Site to Site VPN (Openvpn)



  • Could anyone clarify this for me?
    Want to know if I'd need a Public IP Address on both sides when setting up a Site to Site VPN.



  • For a site-to-site vpn you‘ve to set up a server at one site and a client at the other site.
    If the connection goes across the internet, both sites will have a public address, of course. But I guess, that‘s not that what you’re asking for.
    I think, you will know, if you need a static one. A static IP is only necessary at the server side. Alternatively you can also use a dynamic DNS service with a dynamic address.
    The client establishes the connection to that public server address or to the hostname.



  • When you connect to the server, you only need to know it's public address. It helps if it's static or virtually static, as mine is. My host name is static, based on the cable modem and router MACs.



  • @viragomann Sorry if my question wasn't clear enough initially but this was exactly what I was asking for. I have about four sites that are miles apart so yes the connection will go across the internet, so I guess I will need each site to have a static public address if I got you right?

    Or is it possible to just connect the clients to the server without assigning each one a Public IP Address as the Server?



  • Still not clear, why you're asking that question and what you don't understand here.
    Each device which is connected to the internet has a public IP.
    So since a site-to-site vpn is recommended to be terminated on the edge routers, yes, all vpn endpoints, server and clients, will have public addresses in the strict sense. But only the servers address or hostname has to be static and known by the clients. The clients must only have access to the internet to reach the server. The clients IPs don't matter to establish a vpn connection.
    Fundamentally the clients may also have a private address and access to the internet for connection to the server.

    VPN-sitetomultisite.png


  • LAYER 8 Netgate

    OpenVPN is more tolerant of NAT than IPsec.

    The client connects to the server. The client can be behind NAT or whatever.

    The server has to be able to receive client connections. It does not matter if the server address is static or not but it has to be able to receive connections from the internet so it has to either be public or be forwarded from something with a public address.

    If the server address is dynamic then you need a way to communicate what the current address is to the clients. Most people use dynamic DNS for this and tell the clients to connect to the dyndns hostname. I suppose they could always call you and ask what the current IP address is and alter their configuration to connect to that address today instead.



  • Its a server client relationship. Only the server side has to have a discoverable address with openvpn.



  • I get it now, thanks, guys!


Log in to reply