Multi-branch VPN setup

KickTheBucket

Hi Guys and Gals,

We've got a client who's looking at setting up a few offices over the next couple of years. Each satellite office will need to have secure VPN access to the head office in order to do database uploads. At the end of the project they'll have 4 or 5 satellite offices connecting to the head office. All the branches will be running ADSL.
Is this something easy enough to achieve without needing to find a VPN provider (Telkom and MWEB do it)? I'm assuming so, but need advice on what equipment will be necessary.
I'm having a look at this VPN firewall:
http://www.netgear.com/business/products/security/wireless-VPN-firewalls/FVS318N.aspx#one
Is this the kind of thing I'm looking for?

Help will be greatly appreciated!
 
Hi KickTheBucket,

Depending on the size of your satellite offices you could get away with using a few Mikrotik routers like the 750G and set up L2TP trunks to your head office, assuming you have a static addressing setup on your WAN side.

There are many ways to achieve this, depends on your budget and design complexity involved.
 
The thing with ADSL is that it is asymmetric, contended and a best-efforts service. In a VPN application your throughput is going to be limited by the upload speed (about 300kbps on our 4Mbps ADSL), your available bandwidth at any given time is going to depend on the number of users you are contending with, and if there is a problem with your ADSL line, it will have a lower priority for repair with Telkom than, say, a Diginet. Not good if your office is off the air for 3 weeks because of stolen cables.

On the other hand, you can use the cheaper cost of rolling your own solution to add redundant connections for added bandwidth and failover.

I see that Neotel are advertising 1 Mbps business fibre for R1500 pm, which is a symmetric connection. May have some merit for this type of application on paper. I'd also recommend having the users at the branches work via a remote desktop or virtual desktop at the head office, especially if they are using traditional client/server applications or committing data to a database. Better performance and less risk of data corruption over a relatively slow connection.
 
Thanks for the replies....

Hi KickTheBucket,

Depending on the size of your satellite offices you could get away with using a few Mikrotik routers like the 750G and set up L2TP trunks to your head office, assuming you have a static addressing setup on your WAN side.

There are many ways to achieve this, depends on your budget and design complexity involved.

The satellite offices will be small - probably no more than 4 users per office.
Bear in mind that the only reason why the VPN is needed is to backup a database from the satellites to the head office on a daily basis. I'm not worried so much about the upload speed, as I'm assuming the database won't be terribly big.
Because of the simplicity of the application, they're not looking to spend too much on the setup.
Ultimately we're looking for an automatic/ permanent VPN connection.
 
Thanks for the replies....



The satellite offices will be small - probably no more than 4 users per office.
Bear in mind that the only reason why the VPN is needed is to backup a database from the satellites to the head office on a daily basis. I'm not worried so much about the upload speed, as I'm assuming the database won't be terribly big.
Because of the simplicity of the application, they're not looking to spend too much on the setup.
Ultimately we're looking for an automatic/ permanent VPN connection.

My suggestion would be for you to keep your solution as simple as possible.
If you go the VPN route, get a company that has done these installations for multi-branch setups before.
Many ISPs offer this as a solution where they will manage the VPNs for you at a fraction of the cost of doing it yourself or getting an IT company to do it.

There are some considerations when going for this solution though:

Where will the internet break out for the branches?
Will you be using VOIP to enable cost savings for inter-branch communication?
You will need to have 3G failover routers for mission critical systems.
Will you be dealing with Dynamic DNS or will the branches have fixed IPs?

On the other hand, for the size of the branches.... I would keep it as simple as possible.

If the database is SQL based, look at the following option:
http://sqlbackupandftp.com/

It makes for a simple and clean solution.
Branches work independently, but on a daily basis the database is automatically backed up, compressed and sent to the central HQ. The process is entirely automated and works a charm.

I have implemented various solutions of many different permutations for branch setups to address this exact requirement.

Horses for courses.

PM me if you need any further advice or recommendations.

PS. I do not generate any income from this... I am merely offering advice based on past experience.
 
The satellite offices will be small - probably no more than 4 users per office.
Bear in mind that the only reason why the VPN is needed is to backup a database from the satellites to the head office on a daily basis. I'm not worried so much about the upload speed, as I'm assuming the database won't be terribly big.
Because of the simplicity of the application, they're not looking to spend too much on the setup.
Ultimately we're looking for an automatic/ permanent VPN connection.

If you're dead set on rolling your own VPN, then an OpenVPN based solution can do what you are talking about. You could have an OpenVPN box at each site with site-to-site, or if you have a small number of client machines connecting then you could configure an OpenVPN client on each PC that needs it and connect to a single OpenVPN server at head office. Either way, you can configure the connections to be automatic (the OpenVPN client can run as a Windows service) and you don't need fixed IPs at the branch offices, but IMHO you should use one at the head office (you could use DynDNS or similar, but a fixed IP is one less thing to go wrong). For security, pay particular attention to the role that authentication plays, as this is in some respects more important than encryption.

Zeroshell will work for your server or satellite boxes. Other Linux distros such as ClearOS and Zentyal also have GUIs for configuration as an OpenVPN server and for management of security certificates. You could even implement an OpenVPN based solution without any specialised/dedicated hardware if you were so inclined.

I agree with Aquadyne's suggestion ref an FTP based solution. If your problem is file transfer, you may not need a VPN at all and a secure, automated FTP solution could be a good way to go.
 
VPN is not great with ADSL, especially because it's not a symmetrical connection.
i.e.
Having VPN is just an extra point of failure, and you need it to be always connected; if it disconnects there is no way for FTP to recover.

FTP only needs the connection when it copies.
I would just set up either an FTP or an Rsync server if it's for database backup purposes, using Deltacopy.
 
VPN is not great with ADSL, especially because it's not a symmetrical connection.
i.e.
Having VPN is just an extra point of failure, and you need it to be always connected; if it disconnects there is no way for FTP to recover.

FTP only needs the connection when it copies.
I would just set up either an FTP or an Rsync server if it's for database backup purposes, using Deltacopy.

This is looking like a viable option. Thanks for the suggestion!
 
Ok, scratch that idea.... they don't need it for backups, they need to consolidate the databases with head office once a day.... back to the VPN idea.

Hi KickTheBucket,

Depending on the size of your satellite offices you could get away with using a few Mikrotik routers like the 750G and set up L2TP trunks to your head office, assuming you have a static addressing setup on your WAN side.

There are many ways to achieve this, depends on your budget and design complexity involved.

Telasera, please give me a little more info on this option.
With regards to the static addressing, I'm assuming it will only need to be on the head office side. Would a dyndns service not work?
 
Are you able to elaborate on what they're trying to do and what sort of technologies are involved with the software? I'll try to offer something constructive for you.
 
Not too much as I'm not involved with that side of the project.
The software will be custom developed software running an SQL database. All machines will have Windows 7 Pro (i.e. they won't be running Windows Server at any of the sites).
Does that help?
 
Not too much as I'm not involved with that side of the project.
The software will be custom developed software running an SQL database. All machines will have Windows 7 Pro (i.e. they won't be running Windows Server at any of the sites).
Does that help?

Ok, now my advice has changed...

You don't seem to be the person that is tasked with resolving this issue, but more a person that is involving himself.

Sincerely you need to hand this over to someone who knows what they are doing and is a professional.

Too often small businesses use people that portray themselves as knowledgeable and then fluff the project.

It seems like an important and critical part of the business and its expansion - step back gracefully and by all means learn from the project - but allow the client to have a positive experience.

Do the right thing.
 
I was trying to work out why someone might want to build an application where the databases were distributed to remote sites and consolidated in this way, especially compared to hosting the database(s) at head office and remote users working via a web based application or terminal server as appropriate. Even if you had to consolidate a number of databases (say for separation of concerns), doing so over a LAN would be much faster and more reliable than over a VPN connection. I also feel that generally terminal services or a web based interface are best suited to slower connections.

One of the other pitfalls for you here is whether or not a VPN (whether you do it yourself or engage someone to do it for you) is up to the task required of it. If you deliver them a solution that doesn't meet their expectations in some way then that could damage your credibility, even if it wasn't necessarily your fault.

Whether you have to provide them with an actual solution or provide advice, perhaps it would be a good idea to pin them or the developers down to the specific requirements in terms of bandwidth and volume of data to be transferred. I would be especially interested to hear whether the developer can give you a useful, definitive answer or some vague answer.
 
I suppose that if you have the time and inclination to experiment a little, it doesn't cost you a lot to test a basic solution:

OpenVPN or Mikrotik router (NB I haven't used Mikrotik myself yet so I'm just going on the wiki and general knowledge here) at the head office
DynDNS on the head office ADSL (I still think a static IP is better for a production setup, but by all means test DynDNS)
You only need DynDNS/static IP for the head office
Just set up VPN clients on test PCs and connect to the head office via any ADSL or other internet connection.
The Mikrotik RouterOS supports OpenVPN and L2TP/IPsec so you can test both and compare for performance
Depending on your time and budget, you can set up a second router/VPN server to test a site-to-site setup

If the tests are favourable, you're aware of the general potential shortcomings of ADSL VPN, so still take those into account before committing to a production setup. If the test setup does not work so well, you have added weight to the argument that your client should invest a bit more in a more appropriate solution.
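A minimal OpenVPN layout of the kind described in the earlier OpenVPN reply and in the test plan above, as an added example that is not from this thread or from the OpenVPN project: one server at the head office (assumed reachable at the placeholder name hq.example.com on a fixed IP) and one branch router acting as a client, with certificate-based authentication plus a tls-auth key doing the authentication work that reply stresses. The branch needs no fixed IP; subnets, file names and the branch name are assumptions.

```conf
# ---- head office: server.conf (assumed paths; CA/certs/ta.key generated with easy-rsa) ----
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/hq.crt
key  /etc/openvpn/hq.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0      # HMAC on the control channel: unsigned packets are dropped
server 10.8.0.0 255.255.255.0       # tunnel addresses handed to branches (assumed range)
topology subnet
push "route 192.168.10.0 255.255.255.0"   # head office LAN (assumed), sent to every branch
remote-cert-tls client              # only accept certificates our CA issued as client certs
cipher AES-256-GCM
tls-version-min 1.2
keepalive 10 60                     # ping every 10s, restart after 60s silence (auto-recovery)
persist-key
persist-tun
client-config-dir /etc/openvpn/ccd  # per-branch files, keyed by the certificate CN
route 192.168.11.0 255.255.255.0    # branch 1 LAN (assumed), routed through the tunnel
verb 3

# ---- head office: /etc/openvpn/ccd/branch1 (file named after the branch certificate CN) ----
iroute 192.168.11.0 255.255.255.0   # tells OpenVPN which connected client owns this LAN
ifconfig-push 10.8.0.11 255.255.255.0

# ---- branch 1: branch1.ovpn (runs as a Windows service or a Linux openvpn@branch1 unit) ----
client
dev tun
proto udp
remote hq.example.com 1194          # placeholder: head office fixed IP or DNS name
resolv-retry infinite               # keep retrying if DNS or the ADSL line is down at boot
nobind
ca   ca.crt
cert branch1.crt
key  branch1.key
tls-auth ta.key 1
remote-cert-tls server              # refuse anything not presenting a server certificate
cipher AES-256-GCM
tls-version-min 1.2
persist-key
persist-tun
verb 3
```

For the "client on each PC" variant, drop the ccd file and the server-side `route` line and give each PC its own certificate; revoking one certificate at the CA then cuts off exactly that machine.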
 
Similar?

Mondi set up what sounds like a similar sort of project for their distributed GeoDatabase ( Satellite offices )
( ORACLE SQL with spatial enhancements )

Some parts of the project are articled via one of the ESRI online documents.

Might be worth having a look at what they did?
 