LinuxQuestions.org
Old 04-28-2012, 11:18 AM   #1
jason955
LQ Newbie
 
Registered: Feb 2003
Posts: 12

Rep: Reputation: 0
VPN advice


I want to set up a VPN at my house so that I can remotely connect to the computers connected to my LAN. I have a dedicated server running Debian, which I would like to use as the VPN server, and two other machines on the same network I would like to connect to. Also, at some point in the future I would like to allow that same VPN connection to allow me to connect out over my home Internet. I work from Starbucks often and want a secure tunnel to connect to the Internet through.

With that in mind I have done a little research and found many different protocols and software packages to do this. I am looking for something that is secure and easy to set up. Can someone advise me on what protocols and software packages they would recommend me focusing on to solve my needs?

Thanks,
Jason
 
Old 04-28-2012, 12:12 PM   #2
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

Rep: Reputation: 176
A simplistic tool is to use SSH to connect securely, and set up TCP forwarding through that connection to allow connecting to other hosts, and to services that would not be secure on their own. Your home router would have to open up one port to reach the SSH server. If you choose this, I highly recommend using a port number other than port 22 just to avoid all the "noise" of hacker kiddies all over the world trying to guess passwords (that and require the use of keys on SSH).

Your router may already have VPN support itself. Or you could open a port for OpenVPN to run on your computer that would otherwise handle SSH itself. There's also option -w on SSH to run a simpler VPN over TCP.

BTW, if you do choose to open a port for SSH to connect in, you could do so for other machines, too. Just use a different port number on the incoming side for each host on your LAN while they can have the same port number on the inside.
 
Old 04-28-2012, 01:28 PM   #3
jason955
LQ Newbie
 
Registered: Feb 2003
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks Skaperen for your reply. I do have SSHD running and port forwarding set up to get through the firewall. I am running SSHD with password authentication (very complex password) on port 22 and running fail2ban. I was under the impression that this was a pretty secure setup.

How would I go about setting up the forwarding on the server so that I can access the other computers?

I did try running encryption on my router (ASUS WL500GP with OpenWRT firmware) using openvpn but my router doesn't have hardware encryption and gets taken to its knees running just a small amount of VPN traffic.

I'll try playing a little more with openvpn and SSH to see if those can do what I need.
 
Old 04-28-2012, 02:40 PM   #4
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

Rep: Reputation: 176
Quote:
Originally Posted by jason955
Thanks Skaperen for your reply. I do have SSHD running and port forwarding set up to get through the firewall. I am running SSHD with password authentication (very complex password) on port 22 and running fail2ban. I was under the impression that this was a pretty secure setup.
It is generally secure if all the right steps are taken (like the complex passwords, or the use of SSH keys). There is some potential for a light DoS attack. Changing to another port number just avoids the "noise" in your logs, which makes it easy to see more legitimate security issues happening in those logs. It won't prevent even a DoS attack, but the attacker has to find your port number to do anything more than a traffic volume attack. Unless you are a particularly interesting target, they will just move on if port 22 (and a few other well known commonly exploitable ones) doesn't answer (they are more interested in finding another usable host to launch other kinds of attacks from).

Quote:
Originally Posted by jason955
How would I go about setting up the forwarding on the server so that I can access the other computers?
The server configuration needs to have forwarding allowed. Then on the client side, use the -L option for local forwarding where the client listens to other ports and the server makes the designated connections. Or use the -R option for remote forwarding where the server listens to other ports and the client makes the designated connections. These can also be configured in the config file. The man files for ssh and sshd have more details.

Quote:
Originally Posted by jason955
I did try running encryption on my router (ASUS WL500GP with OpenWRT firmware) using openvpn but my router doesn't have hardware encryption and gets taken to its knees running just a small amount of VPN traffic.
How unfortunate. The small SoC CPUs they put in these don't generally have that much power. Hardware encryption would add a few dollars cost, so they won't do that in a market where a couple dollars can make a consumer buying decision. For a lot more dollars a higher end router could support that.

Some people recycle their older server or desktop hardware into router duty and put in one of the special firewall distros. But a carefully configured Debian or Slackware can do just as well (depends on whether you want that as an opportunity to try another distro, or prefer to just keep things as much alike as possible). Add another ethernet port or two and you're good to go.

Or just push the crypto work off to your server, whether for SSH or for OpenVPN. Just open a port on the router to let that traffic through.

FYI, I'm using the Buffalo WZR-HP-AG300H firewall router which has DD-WRT Linux built in with their own customized web front end. It can be loaded with a public DD-WRT or other small firewall distro. But I haven't needed to. And I have not put it to crypto duties to see what it can do, either, since I am doing the SSH thing from internal server to external server (both forwarding and VPN concurrently).
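
The server-side points raised in this thread (forwarding must be allowed before `ssh -L` works, keys instead of passwords, a port other than 22) can be checked against the effective sshd settings. This is an added example, not part of any post above; the sample `sshd -T` output, the host name `home.example.org`, port 2222 and the LAN address are constructed, and the `permitopen` check is an addition that goes beyond what the thread discusses.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output (the effective sshd settings,
# printed as lowercase "keyword value" lines).
SAMPLE_SSHD_T='port 22
passwordauthentication yes
pubkeyauthentication yes
allowtcpforwarding no
permitopen any'

# audit_sshd: read `sshd -T`-style lines on stdin, print one finding per
# line, and return non-zero when `ssh -L` forwarding would be refused.
audit_sshd() {
    awk '
        $1 == "port"                   { port = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "allowtcpforwarding"     { fwd = $2 }
        $1 == "permitopen"             { dest = $2 }
        END {
            # "local" is enough for -L; "remote" or "no" is not.
            ok = (fwd == "yes" || fwd == "all" || fwd == "local")
            printf "%s allowtcpforwarding=%s\n", (ok ? "OK" : "FAIL"), fwd
            # Key-only logins make password guessing pointless.
            printf "%s passwordauthentication=%s\n", (pw == "no" ? "OK" : "WARN"), pw
            # A non-22 port only cuts log noise; it is not a control.
            printf "%s port=%s\n", (port != 22 ? "OK" : "NOTE"), port
            # "any" lets a logged-in client forward to every reachable host.
            printf "%s permitopen=%s\n", (dest != "any" ? "OK" : "NOTE"), dest
            exit !ok
        }'
}

# Run against the constructed sample; on a real server use:
#   sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd || true

# Client side once forwarding is allowed (all values assumed):
#   ssh -p 2222 -N -L 8080:192.168.1.20:80 jason@home.example.org
# then browse to http://localhost:8080 to reach the LAN machine.
```
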
 
  

