Multiple Sites without VPN
-
Hello guys!
I’ve already searched through this forum for a “best practice” to have an image repository on a remote site and a FOG server on the main site. In our setup there isn’t any VPN or similar between those sites, just the internet. Our goal with this solution would be that we can store the images locally on the remote sites and the brain with the MySQL database is the main FOG server. We don’t want any “intelligence” on the remote site. PXE boot also on the main site and not on the remote site. I assume I’m gonna need the Location plugin.
Specs:
- Images can be on main and remote site (manage with “Storage Groups”)
- Remote site: between 5-50 users/computers
Thanks for any help in advance.
-
If you had a site-to-site VPN with full routing, then I would say “Sure, no problem, that is how FOG can be configured”.
You can probably set it up the way you wanted as long as the FOG server, storage node and all clients have public IP addresses. But that is a big risk in itself and I would not recommend you set it up that way.
Let’s assume you are using some kind of firewall at each location that is masking the clients on each end behind NAT, right? (Each site has clients with private addresses like 192.168.1.x hidden behind its public [internet] IP address. Is that how you have things set up?)
-
@Silv4n You’d need to open way too many ports between those two sites for FOG to be able to work. I don’t recommend doing this!!
FOG was not created with the intention of being set up fully open on a public IP. I’d recommend you create a simple VPN tunnel between sites using OpenVPN or similar tools.
-
@george1421 Do I understand this correctly, the clients would also need a public IP? And yes, there is a NAT on these firewalls.
-
@Sebastian-Roth Would the clients also need to be in this VPN, or could it also just be between the FOG servers?
-
@Silv4n said in Multiple Sites without VPN:
@george1421 Do I understand this correctly, the clients would also need a public IP? And yes, there is a NAT on these firewalls.
OK, so let’s go down this path. Your firewalls are using NAT. Does each site have its own internal IP addresses (i.e. you don’t have duplicate IP address ranges at any remote site)? If you do have duplicate addresses this will make routing very difficult.
Second question, just to understand the context: are you an MSP offering imaging to your customers? (I only care to ensure we look at the right options.)
-
@george1421 Yes, all ranges are different, and also yes, that’s why we can’t really make a full-blown VPN between these sites.
-
@Silv4n Is the second yes in regards to the MSP question?
-
@george1421 Yes, we have different customers, some with on site servers and some with servers in our dc. But this thread is mostly for the ones who have hardware and support from us.
-
@Silv4n OK, gotcha. One last question (I should have asked in the previous go-around): How do you manage the clients remotely? Do you offer remote support with TeamViewer or such? My question is around how you remotely interact with the users and systems at the remote site.
If needed, would/could your customers set up a port forwarding rule in their firewall to forward communication from your site to a single host at their site?
While we don’t have a configuration for this type of setup just yet, I’ve been thinking about this setup for a proof of concept for a while now. I want to see if your use case fits with what I have been thinking about. That is why the 20 questions game at the moment.
-
@george1421 We have remote access to the servers (which then have access to the clients), as well as TeamViewer if needed on the clients.
Yes, a port forwarding rule would be possible.
OK, would it currently be possible to just have an OpenVPN tunnel between the FOG servers, or do the clients communicate directly with the master instead of the storage node?
-
@Silv4n OK, here goes.
First you will need a full FOG server at each location. It’s probably best that way for a few reasons (not having full routing is a major one).
- Customer data isolation.
- You can only capture images to FOG Master nodes. Storage nodes are deploy only.
- If you need to use the FOG Client service then the FOG clients only reach out to the FOG Master server for tasks and instructions. They can download the install files from the local storage node, but they get their direction from the Master FOG server.
Now, if you have remote access into the servers, then you could just access the customer’s FOG server UI via your current remote desktop connection tool. Since you have remote access, that is all you would need. Each FOG server at each customer’s site would function standalone. There is no special configuration needed. You could install dnsmasq on your remote FOG servers so all you would have to do is just drop a FOG server package at the remote site and not need to configure anything in the customer’s network (unless they had multiple subnets or some kind of BOOTP conflict like with existing VoIP phones).
If you didn’t have remote desktop access then this is the solution I was considering.
So the idea is to use OpenVPN to allow remote access to the customer’s FOG server. You would install OpenVPN on the remote FOG server and then have it phone home to your OpenVPN server running at HQ. This would then give you the ability to interact with the remote FOG server over your secure VPN tunnel. The VPN tunnel would only connect your end point node (could be a Windows computer) with the remote FOG server. If you had the remote FOG server initiate the VPN tunnel then you wouldn’t need any configuration at the remote site for port forwarding. OpenVPN communicates over a single port that functions well in a NAT’d environment.
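One way to realise the phone-home tunnel described in the post above, as an added example configuration that is not from this thread or from the FOG project. The hostname, certificate names, file paths and the 10.8.0.0/24 tunnel range are assumptions; the design point is that the remote FOG server dials out, only the tunnel subnet is exchanged (no site routes are pushed), and customers’ servers are pinned to fixed tunnel addresses without being able to reach each other.

```conf
# --- HQ side: /etc/openvpn/server/hq.conf (paths and names are assumptions) ---
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0        # tunnel-only subnet; no customer or HQ LAN routes are pushed
ca        /etc/openvpn/pki/ca.crt
cert      /etc/openvpn/pki/hq.crt
key       /etc/openvpn/pki/hq.key
dh        /etc/openvpn/pki/dh.pem
tls-crypt /etc/openvpn/pki/ta.key    # shared control-channel key: unauthenticated packets are dropped early
remote-cert-tls client               # only certificates issued with the client role may connect
cipher AES-256-GCM
keepalive 10 120
client-config-dir /etc/openvpn/ccd   # one file per customer, named after the client cert CN
# 'client-to-client' is deliberately absent: customer A's FOG server cannot reach customer B's
user nobody
group nogroup
persist-key
persist-tun
verb 3

# --- HQ side: /etc/openvpn/ccd/customer-a-fog (file name = that client's cert CN) ---
ifconfig-push 10.8.0.11 255.255.255.0   # customer A's FOG UI is always reachable at 10.8.0.11

# --- Remote site: /etc/openvpn/client/hq.conf on the customer's FOG server ---
client
dev tun
proto udp
remote vpn.hq.example.com 1194       # outbound only, so no port forward is needed at the customer
resolv-retry infinite                # keep retrying DNS/connection after an outage
nobind
ca        /etc/openvpn/pki/ca.crt
cert      /etc/openvpn/pki/customer-a-fog.crt   # CN=customer-a-fog, one cert per site
key       /etc/openvpn/pki/customer-a-fog.key
tls-crypt /etc/openvpn/pki/ta.key
remote-cert-tls server               # refuse to phone home to anything but the HQ server cert
cipher AES-256-GCM
route-nopull                         # ignore any pushed routes: the tunnel never extends into the customer LAN
persist-key
persist-tun
verb 3
```

Your admin workstation at HQ reaches 10.8.0.11 through the HQ OpenVPN host, so enable IP forwarding there and allow only the admin subnet into the tun interface. Revoking one customer’s client certificate (crl-verify on the HQ side) is then all that is needed to cut that site off.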
-
@george1421 Okay, thank you very much for your thorough response, I’m gonna think about it.