How to securely join two networks together over the Internet?

Can VPN be implemented on the routers only? Can the computers on the network be configuration free?

Yes. Assuming reasonable routers and a reasonable network layout. If your sites are all sharing the same IP range (i.e. they are all using 192.168.0.0/24 and therefore overlapping) then you'll have to do full NAT and things get messy.

If you provisioned each site in its own subnet, then this is simple, and your only considerations are:

  • minimising traffic over the VPN
  • security of the VPN (i.e. use the right type of VPN)
  • integrating systems across the VPN (i.e. cross-subnet Windows network browsing)

The standard solution is to use a VPN between two routers, and you adjust the routing so all LAN-to-LAN traffic crosses the VPN.

Domains/Workgroups are really not related at all. A more relevant bit of information would be what type of routers both sites have, and if they can create L2TP, PPTP, or some other encrypted tunnel, or if they are running a standard OS like Linux where you can install software. There are many routers that already support VPN connections. Even some home-routers can do it if you install custom firmware. You can create a VPN between your servers, though getting the routing right may be a bit tricky.

I really like OpenVPN as a solution if I have a system that will support it. Many other good VPN solutions exist.

The obvious solution seems to be VPN, but can VPN be implemented on the routers only? Can the computers on the network be configuration-free?

This completely depends on what type of router you have. If your router is a computer running Linux then yes. If your router is an inexpensive broadband router, then maybe your current hardware can do this. If your current hardware can't do this, you can certainly buy routers that will.

The clients really shouldn't need to know anything about the VPN.
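The address-range condition raised in the answers above (sites sharing a range force NAT, while distinct subnets only need routes on the two routers) can be checked before any tunnel is configured. This is an added example, not part of any of the posts; the site names and ranges are constructed, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample sites (name -> LAN range); not taken from the page.
SITES_OK = {"office-a": "192.168.10.0/24", "office-b": "192.168.20.0/24"}
SITES_BAD = {"office-a": "192.168.0.0/24", "office-b": "192.168.0.0/24",
             "office-c": "192.168.1.0/24"}


def find_overlaps(sites):
    """Return (site_a, site_b) pairs whose LAN ranges overlap.

    Containment counts as overlap: 10.0.0.0/8 at one site collides with
    10.1.2.0/24 at another even though the prefixes are not identical.
    strict=True rejects typos such as 192.168.10.1/24 (host bits set).
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def plan_routes(sites):
    """For each site's router, list the remote LANs to route into the tunnel.

    Raises ValueError when ranges overlap, because plain routing cannot
    tell the two LANs apart and NAT or renumbering is needed first.
    """
    conflicts = find_overlaps(sites)
    if conflicts:
        raise ValueError(f"overlapping LAN ranges: {conflicts}")
    return {name: sorted(cidr for other, cidr in sites.items() if other != name)
            for name in sites}


if __name__ == "__main__":
    for router, remotes in plan_routes(SITES_OK).items():
        print(f"{router}: route {', '.join(remotes)} via VPN tunnel")
    print("conflicts in second layout:", find_overlaps(SITES_BAD))
```

Only the routers receive these routes; the client machines keep their normal default gateway and need no VPN configuration.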


While the "open" suggestions are great, if you're asking this question, my guess is that you're unlikely to have success implementing them.

Save yourself a lot of trouble and pick up two routers with VPN capabilities from a vendor like Linksys, Netgear, D-Link, or even Sonicwall. They are very easy to set up and will connect two networks together securely.

Once that is done, whether the computers "see" each other is very dependent on the network being run and how that traffic passes over the VPN. Windows Workgroups are broadcast-based systems which may interfere with the "network neighborhood" showing all the systems. Use of "lmhosts" files can help with name resolution. This is typically what domains are used for along with trusts between domains if they are different. By having a central registration for computers (Active Directory and DNS), they are able to "find" each other without configuring name resolution on each machine.


OpenBSD and IPSEC. Use an OpenBSD server at the respective ends of the link to act as an IPSEC gateway. It is very easy to set up.