VPN across 2 houses

Hi i have a question regarding a VPN connection across 2 houses using a router capable of VPN, i have a Server which i store Tv shows, Films etc i want to share this across a VPN my plan is to have a 2nd server on the other end of the VPN and have a program to sync the files was thinking of using allway sync but i only want the servers to be available over the VPN nothing else so my plan was to have 2 nics on each server so the digram would be something like this.

____________ ------------------------->
Router ---- switch --- VPN router ---- Server

Could any 1 advise if this would work?
thanks in advance

Edited by deleted (Mon 10-Mar-14 00:02:26)

Check out the draytek.co.uk web site to see how to setup a vpn service

My question is not so much setting up the VPN but how to just provide acess to the server over the VPN whilst also allowing the devices before the vpn access to the server and not any other devices.

if that makes sense

Edited by deleted (Mon 10-Mar-14 20:05:03)

You should be able to filter incoming traffic on the VPN interface to make sure it can only talk to the specific IP of the server. That's pretty much your best option to do it, no extra NIC required, and you know for certain nothing can talk to anything you don't want it to.

Whether you can filter VPN interfaces depends on the router terminating the VPN your end.

VLAN?

A site to site VPN is what you are looking for.

Assuming House A with the server(s) is on the 192.168.1.0/24 subnet, and house B is on 192.168.2.0/24, both the VPN endpoints (i.e. the routers) would know about the other subnet, and would route traffic to it.

So, if your computer in house B was 192.168.2.10, and tried to access the server on 192.168.1.15, the router of house B would forward that traffic to router A, which would send it to the server, and vice versa.

Not many ISP routers will support this. You could use a small PC running OpenSSL or Sophos UTM (both free, at least for home use) at each end, or you could buy a router for each end that supports IPSec or SSL site to site. An example would be most of the Draytek series.

You could set up the VPN tunnelling rules to only send traffic for a particular IP through the VPN, so that all the house B devices can access at house A is the server, but the server at house A would be able to access everything at house B, it has to be this way as you can't have one way traffic.

So, people in house A in theory could do malicious things to house B devices by logging on to the server.

Edited by nemeth782 (Tue 11-Mar-14 09:03:15)

Will this work even if my setup is router---switch then vpn router?

VPN's create tunnels so as long as you can create a connection between the two VPN endpoints, what's in between makes no difference.

Still need to know what hardware is involved if you want to effectively 'firewall' the tunnel though.

Not sure what hardware i will be using was thinking of using the DD-WRT firmware though has any 1 got any recomandations that arent going to cost an arm and a leg?

DD-WRT would do the trick if you've got suitable hardware on which to run it.

Only issue with using a separate device for the VPN is that your VPN is going to be between two devices that are the default gateway for either network. This means any device you want to 'know' about the other network is going to have to have static routes added. Not a problem for a 'computer' but any portable devices like phones or tablets could cause you some headaches.

I'd be looking for a solution where your VPN's are between the two networks respective default gateways, then you don't need to modify any static routes on computers to know how to get from site to site. Probided the gateways know how to talk to each network, devices would just 'work' without any modification.

I have accomplished this kind og setup in the past using pfSense running on a very low power (under 15 watts) Atom-based computer (under £150 each end is doable) which effectively acts in place of a 'cable router' with PPPoE to connect to the network through a suitable modem. You could just as easily use DD-WRT each end realistically. With pfSense you can very easily lock down what even individual clients on the remote site are able to access. With DD-WRT you could use the built-in iptables to achieve this same result.

Performance will be a potential limitation though given VPN's are encrypted and therefore require effort by the endpoints to encrypt and decrypt data on the way through, which, given your stated use was to share multimedia over your tunnel, you'll want to make sure happens at a reasonable rate! May need something with a bit more grunt than the most basic router that can run DD-WRT if you wanted to go that route.