How to Connect Multiple Remote Networks to One Main Network Through VPN


In a project I'm working on I need to connect several small networks to one main network, providing full visibility between hosts. In a few words, I need to set up bridging from several remote networks to one main network.

In detail, I have the following setup:

  • Many 3G industrial routers which are connected to 2 or 3 ethernet devices directly (the router has several LAN ports). Those are all private networks which can be configured as needed.
  • One office with a VPN server which must be able to see all the devices inside every router network.

For example, let's say we have a device 'H' connected to a 3G router 'R'. The router must connect to the office through a VPN. From the office I must be able to see H, both to retrieve data and to configure it. H must be able to see at least one device inside the office network to send some watchdog and some monitoring data.

Main office network is 192.168.168.0/24.
I have complete control over how H and R should be configured and over which network mask to use. I can use port forwarding on R to forward only the needed ports to devices, if needed.

My idea was to make several different subnetworks (i.e. 192.168.1.0, 192.168.2.0, etc…), one for each remote router, and use a VPN server to make those networks visible from the office. My questions are:

  1. Is this network layout a good approach or is there a better way to achieve my requirements?
  2. Can I build this network with a PPTP VPN? If not, which other type of VPN should be used?

ADDITIONAL INFORMATION:

I've arranged the following scheme to better represent my actual logical setup:

[Image: Network Scheme]

My goal is to have visibility from 192.168.168.180 to 192.168.2.10 and vice versa.

Since network engineering is not my job and I'm certainly not an expert on this subject, I may have forgotten some important detail, or maybe a VPN is not what I need at all. Please let me know if that's the case.

Best Answer

I do something almost exactly like this for a telemetry network. The data is collected in various ways such as syslog, SNMP and some nasty proprietary protocols over UDP, and Modbus/TCP; there is also SSH and HTTP for management.

  • The site routers ("R") are tunnel clients into central
  • Some are ADSL, some ethernet, some 3G
  • We put central at AWS for address stability, so HQ is therefore "just another site"
  • But of course could put centre at HQ if you wanted
  • If you need encryption, as said by others, use IPSec
  • If you don't, consider L2TP instead of PPTP

My understanding is that PPTP does do encryption (contrary to the other answer), but it's not good. It's also poor at routes. Ref. I also believe it's the only thing which still shamefully uses classful addressing.

For the addressing scheme, we have something basically like this:

Site N has a router RN with NAT

  • LAN: 192.168.N.1
  • WAN: whatever ISP gives you
  • Tunnel: 10.10.10.N

Routes are done statically at the sites, and by a 20-line shell script in /etc/ppp/ip-up.d on the hub machine. If the centre was a router, I'd do it with a pile of static routes.

  • sites are nice and simple: 192.168.0.0/16 -> Tunnel
  • centre are all: 192.168.N.0/24 -> 10.10.10.N

A nice trick for scalability is to set up DNS for each site, so that hq-N.vpn.example.com gives the appropriate external address for that site to connect to. Then you can reconfigure/balance the hub with the DNS and not reconfiguration of the routers.

You often can't do what you want with port redirection because very frequently you can't get packets to the outside of your router without special "fixed IP address SIM cards". I designed our network so that we are extremely unfussy about how our sites connect, as often it is out of our control.

We set a lowest-common-denominator MTU on the site router interfaces: our goal is commonality and simplicity of maintenance, not performance.

Hope that's helpful.
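The answer above mentions a short shell script in /etc/ppp/ip-up.d on the hub that installs the 192.168.N.0/24 -> 10.10.10.N routes. The following is an added illustration of that idea, written for this page and not the answerer's script. It assumes (as in the answer's scheme) that each site's tunnel address is 10.10.10.N and its LAN is 192.168.N.0/24, that the office LAN is 192.168.168.0/24 as in the question, and that pppd invokes the hook with the usual ip-up arguments (interface, tty, speed, local IP, remote IP, ipparam). It derives the route from the peer's tunnel address and refuses anything outside the plan, so a misconfigured site, or one that turns up with N=168, cannot have the hub route the office's own subnet into a tunnel.

```sh
#!/bin/sh
# Added example hub-side /etc/ppp/ip-up.d hook (not the original answer's code).
# Assumed pppd argument order: <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# Assumed addressing plan: site N has LAN 192.168.N.0/24 and tunnel address 10.10.10.N.

OFFICE_LAN_N=168   # 192.168.168.0/24 is the office LAN, so N=168 is never a site

# Print "192.168.N.0/24 via 10.10.10.N dev <iface>" for a valid site peer,
# or return non-zero when the peer address does not fit the plan
# (wrong tunnel prefix, non-numeric or out-of-range N, or N clashing with HQ).
route_for_peer() {
    peer="$1"; iface="$2"
    case "$peer" in
        10.10.10.*) n="${peer#10.10.10.}" ;;
        *) return 1 ;;
    esac
    case "$n" in
        ''|*[!0-9]*) return 1 ;;          # last octet must be a plain integer
    esac
    [ "$n" -ge 1 ] && [ "$n" -le 254 ] || return 1
    [ "$n" -ne "$OFFICE_LAN_N" ] || return 1
    printf '192.168.%s.0/24 via %s dev %s\n' "$n" "$peer" "$iface"
}

# Build the full `ip route` command as a string so it can be logged before use.
ip_route_cmd() {
    spec=$(route_for_peer "$1" "$2") || return 1
    printf 'ip route replace %s\n' "$spec"
}

# Hook entry point: act only when pppd has supplied its arguments.
if [ "$#" -ge 5 ]; then
    cmd=$(ip_route_cmd "$5" "$1") || {
        logger -t vpn-hub "refusing route for peer $5 on $1: outside addressing plan"
        exit 0   # do not make pppd tear down the link over a routing policy decision
    }
    logger -t vpn-hub "$cmd"
    $cmd
fi
```

Run stand-alone with no arguments the script does nothing, which is what allows it to be inspected safely; installed under /etc/ppp/ip-up.d it is invoked by pppd each time a site's tunnel comes up, and `ip route replace` keeps the hook idempotent across reconnects.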
