common VPN setups in small businesses

Pants

In a network of 1 - 20 computers, what are the most common ways to implement a VPN? 1 - 20 computers is the type of environment I've prepped for.

My Linksys E3000 router with Tomato firmware has OpenVPN. Not sure how it works yet, however.

I'd like to set up a few different types of VPNs common to small businesses just so I can be familiar with how they work. This is one of a few last-minute things I'm brushing up on before I finally venture out.

Got my city business license about a week ago. Couple more weeks and I'm gonna start passing out business cards.
Feels good!
 
Well, depends on what purpose the VPN is for.

*Remote/Mobile/HomeWorker/RoadWarrior....where they VPN to the office, to connect to "some service" on the LAN. Like database replication of some mobile database. Or to access file shares on a server. Or to remote desktop to a workstation or terminal server (although this has mostly been replaced by easier methods).

*Site to Site VPN tunnels...like if a business has several locations, a central office (Mothership), and several satellite offices. You have full time "router to router VPN tunnels" connecting all the sites together into 1x large network. Workstations and Servers of all the sites can communicate with each other..since they're all on the same network.

Old school VPN..."PPTP"
Sorta old and retiring VPN....IPSec
Popular VPN with open source...OpenVPN

All of the above sorta clunky to set up, well...OpenVPN can be wicked easy. Depends on the distro you're playing with.

More popular VPN for "road warriors" these days...because it's so wicked easy to deploy, is "SSL VPN". It's pretty much clientless...typically just runs on top of Java, through a browser. SOOOOO much easier to maintain than the old school pain in the freaking buttsky thick IPSec VPN clients we used to use years ago.
 
Speaking of OpenVPN I just got it up and running for a client of mine who needs access to their PC via remote desktop. What easier way would you suggest besides accessing it via VPN?
 
Windows appears to have VPN software which allows for client outside of office to connect to internal network.

But what advantage is there by using the OpenVPN in the router, over using Windows to handle the job?
 
> Speaking of OpenVPN I just got it up and running for a client of mine who needs access to their PC via remote desktop. What easier way would you suggest besides accessing it via VPN?

LogMeIn. Cheap and easy. You can also open up RDP on the router but restrict it to only allow connections from a specific IP if the remote side has a static.
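
The source-IP restriction suggested in the post above, as an added example that is not part of the original thread: a shell helper that prints, without applying, iptables rules forwarding RDP only from one static address. The function names, the sample addresses, and the assumption that the router's FORWARD chain drops by default and already accepts established traffic are illustrative.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that forward RDP to one
# LAN host only when the connection comes from a single static source IP.
# All addresses used here are constructed sample values.

# is_ipv4 ADDR -> exit status 0 if ADDR is a dotted quad with octets 0-255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;   # stray chars or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rdp_allow_rules SRC_IP LAN_HOST [EXTERNAL_PORT]
# Refuses malformed or wildcard sources so the forward is never left open.
rdp_allow_rules() {
    src=$1; host=$2; port=${3:-3389}
    is_ipv4 "$src"  || { echo "bad source IP: $src" >&2; return 1; }
    is_ipv4 "$host" || { echo "bad LAN host: $host" >&2; return 1; }
    [ "$src" != "0.0.0.0" ] || { echo "refusing wildcard source" >&2; return 1; }
    case "$port" in
        *[!0-9]*|"") echo "bad port: $port" >&2; return 1 ;;
    esac
    # The DNAT rule matches only the allowed source; every other address
    # never gets translated and is handled by the router's default policy.
    echo "iptables -t nat -A PREROUTING -p tcp -s $src --dport $port -j DNAT --to-destination $host:3389"
    # Assumes FORWARD defaults to DROP and established traffic is already accepted.
    echo "iptables -A FORWARD -p tcp -s $src -d $host --dport 3389 -j ACCEPT"
}

# Constructed sample: remote office at 203.0.113.10, RDP host at 192.168.1.50
rdp_allow_rules 203.0.113.10 192.168.1.50
```

Review the printed rules before pasting them into the router's firewall script; they are only as good as the remote side's address staying static.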
 
SSTP is the way forward if they have a Windows Server although can be a little tricky to set up. LogMeIn is great if they want to access a PC in the office.
 
> Speaking of OpenVPN I just got it up and running for a client of mine who needs access to their PC via remote desktop. What easier way would you suggest besides accessing it via VPN?

Depends on how they want to access it. What kind of apps? There are numerous cloud based VPNs. One I looked at is called Pertino. A Spiceworks offering. But to be honest the best thing is a Dropbox type service if the user does not have to worry about database type apps like QB.
 
> Windows appears to have VPN software which allows for client outside of office to connect to internal network.
>
> But what advantage is there by using the OpenVPN in the router, over using Windows to handle the job?

Been doing a little googling on this.

There are apparently two common basic VPN topologies... Client-server, where workstation clients connect to a server, such as a router or other device....and Peer-to-Peer, where workstation nodes connect to each other, using some client software.

So to answer my own question that probably didn't make sense to anyone, IF I was using a Client/server method, then the server could go down and the whole VPN would be lost...So there's the disadvantage. If using the peer to peer model, VPN does not go down if one workstation is lost. Cheerio! :)
 
Using Windows Server to be a VPN server....bad idea. You need to expose those ports to the internet..and that's a domain controller service. Yikes! :eek:

You'll see most of us talk about VPN appliances instead....such as Untangle, Sonicwall, Juniper, etc. A dedicated VPN appliance that authenticates the "road warriors".
 
> Speaking of OpenVPN I just got it up and running for a client of mine who needs access to their PC via remote desktop. What easier way would you suggest besides accessing it via VPN?

Oodles of remote access applications out there...LogMeIn, TeamViewer, etc. This way, you have zero "firewall/router/port forwarding/static IP" things to deal with.

Or just use the built-in RDP host of Windows...but then you have to deal with port forwarding, external IP/alias, etc. RDP can be secure these days....don't leave a simple Administrator password, or user password, and set it to cancel host after XX amount of failed login attempts.
 
> Been doing a little googling on this.
>
> There are apparently two common basic VPN topologies... Client-server, where workstation clients connect to a server, such as a router or other device....and Peer-to-Peer, where workstation nodes connect to each other, using some client software.
>
> So to answer my own question that probably didn't make sense to anyone, IF I was using a Client/server method, then the server could go down and the whole VPN would be lost...So there's the disadvantage. If using the peer to peer model, VPN does not go down if one workstation is lost. Cheerio! :)

VPN is a service. So it runs on a client/server model. The server can be an appliance (like a router), a cloud based service running a local app (like Pertino), or a conventional server (like an OS X server).

Obviously a client is a computer or smart device. The problem with the appliances is that low end ones are underpowered if you get more than a couple of connections. So they can be very slow. My tests with Pertino showed it to be reasonable from a speed perspective. I've done several OS X server VPN hosts and they run pretty good as long as the ISP connection is fast.

The most important thing is to properly define the customer requirements. You can spend plenty of money on a robust system and it still will not meet the customer's requirement.

An example (real). Customer is a two person interior design studio. Their current, soon to be former, provider has done nothing about setting up proper remote file access amongst other things. So the EU ends up emailing files to himself prior to leaving or using gotomypc.com to remote in and email the files. In addition to that he has recently bought himself a high end digital camera which takes and stores pictures in raw format so they are quite large, 30-40mb.

The proper solution for this customer is not VPN but a local/remote synced folder like ownCloud/OneDrive/etc. The problem with VPN is that every time a remote file is opened the entire file is locally cached prior to accessing it. Then as auto/manual saves are done the entire file is written to the remote folder. Lots of waiting if files are several megs in size.
 
Alright thx for the clarification.

Just to update what I've read.

Site to Site (router based) VPNs don't require client software on the computer?
Because the router handles all of it.

Whereas client/server and P2P do require client software on the computers.

I'm gonna set up my Tomato router for a client/server VPN to get a feel for this. Then I'll probably try some of the other methods, just to get a feel.
 
Sort of..yes.
Setups like "router to router" VPN tunnels are typically full time. Your local network is always connected to a remote network...you can access resources on that remote network at any time through internal/private IP ranges. Typically used in networks where there are several locations. But also sometimes used by remote workers that work from their home...and prefer a good full time connection to the main office. No work needs to be done on the remote computer(s)..the routers allow that connection to be all the time and local.

Software/Server VPN setups are typically used by mobile road warriors. You have a software client installed on the laptop or home computer...and you dial it up to "connect" to the office network...do your work, and then you disconnect when you're done. Can use a Windows server (gasp..NOOO) for this...or a *nix or Apple server, or...preferred method...a hardware appliance.
 