

System response:

bridge name     bridge id               STP enabled     interfaces
br0             7000.003ds4sDsf6        no              eth1
                                                        tap0

We see our local network card eth1 and the OpenVPN virtual interface tap0.
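Eyeballing brctl show works for one bridge, but if the LAN card or tap0 is missing from it the offices silently stop seeing each other, so the check is worth scripting. As an added example (not code from the original article), here is a POSIX shell snippet that parses brctl show output and confirms that a bridge carries exactly the expected ports; it handles the layout quirk that brctl prints the first port on the bridge's own line and every further port on an indented line of its own. The sample output is constructed (the bridge id is a dummy value and the columns are space-separated where brctl uses tabs), and the function names bridge_ports and check_bridge are my own.

```shell
#!/bin/sh
# Added example: parse `brctl show` output and check that a bridge carries
# exactly the interfaces we expect. brctl prints the first port on the bridge's
# own line and each further port on an indented continuation line, so a plain
# grep for "eth1 tap0" on one line does not work. The sample below is
# constructed (real output is tab-separated; any whitespace is fine for awk).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no              eth1
                                                        tap0
br1             8000.000000000000       no'

# bridge_ports OUTPUT BRIDGE: print the bridge's ports, one per line, sorted.
bridge_ports() {
    printf '%s\n' "$1" | awk -v br="$2" '
        NR == 1 { next }                                  # header line
        NF >= 3 { cur = $1; if (NF == 4 && cur == br) print $4; next }
        NF == 1 && cur == br { print $1 }                 # continuation line
    ' | sort
}

# check_bridge OUTPUT BRIDGE PORT...: succeed only if the port set matches exactly.
check_bridge() {
    out=$1; br=$2; shift 2
    want=$(printf '%s\n' "$@" | sort)
    have=$(bridge_ports "$out" "$br")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "bridge $br has [$(echo $have)] but should have [$*]" >&2
    return 1
}

# On the live office 2 server (not run here):
#   check_bridge "$(brctl show)" br0 eth1 tap0 && echo "bridge br0 is correct"
```

Run the live form from cron or a monitoring check and you learn immediately when tap0 has dropped out of the bridge, for instance because OpenVPN was restarted without the up script being allowed to run.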

The task is completed, two remote offices are connected to one local network.
