
Managing 100+ Pizzeria?

Posted: Fri Aug 12, 2022 7:42 pm
by PizzaProgram
We are remote-helping and observing 100+ separate groups with OpenVPN currently.
(Running our POS software.)
Each restaurant has 1-20 PCs, = ca. 250 clients online tops.
+ some bosses use a remote connection from home (Windows + )
+ mobile
= avg. 20 active sessions, each ca. 1-10 Mbit.


I would like to rent a (Linux?) VPS (Virtual Private Server) to run SoftEther from now.
(Because the response time of the OpenVPN server IT guy is avg. 8 weeks...)

What is the recommended setup to do all this?

The clients should use their own internet connection to browse, this VPN is only meant to "reach the restaurant", like you would work in "home office for your company".

Re: Managing 100+ Pizzeria?

Posted: Fri Sep 02, 2022 12:21 pm
by j.thelenpantheon
Hey,

I recommend using SoftEther VPN Server with bridges at every pizzeria,

like 1 server (VPS or dedicated) and 1 hub per pizzeria (if they share or are the same corp you can connect multiple pizzerias to 1 hub).

Virtual hub:

SecureNAT enabled with DHCP and split-tunnel config (route to the local subnet of the pizzeria).

Pizzeria:

SoftEther Bridge (Rasp, or something that can run it),
connected to the hub it needs to be on.
Configure SecureNAT without DHCP, just with 1 IP on the SecureNAT interface that is in the same subnet as the virtual hub; enable Virtual NAT on the bridge.

Connect with the SoftEther client and enjoy.
(attachment: example.png)

Re: Managing 100+ Pizzeria?

Posted: Fri Sep 02, 2022 12:56 pm
by PizzaProgram
Thank you VERY much for the detailed answer and concept!

Your recommendation would work fine, if I had a possibility to travel to all pizzerias all over the country to install 1 Rasp each + the owners would pay for it.
But this is not an option, and also not fuel/eco-friendly.

So I would like to keep the concept of having ONE central VPN server, managing 100 groups, allowing to see which client is online or disconnected.
Also I need to be able to manage the remote client of the pizzeria owner's laptop or phone (who are connecting remotely to their group(s) ).

Since the goal is to reach EACH PC separately (if one goes down, I still should have access to the other) the "bridge concept" would be the opposite of what is needed.

So the questions remain:
- How do I set groups NOT to go to the internet through my VPN server, but see each other within the group?
- How do I prevent the clients connecting to my master-group of devices, but I should be able to "see them"?

Re: Managing 100+ Pizzeria?

Posted: Fri Sep 02, 2022 1:04 pm
by PizzaProgram
To make this work properly:
  • The PCs (clients) should connect without any user interaction, already at the login screen on windows. (As a service.)
  • Should not see any annoying popup window
  • Certificates at clients should work for 10+ years (We don't have time to re-re-re-install new cert files every year to each client one by one, but it should work securely!)
  • I should be able to see ALL clients (from my Windows Laptops + my Android phone)
  • But Clients should see only others inside their group (HUB)
Thank you very much for any help / recommendations!

Re: Managing 100+ Pizzeria?

Posted: Fri Sep 02, 2022 1:10 pm
by j.thelenpantheon
Thanks, then my recommendation will work and is compatible with all clients.
PizzaProgram wrote (Fri Sep 02, 2022 1:04 pm): (quoted in full above)

Re: Managing 100+ Pizzeria?

Posted: Fri Sep 02, 2022 1:23 pm
by j.thelenpantheon
Q1
You can use the same method: replace the bridge with a VPN client, remove the routing and remove the default gateway on the SecureNAT DHCP server.

Q2
SoftEther has built-in ACLs; there you can set that only a certain group of users can communicate with the client, and the clients can't initiate a connection to your clients.
PizzaProgram wrote (Fri Sep 02, 2022 12:56 pm): (quoted in full above)

Re: Managing 100+ Pizzeria?

Posted: Fri Sep 02, 2022 1:33 pm
by j.thelenpantheon
Then you should remove the bridge and replace it with a client on each PC,

and use user groups and ACLs for the firewalling.

Leave the DHCP default gateway blank and they use their own connection.
(attachment: example2.png)

Re: Managing 100+ Pizzeria?

Posted: Fri Sep 02, 2022 2:04 pm
by PizzaProgram
Yes, this is the way I will try ! Thank you for the modified concept. :-)

Two things I don't understand about your picture:
1.
Why is each HUB on the same ...30.x subnet?

Should it not be:
  • VirtualHUB1 : 192.168.01.x
  • VirtualHUB2 : 192.168.02.x
  • VirtualHUB3 : 192.168.03.x
... so each one on a different subnet by enabling the SecureNAT function?


Otherwise how do I prevent one group from seeing the other?

(Actually I'd like to use 10.111.XXX.z where XXX is the number of the group, but that's irrelevant right now.)


2.
Both arrows of groups are all pointing to VirtualHUB 2.
Aren't the VirtualHUBs = Groups? (For me, they are!)

I know there are also UserGroups, but that's a different thing. I will probably have only 3 groups :
1. MY admin devices
2. Owners
3. Pizza PCs

>> and all PCs inside 1 VirtualHUB will log in with the same username.

Do you agree? OR am I missing any hidden possibility to manage different pizzerias by creating different UserGroups maybe?

Re: Managing 100+ Pizzeria?

Posted: Fri Sep 02, 2022 2:12 pm
by PizzaProgram
One more very important thing I forgot to mention:

Each PC should have a fixed VPN address!
... so I can reach "PeppinoPizza Database" by typing 10.111.56.2

Re: Managing 100+ Pizzeria?

Posted: Fri Sep 02, 2022 2:23 pm
by j.thelenpantheon
Q1:
A virtual hub is 1 enclosed VPN network; only the clients on that hub can connect to each other.

So one hub per pizzeria corp.

The virtual subnet doesn't matter.

Q2:

I made only one; it should be on all hubs, so 1 hub for each pizzeria corp with group owner, group admin, group pizza PC.

The same username I only recommend for the pizza PCs.

PizzaProgram wrote (Fri Sep 02, 2022 2:04 pm): (quoted in full above)
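The replies above settle on one Virtual Hub per pizzeria, SecureNAT as a DHCP server with no default gateway (so browsing stays on the shop's own line), three user groups per hub, and access-list rules so the admin can reach every PC while PCs cannot initiate connections to the admin. The script below is an added example (not code from the thread or from the SoftEther project) that turns that design into a vpncmd batch file for one pizzeria using PizzaProgram's 10.111.<group>.0/24 scheme. The hub, group and user names (`pizzaNNN`, `admins`, `owners`, `pizzapcs`, `admin`, `pizzapc`), the priorities and the address pool split are assumptions; the vpncmd command names and switches are reproduced from memory of vpncmd 4.x and should be checked against `vpncmd /HELP <Command>` before use. The script only writes commands; nothing in it connects to a server.

```python
"""Generate a vpncmd batch that builds one SoftEther Virtual Hub for one pizzeria.

Added example, not code from the thread.  It writes commands only; nothing here
connects to a server.  Feed the file to the server later with
    vpncmd <vps-host> /SERVER /PASSWORD:<server-admin-pw> /IN:pizza056.vpncmd
Command names and switches are reproduced from memory of vpncmd 4.x; check each
with `vpncmd /HELP <Command>` before relying on it.
"""
import ipaddress
from typing import List, Optional

ADMIN_USER = "admin"     # assumption: the operator's own user, present in every hub
ADMIN_GROUP = "admins"   # assumptions: group names mirroring the thread's three groups
OWNER_GROUP = "owners"
PC_GROUP = "pizzapcs"
PC_USER = "pizzapc"      # the thread's "all PCs in one hub log in with the same username"


def hub_subnet(group_no: int) -> ipaddress.IPv4Network:
    """10.111.<group>.0/24, the scheme proposed in the thread: one /24 per hub."""
    if not 1 <= group_no <= 254:
        raise ValueError("group number must fit the third octet (1..254)")
    return ipaddress.ip_network(f"10.111.{group_no}.0/24")


def hub_name(group_no: int) -> str:
    return f"pizza{group_no:03d}"


def secure_nat_commands(group_no: int) -> List[str]:
    """SecureNAT used as a DHCP server only.

    No default gateway and no DNS are pushed, and Virtual NAT is disabled, so a
    PC keeps browsing over the shop's own uplink and only 10.111.<g>.0/24 is
    reachable through the VPS.  .2-.99 are kept out of the pool for PCs that get
    a fixed address on their virtual adapter (assumption: the thread asks for
    fixed addresses but does not settle how they are assigned)."""
    net = hub_subnet(group_no)
    hosts = list(net.hosts())  # .1 .. .254
    return [
        "SecureNatEnable",
        f"SecureNatHostSet /IP:{hosts[0]} /MASK:{net.netmask}",
        f"DhcpSet /START:{hosts[99]} /END:{hosts[-1]} /MASK:{net.netmask} "
        "/EXPIRE:7200 /GW:none /DNS:none /DNS2:none /DOMAIN:none /LOG:yes",
        "NatDisable",
    ]


def user_commands(owners: List[str], admin_pw: str, owner_pw: str,
                  pc_pw: str, pc_cert: Optional[str] = None) -> List[str]:
    """Three groups per hub, as the thread settles on: admin, owners, pizza PCs.

    The PC user can authenticate with a certificate instead of a password
    (UserCertSet), which is how a long-lived client certificate would be bound
    to the account; the certificate itself is made elsewhere."""
    cmds = [f"GroupCreate {g} /REALNAME:none /NOTE:none"
            for g in (ADMIN_GROUP, OWNER_GROUP, PC_GROUP)]
    cmds += [f"UserCreate {ADMIN_USER} /GROUP:{ADMIN_GROUP} /REALNAME:none /NOTE:none",
             f"UserPasswordSet {ADMIN_USER} /PASSWORD:{admin_pw}"]
    for owner in owners:
        cmds += [f"UserCreate {owner} /GROUP:{OWNER_GROUP} /REALNAME:none /NOTE:none",
                 f"UserPasswordSet {owner} /PASSWORD:{owner_pw}"]
    cmds.append(f"UserCreate {PC_USER} /GROUP:{PC_GROUP} /REALNAME:none /NOTE:none")
    if pc_cert:
        cmds.append(f"UserCertSet {PC_USER} /LOADCERT:{pc_cert}")
    else:
        cmds.append(f"UserPasswordSet {PC_USER} /PASSWORD:{pc_pw}")
    return cmds


def acl_commands() -> List[str]:
    """Access list for 'I see all clients, clients cannot initiate to me'.

    Rules are evaluated in ascending priority; a packet matching no rule
    passes, so owner<->PC traffic inside the hub is untouched.  Only TCP
    replies may travel back to the admin; UDP and ICMP from clients to the
    admin are dropped with everything else."""
    return [
        f'AccessAdd pass /MEMO:"admin may initiate anything" /PRIORITY:100 '
        f"/SRCUSERNAME:{ADMIN_USER}",
        f'AccessAdd pass /MEMO:"TCP replies back to admin" /PRIORITY:110 '
        f"/DSTUSERNAME:{ADMIN_USER} /PROTOCOL:tcp /TCPSTATE:established",
        f'AccessAdd discard /MEMO:"nobody else reaches admin" /PRIORITY:200 '
        f"/DSTUSERNAME:{ADMIN_USER}",
    ]


def hub_batch(group_no: int, owners: List[str], hub_admin_pw: str, admin_pw: str,
              owner_pw: str, pc_pw: str, pc_cert: Optional[str] = None) -> List[str]:
    name = hub_name(group_no)
    return ([f"HubCreate {name} /PASSWORD:{hub_admin_pw}", f"Hub {name}"]
            + user_commands(owners, admin_pw, owner_pw, pc_pw, pc_cert)
            + secure_nat_commands(group_no)
            + acl_commands())


def write_batch(path: str, group_no: int, owners: List[str], **pw) -> int:
    lines = hub_batch(group_no, owners, **pw)
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    # Constructed sample: group 56 (the thread's "PeppinoPizza"), one owner login.
    n = write_batch("pizza056.vpncmd", 56, ["peppino"], hub_admin_pw="change-me",
                    admin_pw="change-me", owner_pw="change-me", pc_pw="change-me")
    print(f"wrote {n} commands; a database PC would take a fixed 10.111.56.2")
```

Two caveats worth keeping in mind with this layout: the `/TCPSTATE:established` rule is a stateless flag check, not connection tracking, so a PC can still send ACK-flagged packets toward the admin address (it just cannot complete a handshake); and because every PC in a hub shares the `pizzapc` account, the access list cannot tell one shop PC from another, so per-PC restrictions have to be done by IP once fixed addresses are in place. Each hub has its own `pizzapc` account, so a leaked credential from one shop only affects that hub.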