Connect two home networks via VPN


I've got two home networks (LANs in 2 locations) which I want to connect together so that PCs on both networks can be accessed from any other PC on either of those two networks.

As far as I know it's possible to set this up using a VPN. I have Windows 2000 Advanced Server, which can be set up as a VPN host. I was going to run it as a virtual machine.

Can anyone suggest the best approach to it and how to set up the VPN (i.e. the network) and make it always connected?

Muxa

Posted 2010-01-20T06:14:51.483


Answers


Hamachi has its advantages and disadvantages, so consider this alternate VPN design. This is basically a DIY VPN router as Scott's answer discusses, using 3rd-party firmware that may work with the routers/gateways you already have.

Use DD-WRT with OpenVPN on the router/gateway of both the home networks. You'll need an OpenVPN-enabled firmware, or room to install it as an add-on package. (The latest DD-WRTs claim to make this very easy. I haven't tried it yet. Read through Enabling OpenVPN for the full process.)

  • Pros:
    • cheap-to-free
    • on if the router's on
    • broadcast traffic (if using as a bridge)
    • very flexible & powerful (GUI and SSH interfaces)
  • Cons:
    • "very easy" probably doesn't mean what you think it means; Hamachi is likely simpler to manage
    • doesn't run VMware or Win2000 Advanced Server
    • ...and it won't make coffee

You'll end up with a site-to-site VPN between the networks, and can configure it in a routed (two separate networks) or bridged (one network in two places) configuration. Which one you should use depends on your requirements. It's worth taking the time to draw up a network design and spell out what you need out of this setup.

  • Routed: (source)

    Why should I use a routed configuration and not a bridged configuration?

    Interesting question. Well, a bridged configuration will 'join' both networks together as one, same subnet, same IP range... Looks easier, but the problem here would be that all kinds of packets, including the infamous broadcasts will be traveling from one side of the network to the other, resulting in less-than-optimized usage of your precious bandwidth. On the other hand, a routed network will only send directed packets from one side of the network to the other.

  • Bridged: (source)

    By bridging a physical ethernet NIC with an OpenVPN-driven TAP interface at two separate locations, it is possible to logically merge both ethernet networks, as if they were a single ethernet subnet.

Examples:

  • The mDNS/Bonjour/Zeroconf service to supply addresses like hostname.local across both home networks might require bridged mode to work. On the other hand, you may prefer to set up your own internal DNS and access the networks with addresses like hostname.foo and otherhost.bar.

  • Windows file-sharing name resolution used to work via broadcast messages, so a bridged connection allows Windows computer browsers to find each other. A routed solution required a WINS server to allow Windows network browsing to work. (You can probably do that with W2k Advanced Server, or you could look for a Samba WINS server package for DD-WRT.) (Also, I say "used to" based on experiences with Samba; recent Win-7 improvements may have fixed this.)

  • Some games really want broadcast capability for network games, so again bridged mode may be preferable. If they have different network modes for LAN games vs Internet games, that could be the difference.

quack quixote


I like this approach. I've got a Linksys WAG160N router and it's supported. However there's a Linksys AG300 on the other end which is not supported. I suppose I can replace it with a supported device. The only concern that I have is: if I replace the firmware, will I be able to restore it to the factory one if something goes wrong in the process? – Muxa – 2010-01-22T00:58:08.317

It's possible to brick a router during a firmware update, even with manufacturer firmware -- don't update firmware over a wireless connection. But that's worst-case. Generally, reverting to the manufacturer's firmware is as simple as another firmware update. – quack quixote – 2010-01-22T05:12:07.250

I also like the idea of using a third-party firmware on a router, basically increasing its capability. However, on some routers like Linksys, if power is lost during the update you could brick the router; I know someone that it happened to. You can unbrick a Linksys, but that is another procedure in itself. From then on, when I would update my router's firmware I would power the router from the same UPS as the computer pushing the update, just to ensure that didn't happen to me. – Scott McClenning – 2010-01-23T03:29:54.630

@Scott: you're right -- and note that power loss during a firmware update can brick a router regardless of what firmware you apply. Unbricking requires JTAG-capable hardware and perhaps some hardware hacking. – quack quixote – 2010-01-23T07:43:54.620
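As an added example (not part of the answer above, and not DD-WRT's own documentation), here is what the routed site-to-site OpenVPN setup that answer describes looks like in OpenVPN 2.x configuration, with the server on router A and router B as the client. Everything here is assumed for illustration: LAN A is 192.168.1.0/24, LAN B is 192.168.2.0/24, the tunnel network is 10.8.0.0/24, router A is reachable at the dynamic-DNS name vpn-a.example.org, the files live under /tmp/openvpn (DD-WRT's RAM filesystem), and the certificates were issued by your own CA with the common name home-b on router B's client certificate. The one hard requirement a routed design adds is that the two LANs use different subnets; two homes both on 192.168.1.0/24 cannot be routed to each other.

```conf
# --- Router A (OpenVPN server): /tmp/openvpn/server.conf ---
# Assumed layout: LAN A = 192.168.1.0/24, LAN B = 192.168.2.0/24, tunnel = 10.8.0.0/24
port 1194
proto udp
dev tun                         # routed mode (tun); bridged mode would use "dev tap" instead
topology subnet
server 10.8.0.0 255.255.255.0   # tunnel addresses handed to clients

ca   /tmp/openvpn/ca.crt
cert /tmp/openvpn/router-a.crt
key  /tmp/openvpn/router-a.key
dh   /tmp/openvpn/dh.pem
tls-auth /tmp/openvpn/ta.key 0  # shared HMAC key: control packets without it are dropped before TLS even starts
cipher AES-256-CBC
auth SHA256
remote-cert-tls client          # only accept peers whose certificate was issued as a client cert

# Kernel route on router A: LAN B is reachable through the tunnel interface...
route 192.168.2.0 255.255.255.0
# ...and OpenVPN's internal routing: which connected client owns LAN B (file ccd/<client CN>)
client-config-dir /tmp/openvpn/ccd
# Hand LAN A to the client so router B installs the return route by itself
push "route 192.168.1.0 255.255.255.0"

keepalive 10 60                 # ping every 10 s, restart the tunnel after 60 s of silence
persist-key
persist-tun
verb 3

# --- Router A: /tmp/openvpn/ccd/home-b (file name must equal the client certificate CN) ---
iroute 192.168.2.0 255.255.255.0

# --- Router B (OpenVPN client): /tmp/openvpn/client.conf ---
client
proto udp
dev tun
remote vpn-a.example.org 1194   # assumed dynamic-DNS name of router A
ca   /tmp/openvpn/ca.crt
cert /tmp/openvpn/home-b.crt
key  /tmp/openvpn/home-b.key
tls-auth /tmp/openvpn/ta.key 1
cipher AES-256-CBC
auth SHA256
remote-cert-tls server          # refuse any peer that does not present a server certificate
keepalive 10 60
persist-key
persist-tun
verb 3
```

Because each router is already the default gateway of its LAN, the PCs need no extra routes; the `route`/`iroute`/`push "route ..."` trio is what makes traffic for the far LAN leave through tun0 on one side and get delivered on the other. For the bridged variant discussed in the answer, swap `dev tun`, the `server` line and the three route lines for `dev tap0` plus `server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220` (a range of LAN-A addresses for tunnel clients) and add tap0 to the LAN bridge (br0) on both routers; both LANs then become one broadcast domain, with the bandwidth cost the answer quotes. In either mode router A's firewall must accept UDP 1194 inbound, and both routers must permit forwarding between tun0 (or the bridge) and the LAN; on DD-WRT that goes in the firewall script. Keep the CA key off the routers and revoke a client certificate (`crl-verify`) if a router is lost or replaced, since whoever holds home-b.key can join your LAN.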


The easiest way is with two VPN routers (like a Netgear Prosafe, using its gateway-to-gateway VPN example).

[diagram of the gateway-to-gateway VPN setup; image not available]

That way the default gateway for all the machines on the network is the same for the VPN and the internet. Once set up, going to the internet or over the VPN is transparent to all the clients, and the VPN is usually solid. Just turn on both VPN firewalls and it just works.

If you use a second gateway (the VM's VPN), you may need to either enter a route entry in each computer's routing table to use the VM's VPN, or make the VM the default gateway for the rest of the machines on the network and then have the VM route traffic either to the router for internet access or to the VPN.

VPN with Microsoft can be a large topic but Microsoft has some good articles for example http://support.microsoft.com/kb/308208

After I got some VPN routers, I wouldn't want to do it any other way. But of course that means purchasing hardware.

Hope you find the solution that works for you.

Scott McClenning


Thanks for the answer. However, this appears to be a relatively expensive option. I'd rather go with a software solution. – Muxa – 2010-01-22T23:54:57.800

Good answer. I've expanded on doing this with DD-WRT in a separate answer, but your points are spot on, especially re: VPN router vs. internal VPN server. – quack quixote – 2010-01-20T08:13:52.147


Unless you just want to play with VPN setup, I'd recommend using something like Hamachi for this. I'm looking at doing something similar and I'm considering Hamachi as the primary linkage. It should be much simpler to setup than a DIY VPN.

quack quixote


Sounds like a reasonable solution. How would I route traffic from a PC with Hamachi to the entire internal network? – Muxa – 2010-01-21T20:00:03.557

If possible, it'd look like the "second gateway" scenario described in Scott's answer. I can't give more details without writing a textbook on IP routing, but if I run across links that describe how to set it up, I'll post them. – quack quixote – 2010-01-21T20:50:42.393

I've used Hamachi before - it can only connect a single computer to a remote network. How can other computers connect via the one with Hamachi to a remote network? – Muxa – 2010-01-20T06:49:59.843

As I understand it, you'd use the managed version, install the Hamachi client on each PC in both networks, and in the management console add them all to the same private network. One advantage here is easy access for joining the VPN from outside the two home networks. The disadvantage is that you don't get access to the entirety of either home network (at least, without leaving one client per network powered on all the time & routing traffic from the Hamachi network to the internal network ... assuming that's possible ... but you'd have to do that with any other VPN anyway.) – quack quixote – 2010-01-20T06:59:55.017