High-level question



  • I've been digging into VPNs lately and getting into the nuts-and-bolts, but thought it would be best to take a big step back to see if what I'm thinking is appropriate or even possible. And so I ask here.

    Situation: Work-place network which I control. Employee home networks which I have some influence over, but not complete control. What I would like is to set up VPNs so that the employee has a network that ends up looking like part of the work-place network. So if the work-place network is 192.168.48.0/20, the employee's home has a network of 192.168.60.0/26 that is accessible from work just like other subnets of 192.168.48.0/20.

    I could send the employee home with a little box, perhaps pfSense or OpenWRT (more likely), that would sit on whatever network the employee happens to have set up at home and provide the "home work network" and a VPN from it to the office. This way employees could take a work laptop home and it would function exactly as if it were at the office, only slower.

    Does this seem doable? Is there an obvious and easy way to achieve it. I only ask because the examples I'm reading seem to have wildly different addresses for the networks being connected.



  • Hmmm… No takers. Either this question is more stupid than I think it is, or I haven't described my situation very well. My sense is that I can do exactly what I want to do, but I'm just looking for a bit of confirmation before investing much time into it.

    Workplace network: 172.16.0.0/20
    Home network: 192.168.0.0/24

    I'd like to drop an inexpensive box onto the home network that gives the employee a sub-net of the workplace network (ie. 172.16.4.0/26) in such a way that they can access everything at work just as if they were plugged in to the workplace LAN (but obviously slower). Also, as an administrator, I'd like to be able to access the "home work network" (172.16.4.0/26) so that I can administer their machines (ie. VNC in and such) just as if they were at work.

    I can do anything I want with the workplace network, but I really don't want to be investing much time on the home network (ie. changing it's IP range so it doesn't conflict with the workplace networks or other employees "home work" networks).

    Is this ridiculous?



  • Why do they have to be on the same subnet?  won't a regular IPSEC VPN suffice?  Have you considered Shrew or OpenVPN?



  • Doable if they're all on unique subnets, yes. Good idea, generally no, unless you assign a DHCP reservation for the one authorized machine and only allow it across. Much better to just deploy a remote access VPN with OpenVPN.



  • @e__n:

    Why do they have to be on the same subnet?  won't a regular IPSEC VPN suffice?  Have you considered Shrew or OpenVPN?

    The "home work" networks would be different for each employee. Mine might be 172.16.4.0/26. Someone else might get 172.16.4.64/26. But ideally they would all end up somewhere under the office network (172.16.0.0/20 in this example). Why? Just to keep things clean. Also, we have several different facilities, each with a /20 under 172.16.0.0. It is nice, at least I find it nice, to keep all aspects of a particular facility inside that /20 subnet.

    But the main attraction to this approach is that an employee can pack up a laptop, bring it home, plug it in, and have it work just as it did at work. With a separate box handling the VPN work, the laptop can be fairly stupid.

    I have considered Shrew and OpenVPN. I continue to, but I'm still building up my understanding of the fundamentals. I've been trying to get Shrew working from my home to a pfSense box at my workplace with no luck as of yet. Testing VPNs across the work-home divide has been painful. I really need to come up with a way to work on this at my workplace… perhaps sticking a pfSense box on the DMZ and working behind that...



  • @cmb:

    Doable if they're all on unique subnets, yes. Good idea, generally no, unless you assign a DHCP reservation for the one authorized machine and only allow it across. Much better to just deploy a remote access VPN with OpenVPN.

    Point taken. And thanks for that. Yes, I see the issue. There would have to be some sort of control to prevent full access to the work-place network by some random computer that gets plugged in at home. In our case, laptops move from employee to employee in a fairly fluid fashion, so any work-place laptop could end up at an employee's home. Only allowing access by certain machines (ie. by MAC address) would become a nightmare real fast.

    I'm not sure that I understand what a remote access VPN would require of the laptop that travels between the work-place and an employee's home. These machines operate under a domain controller at work. It would be nice if that still applied at home.



  • @Rural:

    I'm not sure that I understand what a remote access VPN would require of the laptop that travels between the work-place and an employee's home. These machines operate under a domain controller at work. It would be nice if that still applied at home.

    They would have to connect their VPN client when outside the office. That's the typical means of remote access, then it can work anywhere not just in employees' homes, and you're not allowing whatever devices people plug into their home networks to get to your network.


Log in to reply