Hi, my computer networking knowledge is limited so please correct me when I start saying gibberish.
Having said that, here’s the problem I gotta solve:
My company needs to run certain software in different physical locations. Software instances need to be on the same network to work properly. From my understanding a Site-to-Site VPN would be the go to solution if we had money to upgrade our infrastructure.
Here’s a guess of what I should try instead and what I think might happen:
Rent a VPS which will serve as a VPN remote access server.
As this is in a corp env, I would go for a hardware S2S VPN. It can be a known vendor, e.g. Palo, Cisco, Fortigate etc., or use pfSense. Or if this is too hard I would get some professional services or an MSP to come and do it for you.
Just use site to site. There’s a thing called IPsec with NAT, that allows all your connected sites to have the same IP range and it deconflicts all of it and fixes the routing so only traffic to your network goes to your network.
That being said, a hardware S2S setup, in terms of deployment and reliability, would be better. The devices we would use for this project are sub-$300. The advantage here is that the setup is simplified and you don’t need to rely much on local IT for each site, or on whether the existing network there is capable of IPsec NAT or not.
And with both of those, you should be able to easily avoid cloud hosting as well and those costs.
Sorry, ended up having quite a hectic day today so just a quick update - tested it very briefly but it seems to work with Tailscale! Thanks for the suggestions, I’ll do further testing tomorrow.
Normal topology would probably be Site A and Site B just connect together via a VPN product, and each site has routing rules to send traffic to each other’s subnets over the VPN connection (only).
Clients are then configured to connect to one of the sites, and route both site A and site B subnets over that link (only).
Note that you really want both site A and site B to have subnet ranges clients won’t generally be on when connecting to the VPN.
You obviously can have both sites and all clients connect to a vps and have that control routing too as per your idea, but it’s not necessary. There is an argument it might be more secure, as with the clients connecting to that host it acts as a bastion of sorts.
I don’t think it really takes an infrastructure upgrade, unless you’re using residential equipment.
But this is r/homenetworking, so maybe you are.
Any relatively decent light commercial or “prosumer” equipment should be able to handle it. Like a couple OPNsense boxes would have no issues.
But if you’re on such a small scale you’re not using good enough equipment, you probably don’t (or shouldn’t) have more than one or two machines. Just VPN straight to the other site for those machines.
If you really need client and server to be on the same network, you need to tunnel your L2 through the VPN including discovery protocols. This is not the standard! You have to find out exactly what your application requires!
Side question: You need a star topology finally, right? I mean n spokes communicate to the hub (where the server of your application lives) and not across spokes?
Do you really need VPN or would the traffic be proxy-able?
WireGuard, Tailscale, IPsec, and OpenVPN can do exactly what you want on both sides.
My personal recommendation is WireGuard S2S on two pfSense firewalls.
There are some easy to follow guides out there to get it up and running, and pfSense can run on any Intel or AMD based computer (or just get two Netgate 1100s).
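To make the routing point from the Site A / Site B topology post above concrete for the WireGuard S2S recommendation here, this is an added example (not from any poster, pfSense or the WireGuard project) that generates both sites' WireGuard configs. Each site's AllowedIPs is limited to the peer's LAN and tunnel address, so only traffic for the other site enters the tunnel, and the generator refuses overlapping LAN ranges; this gives L3 routing between the sites, not one broadcast domain. The subnets, endpoints and key placeholders are constructed; real keys come from `wg genkey` / `wg pubkey`.

```python
import ipaddress
from itertools import combinations

# Constructed example sites. Keys are placeholders; generate real ones with
# `wg genkey` (private) and `wg pubkey` (public). Endpoints are dummy hostnames.
SITES = {
    "A": {"lan": "10.10.0.0/24", "tunnel_ip": "10.99.0.1/24",
          "endpoint": "site-a.example.invalid:51820", "pubkey": "<SITE_A_PUBLIC_KEY>"},
    "B": {"lan": "10.20.0.0/24", "tunnel_ip": "10.99.0.2/24",
          "endpoint": "site-b.example.invalid:51820", "pubkey": "<SITE_B_PUBLIC_KEY>"},
}


def check_no_overlap(sites):
    """Return the (site, site) pairs whose LAN ranges overlap; empty means OK.
    Overlapping LANs cannot be routed to each other without NAT tricks."""
    nets = {name: ipaddress.ip_network(s["lan"]) for name, s in sites.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def allowed_ips(local, sites):
    """For each remote peer, route only its tunnel address and its LAN through
    the tunnel (never 0.0.0.0/0), so unrelated traffic stays on the local WAN."""
    return {
        name: [f"{ipaddress.ip_interface(s['tunnel_ip']).ip}/32", s["lan"]]
        for name, s in sites.items() if name != local
    }


def render_config(local, sites):
    """Build the wg-quick style config for one site; wg-quick installs a route
    for every AllowedIPs entry, so no separate static routes are needed."""
    conflicts = check_no_overlap(sites)
    if conflicts:
        raise ValueError(f"overlapping LAN ranges: {conflicts}")
    me = sites[local]
    lines = ["[Interface]", f"Address = {me['tunnel_ip']}",
             f"ListenPort = {me['endpoint'].rsplit(':', 1)[1]}",
             f"PrivateKey = <SITE_{local}_PRIVATE_KEY>", ""]
    for name, ips in allowed_ips(local, sites).items():
        peer = sites[name]
        lines += ["[Peer]", f"# site {name}", f"PublicKey = {peer['pubkey']}",
                  f"Endpoint = {peer['endpoint']}", f"AllowedIPs = {', '.join(ips)}",
                  "PersistentKeepalive = 25", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for site in SITES:
        print(f"# ---- wg0.conf for site {site} ----\n{render_config(site, SITES)}")
```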
Is this certain software database-based? If so you usually do not want to run those over a VPN because of the way the data compression works. You generally want to run those in a terminal server over a VPN.
This is why you should go with an MSP or IT pro as they will be able to guide you.
There’s not going to be a whole lot of data exchange between instances so I’m hoping a cheap VPS will do.
Is it going to be easy to support?
Probably not at first but we’ve got no choice.
Is there another software your company could use that doesn’t depend on the limitations of your network?
We’re very limited by my country’s local law. Long story short, soft needs to be able to operate a government approved receipt printer. There are other solutions but they’re way beyond our budget.
So far all the articles and videos I came across mentioned a router with certain capabilities as the “VPN product”, can this be done with software alone?