VPN or something else

[mmcxiiad]

I travel a fair amount for work and want to set up a very easy system to log back into my home network. I really want to be able to do four primary things:

1. Remotely access all of the computers on my network. I am currently using Apple Remote Desktop, but it seems that it is a pain to configure ports and settings in both the software and router to connect to more then one computer.

2. Remote file sharing. I know I could open up port 548 in the router and direct it to one computer (or port triggering to acess different computers), but I would really would rather not have open ports for every computer to have file sharing accessible.

3. Route web traffic through home network. Staying in hotels and/or accessing the internet though public access hotspots has always gotten me a bit paranoid. I would really like to be able to securely access the internet while away from home.

4. Connect remote networks. We own a small family company and work from home. Also, a few other family members work for us, and I would really like to connect all the locations to be able to do remote administration and file and print sharing.


Currently I have Verizon FIOS 35/35 so speed isn't an issue. I am using a Apple airport basestation (newest model) as my router. I also just set up Wide Area Bonjour and DNS Service Discovery to dynamically update the local domain name I use at hope with the IP address that I get from verizon.

I am not sure if using a VPN server or something else is the best way to go to make this all happen. I don't mind spending some money to make this happen.

In addition to those four things, I really want something that is easy to set up and maintain and something that will work with my mobile apple devices (macbook, iphone, ipad, etc). Also something that is very reliable.

A nice bonus, but nowhere near a priority, would be the ability to connect to remotely connect to a computer via a web browser. I know I can do this with a logmein solution, but if it was built into some appliance that was doing everything else, that would be better.

Any help or insight on this would be much appreciated

[sim667]

Im currently working on something similar. Ive got fileshares available through my vpn to freinds etc..... I'm also using the vpn.

All been done for free...... only major change was changing the firmware on my belkin dir-615...... that may help you..

My issues are
a. Can only connect one client to the VPN at a time
b. VPN does not support bonjour..... (well vpn doesnt support mulitcast which bonjour needs to be more precise). You can access them using the address...... Apparently network beacon should make all this work to replace bonjour, but i cant get it to work.

[L0CKnL0aD7]

A VPN would indeed be the best solution for remotely accessing your home network (in a safe way).
You can use the VPN Server build in with OSX Server ore
Setup a OpenVPN Server on Win/Linux/OSX. (this is a bit harder but you can do it on basically any Computer)

[belvdr]

I just bought a Cisco ASA 5505 to solve these issues. It's a firewall and VPN device with an 8 port switch on it.

[mmcxiiad]

Some great info so far

Quote:

Originally Posted by L0CKnL0aD7

A VPN would indeed be the best solution for remotely accessing your home network (in a safe way).
You can use the VPN Server build in with OSX Server ore
Setup a OpenVPN Server on Win/Linux/OSX. (this is a bit harder but you can do it on basically any Computer)

I have access to OSX server 10.6, but have always had difficulty setting up the VPN. I always get a can not connect message. I have never found a really good tutorial on setting up the VPN

Quote:

Originally Posted by belvdr

I just bought a Cisco ASA 5505 to solve these issues. It's a firewall and VPN device with an 8 port switch on it.

I really like the idea of an appliance to do vpn, but i worry that this cisco box will have a pretty steep learning curve and (from what I understand) requires a subscription to get software updates. With zero expereince with cisco, I wonder if this is a wise route.... for a router with built in vpn.

I am sure that there are other routers that do VPN that have a much easier learning curve.

[L0CKnL0aD7]

Quote:

Originally Posted by mmcxiiad

I have access to OSX server 10.6, but have always had difficulty setting up the VPN. I always get a can not connect message. I have never found a really good tutorial on setting up the VPN

If you want I could make a Tutorial, however I only have access to an OSX Server 10.3.9
I kan show you how to setup: 10.3.9 with PPTP & L2PT and OpenVPN.

[mmcxiiad]

Quote:

Originally Posted by L0CKnL0aD7

If you want I could make a Tutorial, however I only have access to an OSX Server 10.3.9
I kan show you how to setup: 10.3.9 with PPTP & L2PT and OpenVPN.

I think that this would be great. I am sure I am not the only one who would benefit from this!

[sim667]

Quote:

Originally Posted by mmcxiiad

I think that this would be great. I am sure I am not the only one who would benefit from this!

I've been considering doing one for home users, using standard mac os x 10.6 and ddwrt router firmware.

I've got a pptp vpn working, but can only connect one client at a time........ once ive sorted that ill probably write one.

I also want to know how to only let clients access certain services, i.e. afp share, but use their own internet connection for websurfing whilst still connected to my VPN.

[gdc]

Quote:

Originally Posted by sim667

I also want to know how to only let clients access certain services, i.e. afp share, but use their own internet connection for websurfing whilst still connected to my VPN.

This is something I am interested in - establishing a VPN link to my home network to surf out through, rather than directly via an unsecure network when on the road.

Any details would be much appreciated, either software or hardware based solutions. I have considered a device like a Cisco ASA 5505 but have not had the chance to investigate how it would work yet.

[gdc]

Quote:

Originally Posted by belvdr

I just bought a Cisco ASA 5505 to solve these issues. It's a firewall and VPN device with an 8 port switch on it.

Does this allow you to browse out from your home network via a remote vpn connection when on the road without having to use a client located behind your 5505? Or do you need, say, an iMac powered on at home to screenshare with etc.

[belvdr]

I use split tunneling, which only encrypts traffic I want to encrypt to my home network. All other traffic goes out my normal Internet connection. I can certainly change this to full tunneling and have all traffic come through my ASA.

People tend to think that VPNs always forward all traffic from your machine to the remote network. In very few situations is that the case.

[gdc]

Quote:

Originally Posted by belvdr

I use split tunneling, which only encrypts traffic I want to encrypt to my home network. All other traffic goes out my normal Internet connection. I can certainly change this to full tunneling and have all traffic come through my ASA.

People tend to think that VPNs always forward all traffic from your machine to the remote network. In very few situations is that the case.

Thanks. I'm only just getting into this and need to do some more reading. I had appreciated that in most cases VPNs don't route all traffic to the remote network, eg a VPN tunnel to a remote server only catches traffic to that server, not other general browsing.

What I haven't grasped yet is how split tunneling works, so I can do online banking via the VPN connection home, and generally browse just via the 'unsecure' network.

I assume then that your 5505 can route out direct from your remote device, and you do not screenshare to a machine behind it for secure browsing?

Thanks for taking the time to reply - much appreciated.

[tivoboy]

I've setup a nice VPN on my mac, 256k encryption, cheap too. Has been working great. What I have noticed though, is that if I am SHARING MY INTERNET connection via Ethernet (so my primary internet connection is WIFI), that ETHERNET connection loses any connectivity WHEN the VPN is running. Is that just the way things are, or is there some way to get ICS to work through the VPN as well?

[belvdr]

Quote:

Originally Posted by gdc

What I haven't grasped yet is how split tunneling works, so I can do online banking via the VPN connection home, and generally browse just via the 'unsecure' network.

I assume then that your 5505 can route out direct from your remote device, and you do not screenshare to a machine behind it for secure browsing?

Thanks for taking the time to reply - much appreciated.

It's doing it all via IP routing. When you connect to a VPN, you are usually assigned an IP address from the remote side. Then for the IPs that are to be traversed over the VPN, a route for each subnet or IP is added to the system, pointing to your assigned VPN IP.

Quote:

Originally Posted by tivoboy

I've setup a nice VPN on my mac, 256k encryption, cheap too. Has been working great. What I have noticed though, is that if I am SHARING MY INTERNET connection via Ethernet (so my primary internet connection is WIFI), that ETHERNET connection loses any connectivity WHEN the VPN is running. Is that just the way things are, or is there some way to get ICS to work through the VPN as well?

I have heard of this, but never researched a solution. It sounds as if the VPN in question is doing full tunneling.

[talmy]

I've been running a Mac mini with Snow Leopard Server for nearly a year now and have been using VPN. Traffic on my remote Mac can be routed either all through the VPN tunnel or just traffic to my LAN, so it can be used for 100% secure browsing. It does support more than one remote system tunneling at the same time. As mentioned, Bonjour services don't go through, however I've tried ShareTool, and it will allow remote Bonjour access.

[sim667]

Quote:

Originally Posted by talmy

I've been running a Mac mini with Snow Leopard Server for nearly a year now and have been using VPN. Traffic on my remote Mac can be routed either all through the VPN tunnel or just traffic to my LAN, so it can be used for 100% secure browsing. It does support more than one remote system tunneling at the same time. As mentioned, Bonjour services don't go through, however I've tried ShareTool, and it will allow remote Bonjour access.

Is the splitting the local network traffic and the internet traffic something that is done on the client or the server? I have vpn's set up on freinds macs so we can remotely fileshare, however when they're connected it funnels all data through my vpn..... luckily they dont use it that often.

Unfortunately im not using snow leopard server, just snow leopard.

[sim667]

Quote:

Originally Posted by gdc

This is something I am interested in - establishing a VPN link to my home network to surf out through, rather than directly via an unsecure network when on the road.

Any details would be much appreciated, either software or hardware based solutions. I have considered a device like a Cisco ASA 5505 but have not had the chance to investigate how it would work yet.

I use a router provided by my isp, and got fed up with how slow it was running, so i took their firmware off and put DDWRT on. DDWRT is a free 3rd party firmware for routers, and I must say its excellent, although there's a lot of options you find in there that you wouldnt find on standard firmware so can be confusing at first.

I've enabled the PPTP VPN server on the DDWRT firmware, and because in the UK we generally have dynamic ip's, i needed to assign a DNS to the router. So i've signed up for a free dyndns account, and luckily there's a built in DNS updater on the DDWRT firmware, so none of the DNS or the VPN runs from my macs, making it easier to administrate (sign on to vpn, use router web interface, DDWRT allows changes to settings to be made without rebooting the router).

I never have issues with the VPN or the DNS. The only thing i do sometimes have issues with is the VNC server running on my mac, and the sharing account access, also on my mac. But i think its because sometimes the WOL doesnt work properly...... I need to work out what the deal is with that.

[talmy]

Quote:

Originally Posted by sim667

Is the splitting the local network traffic and the internet traffic something that is done on the client or the server?

On Client:
System Preferences-->Network-->VPN-->Advanced-->Options-->Send All Traffic over VPN connection.

[sim667]

Quote:

Originally Posted by talmy

On Client:
System Preferences-->Network-->VPN-->Advanced-->Options-->Send All Traffic over VPN connection.

So disabling that would make the clients only use the VPN for network data, and their web data would just go through their own local networks yeah?

[belvdr]

It would also depend on the VPN server configuration. If the VPN server is configured for full tunneling, unchecking that option will have no effect.

[talmy]

Quote:

Originally Posted by belvdr

It would also depend on the VPN server configuration. If the VPN server is configured for full tunneling, unchecking that option will have no effect.

Interesting. I just checked this out and it is true, but it doesn't make sense. If the server isn't configured for full tunneling then there is no way to get it. If it is configured for full tunneling (as mine is) then the check box in the client indeed has no effect. ???

[belvdr]

Quote:

Originally Posted by talmy

Interesting. I just checked this out and it is true, but it doesn't make sense. If the server isn't configured for full tunneling then there is no way to get it. If it is configured for full tunneling (as mine is) then the check box in the client indeed has no effect. ???

It makes sense. Why would anyone leave the VPN administration/configuration up to the user(s)? If the VPN administrators do not want the overhead of all traffic coming in, then disallow it. If they want to filter it, then you enable it.

[mmcxiiad]

Quote:

Originally Posted by belvdr

It makes sense. Why would anyone leave the VPN administration/configuration up to the user(s)? If the VPN administrators do not want the overhead of all traffic coming in, then disallow it. If they want to filter it, then you enable it.

One reason you may leave it up to the user, would depend on where you are VPN'ing from. For example, if you are at home and need to get into work all your http traffic may not need to be routed through them. This would also speed things up for the user. But if you are at a hotel or a open network, you may want the user to route all their traffic through the VPN for security.

[belvdr]

Quote:

Originally Posted by mmcxiiad

One reason you may leave it up to the user, would depend on where you are VPN'ing from. For example, if you are at home and need to get into work all your http traffic may not need to be routed through them. This would also speed things up for the user. But if you are at a hotel or a open network, you may want the user to route all their traffic through the VPN for security.

What's the additional security (from the company's standpoint) of encrypting the users' traffic to their personal mail account, whether at a hotel or at home? Unless you require full tunneling (for web filtering and such), then split tunneling is fine as you're encrypting the data the business deems important.

A poor security policy would allow the users to dictate what to encrypt. You lose control over how much WAN traffic you'll see and how much load you'll generate on your VPN device.

[sim667]

Also if all traffic is tunnelled through the VPN, and you have many users doing ot, then it may cause bandwidth issues.

This is why i want a split tunnel on mine, in case my clients (freinds) forget to disconnect from my VPN and use my bandwidth allowance up quickly.