
Site-to-site VPN

Any networking guys wanna fill me in on the complexity of creating a site to site VPN network?

I have google fiber and want to run a tunnel straight to another google fiber house. Why? File and service sharing. I've set up OpenVPN for personal use but not sure on the amount of work for what I would like to accomplish.

Is there a certain level of hardware I should be aiming for to get the most speed? I see a lot of directions for cisco ASA's but wasn't sure if a simple pfsense box would do it? Also, each house would need a different set of IP address handed out right?

The google fiber box itself is shit for any advanced settings and since I have the TV service too, there really isn't a solid replacement for it.
>>
pfsense box on both ends is good enough

> each house would need a different set of IP address handed out right?
yup.

3 subnets will be used in this setup
> VPN
> house1
> house2
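
An added example, not part of the thread or any poster's code: a Python check of the three-subnet plan described above, flagging overlapping ranges and listing the remote LAN each house must route into the tunnel. The site names and address ranges are constructed placeholders.

```python
import ipaddress


def check_plan(plan):
    """Return sorted (name_a, name_b) pairs whose subnets overlap.

    ip_network() is strict: an entry with host bits set, such as
    192.168.1.1/24, raises ValueError instead of being silently masked.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def tunnel_routes(plan, vpn="vpn"):
    """For each site, list the remote LANs it must route via the tunnel."""
    sites = {n: ipaddress.ip_network(c) for n, c in plan.items() if n != vpn}
    return {site: [str(net) for other, net in sorted(sites.items())
                   if other != site]
            for site in sites}


def validate(plan):
    """Reject a plan with any overlap, otherwise return the routes needed."""
    conflicts = check_plan(plan)
    if conflicts:
        raise ValueError(f"overlapping subnets: {conflicts}")
    return tunnel_routes(plan)


# Constructed sample plans (assumed addresses, not taken from the thread).
# BROKEN: both houses left on the same LAN range, so neither router can
# tell local hosts from remote ones.
BROKEN = {"house1": "192.168.1.0/24", "house2": "192.168.1.0/24",
          "vpn": "10.8.0.0/30"}
# SUPERNET: house1 uses a /16 that swallows house2's /24.
SUPERNET = {"house1": "192.168.0.0/16", "house2": "192.168.20.0/24",
            "vpn": "10.8.0.0/30"}
# FIXED: three disjoint subnets (VPN, house1, house2).
FIXED = {"house1": "192.168.10.0/24", "house2": "192.168.20.0/24",
         "vpn": "10.8.0.0/30"}

if __name__ == "__main__":
    print("broken:", check_plan(BROKEN))
    print("supernet:", check_plan(SUPERNET))
    print("fixed routes:", validate(FIXED))
```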
>>
>>58757389
I'm kind of stupid, but why can't you just SSH into whatever box you want?
>>
>>58757458
Cool. Thanks for the info!
>>
>>58757490
One example would be the IP camera DVR software is Windows only. The overall reason is mostly for fun and seeing if it can be done, how it performs, etc.
>>
>>58757389
you know the saying, 'if you have to ask'?
>>
Buy a couple of Netgear WNR3700/3800s. Install OpenWrt and set up OpenVPN with a shared sekret key. You can get them working while they are plugged together. Makes testing easier. The 3700/3800 has a fast CPU and plenty of flash so opkg overlay works, making software installs easier.
>>
>>58757490
SSH is TCP
VPN is UDP

Just one reason
>>
>>58757810
>VPN is UDP
There is no "VPN" protocol.
Also, why wouldn't you want TCP in this case?
>>
>>58757826
UDP has theoretical benefit in throughput there is no wait for acknowledgement

Regardless I use TCP for my OpenVPN setup because the connection will stay alive without having to constantly send packets that after a while of silence UDP seems to fail... If they were both on all the time UDP would be better
>>
>>58757826
TCP in UDP > TCP in TCP
>>
>>58757534
can you not ssh over windows?
>>
>>58757851
>UDP has theoretical benefit in throughput there is no wait for acknowledgement
And no guarantees about packet loss/reordering.
>>
Don't use SSL ya dunce, use IPsec!

OpenBSD has it out of the box, Linux has Openswan.
>>
>>58757876
>And no guarantees about packet loss/reordering.
That's TCP's responsibility.

For example ethernet makes no guarantees, the responsibility is with protocol higher up the stack.
>>
>>58757908
>That's TCP's responsibility.
I know. The other anon was implying that UDP was "better" than TCP.
>>
>>58757933
Looks like I misread >>58757876
>>
>>58757854
TCP through TCP isn't that bad if the traffic is light enough like browsing. I have yet to encounter a time when I felt like it was too slow. But I'm not using OpenVPN to connect two always alive devices that can handle reliably sending and receiving packets like the OP would have and UDP would benefit. Cell phones and UDP are not friends.
>>
>>58757898
Agree not to use OpenVPN (more than just security...), but if you're going IPsec, use libreswan, not openswan.

Also not sure about the level of performance available to the typical cheap dedicated computer and gigabit NIC, but there's also softether, which is stated to perform in the hundreds of megabits and allows you to bridge the networks at layer 2 as well as layer 3. I'd advise adding it to the comparison.

>softether.org
>project of a genius programmer-professor in japan
>gpl3 license
>>
>>58759889
No, openswan is much better you fucking idiot.
>>
>>58759994
>https://nohats.ca
Please present a real argument.
>>
>>58757389

Whatever you do - I would have a dedicated device such as a pfsense box, router, UTM, etc handle the VPN connections for you.

I used a couple of Watchguard T10's for awhile with their "branch office" vpns with ipsec.
>>
>>58760083
You disagreed with me first so present your argument fuck head or get the fuck out
>>
>>58760177
>https://nohats.ca/wordpress/libreswan/
>libreswan commits
https://github.com/libreswan/libreswan/graphs/contributors
>openswan commits
https://github.com/xelerance/Openswan/graphs/contributors
>>
>>58760258
Three links does not constitute an argument jesus christ you are so fucking stupid just stop posting
>>
>>58760323
>can't open the first link to see the comparison between commits in 2014, as presented by a leading contributor to openswan before he forked it to libreswan
>can't extend this out to the idea that one project has more activity and is therefore under heavier development than the other
>litters responses with expletives and ad hominem

:^)
>>
>>58760323
Here's the next year of development from Red Hat on libreswan in a nutshell, in case you're interested:
http://events.linuxfoundation.org/sites/events/files/slides/LinuxSecuritySummit-2016-OE-16x9.pdf

>Puppet / ansible does not scale for mesh encryption
What did he mean by this?
>>
>>58760568
>>58760788
I said stop posting, whichever you are. You missed your chance
>>
>>58757389
IPSec
If you don't know what to do even after you google the term in this post, you're not cut out for the task
>>
>>58761295
Please be aware that it is IPsec, not IPSEC, IpSec, IPSec, etc.
>>
>>58761401
ipSeC is ass. Stick to OpenVPN.