I was wondering if youze guys (& girls) could elucidate the topic of VPNs. I’m curious as to the nitty-gritty of how one might go about setting one up. What sort of hardware and/or software would be required to get a VPN going here at work so that employees can connect to our network from home or offsite? We’re a small shop that lacks an IT department so I’m rather clueless as to how to get this going, but it sounds like a neat idea. At the moment we have Remote Desktop capabilities, so I’m not 100% clear on what functionality (access to shared folders?) would be gained through a VPN, but they sound awfully secure. Perhaps a simple explanation of the advantages of such a setup would be good too.
It sort of depends what you want to achieve.
A “real” VPN creates an encrypted tunnel via an insecure internet to the internal network. This assigns an internal IP address to the client - they can operate as if they were actually in the office - mounting network drives and using email normally. This is the most natural and easiest system for road warriors and home workers. To set this up you need both a server on the internet and client software. MS provide VPN software (server and client); another common toolset is OpenVPN (free, strong, and works on Windows, MacOS and Linux).
An SSL VPN uses Secure Sockets Layer to set up secure Web access to internal resources. This is useful to provide safe access to internal intranets, etc., where full VPN access is not required. SSL-Explorer is a very powerful (but hard to set up) SSL VPN solution. They have a free version - it works on Windows and Linux, and can be accessed by any web client that supports SSL (https), but most of the client tools and plugins seem to be Windows oriented.
There are a number of easy-to-use Linux servers that can set up these sorts of VPNs - some ADSL routers also provide VPNs. Most big network equipment suppliers also sell dedicated solutions. The answer to your question depends on how you want to access the system from outside, what you have inside, and how much you are prepared to spend or learn.
Si
When I ran a smallish network with several locations, and a fair number of remote workers, we used a Cisco 3005 VPN concentrator. I would have liked to add a RADIUS server to provide authentication to the Windows network. There are multiple ways to get a RADIUS server configured.
For smaller installations, MS also provides a VPN service, but I’m not sure off the top of my head how to set one up. This is what we replaced to go with the VPN concentrator. We switched as we had one site that connected via VPN, and it caused issues when multiple users in that location needed to connect at the same time. The same issues applied to a married couple that also used VPN fairly regularly.
Cisco’s solution was fairly easy to set up, and was very reliable.
Most of the products that are sold as “SSL VPN” solutions aren’t really VPNs at all. They’re application layer proxies that force certain supported protocols through a secure web server. If the vendor doesn’t support a particular protocol (say, RDP or XWindows), you’re SOL.
Many of these SSL not-VPN products will also be sold as “clientless VPNs.” There ain’t no such thing. True VPNs allow you to access arbitrary local network resources from remote locations via an encrypted tunnel. This is usually accomplished by a protocol called IPSec, which is a standard that’s bolted on to the lower-level IP protocol that makes the Internets run.
IPSec can be a real bitch to set up properly, and most vendors don’t adhere strictly to the standard. This means that the Cisco client isn’t necessarily interoperable with a Checkpoint server, for instance. Also, it sometimes doesn’t do so well when one of the endpoints is behind Network Address Translation, meaning that the typical home user sitting behind a cable/DSL router/firewall combo may occasionally experience strange connection issues.
Now, if you’ve got the resources available to screw around a little, you may want to give OpenVPN a look. It’s a true SSL VPN solution, meaning that from the end-user perspective, it allows access to any available local network resource over the tunnel, just like an IPSec VPN. However, since it doesn’t require low-level access to the network stack, it’s much easier (and cheaper!) to set up and configure. It’s also free and open source. The major disadvantage is that it’s not compatible with any other commercial product. Good luck.
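As an added example, not code from this thread or from OpenVPN's own documentation, here is a small POSIX shell script that produces the two halves described in Si's reply (a "real" VPN that "assigns an internal IP address to the client" so shares and email work as in the office) and recommended in the last post (OpenVPN as a true tunnel rather than an application proxy). It writes a server config that hands each client an address from a pool and pushes a route to the office LAN, the matching client config, and a throwaway PKI so that both sides can verify each other. Every concrete value is an assumption for illustration: the office LAN 192.168.1.0/24, the tunnel pool 10.8.0.0/24, the host name vpn.example.com, the internal DNS server 192.168.1.10, and the file names ca.crt, server.crt, client1.crt and tc.key. OpenVPN 2.4 or later syntax and OpenSSL 1.1.1 or later are assumed.

```sh
#!/bin/sh
# Added example (not from the thread): a minimal routed OpenVPN setup.
# Assumed values: office LAN 192.168.1.0/24, tunnel pool 10.8.0.0/24,
# server reachable at vpn.example.com udp/1194, internal DNS 192.168.1.10.
# Requires OpenVPN 2.4+ (for "dh none" and tls-crypt) and OpenSSL 1.1.1+.
set -eu

LAN_NET=192.168.1.0;  LAN_MASK=255.255.255.0
VPN_NET=10.8.0.0;     VPN_MASK=255.255.255.0
SERVER_HOST=vpn.example.com
SERVER_PORT=1194
DNS_SERVER=192.168.1.10
SERVER_CN=server   # CN in server.crt; the client pins it with verify-x509-name

# Server side: one tun interface, an address pool for clients, and a pushed
# route so that "map the office share" works exactly as it does on the LAN.
server_conf() {
  cat <<EOF
port $SERVER_PORT
proto udp
dev tun
topology subnet
# Hand each client an address from this pool; the server takes the first one.
server $VPN_NET $VPN_MASK
# Send office-LAN traffic (and only that) through the tunnel; add the DNS server
# so internal host names resolve for remote workers.
push "route $LAN_NET $LAN_MASK"
push "dhcp-option DNS $DNS_SERVER"
ca ca.crt
cert server.crt
key server.key
# ECDHE only; no static DH parameters are needed on 2.4+.
dh none
# Shared key that encrypts and authenticates the TLS control channel; packets
# without a valid HMAC are dropped before any TLS code runs.
tls-crypt tc.key
# The peer must present a certificate with extendedKeyUsage=clientAuth.
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-GCM
keepalive 10 120
# Drop privileges once the tunnel is up (the group is "nobody" on RHEL-like systems).
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# Client side: connect out over UDP (NAT-friendly), verify the server is the
# one we expect, and let the server push the address, route and DNS.
client_conf() {
  cat <<EOF
client
dev tun
proto udp
remote $SERVER_HOST $SERVER_PORT
nobind
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
tls-crypt tc.key
# The server must present a certificate with extendedKeyUsage=serverAuth ...
remote-cert-tls server
# ... and it must be the expected one, not just any certificate our CA signed.
verify-x509-name $SERVER_CN name
tls-version-min 1.2
cipher AES-256-GCM
persist-key
persist-tun
verb 3
EOF
}

# Throwaway PKI: a self-signed CA, then server and client certificates carrying
# the extendedKeyUsage values that remote-cert-tls checks on each side.
gen_pki() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout ca.key -out ca.crt -days 3650 -subj "/CN=Example VPN CA"
  for n in "$SERVER_CN" client1; do
    eku=clientAuth; [ "$n" = "$SERVER_CN" ] && eku=serverAuth
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$n.key" -out "$n.csr" -subj "/CN=$n"
    openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 825 -out "$n.crt" -extfile /dev/stdin <<EOF
extendedKeyUsage = $eku
keyUsage = digitalSignature
EOF
  done
  # OpenVPN 2.5+ syntax; on 2.4 use: openvpn --genkey --secret tc.key
  openvpn --genkey secret tc.key
}

# Usage: sh vpn-setup.sh run   (writes the PKI and both configs to the current directory)
if [ "${1:-}" = run ]; then
  gen_pki
  server_conf > server.conf
  client_conf > client1.ovpn
  echo "wrote server.conf and client1.ovpn"
fi
```

Run it once on the server, then copy ca.crt, client1.crt, client1.key, tc.key and client1.ovpn to the remote machine; the server still needs IP forwarding enabled and a firewall rule allowing udp/1194 and forwarding from the tun interface to the LAN. The two remote-cert-tls lines are what stop a stolen client certificate from being replayed as a server (and vice versa), and tls-crypt means anyone who port-scans the server and does not hold tc.key gets no response at all, which is a cheap way to keep the TLS code off the attack surface.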