Koozali.org: home of the SME Server

Moving the SME/GW/VPN to a new location with new IPs

dbaddour955
« on: January 05, 2022, 12:49:10 PM »
Good day all,
I am new to SME. I do have knowledge of Linux-based systems as well, but most of my certs are Microsoft.
I have inherited the SME from a previous employee, and he is retired.
Our office is moving from one location to a new one, with a new ISP provider, which means all new IP addresses from the net. I have 2 SME systems with only GW; one is used for Site-to-Site VPN and the other for User VPN.
My questions or concerns are these:
- Since it is only VPN/GW, how do I change the main external IP for the VPN? Especially for the user VPN, on the server it is well hidden. I believe the StoS can be done on the other location's server, and re-generate the files?
- Now with changing the IP, all users already have the config files from the previous setup; do I need to re-generate them and apply them to each user's system?
- We are using SME 9.2 with routed VPN.

Your help is much appreciated. This request may look basic to some, but as I said, I am not scared to learn something new and exciting.
Thank you

Jean-Philippe Pialasse
« Reply #1 on: January 05, 2022, 02:34:30 PM »
Changing IP:
It all depends on your current settings and new settings.
1- Is the first SME connected directly to the modem?
2- Is the modem acting as a transparent gateway or as a router?
3- Static IP or dynamic?
4- Cable, DSL?
5- Type of connection: static, DHCP, MAC address, PPPoE...
6- What about the 2nd SME: behind the first one, or behind another connection? Then the same questions 1 to 5 for the second SME.

New settings:
- Same ones with the same provider?
- Different?

VPN and regenerating config:
- Depends on whether a domain or an IP was used in it; most probably it is an IP, so yes.

Also, what version of SME are you using, SME9? If yes, time to upgrade.
If SME9, your certificates for the VPN might also be about to expire (about 10 years); then, as you are about to contact all your VPN users and update their config, you might want to do it once for the next 10 years.

You might get some of the information from the server-manager in check configuration, and the rest from your ISP (current and future).

dbaddour955
« Reply #2 on: January 05, 2022, 02:49:25 PM »
Changing IP:
It all depends on your current settings and new settings.
1- Is the first SME connected directly to the modem? We have a SonicWall that the 1st SME is connected to for our VPN.
2- Is the modem acting as a transparent gateway or as a router? It is a transparent gateway.
3- Static IP or dynamic? All static IPs.
4- Cable, DSL? Cable, but moving to a fiber connection with our new provider.
5- Type of connection: static, DHCP, MAC address, PPPoE... All connections are static.
6- What about the 2nd SME: behind the first one, or behind another connection? Then the same questions 1 to 5 for the second SME. For the second one it is the same as the first: the same, behind the SonicWall/GW.

New settings:
- Same ones with the same provider? Should be the same, but a totally different provider.
- Different?

VPN and regenerating config:
- Depends on whether a domain or an IP was used in it; most probably it is an IP, so yes. IP it is.

Also, what version of SME are you using, SME9? If yes, time to upgrade. We are using SME 9.2 now; we will upgrade for sure, we just want the site up and running with less downtime.
If SME9, your certificates for the VPN might also be about to expire (about 10 years); then, as you are about to contact all your VPN users and update their config, you might want to do it once for the next 10 years.

You might get some of the information from the server-manager in check configuration, and the rest from your ISP (current and future).

Jean-Philippe Pialasse
« Reply #3 on: January 05, 2022, 03:07:41 PM »
As root on the server CLI, this should give you more information on the definitive configuration:

config show ExternalInterface

To change it, unless you have something like Configuration=DHCPEthernetAddress, you will have to log in as admin or root on the server console directly, or from the LAN with ssh.

If logged in as root, run console.
If logged in as admin, it will run the console directly.
Then follow the directions after choosing 2 (configure this server).
You can check the wiki to see the different steps beforehand.

Edit: considering the SonicWall,
you should only have modifications to make on this firewall server, if everything stays the same in terms of network and both SMEs are behind this firewall with their own local IPs;
then just update your VPN info.
« Last Edit: January 05, 2022, 06:08:23 PM by Jean-Philippe Pialasse »

dbaddour955
« Reply #4 on: January 06, 2022, 01:50:47 PM »
Sounds great. Yes, I have done that,
just to find out it is behind a DMZ, so I believe that should be fine for the external IP. But for sure the config needs to be changed.
On the other hand, I may be going to install 2 brand new SME servers; I just got V10.0. The site-to-site is fine to install and easy to proceed with. Now, what is the best doc on how to install OpenVPN on the SME for user connections? It has to be routed connections.
Would you suggest going with that version, SME 10.0?

Thank you so much for your active responses.
Cheers

Jean-Philippe Pialasse
« Reply #5 on: January 06, 2022, 03:00:35 PM »
For laptops/desktops, OpenVPN bridge is better and easier to configure.

For iOS phones and tablets you have to go with routed, as iOS does not support OpenVPN bridge.

All is in our wiki, section contribs.

One last word: if you set a different port for the VPNs of your SME10 on your firewall (port forwarding), you could take the time to migrate your users without cutting off access for those not already migrated.

« Last Edit: January 06, 2022, 03:05:30 PM by Jean-Philippe Pialasse »

dbaddour955
« Reply #6 on: January 06, 2022, 03:57:04 PM »
Thank you so much, and good point about the forwarding.
I am all for bridge VPN and I believe I tested the install a few years ago. But my colleague argued with me about the security involved with bridge vs routed. What do you think about the security level?

Jean-Philippe Pialasse
« Reply #7 on: January 06, 2022, 04:16:59 PM »
As soon as you add a VPN, you need to be conscious that you are opening a door to your LAN.
If you use routed, you need to manually enter all the needed routing lines to allow access to specific resources (e.g. only a specific file server, or only a specific internal web server); if you do not, and just do a generic routing to allow access to the LAN, then you are no better off than simply bridging!

Security should rather emphasize who is given access, how they use their device, and that they contact you ASAP if the device is lost or compromised, in order to revoke the access key.
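
The contrast drawn in Reply #7 between per-resource routing lines and one generic LAN route, as an added example that is not part of the thread and not SME Server's own code. It audits the `push "route ..."` lines of a routed OpenVPN server config against an allowlist of hosts; the LAN 192.168.10.0/24, the host addresses, the sample configs and the name `audit_pushed_routes` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed OpenVPN server fragments (not from the thread). The LAN
# 192.168.10.0/24 and the two host addresses are assumed values.
GENERIC = '''
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
'''
SCOPED = '''
server 10.8.0.0 255.255.255.0
push "route 192.168.10.20 255.255.255.255"
push "route 192.168.10.30"
'''

PUSH_ROUTE = re.compile(r'^\s*push\s+"route\s+([^\s"]+)(?:\s+([^\s"]+))?[^"]*"')
REDIRECT = re.compile(r'^\s*push\s+"redirect-gateway\b')


def audit_pushed_routes(config_text, lan_cidr, allowed_hosts):
    """List pushed routes that expose more of the LAN than the allowlisted hosts."""
    lan = ipaddress.ip_network(lan_cidr)
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    findings = []
    for line in config_text.splitlines():
        if REDIRECT.match(line):
            findings.append("redirect-gateway: all client traffic, LAN included, uses the tunnel")
            continue
        m = PUSH_ROUTE.match(line)
        if not m:
            continue
        mask = m.group(2) or "255.255.255.255"  # netmask defaults to a host route
        net = ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)
        if not net.overlaps(lan):
            continue  # route does not touch the LAN being audited
        if lan.subnet_of(net):
            findings.append(f"{net} covers the whole LAN: no tighter than bridging")
        elif net.num_addresses > 1 or net.network_address not in allowed:
            findings.append(f"{net} is not limited to an allowlisted host")
    return findings


# Pushed routes only tell the client what to send into the tunnel; forwarding
# rules on the server must restrict traffic to the same hosts to enforce it.
if __name__ == "__main__":
    hosts = ["192.168.10.20", "192.168.10.30"]
    for name, cfg in (("generic", GENERIC), ("scoped", SCOPED)):
        print(name, audit_pushed_routes(cfg, "192.168.10.0/24", hosts) or "ok")
```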


dbaddour955
« Reply #8 on: April 04, 2022, 12:43:31 PM »
Good day,
So now both SMEs are on the latest version, using Site-to-Site between the 2 offices, up until now. One office moved to a new location and had to get a different internet provider, so now we only have one-way communication. That office can access the other office's network fine, but the other office cannot ping or access any of that site's resources, not even a ping.
Any idea? Does the cert need to be redone on both sites to enable it, or am I missing something?
Thank you, from a new guy with SME.



Jean-Philippe Pialasse
« Reply #9 on: April 04, 2022, 01:22:35 PM »
Have you updated your existing configuration or created a new one? Or have you just set up site-to-site for the first time?

What do your logs say on both sides?

dbaddour955
« Reply #10 on: April 04, 2022, 01:29:19 PM »
I have to say, you are a good person. Quick reply.
What I have is Office1 and Office2. Office2 moved to a new location with a new IP address. The Site-to-Site was already installed and working until we moved to the new location. Now Office2 can access Office1, but Office1 cannot, not even a ping.
Both of the SMEs are behind SonicWall; the only config change made was changing the SonicWall IP in Office2. I was assuming nothing else should change as long as the SonicWall knows. No config changes on the SMEs.
I will get the logs; I am waiting on someone to wake up at the other office so I can access it, as I don't have access now.

Jean-Philippe Pialasse
« Reply #11 on: April 04, 2022, 04:12:23 PM »
I guess the client is office2 and the server is office1 in the respective GUI of s2s.

Again, check the logs. They are in /var/log/openvpn-s2s

Any other changes in terms of the office2 LAN?
Is the office2 SME server-only or gateway?

Is the LAN subnet in office2 the same as before, or has it changed? If it has changed, you have to update it in the office1 s2s configuration.

dbaddour955
« Reply #12 on: April 05, 2022, 12:19:34 PM »
I cannot thank you enough for your assistance and help.
After much digging into the issue, I found out that the ISP provider had installed a couple of their modems with wireless capability on both; having said that, the DHCP of course was enabled on both, causing the issue with the internal network for Office2 (both offices are in remote locations from where I am). As soon as I was able to access both of these modems and shut down the wireless, the network was working smoothly.
Panic moment for sure, since no configuration changes were made on either side besides the external IPs.
Again, thank you for all of your responses and help.

Cheers

TerryF
« Reply #13 on: April 05, 2022, 01:33:48 PM »
Nice resolution, your work vindicated, :-) it was the other bastards :-)
--
qui scribit bis legit