Seeking VPN advice
I have a need to set up VPN access to my network in the office. Probably no more than four or five concurrent sessions. This is a new tech territory for me. Are there any networking groups here who can steer me in a direction?
My first thought is that my best bet is a VPN gateway or router in office. Am I barking up the wrong tree here?
- 6 comments, 21 replies
Been a decade since I was involved in a system setup but it used a hardware encryption router versus a software solution. I think it was a plug and play appliance style box that sat on our existing network.
@snapster Thanks. An appliance seems like it should provide the cleanest solution.
@ruouttaurmind cleanest and easiest. We have a networked PDU that has a timer to shut down the appliance after a certain time, then someone locally turns it on as requested via a web terminal.
You don’t happen to have the kind of device that would already have this on it would you? (Probably not, but in case you’re not the person who does networking normally, it’s worth checking.)
I use a SonicWALL at work, but it might be out of your price range (maybe not the bottom tier).
As sort of an alternative, are you already paying for any remote access services? (LogMeIn, TeamViewer, etc.)
If so, you could probably use those as a VPN of sorts.
There are apparently some cloud services that do VPN for you; if you’re interested, I’ll dig it out of my email for you.
If there’s anything else I can help you with, just tell me.
@dashcloud
TL;DR I prefer purchased solutions to subscription options.
We used to use LogMeIn free, but when they reconfigured their business model, support for our legacy systems was discontinued. After attempting to make contact with them for a couple weeks to explore paid options, I gave up and officially ceased remote access support.
The couple folks who used it only used it infrequently. They started using TeamViewer Free via “support sessions”. They justify using the free client suggesting it was for their personal convenience to avoid a long commute to the office for the 2-minute task of updating a time sheet or emailing a file they forgot so they could do some work from home over the weekend.
I turned a blind eye to this practice, but usage has become habitual, and clearly exceeds the spirit of free use. So I’m reevaluating VPN options.
It’s my standard business practice to avoid subscription services when a purchased alternative is available at a reasonable cost. Subscription services, at least good ones, are updated and enhanced on a frequent basis. This often imposes the requirement to stay up to date with hardware and software and OS versions on workstations. The risk of obsoleting legacy systems is real and frequent (reference our LogMeIn experience).
I’ve had great success maintaining some systems for many years. We still have PowerMac G5 systems from 2003 in use and making productive contribution because I’ve managed to maintain them in a “sealed bubble” environment. What they did exceptionally well in 2003, they still do reasonably well 15 years later. Our file server is a Xserve G5 with RAID array also from 2003, and doing exactly what we need all these years later.
So my preference is for a purchased solution rather than a subscription option, with the belief that if I choose wisely, buy right, and it works well today, it’ll likely provide years of reliable service.
@ruouttaurmind SonicWALL makes easy-to-use stuff, and when I bought one of their TZ series (the small business end), I got 4 licenses for their client-based VPN (there’s two different ones, and you get 2x for each), and unlimited for L2TP VPN (which uses the built-in capabilities of Windows Pro and higher, but it’s not as good as the other client-based software). Here’s the model list:
https://www.sonicwall.com/products/sonicwall-tz/
@ruouttaurmind
I did stuff sometimes with what would be a Fortune 500 sized co (privately held) that still has a number of XP systems in service to talk to special legacy hardware.
I did a bunch of stuff (about a decade ago?) for another large co. Basically an industrial sized machine shop (a typical machine might weigh 3-5 tons). They still used Win 98 machines to xmit CNC over the serial ports.
No reason to upgrade just cuz MS says so. These were special situations, not someone’s work desktop. In both situations, my read was that the sysadmins and domain people were pretty careful and conservative.
@f00l I support this strategy and it has served me well over the years. Too many sysadmins are version whores, upgrading because it’s the latest and greatest. I believe if the upgrade doesn’t offer a feature you need, skip it.
Easiest: Appliance solution
Cheapest: A box running OpenVPN community edition. Heck, if you have a router that’s doing (or supports) DD-WRT or Tomato or OpenWRT, they all have support for OpenVPN
Dunno your current network setup, but folks like Palo Alto Networks, Cisco, Juniper have relatively inexpensive, low end routers and firewalls that also support VPNs. For example, https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/pa-200 and
@Alien88 We have a pretty basic D-Link wifi router handling all routing duties for wired and wifi nodes. It’s a pretty small office (26 total nodes IIRC) so our needs have been quite modest, and it handles the traffic efficiently. No traffic jams. All the wired nodes connect to a Cisco switch at 1000 Mbps. Server, legacy Macs, printers, workstations when convenient… connect via wired. Simple, secure, reliable.
@Alien88 It’s been a few years since I was in the IT sector, so my knowledge and experience is out of date. I would prefer an appliance I can install, configure and manage in-house if possible. Having to spend a few hundred dollars isn’t a problem, I’d like to avoid many hundreds.
@ruouttaurmind It’s not one of the ones that can run DD-WRT is it? https://www.dd-wrt.com/wiki/index.php/D-Link
If it is, then look at http://www.dd-wrt.com/wiki/index.php/OpenVPN
The PA is probably outside of your price range, then. I think it runs around ~1-2k.
@Alien88 I appreciate your advice. I looked at the PA info this morning. Although the feature set seems spot on, the price is a fair bit more than I hoped to target. $2k plus licensing commitment. I’m comfortable landing somewhere <$800-$1000 plus licenses.
I don’t recall which model the current router is. If DD-WRT is a viable option I won’t mind replacing our current router if necessary as long as DD-WRT offers a solid, reliable solution. Last night I read about a number of open source client-side VPN connection options for DD-WRT running the gamut of platform types. The flexibility there is attractive.
This suggestion, along with @dashcloud’s pointer to the SonicWall devices, is quite worth further research. Thanks to both for your responses!
Check into Ubiquiti’s EdgeRouter line. Inexpensive and I hear they run OpenVPN or standard L2TP VPN well (I use them with IPsec site-to-site tunnels so haven’t tried client VPNs yet). You could either run alongside your D-Link or preferably replace it with a VPN-capable router plus wifi access point(s).
It would be good to consider implementing two-factor authentication with your VPN. I think OpenVPN supports this but that’s without research to back up my statement.
A caution: not to talk down others’ opinions but I think DD-WRT and the like are great projects, fun to tinker with, and provide valid security enhancements on consumer grade equipment, but I try to avoid that kind of setup in a business where the connection is important unless there is zero budget (when I was consulting, you’d still spend plenty on me setting it up). Not a fan of consumer equipment in business in general (though it happens plenty), and then add on custom firmware that requires tinkering and you are potentially up a creek if something goes wrong and you’re not the tinkerer. They are amazing for free products, don’t get me wrong.
To me the ubiquiti stuff is business grade equipment (not enterprise grade) at nearly consumer prices.
Also, I forgot to ask: what are the clients you’d like to connect? Individual computers, phones/tablets, or entire networks at other locations?
@djslack Windows 10 PCs and OS X Macs are the off-site clients. Not necessarily remote control, but remote network access.
@djslack A couple of years ago I bought a MikroTik router with AP because I was sick of consumer products. I’ve been very happy with it (and it does do VPN, although I’ve never set it up).
However, if I had it to do over again, I think I’d go with a Ubiquiti router and a separate AP.
I don’t have any of their equipment yet, but the reviews are all terrific. I’m planning to install one of their APs (just as an AP) for my parents next month when I visit them. Their wifi is the stock Uverse modem router thing and a TP Link extender, and I think we can do better.
@craigthom MikroTik is also very good stuff. You’ll be pleased with the Ubiquiti AP; the only downside for a single access point situation is having to run the controller software. However, if you’re not doing anything fancy (like a captive portal) the controller software doesn’t need to be running all the time.
@djslack It’s my understanding that the phone app can be used to set it up as a stand-alone AP.
I plan to install the software on my parents’ computer, anyway, in case I need to Teamviewer in to fix something.
I’m going to set it up here before I go down there to install it to make sure it works and to work through figuring it out. It will be less stressful for my parents if I’m not figuring it out there.
@craigthom Neat. I actually didn’t know about the app. I’ll have to check it out, I see it will connect to my controller.
After reading your response to @dashcloud I realize you’re looking for remote access to systems at work. I have and would wholeheartedly recommend ScreenConnect, except that it was bought out by ConnectWise and has become a much more expensive, subscription product. However, I see that they have separate pricing for unattended remote access only, at $300 a year for 25 clients with unlimited users. That is a subscription but it’s not per user and a lot less expensive than TeamViewer. No hardware, cloud hosted, software agents on PCs, Macs, and Linux, clients for computers, Android and iPad. It might be up your alley.
@djslack Thank you for your advice. The end game is not just “remote control” of workstations, but a tunnel to our in-house network. Server, printers, etc. I’ll look into ConnectWise, but based on your summary it seems like a remote control option?
If I have someone working at home for a few days I’d like to free up that workstation for other users. My less than current IT knowledge assumes VPN tunnels are the safest and most effective way to accomplish this. Am I barking up the wrong tree?
@ruouttaurmind You’re barking up the right tree. I read into your other comment that you were trying to replace teamviewer.
Certain things are faster/easier through remote control than through a VPN, such as applications that rely heavily on file I/O (opening a QuickBooks company file over a VPN is generally gonna be a bad time, for example). So your workflows will determine your needs.
For remote access from PCs and Macs, I think OpenVPN or L2TP is going to be good and easy. Licensed vendor VPN clients (SonicWall, Cisco, etc.) may get you additional ease and potentially additional features at greater expense and subject to licensed user limits.
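As an added example (not from any poster in this thread), here is a minimal OpenVPN 2.4+ server configuration for the case discussed above: a handful of remote Windows/Mac users reaching the office LAN, with per-user client certificates plus a second factor checked through PAM. The file paths, the office subnet 192.168.1.0/24 and the PAM service name are assumptions.

```conf
# Added example: OpenVPN (2.4 or later) remote-access server for a small office.
# Assumed: certs/keys made with easy-rsa, office LAN is 192.168.1.0/24, and the
# host is a Linux box or router image that ships the auth-pam plugin.
port 1194
proto udp
dev tun

# Server identity and per-client certificates (one cert per person, revocable).
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem          # revoke one lost laptop without touching the others

# Drop any packet not signed with the shared tls-crypt key: hides the service
# from port scanners and limits unauthenticated load on the TLS handshake.
tls-crypt /etc/openvpn/ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client                   # peer must present a client-type certificate

# Second factor: the certificate alone is not enough; the user must also pass a
# PAM login (system password, or a TOTP module configured under the "openvpn" service).
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
verify-client-cert require

# Address pool and the single route to the office LAN. Only this route is pushed,
# so the remote user's general internet traffic does not transit the office.
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
max-clients 5                            # "four or five concurrent sessions"

# Keepalive, privilege drop after startup, and a status file for reviewing who is connected.
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
```

Each user's client profile then carries its own certificate plus `auth-user-pass` for the PAM prompt; the status file gives a quick way to check that no more sessions are open than expected.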
@djslack By any chance, would you be willing to briefly pursue this option and offer a quick opinion?
@ruouttaurmind Quick rundown: I have Zyxel USG 100s (some years old, I think comparable to USG 60s now) in place at some locations that I am slowly replacing with Ubiquiti equipment. I also had a batch of Zyxel access points that I have thrown away; they started failing randomly.
The Zyxel business model seems to be similar to SonicWall’s and many others in the industry. The firewalls have been solid but there haven’t been active subscriptions on them since before I came to the company (all advanced features seem to be subscription based), but we’re not using any of the advanced functionality so it doesn’t harm anything. I do get irked by paying per-user license fees for hardware like routers and firewalls (the needs within my staff will almost never be what I’m initially told), and I suspect but have not confirmed that the Zyxel model includes per-user fees/user limits, if not on the firewall itself at least for the VPN.
If you know your needs and are comfortable with the amount of licensing you’ll need to put into it, I believe it’s a good product. I think it would be good to compare their offerings with Sonicwall.
@djslack I am grateful for your time and expertise. Thank you so much.
Cisco AnyConnect, yes. Juniper Networks, no.