VPN for dummies

Tea

I gather that there are a million ways to organise a virtual private network. I often toy with the idea of setting one up between home and work.

I have broadband connections at both ends, and the work end (the one where the data I'd want to access remotely is) has a static IP. The actual network is multi-platform, but I should imagine that that doesn't particularly matter, and that the key to it is that both the home system and the office network are behind Smoothwall boxes.

My question is this: is there an easy way to access my office machines from home with reasonable security? (There are no atom secrets there, but it would be highly inconvenient to have stuff deleted by script kiddies.)

I don't care if it means buying a commercial product, so long as the cost is reasonable, but I have not the slightest intention of doing anything that requires real skull-sweat. Zapping the current minor inconvenience of having to make a four minute drive to the office to access data from home is worth writing a cheque or bending the credit card for, but not worth spending more than an evening or two on the setup.

So my question is not "can it be done?", it's "is there an easy way?"


PS: roaming access is not an issue, just single point to single point.
 

P5-133XL

First, it is quite possible that smoothwall has VPN builtin and that it is simply a question of configuring it (I don't know, not having actually played with smoothwall).

For a relatively modest price you can replace the Smoothwall machines with something like Linksys's VPN cable modem routers. They are very easy to set up and the cost is approx. $120-$140 US each.
 

Tea

Ahh! Now that looks like a genuinely easy method. Thank you, Mark. I'll do some reading up on it. I presume that I simply plug the existing 16-port switch into one port of it, and the cable modem into the other (i.e., use it to replace the Smoothwall). Then figure out a way to get a replacement DHCP server. Or maybe the 4-port unit can do DHCP for ... oh ... I need about 20 or 30 units. (Don't answer these questions! I'll go read the specs, then ask anything I don't understand.)
 

Tea

Some substantial reading later, it looks excellent! You can use a pair of them (one at each end) or just one on the LAN and a software-based client at the other end.

It acts as a DHCP server (253 connections max, which is plenty) and has both port forwarding (to be able to run a web server, which I want to do) and a DMZ feature. Only drawback at this stage is that, according to the manual as I read it, you can't port forward and use DHCP. If I understand it correctly, the port forwarding (for a web server or whatever) requires that the server have a static local IP address, and although you can use a mixture of static and DHCP-assigned local IPs (as I already do with the Smoothwall), you can't then port-forward to one of the static-IP machines unless you switch off the DHCP. Or possibly I misunderstood it. I'll read it again. But not right now - I'm going cross-eyed.
 

Clocker

Tea - You should be able to port forward and DHCP. If you really want, you should be able to assign an IP to any MAC address you define as well (at least I do with my SMC router).

C
 

P5-133XL

If you think about it, port forwarding is to a static address. However, DHCP is dynamic and can give a machine a different IP address. Thus, combining them is possible but problematic, because if DHCP gives a machine a different IP address then the port forwarding will send the data to the wrong machine or to no machine (if the address has not been reassigned).

Note mixing the two will most likely work if the lease time is reasonable (two weeks) and if there aren't too many requests on the DHCP server, because client machines start out by requesting the same address they had before at 50% of the lease time period. The server will not re-allocate the address until the lease time has expired. Thus as long as the machine has not been disconnected from the DHCP server for more than 50% of the lease time, it will always get the same IP address. Further, if the DHCP server is not required to supply IP addresses often then it may not have given out the address even if the lease time has expired.
 

ihsan

Joining the discussion.

If I have a VPN server and a client, to speed up the decryption process, do I install an IPsec-capable NIC such as the Intel Pro 10/100 S or 3COM 3CR990 on both ends or just on the client/server?

Thank you in advance.
 

Mercutio

Most hardware gateways like that will let you reserve DHCP addresses based on MAC addresses. You use DHCP but certain machines will always get the same address.

Alternatively, you can make your scope smaller than the whole 250-odd address range. I typically reserve the first 20 addresses in a /24 for static assignment (servers, network hardware, printers).
 

Clocker

Mercutio said:
Most hardware gateways like that will let you reserve DHCP addresses based on MAC addresses. You use DHCP but certain machines will always get the same address.

That's what I meant/recommend....

C
 

Cliptin

When troubleshooting, if you are having difficulty getting the whole setup to work then you can use DHCP. It's just that the next time a particular machine's lease runs out it may get a different address. Some DHCP implementations attempt to reassign the previously assigned address.

Alternatively, Smoothwall does implement FreeS/WAN as its VPN solution. I have not used it though.

Also, depending what kind of access you need, VNC has some significant security built in.

From the FAQ:
Q55 How secure is VNC?

Access to your VNC desktop generally allows access to your whole
environment, so security is obviously important. VNC uses a
challenge-response password scheme to make the initial connection: the
server sends a random series of bytes, which are encrypted using the
password typed in, and then returned to the server, which checks them
against the 'right' answer. After that the data is unencrypted and could,
in theory, be watched by other malicious users, though it's a bit harder
to snoop a VNC session than, say, a telnet, rlogin, or X session. Since
VNC runs over a simple single TCP/IP socket, it is easy to add support
for SSL or some other encryption scheme if this is important to you, or
to tunnel it through something like SSH or Zebedee.
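To make the FAQ's point concrete, here is an added example (not code from the thread or from the VNC project): a model of the password challenge-response login it describes, showing what the scheme stops (replaying a captured login, because the server picks a fresh random challenge every time) and what it does not (the same capture lets an eavesdropper test password guesses offline, and everything after the login is sent in the clear). Real VNC encrypts a 16-byte random challenge with DES keyed by the first 8 bytes of the password; HMAC-SHA256 stands in for DES here so the example runs on the Python standard library alone. The password, wordlist and captured "wire" are constructed for the example.

```python
"""Added example: model of a VNC-style password challenge-response login.
HMAC-SHA256 is a stand-in for VNC's DES-of-challenge; password, wordlist and
captured exchange are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

Exchange = Tuple[bytes, bytes]  # (challenge, response) as a sniffer on the path sees it


def respond(password: str, challenge: bytes) -> bytes:
    """Client side: derive the response from the password and the server's challenge."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class VncServer:
    def __init__(self, password: str) -> None:
        self._password = password
        self._outstanding: Optional[bytes] = None

    def challenge(self) -> bytes:
        """A fresh random challenge for every login attempt."""
        self._outstanding = secrets.token_bytes(16)
        return self._outstanding

    def verify(self, response: bytes) -> bool:
        """Check against the single outstanding challenge, then discard it."""
        if self._outstanding is None:
            return False
        expected = respond(self._password, self._outstanding)
        self._outstanding = None
        return hmac.compare_digest(expected, response)


def login(server: VncServer, password: str, wire: List[Exchange]) -> bool:
    """Honest client: the password itself never crosses the network."""
    ch = server.challenge()
    resp = respond(password, ch)
    wire.append((ch, resp))          # what the eavesdropper records
    return server.verify(resp)


def replay(server: VncServer, wire: List[Exchange]) -> bool:
    """Eavesdropper re-sends the last captured response; the challenge has changed."""
    _, old_resp = wire[-1]
    server.challenge()
    return server.verify(old_resp)


def offline_guess(wire: List[Exchange], wordlist: List[str]) -> Optional[str]:
    """The same capture lets the eavesdropper test guesses with no further contact
    with the server; VNC's 8-byte password cap keeps that search space small."""
    ch, resp = wire[-1]
    for guess in wordlist:
        if hmac.compare_digest(respond(guess, ch), resp):
            return guess
    return None


def demo() -> dict:
    server = VncServer("redhill1")   # constructed password
    wire: List[Exchange] = []
    results = {}
    results["wrong_password"] = login(server, "letmein", wire)
    results["login_ok"] = login(server, "redhill1", wire)
    results["replay"] = replay(server, wire)
    results["recovered"] = offline_guess(
        wire, ["password", "letmein", "storage", "redhill1", "smoothie"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The replay fails only because the server never reuses a challenge; the offline guess succeeds because nothing rate-limits an attacker who already holds a (challenge, response) pair. Both points argue for what the FAQ suggests: run VNC through an SSH tunnel or the VPN, so the login and the session are never visible on the wire in the first place.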
 

Tea

Smoothwall can do it. Any serious Linux head with a yen for networking could set it up using the freeware version of Smoothwall and a few other goodies, but it's beyond me. I spent some time a while ago reading up on it (there is at least one largish web page devoted to it, I have it bookmarked somewhere) but I'd have to spend far more time than the project is worth to me learning how to do it. Not easy.

Then there is the commercial Smoothwall product. They have a VPN add-on for their base "Corporate Server" edition, which would be overkill for my needs, but would be reasonably easy to set up and work just fine. But at around AU$800, I could buy three of the Linksys VPN routers Mark mentioned. Scratch Smoothwall.

On the DHCP thing, I suspect it's an ambiguity in the documentation. To me (as Mercutio suggests) the obvious way to set the network up is to assign static IP addresses to the servers and use DHCP for the others. (I have two local servers: one stores the accounting information, the other technical stuff such as my collection of drivers and boot disc images. I'd add a third one to be a dedicated web server.) Currently I assign the static IPs on the individual servers, set the rest to auto, and the Smoothie takes care of them. It hadn't occurred to me to assign them centrally via MAC address, as setting it locally is so easy.

I spent an hour or so cruising around last night looking for other products in the same general category as the Linksys: there seem to be quite a few, but so far the Linksys seems to be the pick of them. Accton don't provide much documentation for theirs, which puts me off, Netgear's is an 8-port unit and over AU$500, the D-Link is worth further investigation though.
 

blakerwry

Tea said:
On the DHCP thing, I suspect it's an ambiguity in the documentation. To me (as Mercutio suggests) the obvious way to set the network up is to assign static IP addresses to the servers and use DHCP for the others. (I have two local servers: one stores the accounting information, the other technical stuff such as my collection of drivers and boot disc images. I'd add a third one to be a dedicated web server.) Currently I assign the static IPs on the individual servers, set the rest to auto, and the Smoothie takes care of them. It hadn't occurred to me to assign them centrally via MAC address, as setting it locally is so easy.

Your setup sounds very similar to mine. I have a hardware router/firewall, the Dlink model 704. On any machine I am going to do port forwarding, I simply specify the IP/DNS settings in the network configuration. All other machines I set to DHCP.

The router is address 192.168.0.100, static machines are given addresses like 192.168.0.101, 102, etc. The DHCP machines seem to pull from all over, although I could easily specify the DHCP range to be 200-255 or something similar.

I have setup one of the linksys 4 port models and you should easily be able to do the same things as me...

I wouldn't worry about MAC addresses as it will just further complicate your setup and in my opinion is not needed unless you're trying to secure your network from unwanted guests trying to grab IPs (which would be more of a concern in a wireless network).
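The lease behaviour P5-133XL describes, the MAC reservation Mercutio and Clocker recommend, and the static-addresses-outside-the-DHCP-range layout blakerwry uses all come together in the following added example (not code from the thread or from any router vendor). It is a small model of a DHCP scope with leases, renewal at 50% of the lease time (T1), optional MAC reservations, and a router whose port forward points at an address. It replays the thread's situation twice: once with the web server as an ordinary DHCP client, once with a reservation and the dynamic scope starting above it. The network, MACs, the 14-day lease and the timeline are constructed for the example.

```python
"""Added example (not from the thread): model of DHCP leases, T1 renewal and
MAC reservations, and what a port forward ends up hitting. Addresses, MACs,
lease time and timeline are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

DAY = 86_400


@dataclass
class Lease:
    mac: str
    ip: IPv4Address
    expires: int  # simulated clock, seconds


class DhcpPool:
    """Dynamic scope first..last inside `network`, plus optional MAC reservations."""

    def __init__(self, network: str, first: int, last: int, lease_time: int,
                 reservations: Optional[Dict[str, str]] = None) -> None:
        base = int(IPv4Network(network).network_address)
        self.scope: List[IPv4Address] = [IPv4Address(base + n) for n in range(first, last + 1)]
        self.lease_time = lease_time
        self.reservations = {m: IPv4Address(ip) for m, ip in (reservations or {}).items()}
        self.leases: Dict[str, Lease] = {}  # keyed by MAC; expired entries stay as hints

    def t1(self) -> int:
        """Renewal time: a client asks for its current address again at 50% of the lease."""
        return self.lease_time // 2

    def holder(self, ip: IPv4Address, now: int) -> Optional[str]:
        """MAC holding an active lease on `ip`, or None."""
        return next((l.mac for l in self.leases.values() if l.ip == ip and l.expires > now), None)

    def request(self, mac: str, now: int) -> IPv4Address:
        """DISCOVER/REQUEST from `mac` at time `now`; returns the address handed out."""
        if mac in self.reservations:                           # a reservation always wins
            ip = self.reservations[mac]
        else:
            old = self.leases.get(mac)
            if old and (old.expires > now or self.holder(old.ip, now) is None):
                ip = old.ip                                    # renewal, or expired but not yet reused
            else:
                ip = self._allocate(now)
        self.leases[mac] = Lease(mac, ip, now + self.lease_time)
        return ip

    def _allocate(self, now: int) -> IPv4Address:
        reserved = set(self.reservations.values())
        busy = {l.ip for l in self.leases.values() if l.expires > now}
        used = {l.ip for l in self.leases.values()}
        for ip in self.scope:                                  # never-used addresses go first
            if ip not in reserved | busy | used:
                return ip
        expired = sorted((l for l in self.leases.values() if l.ip not in busy | reserved),
                         key=lambda l: l.expires)              # then the longest-expired one
        if not expired:
            raise RuntimeError("DHCP scope exhausted")
        return expired[0].ip


class Router:
    """A port forward targets an address; which machine gets the traffic is up to DHCP."""

    def __init__(self, pool: DhcpPool) -> None:
        self.pool = pool
        self.static: Dict[IPv4Address, str] = {}
        self.forwards: Dict[int, IPv4Address] = {}

    def add_static(self, ip: str, mac: str) -> None:
        """Locally configured address: refuse it if DHCP could hand it to someone else."""
        addr = IPv4Address(ip)
        if addr in self.pool.scope:
            raise ValueError(f"{ip} lies inside the DHCP scope")
        self.static[addr] = mac

    def port_forward(self, port: int, ip: IPv4Address) -> None:
        self.forwards[port] = ip

    def forward_target(self, port: int, now: int) -> Optional[str]:
        ip = self.forwards[port]
        return self.static.get(ip) or self.pool.holder(ip, now)


WEB = "00:00:5e:00:53:01"                                           # constructed web server MAC
OTHERS = [f"00:00:5e:00:53:{n:02x}" for n in range(0x10, 0x16)]     # six other machines


def scenario(reserve_web: bool) -> dict:
    """Replay the thread's situation; report what port 80 hits at the end."""
    if reserve_web:   # reservation for the web server, dynamic scope starts above it
        pool = DhcpPool("192.168.1.0/24", 22, 25, 14 * DAY, {WEB: "192.168.1.21"})
    else:             # the web server is just another DHCP client
        pool = DhcpPool("192.168.1.0/24", 21, 24, 14 * DAY)
    router = Router(pool)
    router.add_static("192.168.1.10", "00:00:5e:00:53:aa")       # server with a locally set address
    a, b, c, d, e, f = OTHERS
    ip0 = pool.request(WEB, 0)
    router.port_forward(80, ip0)
    out = {"day0": str(ip0), "renew_t1": str(pool.request(WEB, pool.t1()))}
    pool.request(a, 22 * DAY); pool.request(b, 22 * DAY)           # light demand while web is off
    out["back_day23"] = str(pool.request(WEB, 23 * DAY))           # lease expired, address untouched
    for mac in (c, d, e, f):                                       # heavy demand while web is off
        pool.request(mac, 38 * DAY)
    pool.request(f, 45 * DAY)                                      # f renews at its own T1
    out["back_day53"] = str(pool.request(WEB, 53 * DAY))
    out["port80_hits"] = router.forward_target(80, 53 * DAY)
    return out


if __name__ == "__main__":
    print("DHCP only:", scenario(False))
    print("reserved: ", scenario(True))
```

In the first run the web server keeps .21 through its T1 renewal and even after one expired lease with little demand, exactly as P5-133XL says; under heavy demand its address is handed to another machine, it comes back on .22, and the port 80 forward now delivers traffic to the wrong box. In the second run the reservation makes the forward stable, and add_static shows the one check to keep in mind for blakerwry's approach: a locally configured address must sit outside the range the router hands out.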
 