Topic: Star VPN setup
Star VPN setup
« on: June 03, 2011, 11:15:05 »
Jimmyuk
Posts: 4
Hi,
I would like to ask if monowall supports star VPN setup? We need a central hub and then branches connecting to it. Does monowall let branch to branch traffic flow? Can anyone recommend a configuration example?
Thanks
Jimmy
Re: Star VPN setup
« Reply #1 on: June 03, 2011, 16:07:27 »
Јаневски
Posts: 153
Hello Jimmy,
Sure, you could just configure PPTP VPN on the VPNrouter [configure VPN subnet and traffic rules too] and connect every branch to a centralized one - the centralized router using its public IP.
                                 [VPNClient]
                                      |
                              [internet cloud]
                                      |
[VPNClient] - [internet cloud] - [VPNrouter] - [internet cloud] - [VPNClient]
                                      |
                              [internet cloud]
                                      |
                                 [VPNClient]
http://janevski.net
Re: Star VPN setup
« Reply #2 on: June 03, 2011, 16:51:04 »
Jimmyuk
Posts: 4
Hi,
Thanks for the reply, I've only ever used IPsec before so I'm a little lost in PPTP.
Each office has its own subnet, can you still use the PPTP in this situation? Each office has its own static public IP.
Main Office (hub) : 192.168.20.0
Office1: 192.168.1.0
Office2: 192.168.3.0
Office3: 192.168.5.0
thanks,
Jimmy
Re: Star VPN setup
« Reply #3 on: June 06, 2011, 10:27:38 »
markb
Posts: 331
PPTP won't work well on site to site. I don't think that Monowall has a PPTP client except for some ISP connections. IPSEC is the way to go for site to site. The problem with your setup will be the routing table. The IPSEC VPN I believe creates its own routing table which to my knowledge you can't edit, so you have to be specific about the subnets that will be routed when you create the tunnel.
One way you could try, and I have no guarantee that this will work: when creating the tunnels, at the remote ends, put the remote subnet as 192.168.0.0/19. This covers the address range 192.168.0.0-192.168.31.255. It will ignore it for the local subnet, but then send all other packets for the other sites to the hub. On your hub router, you will have 3 IPSEC tunnels; for each one the remote subnet will be the actual subnet for the remote office.
You will also have to create rules to allow traffic. Personally, I would just put any to any to start with then look at any restrictions when it is working.
Read the monowall documentation for advice on how to set up the tunnel.
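The selector layout suggested in the reply above, as an added example that is not part of any post in this thread: a simplified Python model of policy-based IPsec selector matching (not m0n0wall code), assuming /24 masks for the four LANs, which the thread does not state. It traces a packet through the star to show what the hub's local subnet has to cover before branch-to-branch traffic is selected into the second tunnel.

```python
from ipaddress import ip_address, ip_network

# Site LANs from the thread; the /24 masks are an assumption (the post gives none).
HUB_LAN = ip_network("192.168.20.0/24")
BRANCH_LANS = {
    "Office1": ip_network("192.168.1.0/24"),
    "Office2": ip_network("192.168.3.0/24"),
    "Office3": ip_network("192.168.5.0/24"),
}
SUPERNET = ip_network("192.168.0.0/19")  # remote subnet suggested for the branch ends


def build_policies(hub_local):
    """Return {router: [(peer, local_net, remote_net), ...]} for the star."""
    policies = {"Hub": []}
    for name, lan in BRANCH_LANS.items():
        policies[name] = [("Hub", lan, SUPERNET)]       # branch end: remote = /19
        policies["Hub"].append((name, hub_local, lan))  # hub end: remote = branch LAN
    return policies


def select_tunnel(policies, router, src, dst):
    """Peer whose (local, remote) selector matches the packet, else None."""
    src, dst = ip_address(src), ip_address(dst)
    for peer, local, remote in policies[router]:
        if src in local and dst in remote:
            return peer
    return None


def trace(policies, src_site, src, dst):
    """Follow a packet hop by hop and return the routers it reaches."""
    lans = dict(BRANCH_LANS, Hub=HUB_LAN)
    path, router = [src_site], src_site
    while ip_address(dst) not in lans[router]:  # local LAN traffic never enters a tunnel
        router = select_tunnel(policies, router, src, dst)
        if router is None or router in path:    # no matching selector, or a loop
            return path + ["DROPPED"]
        path.append(router)
    return path


if __name__ == "__main__":
    for hub_local in (HUB_LAN, SUPERNET):
        route = trace(build_policies(hub_local), "Office2", "192.168.3.10", "192.168.1.10")
        print(f"hub local subnet {hub_local}: {' -> '.join(route)}")
```

In this model a packet from Office2 to Office1 reaches the hub but matches no hub policy while the hub's local subnet is only 192.168.20.0/24; it is forwarded once the hub end uses 192.168.0.0/19 as its local subnet, mirroring the branch ends.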
Re: Star VPN setup
« Reply #4 on: June 07, 2011, 09:57:14 »
Jimmyuk
Posts: 4
Thanks for the idea.
I can't get it to work, I know that Netgear devices can do this in a similar way as you describe. Possibly a good feature for future monowall releases?
Re: Star VPN setup
« Reply #5 on: June 07, 2011, 10:00:23 »
markb
Posts: 331
Have you managed to get any part to work? Theoretically it should, as I mentioned, the difficult part is getting the routing to work.
Re: Star VPN setup
« Reply #6 on: June 13, 2011, 11:08:16 »
Jimmyuk
Posts: 4
I can get the tunnels to work however I can’t seem to set up the routing. Routing is an area of networking I’ve never used so I think I just need to play with it in a test lab.
The main reason I want to do this is that we actually have 5 (soon 6) branches, setting up a mesh VPN is time consuming with 30 connections to manage "n(n-1)" where n is number of locations. If all sites connected to a central high-speed hub (in a datacenter) my idea was it would reduce the amount of tunnels to maintain and manage.
Do you know of any suitable articles regarding routing for someone who's never had to deal with it before?
Re: Star VPN setup
« Reply #7 on: June 25, 2011, 02:05:11 »
notladstyle
Posts: 53
I can verify IPsec will route in star configuration. I have been running a 3 site VPN in a production environment for about 6 months now using 1.32.
Diagram:
http://img836.imageshack.us/img836/1581/routex.png