VPN for managing training centres

Richard Newbould

Nov 29, 2009, 1:13:04 PM
to so-class2
Hi Pete (Smit),

It's been a while since we last chatted!

I'm heading to Delhi next week with Edward and plan to install the VPN client on the main computer in both centres (OK, the only computer for the Burmese refugees).  You were pondering whether to add the computer centres to the same VPN and firewall or set up a separate VPN.  Have you come to a conclusion as to what would work best and would you have a chance to implement it for later on this week (so I can test it out)?


Thanks a lot!

Richard

Richard Newbould

Nov 29, 2009, 2:03:50 PM
to so-class2
Hey Pete,

Thinking further, I may want to move the VPN server for centre support to India so it can be managed by an Indian team in time.  It may reduce latency, as the centres will be in and be mostly managed from India, though a brief experiment I did the other day (TightVNC to control a PC in the UK from India) suggests this could be negligible.

This suggests keeping a separation as different VPNs.  Having said that, we could in that case move the developer VPN server to India too, and have keys managed by the Indian team.

However, do you know if the VPN GUI client can switch between two VPNs or if two VPN GUI clients can be run to allow connection simultaneously to two VPNs?  This also highlights a potential security risk and a hassle factor that might be reduced by making it all one VPN but with a firewall between them.

What are your thoughts?

Cheers,

Richard


--

You received this message because you are subscribed to the Google Groups "so-class2" group.
To post to this group, send email to so-c...@googlegroups.com.
To unsubscribe from this group, send email to so-class2+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/so-class2?hl=en.

Peter

Nov 30, 2009, 4:04:36 AM
to so-class2
Hey Richard,

Indeed it has been a while. This last month I've been drowning in
University work and haven't done much Switched On stuff.

My ideas:
- The two separate VPNs are the best idea, I guess. This is because,
unless we write some pretty advanced script, maintaining the firewall
list will be a small nightmare. The OpenVPN client supports multiple
"configurations" and I think it is not that much hassle at all.
- It is of course an idea to put a server in India, but I expect the
advantages in round-trip times are limited. Then it is of course a
matter of reliability: which server (UK or India) do you expect to have
more uptime (+ internet connectivity)? As separate VPNs are
actually two VPN configurations, it is also easy to put the support
VPN in India and the dev VPN in the UK.
- Related to that, it is maybe smart to put up so-called ALIAS domain
names for the VPNs. For example devvpn.switchedon.org and
supportvpn.switchedon.org. The advantage of this is that it is always
possible to move one service to another server without changing client
configurations.

- Key management: it of course doesn't matter where a server is to do
the key management. The team in India can do the key management on a
UK server and the other way around.

I hope to find time today or tomorrow to finish up the installer for
the configuration on Windows clients, but I'm not sure.

Regards,

Peter


Richard Newbould

Nov 30, 2009, 4:44:46 AM
to so-class2
Hi Pete,

Hope the Uni work has been going well!  All seem like sensible suggestions.

> - Related to that, it is maybe smart to put up so-called ALIAS domain
> names for the VPNs. For example devvpn.switchedon.org and
> supportvpn.switchedon.org. The advantage of this is that it is always
> possible to move one service to another server without changing client
> configurations.

On the present server we can only have a single IP address, and we'll have to use different ports for the two VPNs.  We can map multiple aliases to the same IP.  I'm looking into the best way to get aliases at present (the IP address is dynamic).  Will take a few days because of other things on.
 
Cheers,

Richard

Peter

Nov 30, 2009, 6:25:48 AM
to so-class2
On Nov 30, 11:44 am, Richard Newbould <richard...@googlemail.com>
wrote:
I was maybe not completely clear in explaining what I mean. Indeed, the
VPNs will be on different ports. However, at this moment we put in
the configuration files the dyndns hostname of the server in the UK.
If we want to avoid having to change the configuration on all clients
at a later stage, we would need to have a URL that is
independent of the server that is used now.
A DNS alias (also CNAME, http://en.wikipedia.org/wiki/CNAME_record) is
something that you can easily point to a different server later. For
now you would put for example
devvpn.switchedon.org. CNAME theukserver.dynamic.dns.
supportvpn.switchedon.org. CNAME theukserver.dynamic.dns.

When we then move one or both VPNs to be hosted in India we change
this to
devvpn.switchedon.org. CNAME theukserver.dynamic.dns.
supportvpn.switchedon.org. CNAME aserverinindia.dynamic.dns.

No changes for the clients are required as the URL of the server stays the
same.


> Cheers,
>
> Richard
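
An added example, not part of any post in this thread: a small lint for OpenVPN client profiles that checks the conventions discussed above, namely that every `remote` uses one of the alias names rather than the server's own dyndns hostname, and that the two VPNs use different ports. It assumes both VPNs share one server IP as described; the port numbers, CA file names and the separate-CA check are assumptions added for illustration.

```python
# Added example: lint OpenVPN client profiles against the conventions in this thread.
ALIASES = {"devvpn.switchedon.org", "supportvpn.switchedon.org"}  # alias names from the thread
DEFAULT_PORT = 1194  # OpenVPN's default port when a profile gives none

def parse_profile(text):
    """Return ([(host, port), ...], ca_path) for one client profile."""
    remotes, ca, port = [], None, DEFAULT_PORT
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0][0] in "#;":  # blank line or comment
            continue
        if tok[0] == "port" and len(tok) > 1:
            port = int(tok[1])
        elif tok[0] == "ca" and len(tok) > 1:
            ca = tok[1]
        elif tok[0] == "remote" and len(tok) > 1:
            host = tok[1].lower().rstrip(".")
            remotes.append((host, int(tok[2]) if len(tok) > 2 else None))
    return [(h, port if p is None else p) for h, p in remotes], ca

def lint(profiles):
    """profiles maps a profile name to its text; returns findings in name order."""
    findings, ports, cas = [], {}, {}
    for name in sorted(profiles):
        remotes, ca = parse_profile(profiles[name])
        for host, port in remotes:
            if host not in ALIASES:  # server-specific name: clients break on a move
                findings.append(f"{name}: remote {host} is not a stable alias")
            if ports.setdefault(port, name) != name:  # assumes one shared server IP
                findings.append(f"{name}: port {port} already used by {ports[port]}")
        if ca is not None and cas.setdefault(ca, name) != name:
            # Added assumption: each VPN has its own CA, so keys are not interchangeable.
            findings.append(f"{name}: shares CA file {ca} with {cas[ca]}")
    return findings

# Constructed sample profiles (ports and CA file names are made up for illustration).
GOOD = {
    "dev": "client\nremote devvpn.switchedon.org 1194\nca dev-ca.crt\n",
    "support": "client\nremote supportvpn.switchedon.org 1195\nca support-ca.crt\n",
}
BAD = {
    "dev": "client\nremote theukserver.dynamic.dns 1194\nca ca.crt\n",
    "support": "client\n; support profile\nremote supportvpn.switchedon.org\nca ca.crt\n",
}

if __name__ == "__main__":
    for finding in lint(BAD):
        print(finding)
```
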

Richard Newbould

Nov 30, 2009, 6:55:04 AM
to so-class2

> A DNS alias (also CNAME, http://en.wikipedia.org/wiki/CNAME_record) is
> something that you can easily point to a different server later. For
> now you would put for example
> devvpn.switchedon.org.        CNAME  theukserver.dynamic.dns.
> supportvpn.switchedon.org.        CNAME  theukserver.dynamic.dns.
>
> When we then move one or both VPNs to be hosted in India we change
> this to
> devvpn.switchedon.org.        CNAME  theukserver.dynamic.dns.
> supportvpn.switchedon.org.        CNAME  aserverinindia.dynamic.dns.
>
> No changes for the clients are required as the URL of the server stays the
> same.

I had forgotten that a CNAME could be another DNS name and didn't need to be an IP address.  This makes life a lot simpler.  I suggest creating the following aliases so they are easier to track in alphabetic listings as the aliases grow:
I'll try to get it done soon (assuming my net connection is not deathly slow).
Will also create separate CNAMEs for the various other VMs on the server while I'm at it.

Cheers!