Securing Any Network with VPN... how?

Mainstay

Hi All,

Please let me preface this request with a plea not to lambast me for not "getting it" from the other posts. I have burned too many hours trying to get OpenVPN to work or at least work nicely on my various test environments and I am at the point where I just need clear, basic, up-to-date instructions.

I have clients that desperately need to secure their remote RDP sessions. Most are highly averse to pulling all of their existing networking equipment (even when they understand the risks they are taking).

Is there a simple, off-the-shelf device that can be plugged into an existing network, provides VPN authentication, and has an easy-to-use connection client that is fully Windows and Mac compatible? And NICELY compatible.

I know some of you are Untangle fans, and I did play with that once upon a time...

Just looking for a plug-and-play VPN solution that plays nicely with small networks (some on domain, but most not).

Thank you for taking the time to read this.

--Matthew
 
Based on your post, I assume ports are forwarded on the router to individual workstations for RDP sessions?

First of all, it sounds like these businesses need a re-evaluation of their IT needs if they want to stop sucking as a business in this day and age. However, a lot of business owners don't know how to stop sucking as a business and end up causing their business to suck more.

So that was a preamble to say I don't think the following is what these businesses actually need, but it is a solution.

Install Remote Utilities on each workstation that needs to be RD'd into, install the viewer on the client and show them how to use RDP mode, and bam, Remote Desktop without port forwarding or a VPN.
 
I'm still going to say "Untangle"... their OpenVPN is very easy to set up. Easy for the client to use also. The paid version has IPsec VPN.

pfSense is another good *nix distro with great VPN features.

For "out of the box"... Ubiquiti routers... either EdgeRouter or UniFi Gateway.
 
Have you given any thought to using a 3rd party solution? I looked at a company called Pertino several years ago and they had a nice system. Basically VPN clients on all machines and you access the resources using their servers. Worked fairly well. They were purchased by Cradlepoint which offers a similar thing. Free trial. No idea of cost though.

https://cradlepoint.com/products/netcloud-perimeter
 
If they're averse to replacing routers because of cost, any additional component you can drop in will probably cost more than upgrading them to a good business-class router or UTM that has VPN capabilities built in.

If the offices are small enough, a lot of those have a base model that's good for 10-25 users and is only a few hundred $ - stuff like the Micro or Mini at https://nexgenappliances.com/40-ng-firewall-hardware

Also factor in the cost of your time for configuration and troubleshooting or for recovery if they don't do anything - I have lots of experience with trying to go the cheap route, and with trying to clean up after someone's gone the cheap route. I tell people "It's going to cost about $X. There are ways to cut the equipment cost, but that requires more billable time from me for custom configuration and troubleshooting. I'll be happy to take your money for that time, but I'd rather have you get the better equipment because I think it'll serve you better in the long run."
 
Possibly consider an SSH tunnel instead. Spin up your favorite Linux distro and install OpenSSH. On the Windows systems use PuTTY to access the SSH server and then fire up RDP to access your Windows systems. Works well, and best of all it's all free. Run the Linux machine in a virtual environment on a lightly used system that is on 24/7. You can change the port number in the config file to something other than port 22, making it more difficult to access the SSH server. One other nice feature is that after five failed attempts to log on to the SSH server the remote IP is blocked.
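As an added example (not from this thread or any of its posters) of what the SSH-tunnel approach above looks like in practice: a shell snippet that builds the local port-forward command an RDP client would connect through, prints a minimal sshd_config fragment with the non-default port and a tightened login limit, and counts failed logins per source address over sshd log lines to pick out the hosts that hit the five-strikes threshold the post describes. The host names, addresses, user names and log lines are constructed placeholders; the Windows side then points its RDP client at localhost:13389 instead of exposing tcp/3389 on the router.

```shell
#!/bin/sh
# Added example, not code from the thread. All hosts, users and log lines are constructed.

# Build the ssh command that listens on a local port (default 13389) and forwards it
# through the SSH server to tcp/3389 on the internal Windows host. The RDP client is
# then pointed at localhost:<local port>; nothing on 3389 is exposed to the Internet.
# $1 = user@sshserver, $2 = sshd port, $3 = internal RDP host, $4 = local port (optional)
rdp_tunnel_cmd() {
    printf 'ssh -N -p %s -L %s:%s:3389 %s\n' "$2" "${4:-13389}" "$3" "$1"
}

# Print an sshd_config fragment for the jump host: non-default port as the post
# suggests, forwarding left on (the tunnel needs it), root login off and a low
# per-connection attempt limit. $1 = port to listen on.
sshd_hardening_config() {
    cat <<EOF
Port $1
PermitRootLogin no
MaxAuthTries 3
AllowTcpForwarding yes
X11Forwarding no
EOF
}

# Read sshd log lines on stdin, count "Failed password" events per source IP and
# print every address that reached the threshold (default 5). This is the kind of
# check a fail2ban-style blocker performs before it bans an address.
failed_login_offenders() {
    threshold="${1:-5}"
    grep 'Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port.*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample log lines: one address with five failures, one with two,
# and one successful login that must not be counted.
SAMPLE_LOG='Jan 10 09:00:01 vpnhost sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jan 10 09:00:03 vpnhost sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 51235 ssh2
Jan 10 09:00:05 vpnhost sshd[103]: Failed password for root from 198.51.100.7 port 51236 ssh2
Jan 10 09:00:07 vpnhost sshd[104]: Failed password for root from 198.51.100.7 port 51237 ssh2
Jan 10 09:00:09 vpnhost sshd[105]: Failed password for matt from 198.51.100.7 port 51238 ssh2
Jan 10 09:01:00 vpnhost sshd[106]: Failed password for matt from 203.0.113.9 port 40001 ssh2
Jan 10 09:01:02 vpnhost sshd[107]: Failed password for matt from 203.0.113.9 port 40002 ssh2
Jan 10 09:02:00 vpnhost sshd[108]: Accepted password for matt from 192.0.2.10 port 40100 ssh2'

# Stand-alone usage: show the tunnel command, the config fragment and the offenders.
rdp_tunnel_cmd matt@vpn.example.com 2222 192.168.10.20
sshd_hardening_config 2222
printf '%s\n' "$SAMPLE_LOG" | failed_login_offenders 5
```

With the tunnel up, the user opens the RDP client against localhost:13389 and the session rides inside SSH; only the sshd port on the jump host needs to be reachable from outside, and the offender list is what a lockout tool would feed into a firewall rule.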
 
What about replacing the router with a DrayTek? They support SSL VPN and one-time passwords.

Also check out RDPGuard as an alternative way to increase security, although not as good as a VPN.
 
If you want something "plug and play", probably one of the easier devices to configure is a SonicWall firewall. It probably takes less than 10 minutes to set up their SSL VPN service. Then download and install their NetExtender (SSL VPN client) software and connect. Otherwise pfSense is pretty easy to get going with OpenVPN. I think there is a wizard to walk you through the setup, plus there are tons of YouTube videos. There is also an OpenVPN export package to export the client configuration from the firewall so you can easily import it on client devices. It's what I use at home. Best of all, with pfSense it's all free. If networking is not your strong point then maybe recommend something like GoToMyPC?
 
Back to the VPN device thing. Ubiquiti ERL3s are tough to beat for price/performance, under $100 down here. The great thing is it's easy to build a stock base config, including VPN, and deploy it to new devices. The site-specific changes become minimal, so you're left with adding users and changing the secret and password. I used to use OS X Server VPN as it was very simple, but I've switched to ERLs for VPN as well. Unless they are serving out services from their site, swapping out/replacing the router is trivial.
 