
Hey friends, want me to tell you the story of when I connected a client company’s branches to their main plant? Sounds like quite an adventure, doesn’t it?
In the last post we were implementing our small architecture to run Odoo on the intranet, it’s time to share it between branches :D
Dynamic IP to Static (Skip if you already have Static IP)
First challenge to solve, in all sites we have dynamic IPs since it’s an SME, with more S than ME, so we use Telmex internet, the 300 pesos one. The good thing is DuckDNS.org exists, which will help us have our static IP for an uninterrupted connection every time the power goes out or the router restarts. [You can pay for NoIP, DynDNS, etc.]
We create our DuckDNS account, and create our first sub-domain

My advice is, PRIVACY above all, don’t put CompanyBranchA, remember it’s a service that will use your real public IP. My advice, use a hash, for example 3d244f40a6b.duckdns.org; here you’ll need as many subdomains as branches you want to connect, for this exercise just two.
Branch A IP: 3d244f40a6b.duckdns.org
Branch B IP: 3a5c4bede38.duckdns.org
We create our sub domains and then, in the top menu of the page we select “Install”, below the duck, in the Routers section we choose “EdgeRouter”, then, where it says “First step …” you select your first domain, and in green letters it will give you the data:

Save that data well. In your EdgeRouter, in the configuration go to the Services > DNS section, place the information as follows and save:

Obviously fill it with your domain and your token; leave the Web, Login and Server as in the image above and click save. Repeat this for each branch or router where it’s necessary to make the connection.
You can test by pinging and it should respond with your public IP.
ping 3d244f40a6b.duckdns.org
Another method is to use the CLI terminal or if you know how to connect via SSH to your EdgeMax router

Connect Branches
First, branch A. This is our main branch: the cool one, the mother hen; here live the databases we want to share, web services, VMs, whatever you want!
In this case, branch A uses a Ubiquiti EdgeRouter 4.
We go to: your_router_ip/#Vpn/IPSec and we’ll see the following box:
BRANCH A

In Peer or Remote Gateway (1) put the public IP or dynamic DNS of the branch you want to connect, in this case B. Here we’ll put as many peers (branches or routers) as we want to connect. In our case it will be the subdomain:
Peer = Branch B, IP: 3a5c4bede38.duckdns.org
In Description (2) I’ll put something like connection A to B.
Local IP or Local WAN IP (3) is the LOCAL or Private address of the router, for example 192.168.1.1.
Pre-shared secret (4) is the secret that authenticates the two ends of our VPN, so make sure to use something long and random (a hex string of the kind a hash like SHA256 produces), for example: fd889c28184cbcbac87e. The same value has to go on every router you join to the tunnel.
Local Subnet (5) is where our services will be on the LOCAL network, for example, a file server at 192.168.1.100, or a web server at 192.168.1.200, you get it, we’ll place the segment here, for example 192.168.1.0/24 but you can use only a pre-established range.
Remote Subnet (6) is the LOCAL network segment of the REMOTE branch, not a single address. In this case that router is at 192.168.2.1, so its segment is 192.168.2.0/24.
Local and Remote subnet must be different. For example NOT 192.168.1.0/24 in both.
In Peer goes the public IP, everything else is local configuration. From there you can organize your network as you prefer.
—
BRANCH B

Branch B will be similar to branch A, only with quite intuitive changes.
The Peer (1) will be the public IP of branch A. In our case:
Branch A IP: 3d244f40a6b.duckdns.org
Description (2) is the same, something quite clear, connection B to A.
Local IP (3) is the local address of your router B, in this case 192.168.2.1
Pre-shared secret (4) is the same in all routers we want to join: 101fbc01574f380f8590f5e3e08cac86f14998da
Local Subnet (5) will be our local network segment, in this case 192.168.2.0/24
Remote Subnet (6) is 192.168.1.0/24 which is the branch we want to connect to.
—
We’re almost done, we must allow traffic through the ports and protocol used by IPSec on all routers we want to join to our VPN: ports 500 and 4500 UDP, and the ESP protocol. You can do it visually from the GUI, or open the CLI tool or connect via SSH. The commands are as follows in the terminal:
configure
# Allow UDP 500 (IKE)
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow IKE'
set firewall name WAN_LOCAL rule 10 protocol udp
set firewall name WAN_LOCAL rule 10 destination port 500
# Allow UDP 4500 (NAT-T)
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'Allow NAT-T'
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 destination port 4500
# Allow ESP (IPSec protocol 50)
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Allow ESP'
set firewall name WAN_LOCAL rule 30 protocol esp
commit
save
exit
Remember that if you have a modem from your internet provider, you must put it in bridge mode, or open those ports and protocols as well, or put your EdgeMAX router address in DMZ mode.
Finally, if you followed the steps, within your router’s terminal you write:
show ip route # In A it will show you something like 192.168.2.0/24 via vpn ...
show vpn ipsec sa # Security associations, if you see something like INSTALLED and connected packets the tunnel is working.
… and from B [192.168.2.0/24] you could now do something like \\192.168.1.100 [Shared resource from A]. Ping between branches, verifying that ICMPv4 (ping) is allowed both in the router firewall and in the server firewalls, etc.
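Before touching the two routers, it is worth cross-checking the six form values for A and B against each other and confirming the WAN_LOCAL rules cover what IPsec needs; most "the tunnel never comes up" cases are a mismatched secret, a non-mirrored subnet pair, or a missing NAT-T rule. The script below is an added example, not part of the original post or an EdgeOS tool. The branch dictionaries, the MIN_PSK_CHARS floor and the DuckDNS names reuse the post's values as constructed sample input; the firewall text is the post's own set of commands, fed in as a string.

```python
"""Pre-flight check for a two-branch EdgeRouter IPsec plan (added example)."""
import ipaddress
import re
import secrets

# Constructed branch plans mirroring the six fields of the EdgeRouter IPsec form.
SHARED_PSK = "101fbc01574f380f8590f5e3e08cac86f14998da"   # sample value only
BRANCH_A = {
    "name": "A",
    "peer": "3a5c4bede38.duckdns.org",   # (1) the OTHER branch's DDNS name
    "local_ip": "192.168.1.1",           # (3) this router's LAN address
    "psk": SHARED_PSK,                   # (4) must match on every router
    "local_subnet": "192.168.1.0/24",    # (5)
    "remote_subnet": "192.168.2.0/24",   # (6)
}
BRANCH_B = {
    "name": "B",
    "peer": "3d244f40a6b.duckdns.org",
    "local_ip": "192.168.2.1",
    "psk": SHARED_PSK,
    "local_subnet": "192.168.2.0/24",
    "remote_subnet": "192.168.1.0/24",
}
MIN_PSK_CHARS = 20  # assumption: a floor for a random secret, not an EdgeOS rule


def new_psk(nbytes=32):
    """A PSK is a random secret, not a hash: draw it from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def _network(value, field, problems):
    """Parse a subnet field; a bare host address (no prefix) is flagged."""
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        problems.append(f"{field}: {value!r} is not a valid network ({exc})")
        return None
    if "/" not in value:
        problems.append(f"{field}: {value!r} is a single host, give the whole segment")
    return net


def check_branch(b):
    """Checks that can be made from one branch's form alone."""
    p, tag = [], f"branch {b['name']}"
    local = _network(b["local_subnet"], f"{tag} local subnet", p)
    remote = _network(b["remote_subnet"], f"{tag} remote subnet", p)
    if local and remote and local.overlaps(remote):
        p.append(f"{tag}: local {local} and remote {remote} overlap")
    if local and ipaddress.ip_address(b["local_ip"]) not in local:
        p.append(f"{tag}: local IP {b['local_ip']} is not inside {local}")
    if len(b["psk"]) < MIN_PSK_CHARS:
        p.append(f"{tag}: pre-shared secret shorter than {MIN_PSK_CHARS} characters")
    return p


def check_pair(a, b):
    """Cross-checks: the two forms must mirror each other and share one secret."""
    p = check_branch(a) + check_branch(b)
    if a["local_subnet"] != b["remote_subnet"] or b["local_subnet"] != a["remote_subnet"]:
        p.append("local/remote subnets of A and B do not mirror each other")
    if a["psk"] != b["psk"]:
        p.append("pre-shared secrets differ: IKE authentication will fail")
    if a["peer"] == b["peer"]:
        p.append("both forms point at the same peer: each must name the other branch")
    return p


# The WAN_LOCAL rules from the post, as text input for the rule check.
FIREWALL_CMDS = """
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow IKE'
set firewall name WAN_LOCAL rule 10 protocol udp
set firewall name WAN_LOCAL rule 10 destination port 500
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'Allow NAT-T'
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 destination port 4500
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Allow ESP'
set firewall name WAN_LOCAL rule 30 protocol esp
"""
RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (\S+)(?: (.*))?$")
# (protocol, destination port) pairs IPsec needs on the WAN side; ESP has no port.
IPSEC_NEEDS = {("udp", "500"), ("udp", "4500"), ("esp", None)}


def parse_rules(text):
    """Fold 'set firewall name X rule N key value' lines into one dict per rule."""
    rules = {}
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        ruleset, num, key, rest = m.groups()
        rest = (rest or "").strip("'")
        if key == "destination":          # 'destination port 500' -> destination_port
            sub, _, rest = rest.partition(" ")
            key = f"{key}_{sub}"
        rules.setdefault((ruleset, int(num)), {})[key] = rest
    return rules


def missing_ipsec_rules(rules, ruleset="WAN_LOCAL"):
    """Return the required accept rules that are absent from the ruleset."""
    allowed = {(r.get("protocol"), r.get("destination_port"))
               for (name, _), r in rules.items()
               if name == ruleset and r.get("action") == "accept"}
    return IPSEC_NEEDS - allowed


if __name__ == "__main__":
    problems = check_pair(BRANCH_A, BRANCH_B)
    print("plan OK" if not problems else "\n".join(problems))
    missing = missing_ipsec_rules(parse_rules(FIREWALL_CMDS))
    print("firewall OK" if not missing else f"missing rules: {missing}")
    print("fresh PSK for both routers:", new_psk())
```

Run it once with your real values substituted into BRANCH_A and BRANCH_B; a remote subnet typed as a host address (192.168.2.1 instead of 192.168.2.0/24) or a secret copied differently on the two routers is reported before you commit anything. The firewall check only reads `set` lines, so you can paste the output of `show configuration commands | match WAN_LOCAL` straight into FIREWALL_CMDS.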
I hope you find this information useful. It has been simplified to cover the basics.