Continuing our series on virtual private networks (VPNs), we need to touch on the structure of the network being built, which in turn depends on the tasks it has to perform. Wrong decisions at the design stage may not show their effect immediately, but as the infrastructure grows and develops it becomes very hard to change anything without considerable pain. In this article we look at the typical scenarios for using a VPN, their areas of application, and their advantages and disadvantages.

You can learn how to configure MikroTik from scratch, or systematize the knowledge you already have, in the MikroTik Advanced Administration course. The course author, certified MikroTik trainer Dmitry Skoromnov, personally checks the lab work and monitors the progress of each student. Three times more material than in the vendor's MTCNA program, more than 20 hours of practice, and lifetime access.

We will not consider solutions based on an L2 topology, in which networks are joined at the data link layer. Such scenarios should be avoided and allowed only when you really do need an L2 tunnel.

L2 solutions are very often chosen by novice administrators who have difficulty with routing and use them to work around a lack of knowledge and practical skill. In fact, thoughtless use of data-link-layer connections only brings a new layer of problems, which accumulate as the network grows and cannot be solved without a significant change to the network structure.

For the remaining majority of tasks you should use an L3 VPN, which operates at the network layer and relies on routing; this allows you to manage traffic flows effectively and build fairly complex network solutions. We will not analyze routing in detail in this article; for an introduction to its basics we refer you to our other article.

Host Connection (End-to-End VPN)

The simplest scheme, in which a tunnel directly connects two hosts. Here the VPN server is not a router, and the client gets no access beyond the server itself. This scheme does not use routing and does not require the client or the server to have local network addresses.

This solution is used primarily to create a secure communication channel for remote work with services whose own level of security is insufficient: for example, to give an accountant remote access to 1C:Enterprise databases, or to reach the administrative panel of a server located on the Internet.

Such a solution is also often used to protect insufficiently secure protocols, say FTP or POP3, when the SSL option is unavailable for some reason (most often backward compatibility).

It should be understood that the client gets full access to the server, bypassing the protected network perimeter, so the question of trust comes to the fore. This type of access is therefore most often given to key employees who are highly trusted, or granted to a limited number of network services, where the VPN serves only as additional protection for the communication channel.

Host-to-Site Connection (Remote Access, End-to-Site)

When a remote employee needs full access to the network, enterprises use a slightly different scheme. Here the VPN server must be a router, and the address space of the client and of the local network must not overlap. This is why we categorically advise against using the subnets 192.168.0.0 and 192.168.1.0 in local networks: they are widely used in SOHO-class (home and small office) network equipment, so you are very likely to run into an address-space collision with the remote client's own network.

For the remote computer to reach the local network we need routing. Create a route on the client stating that all packets for the 192.168.51.0 network are to be sent through the tunnel to the VPN server address 10.10.0.1. No return routes need to be specified on the local network side.
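To make the two requirements above concrete (non-overlapping address spaces, and a client-side route with no return route), here is an added Python example; it is not code from the original article. It checks the remote client's own LAN, the VPN address pool and the office subnets for overlaps and, if there are none, emits the routes the client needs. The office prefix 192.168.51.0/24 and the server address 10.10.0.1 come from the article; the client LAN 192.168.1.0/24 and the pool 10.10.0.0/24 are assumed values.

```python
# Added example, not from the original article: planning check for the
# host-to-site (remote access) scenario.
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


def find_overlaps(named_nets: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Return every pair of prefixes that overlap (identical or nested ranges).

    Any overlap between the client's own LAN, the VPN pool and an office subnet
    means the client cannot tell local and remote destinations apart.
    """
    names = sorted(named_nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if named_nets[a].overlaps(named_nets[b])
    ]


def client_routes(office_lans: List[IPv4Network], vpn_server: IPv4Address) -> List[str]:
    """Routes the remote host needs: each office prefix via the tunnel peer.

    No return route is needed on the office side because the client's tunnel
    address belongs to the pool the VPN server itself is attached to.
    """
    return [f"ip route add {net} via {vpn_server}" for net in office_lans]


def plan(client_lan: str, vpn_pool: str, office_lans: List[str], vpn_server: str) -> dict:
    """Refuse to emit routes while any of the address spaces overlap."""
    offices = [ip_network(n) for n in office_lans]
    nets = {"client_lan": ip_network(client_lan), "vpn_pool": ip_network(vpn_pool)}
    nets.update({f"office_{i}": n for i, n in enumerate(offices)})
    conflicts = find_overlaps(nets)
    if conflicts:
        return {"ok": False, "conflicts": conflicts, "routes": []}
    return {"ok": True, "conflicts": [], "routes": client_routes(offices, ip_address(vpn_server))}


# Constructed inputs: office 192.168.51.0/24 and server 10.10.0.1 follow the
# article; the client LAN and the VPN pool are assumed.
GOOD = plan("192.168.1.0/24", "10.10.0.0/24", ["192.168.51.0/24"], "10.10.0.1")
# A typical SOHO default colliding with an office that also uses 192.168.1.0/24.
BAD = plan("192.168.1.0/24", "10.10.0.0/24", ["192.168.1.0/24"], "10.10.0.1")

if __name__ == "__main__":
    print(GOOD)
    print(BAD)
```

The `ip route add` strings are the Linux iproute2 form of the route described in the text; on another client operating system the same prefix and next hop are entered with that system's own route command.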

As in the previous scenario, you should understand that such a connection gives access inside the perimeter and requires trust in the remote user. Where the level of trust is low, it makes sense to isolate remote users in a DMZ and use a firewall to control their access to the rest of the network.

Another use of this type of connection is administrative: a system administrator uses it to reach his own network from anywhere in the world.

Site-to-Site

The most popular scheme in the corporate environment, it connects the networks of offices to each other. The tunnel is usually brought up between the routers of the two networks, although this is not mandatory; if the VPN server and client sit on separate nodes of the network, additional routing will be required.

In our example the VPN hosts are also the default gateways, and each of them needs an additional route directing packets for the remote network to the other end of the tunnel.

With several branches the scheme becomes a little more complicated. Since a VPN is always a point-to-point connection, it should be understood that even when the different nodes of the VPN network share a single address space, traffic can be exchanged only between the two ends of a tunnel. All other interactions are resolved exclusively through routing.

As you can see from the following diagram, the two branch offices with networks 192.168.41.0/24 and 192.168.31.0/24 can communicate exclusively through the central office server. Branches send all packets for other networks to the office's VPN address, 10.10.0.1; if you instead give the 41st network a route to the 31st via 10.10.0.2, that route will not work.

Why? Because the tunnel is point-to-point: in this case we have the connections 10.10.0.2 - 10.10.0.1 and 10.10.0.3 - 10.10.0.1, but there is no connection 10.10.0.2 - 10.10.0.3. Understanding this makes you take a fresh look at the traffic flows between remote networks and build a topology that takes it into account.

Suppose networks 31 and 41 are located in the same city and exchange a large volume of traffic (say, a branch and a production site). In that case there is no point in pushing that traffic through the central office; it is more correct to set up two VPN channels, between the 31st and 51st networks (branch to office) and between the 31st and 41st (branch to production), and thanks to routing we can just as easily configure the office-to-production connection through the branch.
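The following Python model of the multi-branch topologies discussed in the last few paragraphs is an added example, not the original author's code. The router names (office, branch, production) are assumed; the subnets and tunnel addresses are the ones used above, with the 31st network at 10.10.0.2 and the 41st at 10.10.0.3. It traces a packet router by router and drops it whenever the chosen next hop is not the far end of an existing tunnel, which reproduces both the failing 41-to-31 route via 10.10.0.2 and the alternative with a direct branch-to-production tunnel.

```python
# Added example, not from the original article: a model of the site-to-site
# topologies discussed above. Router names are assumed; subnet and tunnel
# addresses follow the article (office 192.168.51.0/24 at 10.10.0.1,
# branch 192.168.31.0/24 at 10.10.0.2, production 192.168.41.0/24 at 10.10.0.3).
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


class Router:
    def __init__(self, name: str, tunnel_ip: str, lan: str) -> None:
        self.name = name
        self.tunnel_ip: IPv4Address = ip_address(tunnel_ip)
        self.lan: IPv4Network = ip_network(lan)
        self.routes: List[Tuple[IPv4Network, IPv4Address]] = []  # (prefix, next hop)
        self.peers: Set[IPv4Address] = set()  # far ends of tunnels that really exist

    def add_route(self, prefix: str, via: str) -> None:
        self.routes.append((ip_network(prefix), ip_address(via)))

    def next_hop(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """Longest-prefix match over the static routes; None if nothing matches."""
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def tunnel(a: Router, b: Router) -> None:
    """A VPN tunnel is point-to-point: only its two ends can exchange packets over it."""
    a.peers.add(b.tunnel_ip)
    b.peers.add(a.tunnel_ip)


def trace(routers: Dict[str, Router], src: Router, dst_ip: str) -> List[str]:
    """Follow a packet hop by hop. It is dropped when no route matches or when
    the next hop is not the far end of one of the current router's tunnels."""
    by_tunnel_ip = {r.tunnel_ip: r for r in routers.values()}
    dst = ip_address(dst_ip)
    cur, path, seen = src, [src.name], set()
    while dst not in cur.lan:
        if cur.name in seen:
            return path + ["LOOP"]
        seen.add(cur.name)
        nh = cur.next_hop(dst)
        if nh is None:
            return path + ["DROP: no route"]
        if nh not in cur.peers:
            return path + [f"DROP: no tunnel to {nh}"]
        cur = by_tunnel_ip[nh]
        path.append(cur.name)
    return path + ["DELIVERED"]


def build(topology: str) -> Dict[str, Router]:
    office = Router("office", "10.10.0.1", "192.168.51.0/24")
    branch = Router("branch", "10.10.0.2", "192.168.31.0/24")
    prod = Router("production", "10.10.0.3", "192.168.41.0/24")
    if topology == "hub":
        # Both branches have tunnels only to the central office.
        tunnel(office, branch)
        tunnel(office, prod)
        office.add_route("192.168.31.0/24", "10.10.0.2")
        office.add_route("192.168.41.0/24", "10.10.0.3")
        for spoke in (branch, prod):  # everything else goes to the office
            spoke.add_route("192.168.0.0/16", "10.10.0.1")
    elif topology == "chain":
        # Branch and production are in one city: direct tunnel between them,
        # and the office reaches production through the branch.
        tunnel(office, branch)
        tunnel(branch, prod)
        office.add_route("192.168.31.0/24", "10.10.0.2")
        office.add_route("192.168.41.0/24", "10.10.0.2")
        branch.add_route("192.168.51.0/24", "10.10.0.1")
        branch.add_route("192.168.41.0/24", "10.10.0.3")
        prod.add_route("192.168.0.0/16", "10.10.0.2")
    else:
        raise ValueError(topology)
    return {r.name: r for r in (office, branch, prod)}


def run_scenarios() -> Dict[str, List[str]]:
    hub = build("hub")
    via_hub = trace(hub, hub["production"], "192.168.31.10")
    # The route the article warns against: 41st network to the 31st via 10.10.0.2.
    hub["production"].add_route("192.168.31.0/24", "10.10.0.2")
    bad_route = trace(hub, hub["production"], "192.168.31.10")
    chain = build("chain")
    return {
        "hub: production -> branch": via_hub,
        "hub: production -> branch via 10.10.0.2": bad_route,
        "chain: production -> branch": trace(chain, chain["production"], "192.168.31.10"),
        "chain: office -> production": trace(chain, chain["office"], "192.168.41.5"),
    }


if __name__ == "__main__":
    for name, path in run_scenarios().items():
        print(f"{name}: {' > '.join(path)}")
```

The more specific /24 route wins the longest-prefix match on the production router, so the "bad" scenario is dropped at the first hop even though a summary route to the office still exists; that is exactly the behaviour a real router shows when the next hop is not reachable over any tunnel.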

Internet access

Strictly speaking, this scenario is not a virtual private network at all, but using VPN connections to access the Internet is becoming more and more popular, so we consider it too.

When is using a VPN to access the Internet justified? First of all, when the level of trust in the current network is low. Say you are on a business trip and have to use hotel Wi-Fi: you do not know what kind of network it is or how secure it is, so for work it is entirely justified to bring up a VPN connection to the corporate gateway and reach the Internet through it.

Another scenario is access to sites that are unreachable through your primary provider or from your region. In that case the VPN server should be located in a jurisdiction from which access to the site of interest is not restricted.

So if you work with American online stores, you will need a VPN server in the United States so that sites see you as a resident of that country.

In such cases there is no need to send all outgoing traffic into the tunnel; it is more sensible to configure rules so that only the required sites go through the VPN and all remaining traffic goes through the main provider.

This scenario also applies to local networks, but then the VPN client should sit on the gateway, which, receiving requests from the local network, decides which packets to send on through the provider and which through the VPN.
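The selective forwarding decision just described, as an added Python example that is not part of the original article: a gateway policy in which only listed destinations leave through the VPN and everything else, including the VPN server's own public address, goes through the primary provider. All prefixes and addresses are constructed from documentation ranges, and the interface name `tun0` and ISP gateway address are assumed.

```python
# Added example, not from the original article: destination-based ("split")
# tunnel policy for a gateway that serves a local network.
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed values (documentation ranges), not taken from the article.
VPN_DESTINATIONS: List[IPv4Network] = [
    ip_network("203.0.113.0/24"),   # a service reachable only from the VPN's location
    ip_network("198.51.100.7/32"),  # one more single host
]
VPN_SERVER = ip_address("192.0.2.10")  # public address of the VPN server (assumed)


def select_uplink(dst: str) -> str:
    """Decide whether a packet to dst leaves via the 'vpn' or the primary 'isp'."""
    d = ip_address(dst)
    # The tunnel endpoint itself must always be reached via the provider;
    # otherwise the encapsulated packets would be routed back into the tunnel.
    if d == VPN_SERVER:
        return "isp"
    if any(d in net for net in VPN_DESTINATIONS):
        return "vpn"
    return "isp"  # default: everything else goes through the main provider


def classify_flows(destinations: Iterable[str]) -> Dict[str, int]:
    """Count how many of the given destinations each uplink would carry."""
    counts = {"vpn": 0, "isp": 0}
    for dst in destinations:
        counts[select_uplink(dst)] += 1
    return counts


def gateway_routes(isp_gateway: str, tunnel_iface: str = "tun0") -> List[str]:
    """Linux (iproute2) routes implementing the same policy on the gateway.

    The host route for the VPN server comes first so that the tunnel's own
    packets keep going via the provider; the default route stays untouched.
    """
    cmds = [f"ip route add {VPN_SERVER}/32 via {isp_gateway}"]
    cmds += [f"ip route add {net} dev {tunnel_iface}" for net in VPN_DESTINATIONS]
    return cmds


if __name__ == "__main__":
    # Constructed sample destinations seen by the gateway.
    for dst in ("203.0.113.40", "198.51.100.7", "198.51.100.8", "192.0.2.10"):
        print(dst, "->", select_uplink(dst))
    print("\n".join(gateway_routes("198.51.100.1")))
```

Because the decision is made per destination on the gateway, hosts on the local network need no VPN software of their own; they simply use the gateway as their default route, as the text describes.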

Source: https://vpnheroe.com