Koozali.org, home of the SME Server

Moving the SME/GW/VPN to a new location with new IPs

dbaddour955
« on: January 05, 2022, 12:49:10 PM »
Good Day all,
I am new to the SME. I do have knowledge of Linux-based systems as well, but most of my certs are Microsoft.
I have inherited the SME from a previous employee, and he is retired.
Our office is moving from one location to a new one, with a new ISP provider, which means all new IP addresses from the net. I have 2 SME systems with only GW; one is used for site-to-site VPN and the other for user VPN.
My question or concern is this:
- Since it is only VPN/GW, how do I change the main external IP for the VPN? Especially for the user VPN, on the server it is well hidden. I believe the StoS can be done on the other location's server, and re-generate the files??

- Now with changing the IP, for all users that already have the config files from the previous setup, do I need to re-generate them and apply them to each user's system?
- We are using SME 9.2 with routed VPN....

Your help is much appreciated. This request may look basic for some, but as I said, I am not scared to learn something new and exciting.
Thank you

Jean-Philippe Pialasse (aka Unnilennium)
Re: Moving the SME/GW/VPN to a new location with new IPs
« Reply #1 on: January 05, 2022, 02:34:30 PM »
changing IP:
all depends on your current setting and new setting....
1- is the first SME connected directly to the modem?
2- is the modem acting as transparent gateway or acting as router...
3- static IP or dynamic?
4- cable, DSL
5- type of connection: static, dhcp, mac address, pppoe...
6- what about the 2nd SME: behind the first one, behind another connection, then same questions 1 to 5 for the second SME

new settings:
- same one with same provider ?
- different ?

VPN and regenerate config:
- depends if a domain was used in it or IP, most probably it is an IP so yes.


also, what version of SME are you using, SME9? if yes, time to upgrade....
If SME9, also your certificates for VPN might be about to expire (about 10 years), so as you are about to contact all your VPN users and update their config, you might want to do it once for the next 10 years....


you might get some of the information from the server-manager in check configuration and other from your ISP (current and future)
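
Whether existing client profiles have to be reissued depends on what their remote line holds, as the reply above says. The following is an added example, not part of the thread: a POSIX shell check that classifies the remote endpoint of OpenVPN client profiles and rewrites a pinned IP to a new endpoint. The function names, sample profiles and addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find OpenVPN client profiles pinned to an IP literal.
# Function names, file names and addresses below are constructed.

# Print "<kind> <host> <port>" per remote directive; kind is ip or name.
list_remotes() {
    awk '$1 == "remote" {
        kind = "name"
        if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $2 ~ /:/) kind = "ip"
        port = ($3 == "" ? "-" : $3)   # "-" when the port is set elsewhere
        print kind, $2, port
    }' "$1"
}

# Succeeds when at least one remote is an IP literal (breaks on an IP change).
needs_reissue() {
    list_remotes "$1" | grep -q '^ip '
}

# Write the profile to stdout with remote host $1 replaced by $2.
retarget() {
    awk -v old="$1" -v new="$2" \
        '$1 == "remote" && $2 == old { $2 = new } { print }' "$3"
}

# Constructed sample profiles (documentation address ranges).
PROFILES=$(mktemp -d)
cat > "$PROFILES/alice.ovpn" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
# remote 198.51.100.7 1194
EOF
cat > "$PROFILES/bob.ovpn" <<'EOF'
client
dev tun
remote vpn.example.org 1194
EOF

for p in "$PROFILES"/*.ovpn; do
    if needs_reissue "$p"; then
        echo "$(basename "$p"): pinned to an IP, reissue or retarget"
    else
        echo "$(basename "$p"): uses a DNS name, update the DNS record"
    fi
done
```

Profiles that point at a DNS name survive a later address change without being touched on every user's machine.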

dbaddour955
Re: Moving the SME/GW/VPN to a new location with new IPs
« Reply #2 on: January 05, 2022, 02:49:25 PM »
changing IP:
all depends on your current setting and new setting....
1- is the first SME connected directly to the modem? we have a SonicWall that the 1st SME is connected to for our VPN
2- is the modem acting as transparent gateway or acting as router... it is a transparent gateway
3- static IP or dynamic? all static IP
4- cable, DSL... cable, but moving to a fiber connection with our new provider
5- type of connection: static, dhcp, mac address, pppoe... all connections via static
6- what about the 2nd SME: behind the first one, behind another connection, then same questions 1 to 5 for the second SME. the second one is the same as the first, the same behind the SonicWall/GW

new settings:
- same one with same provider ? should be the same but different provider totally.
- different ?

VPN and regenerate config:
- depends if a domain was used in it or IP, most probably it is an IP so yes. IP it is


also, what version of SME are you using, SME9? if yes, time to upgrade.... Using SME9.2 now, we will upgrade for sure, just want the site up and running with less downtime.
If SME9, also your certificates for VPN might be about to expire (about 10 years), so as you are about to contact all your VPN users and update their config, you might want to do it once for the next 10 years....


you might get some of the information from the server-manager in check configuration and other from your ISP (current and future)

Jean-Philippe Pialasse (aka Unnilennium)
Re: Moving the SME/GW/VPN to a new location with new IPs
« Reply #3 on: January 05, 2022, 03:07:41 PM »
as root on the server CLI, this should give you more information on the definitive configuration

config show ExternalInterface

to change, unless you have something like Configuration=DHCPEthernetAddress, you will have to log in as admin or root to the server console directly, or from the LAN with ssh

if logged in as root, run console
if logged in as admin, it will run the console directly
then follow the directives after choosing 2 configure this server.
you can check the wiki to see the different steps before

edit: considering the SonicWall
you should only have modifications to do on this firewall server, if all stays the same in terms of network, and both SME are behind this firewall with their own local IP behind this firewall
then just update your VPN info
« Last Edit: January 05, 2022, 06:08:23 PM by Jean-Philippe Pialasse »

dbaddour955
Re: Moving the SME/GW/VPN to a new location with new IPs
« Reply #4 on: January 06, 2022, 01:50:47 PM »
Sounds great, yes I have done that...
just to find out it is behind a DMZ, so I believe that should be fine for the external IP. But for sure the config needs to be changed.
On the other hand, I may be going to install 2 brand new SME servers, just got the V10.0. The site-to-site is fine to install and easy to proceed. Now, what is the best doc on how to install OpenVPN on the SME for user connections? It has to be routed connections.
Would you suggest going with that version of SME 10.0?

Thank you so much for your active responses
Cheers

Jean-Philippe Pialasse (aka Unnilennium)
Re: Moving the SME/GW/VPN to a new location with new IPs
« Reply #5 on: January 06, 2022, 03:00:35 PM »
for laptop/desktop, OpenVPN bridge is better and easier to configure


for iOS phones and tablets you have to go with routed, as iOS does not support OpenVPN bridge.

all is in our wiki, section contribs

one last word: if you set a different port for the VPNs of your SME10 on your firewall (port forwarding), you could take the time to migrate your users without cutting the access of those not already migrated.

« Last Edit: January 06, 2022, 03:05:30 PM by Jean-Philippe Pialasse »

dbaddour955
Re: Moving the SME/GW/VPN to a new location with new IPs
« Reply #6 on: January 06, 2022, 03:57:04 PM »
Thank you so much, and good point about the forwarding..
I am all for bridge VPN and I believe I tested the install a few years ago, but my colleague argued with me about the security involved with bridge vs routed. What do you think about the security level?

Jean-Philippe Pialasse (aka Unnilennium)
Re: Moving the SME/GW/VPN to a new location with new IPs
« Reply #7 on: January 06, 2022, 04:16:59 PM »
as long as you add a VPN, you need to be conscious that you open a door to your LAN.
if you use routed, you need to manually enter all the needed routing lines to allow access to specific resources (e.g. only a specific file server, or only a specific internal webserver); if you do not and just do a generic routing to allow access to the LAN, then you are no better than simply bridging!


Security should rather put the emphasis on who is given access, how they use their device, and that they contact you ASAP when the device is lost or compromised, in order to revoke the access key.
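
The difference between per-resource routing and a generic LAN route, described in the last reply, shows up in the routes a routed OpenVPN server pushes to its clients. The following is an added example, not part of the thread: a POSIX shell check that reports whether a server config pushes host routes or a whole network. The function names, sample configs and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what a routed OpenVPN server pushes to its clients.
# Function names, file names and addresses below are constructed.
# Pushed routes only shape the client's routing table; the gateway's
# forwarding/firewall rules are what actually restrict access.

# Print "<scope> <network> <netmask>" per pushed route.
# scope: host (/32), subnet (anything wider), all (redirect-gateway).
pushed_routes() {
    awk '$1 == "push" {
        gsub(/"/, "")                 # drop quotes; awk re-splits the fields
        if ($2 == "route") {
            # OpenVPN treats a route without a netmask as a single host
            mask = ($4 == "" ? "255.255.255.255" : $4)
            scope = (mask == "255.255.255.255" ? "host" : "subnet")
            print scope, $3, mask
        } else if ($2 == "redirect-gateway") {
            print "all", "0.0.0.0", "0.0.0.0"
        }
    }' "$1"
}

# Succeeds when the config hands clients a whole network rather than hosts.
exposes_network() {
    pushed_routes "$1" | grep -Eq '^(subnet|all) '
}

# Constructed sample server configs.
CONFS=$(mktemp -d)
cat > "$CONFS/generic.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
EOF
cat > "$CONFS/scoped.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.20 255.255.255.255"
push "route 192.168.1.30"
EOF

for c in "$CONFS"/*.conf; do
    if exposes_network "$c"; then
        echo "$(basename "$c"): whole network reachable, comparable to bridging"
    else
        echo "$(basename "$c"): host routes only"
    fi
done
```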