How to set up a VPN for roaming users on Internet?
Suppose some employee is on a business trip and is now sitting in an internet cafe, and he wants to access some resource in his company's headquarters' intranet. It is desired to have a secured connection, so I guess a VPN should be a good fit for this scenario. Does anyone have thoughts about how to set up such a VPN? Suppose the employee has his own laptop for this connection, since we can never expect any machine in the internet cafe to be usable for anything fancy. But the employee can plug his machine into a local area network either through a wired line or a wireless access point. Either way, his laptop will act as a DHCP client.
Thanks!
While VPNs are necessary if the resources to be accessed are via a UDP-based protocol, ssh is all you need for TCP-based services.
Thanks.
But the issues are: first, normal users feel uncomfortable with command-line tools such as ssh or scp, etc. Second, there may exist some applications for accessing some intranet resource, but they are supposed to work in an intranet and thus just provide no encryption and weak authentication, etc. Third, a VPN seems to be more secure. So, supposing we have to provide such a configuration, how do we implement it, or is there just no way?
Some comments:
- SSH tunnels can be implemented as a GUI with no command-line "terminal" for end users. I've done this several times. SSH tunnels are an implementation of an ad-hoc VPN.
- The primary purpose of ssh is to provide secure encrypted communications - it will use many of the same ciphers as traditional VPN software (I recommend blowfish). The level of security with ssh is equal to or greater than traditional VPNs.
- SSH is more flexible for end users. A common request is to use local networked printers (at home) while securely connected to corporate resources. This is difficult/impossible with traditional VPNs, but trivial with ssh.
- Traditional VPNs typically require a greater (dedicated) resource requirement on the server side. Since ssh is ad-hoc by nature, you need only allocate 2MB RAM per concurrent session + network bandwidth.
- Traditional VPNs are very useful for "nailed-up" communications between systems communicating over insecure facilities. I find them less useful for ad-hoc operation by end users.

You might also find stunnel useful in addition to or in place of ssh. If you are looking at VPNs anyway, contact your network provider (e.g. Cisco). They will set you up with the hardware/software you need to do it right. If you'd like to set it up yourself, take a look at OpenVPN.
I agree fully with macemoneta. I had to set up a separate VPN server for my users to access the network resources remotely. I prefer to use ssh myself because it is just as secure as, if not more secure than, a VPN without the need for a dedicated server.
The server I set up is a Debian 4.0 stable box with PopTop for PPTP VPN and ShoreWall for configuring the firewall (iptables). There are several VPN solutions available. Do your reading and pick one that suits your needs.
Hello,
I would use a dedicated VPN server. I use OpenVPN. It is available for all major platforms, either as server or client. Your users just need to start the client software and use all resources in your network (connect to network drives, access their mail, etc.). All communication between server and client is encrypted. Setting up the VPN server is straightforward and well documented. The port for the server shows as closed. You can use many types of authorization methods. Any other network service needs authorization. Using a VPN, your users don't need to change their habits. More info: http://www.openvpn.org HTH
This is a list of some tasks that may be performed by a remote user:
- use the LAN printer
- access some shared network folders on some file servers
- access some web-based applications, which only allow local access; in other words, these are supposed to be internal services.

So, can GUI-like SSH fulfill the above requirements? I think the first two should be OK. But what about the third one? I would agree that the network can be configured such that the servers running these services can be accessible from the Internet as well. But they have a local-access nature. In addition, common practice (?) is to group public servers (accessible from the Internet) together and separate them from internal servers (invisible to the Internet). So, these web applications have to be accessed on a server with a private network address. I am not familiar with networking configuration, so the above is just my thoughts. Any comments about this? Thanks!
Thanks!
I've heard a lot about OpenVPN recently but am not aware of all its power. So, can it be used in the scenario mentioned here? Suppose the intranet resource that the user wants to use (either locally or remotely) is "sth" (could be a printer or a private web application).
- When the user plugs his laptop in at his office (intranet), OpenVPN will not create a tunnel or encrypt the connection to "sth". (Or will it?)
- When the user accesses "sth" from the Internet through a wireless network in the airport, the access will be a VPN connection from the user's laptop to the destination of "sth".

Could you please give some hints on both server-side and client-side setup? Thanks!
I will definitely read up on OpenSSH for more detail. But to get a quick education, could you please give a few more hints on how a remote client can access a private web server from his laptop's Firefox in the airport? Thanks, thanks!
For example, let's say that the internal web server listens internally (on the intranet) on port 8000. Your client setup would be:
Code:
ssh -L 80:server.com:8000 user@host

To get access to the internal (intranet) server, your user would then browse to "http://localhost" (or whatever alias you define). This works because the ssh command above defines port 80 (the default web port) on the local host as connecting to port 8000 on server.com. This is of course only one of thousands of possible configurations. You can specify many ports at the same time in the setup (or in the client's ssh configuration file), forwarding any services to your internal servers. Those ports which are not forwarded remain locally accessible (for example port 631, for IPP network printing). There are network cost savings as well. If your client is connecting at a WiFi hot spot, connecting to a non-internal service (like http://google.com) is routed to the internet as usual. A traditional VPN would send that traffic to your internal servers and over your corporate internet connection. As many corporations pay for internet service by the amount of data transfer, you would pay twice for traditional VPN traffic (but not for intelligently routed ssh traffic). As you can see, there is a great deal of flexibility for you as an administrator. Your clients don't care. They just use their services/bookmarks as usual.
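As an added example (not code from macemoneta or anyone in this thread): a small Python check over the LocalForward entries of a client's ssh configuration file, flagging any forward that listens on more than loopback. On a cafe or airport network such a forward would let other machines on the LAN ride the tunnel into the intranet. The sample config is constructed; 'server.com' and port 8000 follow the post above, the other names are placeholders.

```python
import ipaddress

# Constructed sample ssh_config; 'server.com' and 8000 follow the thread's
# "ssh -L 80:server.com:8000 user@host" example, other names are placeholders.
SAMPLE_CONFIG = """\
Host hq
    LocalForward 127.0.0.1:8080 server.com:8000
    LocalForward 1143 mail.internal:143

Host hq-shared
    GatewayPorts yes
    LocalForward 8080 server.com:8000
    LocalForward *:631 printserver.internal:631
"""


def parse_bind(spec):
    """Split '[bind_address:]port' into (bind or None, port)."""
    bind, sep, port = spec.rpartition(":")
    return (bind.strip("[]") if sep else None), int(port)


def is_loopback_only(bind, gateway_ports):
    """ssh_config rules: no bind address follows GatewayPorts ('no' = loopback);
    'localhost' is loopback; '' or '*' listens on every interface."""
    if bind is None:
        return gateway_ports == "no"
    if bind == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:  # '', '*' or a hostname: treat as exposed
        return False


def audit_local_forwards(config_text):
    """Return (host, bind, port, target) for each forward reachable from the LAN.
    Each Host block is judged on its own; ssh's first-match rule across blocks
    is not modelled (assumption of this example)."""
    gateway, forwards, host = {}, [], None
    for raw in config_text.splitlines():
        key, _, value = raw.strip().partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            host, gateway[value] = value, "no"
        elif key == "gatewayports" and host:
            gateway[host] = value.lower()
        elif key == "localforward" and host:
            forwards.append((host, *value.split()))
    findings = []
    for h, listen, target in forwards:
        bind, port = parse_bind(listen)
        if not is_loopback_only(bind, gateway[h]):
            findings.append((h, bind, port, target))
    return findings
```

Run against SAMPLE_CONFIG the check reports the two forwards under "hq-shared" and accepts both under "hq", which is what a roaming user's config should look like.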
So, basically, this is something like port forwarding for any access to a local port. For any internal service behind the firewall (sshd server) to be accessed remotely, we create this tunnel on the user's local machine and access the service as if it were hosted locally (localhost). This is to pretend that we have a web server, SMTP server, IMAP server, FTP server, etc. To me, this is to say that any TCP-based service can be tunneled this way. So, most intranet resources can be securely accessed from the Internet, including FTP, email, web, etc. What about printing?
Yes, it appears the forwarded services are local, but you can fix that by appending entries to the hosts file while ssh is running. For example:
Code:
#------------------
But it still has its limitations due to its port forwarding scheme, I think. For example, it is not always predictable what TCP ports will be used by a new service, and you have to define port forwarding explicitly for each such service on a client's machine. In such a scenario, we simply create a VPN to secure all the traffic without worrying about which service should be tunneled and which not, or distinguishing local services from forwarded ones...