VPN or something else

mmcxiiad
Jan 20, 2011, 12:53 PM
I travel a fair amount for work and want to set up a very easy system to log back into my home network. I really want to be able to do four primary things:

1. Remotely access all of the computers on my network. I am currently using Apple Remote Desktop, but it seems that it is a pain to configure ports and settings in both the software and router to connect to more than one computer.

2. Remote file sharing. I know I could open up port 548 in the router and direct it to one computer (or port triggering to access different computers), but I would really rather not have open ports for every computer to have file sharing accessible.

3. Route web traffic through home network. Staying in hotels and/or accessing the internet through public access hotspots has always gotten me a bit paranoid. I would really like to be able to securely access the internet while away from home.

4. Connect remote networks. We own a small family company and work from home. Also, a few other family members work for us, and I would really like to connect all the locations to be able to do remote administration and file and print sharing.


Currently I have Verizon FIOS 35/35 so speed isn't an issue. I am using an Apple AirPort base station (newest model) as my router. I also just set up Wide Area Bonjour and DNS Service Discovery (https://www.dyndns.com/support/kb/apple_wide_area_bonjour_and_service_discovery_with_custom_dns.html) to dynamically update the local domain name I use at home with the IP address that I get from Verizon.

I am not sure if using a VPN server or something else is the best way to go to make this all happen. I don't mind spending some money to make this happen.

In addition to those four things, I really want something that is easy to set up and maintain and something that will work with my mobile Apple devices (MacBook, iPhone, iPad, etc.). Also something that is very reliable.

A nice bonus, but nowhere near a priority, would be the ability to remotely connect to a computer via a web browser. I know I can do this with a LogMeIn solution, but if it was built into some appliance that was doing everything else, that would be better.

Any help or insight on this would be much appreciated.



sim667
Jan 24, 2011, 06:16 AM
I'm currently working on something similar. I've got file shares available through my VPN to friends etc. I'm also using the VPN.

It's all been done for free. The only major change was changing the firmware on my Belkin DIR-615, which may help you.

My issues are:
a. Can only connect one client to the VPN at a time.
b. VPN does not support Bonjour (well, to be more precise, the VPN doesn't support multicast, which Bonjour needs). You can access them using the address. Apparently Network Beacon should make all this work to replace Bonjour, but I can't get it to work.

L0CKnL0aD7
Jan 25, 2011, 02:42 PM
A VPN would indeed be the best solution for remotely accessing your home network (in a safe way).
You can use the VPN server built in to OS X Server, or
set up an OpenVPN server on Win/Linux/OS X (this is a bit harder, but you can do it on basically any computer).

belvdr
Jan 25, 2011, 03:04 PM
I just bought a Cisco ASA 5505 to solve these issues. It's a firewall and VPN device with an 8 port switch on it.

mmcxiiad
Jan 26, 2011, 03:45 PM
Some great info so far

A VPN would indeed be the best solution for remotely accessing your home network (in a safe way).
You can use the VPN server built in to OS X Server, or
set up an OpenVPN server on Win/Linux/OS X (this is a bit harder, but you can do it on basically any computer).

I have access to OS X Server 10.6, but have always had difficulty setting up the VPN. I always get a "cannot connect" message. I have never found a really good tutorial on setting up the VPN.


I just bought a Cisco ASA 5505 to solve these issues. It's a firewall and VPN device with an 8 port switch on it.

I really like the idea of an appliance to do VPN, but I worry that this Cisco box will have a pretty steep learning curve and (from what I understand) requires a subscription to get software updates. With zero experience with Cisco, I wonder if this is a wise route for a router with built-in VPN.

I am sure that there are other routers that do VPN that have a much easier learning curve.

L0CKnL0aD7
Jan 27, 2011, 05:08 AM
I have access to OS X Server 10.6, but have always had difficulty setting up the VPN. I always get a "cannot connect" message. I have never found a really good tutorial on setting up the VPN.


If you want I could make a tutorial; however, I only have access to an OS X Server 10.3.9.
I can show you how to set up 10.3.9 with PPTP, L2TP and OpenVPN.

mmcxiiad
Jan 27, 2011, 05:20 PM
If you want I could make a tutorial; however, I only have access to an OS X Server 10.3.9.
I can show you how to set up 10.3.9 with PPTP, L2TP and OpenVPN.

I think that this would be great. I am sure I am not the only one who would benefit from this!

sim667
Jan 31, 2011, 05:52 AM
I think that this would be great. I am sure I am not the only one who would benefit from this!

I've been considering doing one for home users, using standard Mac OS X 10.6 and DD-WRT router firmware.

I've got a PPTP VPN working, but can only connect one client at a time. Once I've sorted that I'll probably write one.

I also want to know how to only let clients access certain services, i.e. an AFP share, but use their own internet connection for web surfing whilst still connected to my VPN.

gdc
Jan 31, 2011, 07:15 AM
I also want to know how to only let clients access certain services, i.e. an AFP share, but use their own internet connection for web surfing whilst still connected to my VPN.

This is something I am interested in: establishing a VPN link to my home network to surf out through, rather than directly via an insecure network when on the road.

Any details would be much appreciated, either software or hardware based solutions. I have considered a device like a Cisco ASA 5505 but have not had the chance to investigate how it would work yet.

gdc
Jan 31, 2011, 07:21 AM
I just bought a Cisco ASA 5505 to solve these issues. It's a firewall and VPN device with an 8 port switch on it.

Does this allow you to browse out from your home network via a remote VPN connection when on the road without having to use a client located behind your 5505? Or do you need, say, an iMac powered on at home to screen share with, etc.?

belvdr
Jan 31, 2011, 11:31 AM
I use split tunneling, which only encrypts traffic I want to encrypt to my home network. All other traffic goes out my normal Internet connection. I can certainly change this to full tunneling and have all traffic come through my ASA.

People tend to think that VPNs always forward all traffic from your machine to the remote network. In very few situations is that the case.

gdc
Jan 31, 2011, 05:17 PM
I use split tunneling, which only encrypts traffic I want to encrypt to my home network. All other traffic goes out my normal Internet connection. I can certainly change this to full tunneling and have all traffic come through my ASA.

People tend to think that VPNs always forward all traffic from your machine to the remote network. In very few situations is that the case.

Thanks. I'm only just getting into this and need to do some more reading. I had appreciated that in most cases VPNs don't route all traffic to the remote network, e.g. a VPN tunnel to a remote server only catches traffic to that server, not other general browsing.

What I haven't grasped yet is how split tunneling works, so I can do online banking via the VPN connection home, and generally browse just via the 'insecure' network.

I assume then that your 5505 can route out direct from your remote device, and you do not screenshare to a machine behind it for secure browsing?

Thanks for taking the time to reply - much appreciated.

tivoboy
Jan 31, 2011, 06:20 PM
I've set up a nice VPN on my Mac, 256k encryption, cheap too. It has been working great. What I have noticed though, is that if I am SHARING MY INTERNET connection via Ethernet (so my primary internet connection is Wi-Fi), that ETHERNET connection loses any connectivity WHEN the VPN is running. Is that just the way things are, or is there some way to get ICS to work through the VPN as well?

belvdr
Jan 31, 2011, 06:29 PM
What I haven't grasped yet is how split tunneling works, so I can do online banking via the VPN connection home, and generally browse just via the 'insecure' network.

I assume then that your 5505 can route out direct from your remote device, and you do not screenshare to a machine behind it for secure browsing?

Thanks for taking the time to reply - much appreciated.

It's doing it all via IP routing. When you connect to a VPN, you are usually assigned an IP address from the remote side. Then for the IPs that are to be traversed over the VPN, a route for each subnet or IP is added to the system, pointing to your assigned VPN IP.

I've set up a nice VPN on my Mac, 256k encryption, cheap too. It has been working great. What I have noticed though, is that if I am SHARING MY INTERNET connection via Ethernet (so my primary internet connection is Wi-Fi), that ETHERNET connection loses any connectivity WHEN the VPN is running. Is that just the way things are, or is there some way to get ICS to work through the VPN as well?

I have heard of this, but never researched a solution. It sounds as if the VPN in question is doing full tunneling.

talmy
Jan 31, 2011, 09:11 PM
I've been running a Mac mini with Snow Leopard Server for nearly a year now and have been using VPN. Traffic on my remote Mac can be routed either all through the VPN tunnel or just traffic to my LAN, so it can be used for 100% secure browsing. It does support more than one remote system tunneling at the same time. As mentioned, Bonjour services don't go through, however I've tried ShareTool, and it will allow remote Bonjour access.

sim667
Feb 3, 2011, 10:14 AM
I've been running a Mac mini with Snow Leopard Server for nearly a year now and have been using VPN. Traffic on my remote Mac can be routed either all through the VPN tunnel or just traffic to my LAN, so it can be used for 100% secure browsing. It does support more than one remote system tunneling at the same time. As mentioned, Bonjour services don't go through, however I've tried ShareTool, and it will allow remote Bonjour access.

Is the splitting of the local network traffic and the internet traffic something that is done on the client or the server? I have VPNs set up on friends' Macs so we can remotely file share; however, when they're connected it funnels all data through my VPN. Luckily they don't use it that often.

Unfortunately I'm not using Snow Leopard Server, just Snow Leopard.

sim667
Feb 3, 2011, 10:23 AM
This is something I am interested in: establishing a VPN link to my home network to surf out through, rather than directly via an insecure network when on the road.

Any details would be much appreciated, either software or hardware based solutions. I have considered a device like a Cisco ASA 5505 but have not had the chance to investigate how it would work yet.

I use a router provided by my ISP, and got fed up with how slow it was running, so I took their firmware off and put DD-WRT on. DD-WRT is a free third-party firmware for routers, and I must say it's excellent, although there are a lot of options in there that you wouldn't find on standard firmware, so it can be confusing at first.

I've enabled the PPTP VPN server on the DD-WRT firmware, and because in the UK we generally have dynamic IPs, I needed to assign a DNS name to the router. So I've signed up for a free DynDNS account, and luckily there's a built-in DNS updater on the DD-WRT firmware, so none of the DNS or the VPN runs from my Macs, making it easier to administrate (sign on to the VPN, use the router web interface; DD-WRT allows changes to settings to be made without rebooting the router).

I never have issues with the VPN or the DNS. The only thing I do sometimes have issues with is the VNC server running on my Mac, and the sharing account access, also on my Mac. But I think it's because sometimes the WOL doesn't work properly. I need to work out what the deal is with that.

talmy
Feb 3, 2011, 11:07 AM
Is the splitting of the local network traffic and the internet traffic something that is done on the client or the server?

On Client:
System Preferences-->Network-->VPN-->Advanced-->Options-->Send All Traffic over VPN connection.

sim667
Feb 8, 2011, 06:04 AM
On Client:
System Preferences-->Network-->VPN-->Advanced-->Options-->Send All Traffic over VPN connection.

So disabling that would make the clients only use the VPN for network data, and their web data would just go through their own local networks yeah?

belvdr
Feb 8, 2011, 07:25 AM
It would also depend on the VPN server configuration. If the VPN server is configured for full tunneling, unchecking that option will have no effect.
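The routing explanation above (an assigned VPN address, plus one route per home subnet pointing at it) and the point that the server's full-tunnel setting overrides the client are easy to see with a small routing-table model. The following Python is an added example written for this thread, not code from any poster or product. It constructs the route table a client would hold after connecting and answers "which interface carries this packet?" by longest-prefix match; the addresses, subnets and gateways are made-up sample values. The full-tunnel case is modelled the way OpenVPN's `redirect-gateway def1` does it: two /1 routes via the tunnel that out-rank the local /0 default without deleting it, plus a host route so the encrypted packets to the VPN server itself still leave via the local gateway.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str      # next hop
    interface: str    # "vpn" (tunnel) or "wan" (hotel / home uplink)


def build_routes(home_subnets, vpn_assigned_ip, vpn_server_ip,
                 full_tunnel, local_gateway="10.0.0.1"):
    """Return the routing table a client holds after the tunnel comes up.

    Constructed model: the local default route always exists; the VPN
    server pushes one route per home subnet, and, only when it is set to
    full tunneling, the def1-style /1 overrides plus a host route for itself.
    """
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), local_gateway, "wan")]
    for subnet in home_subnets:
        routes.append(Route(ipaddress.ip_network(subnet), vpn_assigned_ip, "vpn"))
    if full_tunnel:
        # /32 host route: tunnel packets themselves must not loop into the tunnel
        routes.append(Route(ipaddress.ip_network(f"{vpn_server_ip}/32"),
                            local_gateway, "wan"))
        # Two /1 routes cover the whole address space and beat the /0 default
        for half in ("0.0.0.0/1", "128.0.0.0/1"):
            routes.append(Route(ipaddress.ip_network(half), vpn_assigned_ip, "vpn"))
    return routes


def lookup(routes, destination):
    """Longest-prefix match, as the OS routing table does it."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r.prefix]
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return best.interface


def classify(routes, destinations):
    """Map each destination to the interface its traffic would use."""
    return {d: lookup(routes, d) for d in destinations}


# Constructed sample: home LAN 192.168.1.0/24, tunnel address 192.168.1.200,
# VPN server's public address 203.0.113.10 (documentation range).
HOME = ["192.168.1.0/24"]
DESTS = ["192.168.1.5",     # file server at home
         "93.184.216.34",   # some website (first half of the address space)
         "198.51.100.1",    # some website (second half)
         "203.0.113.10"]    # the VPN server itself

SPLIT = build_routes(HOME, "192.168.1.200", "203.0.113.10", full_tunnel=False)
FULL = build_routes(HOME, "192.168.1.200", "203.0.113.10", full_tunnel=True)

if __name__ == "__main__":
    for name, table in (("split tunnel", SPLIT), ("full tunnel", FULL)):
        print(name)
        for dest, iface in classify(table, DESTS).items():
            print(f"  {dest:>15} -> {iface}")
```

Run it and the split table sends only the 192.168.1.x destination through the tunnel, while the full table sends every website through it and keeps only the VPN server's own address on the local uplink. Since these routes are installed from what the server pushes, the client's "Send All Traffic" checkbox cannot remove them; it can only matter when the server leaves the default route alone.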

talmy
Feb 9, 2011, 09:15 AM
It would also depend on the VPN server configuration. If the VPN server is configured for full tunneling, unchecking that option will have no effect.

Interesting. I just checked this out and it is true, but it doesn't make sense. If the server isn't configured for full tunneling then there is no way to get it. If it is configured for full tunneling (as mine is) then the check box in the client indeed has no effect. ???

belvdr
Feb 9, 2011, 05:26 PM
Interesting. I just checked this out and it is true, but it doesn't make sense. If the server isn't configured for full tunneling then there is no way to get it. If it is configured for full tunneling (as mine is) then the check box in the client indeed has no effect. ???

It makes sense. Why would anyone leave the VPN administration/configuration up to the user(s)? If the VPN administrators do not want the overhead of all traffic coming in, then disallow it. If they want to filter it, then you enable it.

mmcxiiad
Feb 9, 2011, 05:53 PM
It makes sense. Why would anyone leave the VPN administration/configuration up to the user(s)? If the VPN administrators do not want the overhead of all traffic coming in, then disallow it. If they want to filter it, then you enable it.


One reason you may leave it up to the user would depend on where you are VPNing from. For example, if you are at home and need to get into work, all your HTTP traffic may not need to be routed through them. This would also speed things up for the user. But if you are at a hotel or an open network, you may want the user to route all their traffic through the VPN for security.

belvdr
Feb 10, 2011, 06:34 AM
One reason you may leave it up to the user would depend on where you are VPNing from. For example, if you are at home and need to get into work, all your HTTP traffic may not need to be routed through them. This would also speed things up for the user. But if you are at a hotel or an open network, you may want the user to route all their traffic through the VPN for security.

What's the additional security (from the company's standpoint) of encrypting the users' traffic to their personal mail account, whether at a hotel or at home? Unless you require full tunneling (for web filtering and such), then split tunneling is fine as you're encrypting the data the business deems important.

A poor security policy would allow the users to dictate what to encrypt. You lose control over how much WAN traffic you'll see and how much load you'll generate on your VPN device.

sim667
Feb 10, 2011, 09:01 AM
Also, if all traffic is tunnelled through the VPN, and you have many users doing it, then it may cause bandwidth issues.

This is why I want a split tunnel on mine, in case my clients (friends) forget to disconnect from my VPN and use my bandwidth allowance up quickly.

talmy
Feb 10, 2011, 09:18 AM
Why is there a checkbox on the client when it doesn't work?

It looks like I need to turn VPN on and off depending on whether or not I want secure (but slow) or fast transfers. This is making ssh tunneling or ShareTool (without VPN) look more attractive. I currently use ssh tunneling to access my home from locations (such as at work) that block the VPN ports, and I've tried ShareTool but decided that, while it worked fine, it wasn't necessary for what I was doing.

belvdr
Feb 10, 2011, 01:44 PM
Why is there a checkbox on the client when it doesn't work?

Mainly those VPN providers that mask the identity of users for web browsing leave the choice up to the user.

mmcxiiad
Feb 10, 2011, 01:54 PM
What's the additional security (from the company's standpoint) of encrypting the users' traffic to their personal mail account, whether at a hotel or at home? Unless you require full tunneling (for web filtering and such), then split tunneling is fine as you're encrypting the data the business deems important.

A poor security policy would allow the users to dictate what to encrypt. You lose control over how much WAN traffic you'll see and how much load you'll generate on your VPN device.


Well, considering that this post was initially about me, my perspective isn't from a large business. We have just a few employees who would need to VPN in to access a few things. But when a few of us travel, I would want to tunnel all traffic back through the VPN. For me the two advantages of this are peace of mind that my traffic is safe while I am on the road, and access to services that hotels and public access points tend to block.

belvdr
Feb 10, 2011, 05:53 PM
Well, considering that this post was initially about me, my perspective isn't from a large business. We have just a few employees who would need to VPN in to access a few things. But when a few of us travel, I would want to tunnel all traffic back through the VPN. For me the two advantages of this are peace of mind that my traffic is safe while I am on the road, and access to services that hotels and public access points tend to block.

It's not a large business frame of mind. It's a business state of mind, especially small businesses. Depending on your WAN connection and applications used, you could easily flood it and cause an outage. For web browsing, you effectively double your throughput requirements.

For example, say you're on the road and you stream a YouTube or Netflix video. The data comes from the Internet, down your WAN, through the VPN (which then encrypts it), then back out your WAN again. Then again, are you going to force your users to connect to VPN any time they have an Internet connection? If not, then I'd say most users will get upset with the crappy performance and disconnect anyway.

I've never seen public Internet points block much of anything. I think you're worried a bit too much about things, but then again, it has no bearing on me really.

But again, I'll ask what is the additional security behind encrypting users' traffic destined for Yahoo or Netflix? Where's the value? By creating a VPN, you are not isolating the user from the local network.

To note, I'm just trying to point out that you really need to think this through. If you simply turn it on, it can cause all sorts of issues.

mmcxiiad
Feb 10, 2011, 07:02 PM
It's not a large business frame of mind. It's a business state of mind, especially small businesses. Depending on your WAN connection and applications used, you could easily flood it and cause an outage. For web browsing, you effectively double your throughput requirements.

For example, say you're on the road and you stream a YouTube or Netflix video. The data comes from the Internet, down your WAN, through the VPN (which then encrypts it), then back out your WAN again. Then again, are you going to force your users to connect to VPN any time they have an Internet connection? If not, then I'd say most users will get upset with the crappy performance and disconnect anyway.

I've never seen public Internet points block much of anything. I think you're worried a bit too much about things, but then again, it has no bearing on me really.

But again, I'll ask what is the additional security behind encrypting users' traffic destined for Yahoo or Netflix? Where's the value? By creating a VPN, you are not isolating the user from the local network.

To note, I'm just trying to point out that you really need to think this through. If you simply turn it on, it can cause all sorts of issues.


Ok, I want to preface by saying that I am not trying to start a flame war. I always appreciate getting a different point of view. That said, I think I pretty clearly outlined my desires in the first post. Maybe you should reread that. As the title of this thread suggests, I am not stuck on a VPN solution. Someone I know suggested an SSL connection, though I am not sure what the difference is or how to implement that.

belvdr
Feb 11, 2011, 06:59 AM
Ok, I want to preface by saying that I am not trying to start a flame war. I always appreciate getting a different point of view. That said, I think I pretty clearly outlined my desires in the first post. Maybe you should reread that. As the title of this thread suggests, I am not stuck on a VPN solution. Someone I know suggested an SSL connection, though I am not sure what the difference is or how to implement that.

Maybe you didn't realize that others chimed in asking for a similar solution. ;) It's a discussion and it's common for that to happen. You also quoted my reply to someone else (about leaving options up to the user) and it went from there. I'm not trying to start a flame war either. I have implemented many, many VPNs and have seen the good, the bad, and the ugly. It's a matter of weighing all the options together, because

You can implement an SSL VPN just as you would an IPsec VPN. However, it would not route all traffic through your main network. The bonus side of an SSL VPN is that you don't need to install a client first. The downside is you can lose some flexibility.

At this point, just implement a VPN device and be done with it. Something like a Cisco ASA 5505 will meet all of your requirements, but you'll require a VPN device at each of your locations.