Private VPN endpoint

[Handruin]

Is OpenVPN the appropriate software stack to use when creating my own private VPN endpoint on a Linux system? I'm looking to build a way to remotely connect my devices in my home network. Since my current router does not support a VPN endpoint functionality, I'm going to try and setup this stack onto a Linux VM but wanted to understand what others may have done to do a similar task.

I'd also like to use this VPN for surfing the web remotely. My understanding is I should be able to connect my table/phone to my VPN and any internet browsing should tunnel through to my home ISP thereby encapsulating the traffic on someone else's WiFi.

 

[Chewy509]

I've used OpenVPN a few times in testing and it does what it's meant to do, in the scenario of connecting remotely into a work LAN and accessing LAN resources...

However the sticking point was trying to find client software that would connect to the OpenVPN server for all the remote devices required and have them route all traffic over the VPN rather than trying to be intelligent about it. eg, in the instance the VPN client would only route traffic destined for the remote end over the tunnel, and not all traffic as requested. The workaround would be to use a proxy server at the remote office LAN end, to get around this... Also finding VPN clients was more difficult if you wanted to use certificate based auth rather than username/password auth when brining up the tunnel.

This is going back a few years, so hopefully things have improved a little since then on the client side of things.

 

[Mercutio]

Yes, though if you're doing an OpenVPN server, you're also going to have to configure the client to talk on the end-point's network, which its own documentation doesn't do a very good job explaining. I made my students set up OpenVPN just working from its documentation and it took them about two hours to make a working connection and then probably another hour and a half setting up the server so that the clients could do something besides say they were connected and authenticated.
If you're connecting to a normal store of consumer internet connection, you'll probably find that browsing is unbearably slow, but I can definitely think of times it might be worth it.

 

[Handruin]

OK, so setting up a server and creating the endpoint connection only does half of what I was hoping for from what you've described. I'd like to be able to see my home systems to either log in via SSH or RDC once the VPN connection has been established. Would I be better off using some other software components vs trying to hack together a OpenVPN server and client configuration? I admit that my knowledge of VPNs is limited so I may not be fully envisioning how VPNs are supposed to be setup/used. Will I be able to create this VPN server by enabling port-forwarding on my router to the appropriate ports to my Linux VM?

Those cases where I connect my mobile/tablet/laptop through public WiFi/Internet will be limited and rare and I can accept that performance would be slower at the benefit of increased security. Is my assumption/understanding correct that once connected to my own VPN server that I'd essentially be using my home's ISP when browsing the web?

At my various jobs, the VPN has been both authentication based (username/password with revolving authentication key) and now it's certificate-based. Is one more preferable over the other for security?

This is a crude drawing of what my network layout is. The purple line is my expected path of the tunnel. Then from the endpoint I would guess any traffic could traverse back through the house switch to get to any other machine including going back out the router to the ISP for internet browsing.

My goal would be to have my clients (mobile/table/laptop) connect by going to something like: vpn.mydomainname.net and authenticate.

 

[ddrueding]

What you want to do is possible, but Merc and Chewy both know loads more about it than I do so I won't bother with that.

What I do is use routers that support VPN directly. I really like the Netgear ProSafe series. Router-Router connections are insanely easy and do all the things you want. Client-Router connections are possible and they include a free license of their software with each router. I haven't set it up, but one of my guys did it for the first time in about 10 minutes and it worked immediately.

 

[Handruin]

Which model ProSafe did you use? The SRX5308 looks to have good throughput for IPsec but I have no idea if I can connect to it via my mobile/table/laptop devices. Is IPsec the preferred method for a VPN endpoint? What other hardware-based routers did you consider (if any) that perform similar functionality? After looking around briefly, it looks like prices are all over the place for hardware VPN routers. The SonicWall TZ215 looks interesting but it's more than twice the price of the SRX5308.

 

[CougTek]

Is IPsec the preferred method for a VPN endpoint

IPsec allows a connection about twice as fast as OpenVPN and it's simpler to configure. Last time I've checked, OpenVPN was vulnerable since it uses OpenSSL certificates, which have been cracked several months ago. I don't know if the norm has switched to LibreSSL certificates since or not. Truth be told, not every ass hole can crack into an OpenVPN certificate, but since, thanks to that vulnerability, it is probably not safer than plain IPsec, while being slower, why bother?

 

[timwhit]

The vulnerability in OpenSSL was fixed. If you generate a new certificate it's not vulnerable.

 

[ddrueding]

When I only need one WAN port I use an FVS318G, they also have one with WiFi included, as well as units with 2 and 4 WAN ports. These can handle 99% of implementations. The only place in my control where that wasn't enough we installed a Barracuda Firewall (8 ports) and Content Filter.