Remote Access / VPN / LAN setup advice needed


snibs

New Around Here
Hi all

I'm not sure if this is the correct sub-forum for my post; if not, I apologize in advance.

I need some advice on how to set up our work network for secure VPN access.

Our setup is currently configured as follows:

We have a router (Thomson TG582n) that the outside world is connected to. We plug one of the LAN outputs from that into a switch. The switch is patched into all of the LAN sockets in the skirting board around the office. We also have a Windows Server 2008 R2 box, which is the domain controller + DNS, and a NAS box connected to the switch.

The router is also the DHCP server, and we have some static IP assignments (to the servers and some printers).

Access to some of our internal servers (Subversion, Mantis bug tracking) is done through port-forwarding on the router. When we started there wasn't much to keep secure, but now that we have grown a bit I'm concerned that this really isn't very secure, and so I'd like to set up a VPN (using SSL).

I did a quick test by installing RRAS on the Windows server and enabled PPTP, which kind of 'just worked' with some port forwarding on the router, and I was able to access machines on the network via their domain/machine name. But then I read that PPTP is not really secure, and that SSL (or at the very least IPsec) is a better option. I've also read that installing the VPN role on the DC is also not secure (but I'm not sure why).

Since we're all running Windows for development work, SSTP (which is Windows only) would also be OK, I suppose.

So now I'm not sure what to do. As far as I can see I have the following options:

1. Create another Win Server box and install the VPN server role on it, with 2 NICs etc...

But I need some clarification on a few things. The tutorial I read has the router-facing NIC IP set to 192.168.1.x and the DC-facing NIC set to 10.0.0.x.

So with the DC on the 10.0.0.x network, how do other machines on the LAN see it? Or should the DC also have 2 NICs (the other on 192.1.1.x) so that LAN machines can see it?


2. Buy some kind of dedicated VPN box that does SSL, in which case does _all_ traffic (in and out) go through this box? If this is the way to do it, what would be a suitable box?

3. Something else that anyone might suggest?

Thanks for reading my ramble.

Rob
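The routing question in option 1 above (how LAN machines reach a DC that sits on 10.0.0.x behind a dual-homed VPN server) can be modelled in a few lines of Python. This is an added example, not the poster's configuration and not code from any product named in the thread, and every address in it is a constructed assumption: 192.168.1.254 for the Thomson router, 192.168.1.10 and 10.0.0.1 for the VPN server's two NICs, 10.0.0.2 for the DC, and 203.0.113.1 as the ISP next hop. It does longest-prefix route lookups and walks a packet hop by hop, so you can see that the LAN clients' default gateway needs a route for 10.0.0.0/24 pointing at the VPN server's LAN address, and that the VPN server must actually forward between its NICs, before anything on 192.168.1.x can reach the DC. The reverse direction works as soon as the DC's default gateway is the VPN server's inside NIC.

```python
"""Toy model of the two-NIC VPN-server layout (constructed example, not the
poster's setup): which hosts can reach which, given routes and forwarding."""
from ipaddress import ip_address, ip_interface, ip_network


class Host:
    def __init__(self, name, interfaces, forwarding=False):
        self.name = name
        self.forwarding = forwarding  # routers and the RRAS box forward between NICs; PCs do not
        self.interfaces = {}          # interface address -> directly connected subnet
        self.routes = []              # (network, next_hop); next_hop None == directly connected
        for cidr in interfaces:
            iface = ip_interface(cidr)
            self.interfaces[iface.ip] = iface.network
            self.routes.append((iface.network, None))

    def add_route(self, prefix, next_hop):
        self.routes.append((ip_network(prefix), ip_address(next_hop)))

    def lookup(self, dst):
        """Longest-prefix match over the routing table; None if nothing matches."""
        dst = ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)


def trace(hosts, src, dst, max_hops=8):
    """Follow a packet hop by hop. Returns the list of host names it traverses,
    or None if it is dropped (no route, next hop unknown, or a non-forwarding host)."""
    dst = ip_address(dst)
    by_ip = {ip: h for h in hosts.values() for ip in h.interfaces}
    cur = hosts[src]
    path = [cur.name]
    for hop in range(max_hops):
        if dst in cur.interfaces:
            return path
        if hop > 0 and not cur.forwarding:
            return None  # arrived at a host that does not route (e.g. RRAS box with routing off)
        route = cur.lookup(dst)
        if route is None:
            return None
        _net, next_hop = route
        cur = by_ip.get(dst if next_hop is None else next_hop)
        if cur is None:
            return None  # next hop outside the model, e.g. handed to the ISP and lost
        path.append(cur.name)
    return None


def build_lab(route_on_router=True, vpn_forwards=True):
    """Constructed topology (all addresses are assumptions for this example):
    LAN 192.168.1.0/24 behind the router; DC on 10.0.0.0/24 behind the VPN server."""
    pc = Host("pc", ["192.168.1.50/24"])
    router = Host("router", ["192.168.1.254/24"], forwarding=True)
    vpnsrv = Host("vpnsrv", ["192.168.1.10/24", "10.0.0.1/24"], forwarding=vpn_forwards)
    dc = Host("dc", ["10.0.0.2/24"])

    pc.add_route("0.0.0.0/0", "192.168.1.254")   # LAN clients default to the router
    router.add_route("0.0.0.0/0", "203.0.113.1")  # router's WAN next hop (TEST-NET-3 placeholder)
    dc.add_route("0.0.0.0/0", "10.0.0.1")         # DC's only way out is the VPN server's inside NIC
    if route_on_router:
        # the piece the two-NIC tutorial leaves implicit: tell the LAN's default
        # gateway that 10.0.0.0/24 lives behind the VPN server's LAN address
        router.add_route("10.0.0.0/24", "192.168.1.10")
    return {"pc": pc, "router": router, "vpnsrv": vpnsrv, "dc": dc}


if __name__ == "__main__":
    print("no route on router :", trace(build_lab(route_on_router=False), "pc", "10.0.0.2"))
    print("route added        :", trace(build_lab(), "pc", "10.0.0.2"))
    print("RRAS not forwarding:", trace(build_lab(vpn_forwards=False), "pc", "10.0.0.2"))
    print("DC -> LAN reply    :", trace(build_lab(route_on_router=False), "dc", "192.168.1.50"))
```

Run it and the four scenarios print either the path or None. The same rule applies to whatever address pool RRAS hands to remote VPN clients: that pool is one more prefix the LAN gateway (or each LAN host, via a static route) must know to send to the VPN server, otherwise LAN machines answer remote clients by sending replies to the Thomson router, which forwards them to the ISP. Giving the DC a second NIC on the LAN, as the post asks, avoids the route but makes the DC multi-homed, which is a known source of DNS registration and DC locator problems; a static route is the cleaner fix.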
 
In order to use SSTP or IPsec you will need certs first before you can set it up. If Windows Server doesn't have it you will need to install the software needed. Using another Windows server box will not solve your problem.

You can use a dedicated VPN box and there are various boxes. I would recommend a MikroTik RouterBoard, CCR models or PPC based (each PPC core at 1 GHz does 500 Mb/s of PPTP, each CCR core does 300 Mb/s of PPTP; each connection/user can only use 1 core). It is also a good router/firewall too. The other choice would be pfSense (on a good x86 box), which can also function as your router and AP if you add a wireless NIC. However, if you can't configure an SSTP server on one solution it is unlikely you can achieve it on other platforms, because all of them require similar amounts of configuration at least to get them working. I myself am still trying to get SSTP or IPsec tunnelling to work, but my problem is mainly with certs.

Although consumer routers will do what you ask easily, they are very slow at VPN. Ubiquiti EdgeRouters are also very slow at VPN.

Mikrotik RouterOS can handle complicated networks very easily because of its flexibility (you can have multiple interfaces with the same IP address for example or multiple IPs for the same interface active all at the same time).
 
Your server should be doing DHCP, not the router. It helps Active Directory run tighter and better maintains DNS registration of clients.
The DC should be the only DNS used and handed out for LAN clients. And this will tie in with the RRAS for VPN clients.

However, speaking of VPN, you don't want to use a Windows server for your VPN server, especially a DC. You're exposing a Windows authentication service to the whole world. Not to mention performance.

The best approach is to get an edge appliance to handle the VPN part for you. Be it a biz-grade router that also has VPN server capabilities (fine for, say, 10 or fewer concurrent remote users), or, if high performance is a concern and/or you have a higher number of concurrent remote users, get a dedicated VPN appliance that sits behind your primary edge device (router). SSL VPN with a clientless agent for remote users is the way to go, instead of "fat" VPN client software for the remote users (like the old clunky IPsec days).
 
