Tell me about VPNs

I already know what a VPN is in general terms - a way to create a small network where some nodes may attach remotely, usually via the internet, but appear to be part of the local network. I also know there is more than one way to achieve this but my knowledge of what these solutions are is sorely lacking.

I have in mind a particular situation which I expect is quite a common one. A small not-for-profit organization runs a small office network so that employees and volunteers can access shared documents, databases and printers etc. It would be useful if these people could securely access these resources from home, both for convenience and space considerations. Ideally the home-workers would not need any special hardware and should not be tied to accessing from a fixed IP address. Additionally, because the turnover in staff and volunteers is quite fluid it must be easy to administer access. It is expected that the actual traffic across the VPN would be pretty low and cost would be more important than performance. Because of the way the organization is funded it may be easier to manage an up-front expenditure through a specific grant rather than regular payments to a service provider.

Can any dopers point me in the right direction? Specific recommendations would be welcome, as would more general advice.

First, what people refer to as a VPN can vary.

Your understanding of a VPN is correct - a way to extend a private network to a remote device over an untrusted network. However, some companies use VPN to refer to a (generally encrypted web) portal that allows access to internal network resources. These are secure (relying on HTTPS) and usually require no client configuration, so they can be used from a variety of devices, including internet cafe computers and mobile devices.

Also, the solution depends on the existing infrastructure. My recommendation for organisations like the one you describe is SME Server - a Linux server that runs on commodity hardware (I use an old Dell desktop PC) and is reliable and easy to manage (all done via a web console). The best thing is that SME Server is free. Another option is Windows Home Server, but that does cost money, has more specific hardware requirements and is less flexible (IMHO).

The standard SME Server supplies external web mail and file access (via HTTPS), and a PPTP-based VPN (that any Windows XP client can connect to). However, PPTP has fallen out of favour. For more VPN security, OpenVPN can be installed - this is an SSL-based VPN, and works really well. The management is via a web page on the SME Server, and just relies on copying some certificates to the client, and installing the OpenVPN client.

With a bit more work, a product called Adito can be installed - this is an HTTPS portal that allows external access to internal resources. Adito is an open-source spin-off of a product called SSL-Explorer (which is still sold as a hardware device). This requires a bit more thought and setup, but can be used from any browser (although Java is required for some functionality).

If you already have a Windows network server, both Adito and OpenVPN can be installed on Windows servers.

Otherwise, some internet routers can be set up to provide VPN functionality for a very low cost. The Linksys WRT54GL is USD60 and can be configured (with open-source firmware such as OpenWRT, DD-WRT or Tomato) as an OpenVPN router giving access to your internal network.

I hope this helps.

Si

I’m not too far from London and would be happy to help configure equipment.

May or may not be an issue, but in general VPNs don’t work well over home satellite installations (i.e. HughesNet).

Thanks for the info si_blakely, I will check out SME Server when the link is back working. A VPN-enabled router also looks like an attractive option, I was surprised how cheap they can be. Your very kind offer of help is duly noted :cool: but working with this organization is an object lesson in incompetence and frustration, my conscience makes me wary of introducing an innocent to this microcosm of hell :(.

Nope, not an issue :smiley:

I’ve spent the last few years working on UK govt IT projects. Incompetence and frustration are my daily experience. :rolleyes:

And I am certainly no innocent :smiley:

Si