The moving parts:
1 Digital Ocean "droplet" running Linux with OpenVPN server
4+ Raspberry Pi 3 (to be) configured as VPN clients connected to above via their WiFi port. Via Ethernet, connected to...
2-10 devices of various types per location with static IPs
All this needs to "plug in" via WiFi to any basic consumer-grade router.
The objective: all devices, in all locations "see" each other as if they're local. Internet traffic from these devices (which will be minimal) can be NAT'd and sent through the residential router or through the OpenVPN server - it doesn't much matter. So long as everything inside the VPN can ping each other regardless of location, and have some Internet access, we're good. (And obviously things on the VPN don't see the devices on the home network, and vice versa).
Normally I'd just say "have anything that needs to be on the VPN run OpenVPN as a client" and call it good. Enable the client-to-client setting on the server, no big deal. But some of the hardware involved isn't smart enough to run the client side of a VPN, so we need something to do that for them. RPis are cheap, modular, and should do the job fine.
Here's how I see it:
ISP <---> (public IP) Home Router (192.168.x.y) <----WiFi----> (192.168.x.z WiFi adapter) (172.16.a.b VPN address) RPi (172.16.a.c Ethernet port) <----Cheap Switch---> (172.16.a.d) Misc. Device
(I figure Class B is more rarely used in residential settings so it will be easily distinguishable, and has the advantage of being able to set a different "a" for each site, making it really easy to read. 172.16.site#.dev#)
My gut tells me it's not going to be as simple as just setting up OpenVPN on the RPi and telling it to bridge the two adapters. Maybe I'm wrong. But I'm hoping someone out there has done this before, or at least knows enough to know what I need to do to make this work right the first (or at least within single-digit tries) time.
The story behind this: My friend and I have been running a small IT consulting firm for a couple years now. Business is starting to pick up and we're getting requests for more and more work that either we don't have time for ourselves, or is outside our particular wheelhouses. Enter a few subcontractors, most of whom are remote and/or simply prefer working from the comfort of their own homes. That's cool, I work from home so I understand how it goes. The conundrum is that we want to be able to send them equipment that we own, or that a client owns, for testing, fixing, whatever and have that equipment be able to talk with our equipment all on the same network. I could host the VPN at my house (and have been up till now) but we're expanding beyond the circle of people I know and trust well enough to know they won't try messing with my home PCs when everything is on the same network. So we need to be able to insulate a few machines at each location so that they're all on one big (geographically) VPN, everyone has privacy (and so do our clients). If Joe Subcontractor visits bad websites on his home PC and gets some spyware, I don't want that PC poking its nose around a client's new thingamajig we're being paid to test.
To make matters more interesting, we need this all to work with enough simplicity that even a graphic designer can set it up. (No offense to graphic designers, I'm just kidding.) But seriously, not everyone knows their way around iptables (I can manage to not get lost, but I'm no expert). I want to ship them a RPi where all they have to do is input the WiFi SSID and password and it just works - anything plugged into the Ethernet port is on the VPN, visible to anything else on the VPN and vice-versa.
So what do you think? Am I over-complicating it? Am I overlooking something? Help me out here. The first batch of Pis arrives on Friday and I'd need to have them ready to go before Christmas if at all humanly possible. My current plan is bridge eth0 (or whatever) to the adapter created by OpenVPN and set the default gateway as the OpenVPN server - that feels less stupid than my other ideas, but I still think I'm missing something.
I originally posted on the Tech Support Forum and got nothing but crickets... hopefully the community here is a bit livelier.
Edited by Spektyr, 14 December 2017 - 07:13 AM.
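The following is an added example and not part of the post above or of any OpenVPN project code. It writes out the routed (tun) version of the 172.16.site#.dev# layout the poster sketches: the droplet's server.conf learns which client owns each 172.16.<site>.0/24 via a `route` plus a per-client `iroute`, and the Pi at each site becomes the default gateway for whatever is plugged into its Ethernet port, with a default-deny FORWARD chain so VPN devices never see the household LAN and the household never sees them. A true Layer-2 bridge (eth0 bridged to the tunnel, as the post proposes) would instead require `dev tap` on both ends and a br0 on the Pi; routed mode avoids that and is what these fragments assume. Everything below that the post does not state is an assumption: tun mode, a 172.16.0.0/24 transit network for tunnel addresses (so sites number 1 and up), interface names wlan0/eth0 on the Pi, and the ccd file being named after each Pi's certificate common name.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the OpenVPN server-side
# and Pi-side fragments for a routed 172.16.<site>.0/24-per-site VPN.
# Assumptions (not in the post): tun mode, transit net 172.16.0.0/24,
# Pi interfaces wlan0 (uplink to home router) and eth0 (the site devices).

TRANSIT_NET="172.16.0.0"        # assumed tunnel-address pool ("site 0")
TRANSIT_MASK="255.255.255.0"

# Network address of a site's LAN: 172.16.<site>.0
site_lan() {
    echo "172.16.$1.0"
}

# Address the Pi takes on eth0; devices at the site use it as default gateway.
site_gateway() {
    echo "172.16.$1.1"
}

# server.conf on the droplet. One 'route' per site puts that LAN into the
# server's kernel table via tun; the single pushed summary route sends all of
# 172.16.0.0/16 into the tunnel on every Pi, where each Pi's own eth0 /24 is
# more specific and therefore still wins locally.
server_conf() {
    printf 'dev tun\n'
    printf 'server %s %s\n' "$TRANSIT_NET" "$TRANSIT_MASK"
    printf 'client-to-client\n'
    printf 'client-config-dir /etc/openvpn/ccd\n'
    printf 'push "route 172.16.0.0 255.255.0.0"\n'
    for s in "$@"; do
        printf 'route %s 255.255.255.0\n' "$(site_lan "$s")"
    done
}

# Contents of /etc/openvpn/ccd/<common-name> for the Pi at a given site.
# 'iroute' tells OpenVPN (not the kernel) which connected client owns the LAN;
# the server 'route' and this 'iroute' must name the same network/mask.
ccd_entry() {
    printf 'iroute %s 255.255.255.0\n' "$(site_lan "$1")"
}

# Commands to run on the Pi at a site. FORWARD is default-deny: eth0<->tun0 is
# allowed, eth0->Internet is masqueraded out wlan0, and anything from eth0 aimed
# at RFC1918 space via wlan0 is dropped. The 172.16.0.0/12 drop is the
# fail-closed check: if tun0 goes down, site-to-site traffic would otherwise
# fall back to the default route and leak unencrypted toward the home router.
# Nothing new from wlan0 is accepted inbound or forwarded into eth0.
pi_setup_commands() {
    gw=$(site_gateway "$1")
    cat <<EOF
ip addr add ${gw}/24 dev eth0
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -d 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -o wlan0 -d 10.0.0.0/8 -j DROP
iptables -A FORWARD -i eth0 -o wlan0 -d 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
EOF
}

# Example run for three sites; file names and CNs are constructed for illustration.
if [ "${1:-}" = "demo" ]; then
    echo "# --- server.conf ---";           server_conf 1 2 3
    echo "# --- ccd/pi-site2 ---";          ccd_entry 2
    echo "# --- commands on site-3 Pi ---"; pi_setup_commands 3
fi
```

Run it with `demo` as the first argument to see all three fragments. The devices behind each Pi need a static address in 172.16.<site>.0/24 with gateway 172.16.<site>.1, and the OpenVPN client on the Pi needs nothing site-specific beyond its own certificate, since the server decides ownership of each LAN from the ccd file.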