When connecting two geographically separated networks over the Internet, we need to achieve three fundamental objectives:
- Secure encrypted communication
- Transparent network resource access
- Minimal endpoint configuration
The most efficient approach is implementing VPN at the router level. Modern routers support various VPN protocols:
```text
# Sample OpenVPN server configuration (Router A)
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0
# Advertise Site A's LAN (192.168.1.0/24) to connecting routers
push "route 192.168.1.0 255.255.255.0"
# Return path for Site B's LAN: the kernel route plus a matching iroute in the
# client's ccd file, otherwise Site B hosts are unreachable from Site A
route 192.168.2.0 255.255.255.0
client-config-dir ccd
keepalive 10 120
cipher AES-256-CBC
# Certificate material is omitted here: ca, cert, key and dh directives (paths are deployment-specific)
```
```text
# Corresponding client configuration (Router B)
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate carries the server EKU, so a leaked client cert cannot impersonate the server
remote-cert-tls server
cipher AES-256-CBC
# Certificate material is omitted here: ca, cert and key directives (paths are deployment-specific)
```
For Windows environments, a domain controller provides several advantages:
- Centralized authentication
- Simplified resource sharing
- Group policy management
However, workgroups can be used with proper DNS configuration:
```text
# Example BIND forward zone for cross-site resolution (named.conf)
zone "corp.internal" {
    type forward;
    forward only;
    forwarders { 192.168.1.10; 192.168.2.10; };
};
```
For a Cisco router setup, here's a basic IPsec configuration:
```text
! Site A configuration (IKEv2 with an IPsec VTI; the original fragment referenced
! IKE-PROFILE without defining it, so the profile, keyring and policy are filled in here)
crypto ikev2 proposal IKE-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 19
crypto ikev2 policy IKE-POLICY
 proposal IKE-PROPOSAL
crypto ikev2 keyring IKE-KEYRING
 peer SITE-B
  address 203.0.113.2
  pre-shared-key <replace-with-a-long-random-psk>
crypto ikev2 profile IKE-PROFILE
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKE-KEYRING
crypto ipsec profile IPSEC-PROFILE
 set ikev2-profile IKE-PROFILE
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252   ! assumed point-to-point tunnel address
 tunnel source GigabitEthernet0/0      ! assumed WAN interface
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
```
To achieve true configuration-free endpoints:
- Configure route propagation via DHCP
- Implement split tunneling properly
- Set up cross-site DNS resolution
```text
# DHCP option for route propagation (Linux dhcpd.conf)
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
# 192.168.2.0/24 via 192.168.1.1 (assumed LAN address of the Site A VPN router; the next hop
# must be on the workstation's own subnet), followed by a default route, because a client
# that honours option 121 ignores the routers option (3)
option rfc3442-classless-static-routes 24, 192, 168, 2, 192, 168, 1, 1, 0, 192, 168, 1, 1;
```
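As an added example (not code from the original page), the following Python builds and parses the option 121 octet list used above and flags any next hop that a workstation on a given LAN could not reach directly; the addresses are constructed, and 192.168.1.1 is an assumed router address.

```python
# Added example: encode/decode RFC 3442 classless static routes (DHCP option 121)
# and flag next hops that a client on the given subnet cannot reach directly.
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination network, gateway), e.g. ("192.168.2.0/24", "192.168.1.1")


def encode_option121(routes: List[Route]) -> List[int]:
    """Option-121 octets: <prefix-len><significant destination octets><gateway> per route."""
    out: List[int] = []
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest)
        sig = (net.prefixlen + 7) // 8  # only the significant destination octets are sent
        out.append(net.prefixlen)
        out.extend(net.network_address.packed[:sig])
        out.extend(ipaddress.IPv4Address(gw).packed)
    return out


def decode_option121(octets: List[int]) -> List[Route]:
    """Parse option-121 octets back into (destination, gateway) pairs; reject truncated data."""
    routes: List[Route] = []
    i = 0
    while i < len(octets):
        plen = octets[i]
        sig = (plen + 7) // 8
        if plen > 32 or i + 1 + sig + 4 > len(octets):
            raise ValueError("malformed classless static route option")
        dest = bytes(octets[i + 1:i + 1 + sig]).ljust(4, b"\x00")
        gw = bytes(octets[i + 1 + sig:i + 5 + sig])
        routes.append((str(ipaddress.IPv4Network((dest, plen))), str(ipaddress.IPv4Address(gw))))
        i += 1 + sig + 4
    return routes


def offlink_gateways(routes: List[Route], client_subnet: str) -> List[str]:
    """Gateways outside client_subnet: a workstation there cannot use them as a next hop."""
    lan = ipaddress.IPv4Network(client_subnet)
    return [gw for _, gw in routes if ipaddress.IPv4Address(gw) not in lan]


def dhcpd_line(routes: List[Route]) -> str:
    """Render the octets as an ISC dhcpd 'option rfc3442-classless-static-routes' statement."""
    octets = ", ".join(str(o) for o in encode_option121(routes))
    return f"option rfc3442-classless-static-routes {octets};"


if __name__ == "__main__":
    # Constructed Site A data: Site B's LAN plus a default route, both via the assumed router 192.168.1.1
    print(dhcpd_line([("192.168.2.0/24", "192.168.1.1"), ("0.0.0.0/0", "192.168.1.1")]))
    # A tunnel-side gateway such as 10.8.0.1 is off-link for a 192.168.1.0/24 workstation
    print(offlink_gateways(decode_option121([24, 192, 168, 2, 10, 8, 0, 1]), "192.168.1.0/24"))
```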
When connecting two geographically separated networks with independent internet connections, we need to achieve:
- Secure encrypted tunnel for all inter-site traffic
- Transparent network visibility (all nodes should appear as local)
- Minimal endpoint configuration (ideally zero-touch on workstations)
- Proper IP addressing scheme to prevent conflicts
Here are the most common approaches with their trade-offs:
| Method | Configuration Level | Performance | Security |
|---|---|---|---|
| Router-based VPN | Network devices only | Hardware-accelerated | IPSec or WireGuard |
| Software VPN Server | Requires server setup | CPU-dependent | OpenVPN/SSL |
| Cloud-managed | Central console | Varies by provider | Provider-dependent |
Router-based VPN is the most efficient solution for these requirements. Here's a sample configuration for pfSense routers, written out schematically (pfSense itself is configured through the IPsec pages of its web GUI, so the keys below map to those form fields rather than to a file you edit directly):
```text
# Site A configuration (192.168.1.0/24 network)
# Phase 1: IKE security association with the Site B gateway
phase1 {
    ikeid = 1;
    remoteid = "site-b.example.com";
    mode = main;
    encryption = aes-256-gcm;
    hash = sha256;
    dhgroup = 14;
    lifetime = 28800;
    nat_traversal = on;
    remote_gateway = 203.0.113.2;
}
# Phase 2: ESP tunnel between the two LANs
phase2 {
    ikeid = 1;
    mode = tunnel;
    protocol = esp;
    encryption = aes-256-gcm;
    hash = sha256;
    pfsgroup = 14;
    lifetime = 3600;
    localid {
        type = lan;
        network = 192.168.1.0/24;
    }
    remoteid {
        type = lan;
        network = 192.168.2.0/24;
    }
}
```
For optimal performance:
- Use non-overlapping private IP ranges (e.g., 192.168.1.0/24 and 192.168.2.0/24)
- Configure proper static routes on both routers
- Enable MSS clamping for TCP optimization
- Disable NAT for VPN traffic between sites
While workgroups can function, a domain controller provides better management:
```powershell
# Sample Windows Server DNS conditional forwarder: send corp.site-b.com queries to Site B's DNS server
Add-DnsServerConditionalForwarderZone `
    -Name "corp.site-b.com" `
    -MasterServers 192.168.2.10 `
    -PassThru
```
Essential monitoring commands for Linux-based routers:
```bash
# Check IPsec tunnel status (strongSwan)
ipsec statusall
# Monitor VPN throughput (IKE on UDP/500, NAT-T and ESP-in-UDP on UDP/4500)
iftop -i eth0 -f "port 500 or port 4500"
# View connection statistics: tracked connections that have been NATed (-j is --any-nat)
conntrack -L -j
```