Ask Slashdot: VPN Solution To Connect Mixed-Environment Households? 173
New submitter RavenLrD20k writes: I am a programmer by trade with a significant amount of training as a Network Administrator (AAS in Computer Networking). I have no problem with how to build three or four separate networks in each location and make them route over the internet. My weakness is in trying to setup a VPN for a secured two-way connection between location A and location B, both mixed OS environments, with the requirement that all of the internet traffic on B gets routed through A first. I've already looked at some boxed solutions, such as LogMeIn Hamachi, but there hasn't been much in the way of mixed environment support. This is a complicated one, so keep reading for more on what RavenLrD20k is trying to accomplish.
Some background: Due to recent events it's become necessary for me to have remote access to all of my Parents' computers which are about 4 hours away(location B) from my home location(location A). This is to facilitate me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites (I'm already going to be upgrading their 2 systems to Windows 7 Ultimate on my dime for this purpose). The ISP for Location B also seems to be blocking the Desktop Sharing ports as this method has completely stopped working for us without notice, and router configs have been verified as forwarding the necessary ports. Location B also has 2 grandchildren that will have a Windows 7 Home Edition Laptop (for MS Office based classwork), a Linux Mint Machine (to start, he has full reign to do whatever he wants to this machine after initial setup with the understanding that if he "breaks" it, he fixes it), and several BeagleBone or R-Pi machines for my Son's experiments while he's visiting for the summer.
Location A has two networks. First is the one with the public IP that I run my Linux servers and physically connected Desktop on. This network also has a wireless interface that allows gaming machines and phones on the North side of the house to connect to. Network two is behind the NAT and runs a dual-band wireless connection for devices on the south side. I would rather not have this second network get internet access through the VPN but through the traditional means.
Location A has a 150/30 cable connection with a 2TB cap. Location B has a 20Mb/s symmetrical uncapped Fiber connection. I also have a VPS "in the cloud" running CentOS which has a 1Gbps Inbound 20Mbps(1Gbps burstable) Outbound connection which may be repurposed for this if necessary. I figure this to be common sense but I would prefer that the the connection between the locations be routed as opposed to bridged as to avoid the issues that come with sending broadcast packets over the internet.
As I said, I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry. On top of this I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default. I want everyone to have complete open access to the full internet (this too is to help educate my son in smart browsing/chatting and encourage "you break it, you fix it").
Have a question for Slashdot's readers? Take a look at other recent questions first to see if someone else has had a similar question. And if not, ask away! The more details and context you include, the more likely your question will be selected.
Networking is hard (Score:1)
Let's go shopping!
Re: (Score:1)
I love these "Ask Slashdot" questions because everyone insults the OP for not knowing how to do something with computers.
Re:Networking is hard (Score:5, Insightful)
The only reason why I found the OP funny is, in his own words "significant amount of training as a Network Administrator".
Even network admins without significant amounts of training know the simplest fix for this is 2 cheap routers running openvpn with the second one set to route all outbound traffic through the tunnel. This has NOTHING to do with the operating systems.
Or, just use something that lets you support your parents, like teamviewer, that works across platforms, and can install as a service, and access anytime remotely. Many products out there that work on linux/mac/windows.
Tracking your kids internet while he is away seems something better accomplished with something on his device. If you are that worried about his internet habits, while he is at Grandma's you should be worried when he is off wifi, at friends, etc.
Re: (Score:2)
It will also act as an openvpn client or server.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Dear Slashdot, How do I fix my car? I have knowledge of cars because I drive one everyday. I know there are volumes of text dealing my specific repair, even an actual factory manual. However, I'm a self entitled Gen-X'er and want you to walk me through the entire process, holding my hand. I am too proud to pay a mechanic to fix the car, even though he can do it one day. I'd rather waste even more money, time and resources doing it myself. Except I don't know how to do it myself. I know that people ha
Re: (Score:2)
+1 Funny.
Open VPN or use SSH with the Linux Machine (Score:3, Insightful)
I recommend either an OpenVPN tunnel with appropriate routing (multi-OS capable) or just use the Linux machines already at the site as tunnel servers using SSH as a VPN (relatively recent versions of SSH required).
Re: (Score:1)
OpenVPN +1.
Set up the OpenVPN server on any machine in location A, the client on router on location B, make the gateway push the routes for your son's computer (and his phone and the raspberry pi's and whatever else is desired) via the VPN. Leave the rest of the traffic alone in order not to avoid the additional latency. You might want to put your son's devices into a separate subnet.
Once all is set up, it's easy to maintain.
Re: (Score:2)
OpenVPN. +1
Mac, Windows, Linux, FreeBSD...
Look at bridging using TAP. Works with same subnet. Set server to push IPs to the secondary network. Leave all other traffic to go out on the respective ISPs network. You can also setup remote TUN connect which will allow you to connect remotely on either side and see both. You can run as many instances and/or subnets as you wish as long as you map the routes.
Re: (Score:2)
Clearly a job for openvpn. Split tunnel when you don't want to control Internet access. No split tunnel when you do.
Re: (Score:1)
Openvpn (Score:4, Informative)
If I'm understanding the requirements, you will want to use openvpn. It has support for Windows and anything running Linux, all sorts of routing options to play with, etc.
Re: (Score:3)
Understanding the requirements is the hard part.
I find so many people overexplain their weird irrelevant details that it's hard to make out just what they're trying to do.
Re: (Score:2)
^ That
Re: (Score:1)
I 2nd Openvpn. Though I don't think it is something you'd have to have on all the time. Set up the router at Loc. B with Openvpn so you can log in. Set up static DHCP addresses for all devices. You can then connect from A or work or wherever to check logs or allow/block a specific device. I'd use personally OpenWRT for the router's os. Set it up so that you son's devices are routed through a log of some sort before leaving to the outside.
Re: (Score:2)
Associate of Science in Networking... (Score:2)
Re: (Score:2)
I could see this being an Ask Slashdot 15 years ago when IPSec was a new idea, but c'mon - there are devices you can buy for $100 [ubnt.com] that have a fucking web wizard to set up IPSec tunnels between them.
No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.
Re: (Score:2)
Maybe he's just trying to be cheap. Last time I messed with Linux IPSEC I got mad because the documentation was ugh. It's a PITA to even figure out which implementation of what you're supposed to use because of all the outdated docs people left lying around on the web.
Re: (Score:1)
Re: (Score:2)
Re:Associate of Science in Networking... (Score:5, Insightful)
No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.
Both of those sources will mislead you into thinking IPSec is a good solution that's not a giant pain in the ass in the real world and appropriate for this kind of install.
pfSense and OpenVPN, as everybody has been saying, is appropriate, solid, and on the easier end of the scale.
His requirements are 99% like mine, and that solution works great. My parents' pfSense box is in their basement, nailed up next to the FiOS demarc, and it works great.
Re: (Score:2)
If I wanted an enterprise level overkill solution, I'd have grabbed a couple of Cisco 1800's for <$200 off eBay with the necessary modules and configured the proprietary VPN through IOS like I learned in college (this route is still not off the table either, just not preferred). Your SSG5's are going for about the same price on ebay and would require me to learn a system I'm not immediately familiar with, which wouldn't be a problem if I needed this to work in my own lab only. Just because I'm not cur
Re: (Score:2)
Our networking track here at the college I work for is focused on Cisco and Windows AD stuff... and people who really don't care to *get into it* and learn on their own come out with a bare minimum of knowledge...
That said, I still don't know why a VPN is needed... set up a simple linux box at the parents' house, have a non-standard port on their router forward to said linux box. Add something so that you can grab the current public IP - a wget on a webpage fired by a cron job, one of the free subdomain
Re: (Score:1)
Re: (Score:2)
Or is an AAS so basic they don't even teach portforwarding has an option to use alternative ports? (don't ever use the standard remote desktop ports in the first place)
Having had to teach basic network troubleshoting skills to guys fresh out of school already made me doubt the level of education nowadays.
Re: (Score:2)
I went back to school after the dot com crash to learn computer programming.* The networking track was still the money major at the time (i.e., if you want to make boatloads of money, take this major). You know it's getting absurd when a Vietnamese couple in their 70's who can barely speak English think they can get high paying job after graduation. When health care became the new money major, the network classes got cancelled due to a lack of demand.
* Yes, I got an A.S. in computer programming; no, I'm not
Re: (Score:2)
It really comes down to the course work, the individual instructors, and what the student makes of it. I've had very curious students do all sorts of very high level things... while their classmates struggle with basic concepts.
Routers with VPN (Score:4, Informative)
http://www.cisco.com/c/en/us/p... [cisco.com]
Re:Routers with VPN (Score:4, Informative)
I agree - site to site VPN at the router level seems ideal for this challenge.
Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.
And yes, you could spend a lot of money for small business routers, or you could buy routers compatible with (or pre-installed with) firmware such as DD-WRT which will allow you almost all the same functions for much cheaper, but require a little more elbow grease to get working.
http://www.dd-wrt.com/wiki/ind... [dd-wrt.com]
Re:Routers with VPN (Score:4, Insightful)
Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each. http://www.cisco.com/c/en/us/p... [cisco.com]
Ubiquiti [ubnt.com] has a small router with enterprise level features for less than $100 [amazon.com]. A site to site VPN and VLAN support are just a few of it's features and all you need to solve this problem.
I'm still running a Juniper SRX-210 at home, but I've been happy with the UniFi APs and EdgeSwitches I have from Ubiquiti so this little router is definitely on the short list when the time comes.
Re: (Score:2)
Mikrotik has cheap ones too, that work great.
http://routerboard.com/RB750GL [routerboard.com].
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.
Yes. But stay away from the Cisco/Linksys small business routers.
OpenVPN (Score:2)
If "mixed environment" only means that there are hosts running various OS's at both locations, it's fairly irrelevant.
Anyway, I am using OpenVPN for what appears to be a similar scenario--routing traffic between a relative's and my house. I don't have Internet traffic from one site being routed through the other, although the VPN certainly could be configured that way.
I will also echo the previous recommendation for PFSense, which I am using on one side of the VPN (running on a fairly inexpensive ALIX board
TeamViewer or LogMeIn? (Score:2)
I might be totally off base, but I wonder about a program like TeamViewer or LogMeIn. If the security trade-off is acceptable, that might be an alternative to trying to create VPNs.
Re: (Score:2)
Yeah... it all he needs is remote desktop access to (primarily) a few Windows systems for patching things and snooping on your kid, just installing TeamViewer on them would be a lot easier than setting up a VPN. Once you have that, you could just put PuTTY on one of the remote Windows boxes to log into the Raspberry Pi project boxes if needed.
Of course, I guess that you could always do something fancier liking run VNC servers on different ports for each system and port forward those through the firewall for
Re: (Score:2)
I find it's interesting that the L2/L3 responses are so much different than the potential LogMeIn or GoToMyPC/etc ideas.
The software person's visage of new hardware is that it potentially opens up too many ports. The hardware people will look at the software VNC-like ideas as potentially untrustworthy.
VNC/RDC/RDP are super-simple for civilians to install and maintain, and all can be removed from memory when not in use, so as to reduce attack profile.
Just my 2c worth.
If your goal is to make things simple, this isn't (Score:2)
If your goal is to make things simple, this isn't the answer. You're going to end up with lots of "sort of works together" software, all of which will need patching and will occasionally just stop working.
For not many dollars, and a lot less time investment you can use something like logmein remote which will give you nearly always reliable, and secure remote access to the machines. You can even set it up so no one needs to be at the remote machines for you to log in. As long as the machine is booted, you'
Have you tried TeamViewer? (Score:3)
For your main goal of being able to log into your parents' machines, have you tried TeamViewer?
As for setting up VPN, I think you should be able to do it relatively inexpensively with something like a couple of consumer-grade routers running DD-WRT. The one at location B is set up as a VPN client, and the one at location A is set up as a VPN server. You might want to set up address ranges for DHCP at location B such that they're part of the network at location A but not assigned at location A. That way you can avoid needing to do NAT at location B as well as location A.
old solution... (Score:1)
TeamView FTW (Score:1)
I do almost all my friend/family support with TeamViewer. Mac and Windows without any issues at all. And since TeamViewer can use port 80 and 443 your ISP won't be blocking it. I just set their computer for unattended access and setup an account to login them through.
Now for the issue of watching you son's internet traffic. Be prepared for him to learn how to bypass things...that's what kids do ya know.
Re: (Score:2)
Be prepared for him to learn how to bypass things...that's what kids do ya know.
Fully prepared and expecting it. He likes to figure out how things work like I used to. If he takes interest in trying to bypass the security it'll escalate like a chess game. So far he's more interested in building and programming electronic projects than getting online much. It can often be a battle of wills to even get him to use the internet to find his own answers when he's stuck.
Re: (Score:1)
Easiest solution for your son: plug directly into the modem while you're not there...
Re: (Score:2)
Not quite so easy.
Modem with 4 connect points is outside the house next to the Power Meter which is double locked, one for the service key and a padlock for our access to the connect points which my dad has the key for. There's an ethernet line on one of the connect points that comes out of there and goes into the basement where it goes into a locked closet with a thick metal door and deadbolt. Inside this room the cable comes into a large locked metal breaker box flush mounted in the wall just for this
Re: (Score:2)
tinc (Score:1)
I use tinc for precisely this. One tinc on a public-facing server, then any computer in any location connects to it to form a network with the others. A bit tedious to configure, but it works well with both Linux and Windows hosts.
MikroTik RouterOS (Score:2)
pfsense (Score:2)
pfsense routers using OpenVPN connection between the two locations (probably location B acting as a Client to location A server, with it set up to route all traffic through the tunnel to A).
Likewise you could also just set up an OpenVPN server at location B and use an OpenVPN client to connect from a machine on "A" to the "B" network for when you need to work on things there (but then you won't have the traffic routing from "B" through "A" before it hits the Internet).
Personally I used a small fanless box f
LAN to LAN VLAN (Score:2)
I second many of the above suggestions. pfSense isn't a bad solution, OpenVPN will work, and little Cisco VPN routers are good too. I'd personally just put a Juniper SSG-5 on each end, for the simple reason that they are available on eBay for around 50 bucks each and are relatively easy to configure.
AutoSSH (Score:3)
If you have one Linux system there with an account you have access to AND an server on your end that you can SSH into your set. On your server you need an account for them to log into which has their autossh users public key in the authorized_hosts file.
You want an excutable file named /etc/network/if-up.d/reverse-ssh
# Ensures that autossh keeps trying to connect
AUTOSSH_GATETIME=0
su -c "autossh -f -N -R *:$8000:localhost:22 -R *:$8001:localhost:5900 pozer@myserver.com -oLogLevel=error -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no" root
I have autossh run as root and log into the account pozer on myserver.com. At that point you have a computer on your network with port 8000 opened to their Linux box and 8001 available for vnc. I set the looged in users X destkop to autorun run "x11vnc -shared -forever" export their desktop over vnc. I also install UltraVNC on the windows PCs.
If you had a windows PC at 192.168.1.50 you could add "-R *:8002:192.168.1.50:5900" to the above autossh command so you can reacn it with "vncviewer myserver:8002"
If you dont know the IP address till later you can set up a forward tunnel by remoting into their server over ssh. ssh remote@myserver -p 8000 -L *:8002:192.168.1.50:5900"
As long as there is a reverse tunnel you can use to create a connection back to their linux machine you can open up and access any port on their network. you can use vnserver to run a headless desktop in the background on their linux mint PC.
I use NeoRouter for that (Score:2)
Splashtop and Sophos UTM (Score:1)
I have a similar situation for remote access, but my parents are 12 hours away.
I use Splashtop with the remote access feature (paid feature). No approval to access the machine is required.
I use Sophos UTM(next gen firewall, formerly Astaros(sp?)) for Web filtering, spam and anti-virus protection in my home as I was tired of trying to tie solutions together to make them work and SPAM was really starting to get bad. As you are doing this for personal use, you can get their Home use virtual license for free
IPv6 (Score:3)
Get some IPv6 endpoints (and subnets) from he tunnelbroken and set up some basic ipv6 linux firewalls at both ends. Ditch all the crazy NAT/VPN crap and just go 100% peer to peer.
Re: (Score:2)
err tunnelbroker
http://tunnelbroker.net/ [tunnelbroker.net]
PFsense could do all of what you want (Score:1)
OpenVPN (Score:1)
OpenVPN does exactly what you need. You can link your locations with a site-to-site tunnel and include the nets on both sides.
https://openvpn.net/index.php/... [openvpn.net]
You can set one of the VPN gateways as the default gateway for the other net and OpenVPN runs on all sorts of hardware including WLAN routers and iOS devices.
one thing at a time (Score:2)
In your desciption, you have lots of different random things you're trying to do, and it'd take me some time to parse it out, and then I'd have questions.
But you say, "I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry." Ok, so my first question would be, do you really want VPN for that? It might be easier to go with some kind of remote-control service or MDM. LogMeIn comes to mind as so
OpenVPN (Score:2)
I have 3 VPS and 2 mixed networks. All of them can communicate with each other over different subnets
Make one of the VPS servers your master OpenVPN server
Connect all the other VPS, or network gateways to the Master as clients.
Make sure you advertise the routes using server side client config directives (usually in $path/openvpn/ccd/$name_of_certificate)
Problem solved.
Can even go a little more advanced, setup a vps in another country, and use static routes to make it appear like you are local when you hit
Alternative remote desktop solution (Score:4, Interesting)
It sounds like the motivation for the change isn't that remote desktop didn't work well, but that it has stopped working, so you don't have a good way to remotely administer their machines. If so, rather than setting up a VPN, a remote desktop that does work would would do the job.
Chrome Remote Desktop (a Chrome browser extension from Google) does this quite handily. You can set up one-time remote sessions, where someone on the other end has to give you an invitation for each connection, or you can set up persistent connections which you can use any time. It's cross-platform (Windows, Mac, Linux).
I haven't looked into the underlying network protocols in detail, but I understand it uses libjingle, which implements ICE for NAT traversal (https://tools.ietf.org/html/rfc5245). What I do know is that I've used it in many bizarre network configurations and it's been flawless... if both hosts can reach the net, they can reach one another.
Re: (Score:1)
Where the hell is THAT documented? Seriously: I would look at it once.... Having Chrome always running might sound like a great idea until you NEED it, but unless it also works on Chrome Desktop (ie: Chrome books, Chrome Boxes, etc) it is of questionable use for supporting grandpa and 8yr old Susie.
Re: (Score:2)
At least for Linux there's a command-line tool that keeps the server always running. That's what I use. Not sure about Windows or Mac. As for Chrome Desktop, Chrome is always running; works fine.
In any case, the questioner indicated that he's previously used a RD solution that required some action on the remote end to initiate it, and that worked (though perhaps less than ideal). So even if you have to have someone at the remote end start Chrome, or even initiate a per-connection invitation, I expect it's
Keep it simple (Score:2)
In my opinion you are making this issue more complicated than it really is. You really don't need site-to-site VPNs and custom routing to accomplish your goals.
If I understand you correctly your goals are:
1) To have remote access to machines (Linux, Windows, others) in few remote networks.
Just set up VPN server in each of these remote networks. OpenVPN is probably a good way to go. It would run on any Linux machine, Windows machine (if you dare), even on some routers (f.e. DD-WRT compatible). If these netwo
Re: (Score:2)
Well what you basically wish for is corporate-like network with authentication to local systems and to network usage. It can't be done without enterprise class systems - you will need an internet access proxy/gateway for accounting and enforicing access policies for network, user directory to enforce password usage and restrict access to certain machines for certain users (namely your son), network access protection system (and network hardware supporting it) so your son can't just use his Linux machine to access network however he likes.
Um, what?
He's not setting up a corporate network, and he's not protecting vital data. Hardcore security isn't required (and can still be had, at some inconvenience to the users, using things like this [openbsd.org], for instance), If he's got a UNIX-based firewall that can run cron scripts, that's all he needs.
Try this:
1) Put grandparents' machines on static IPs (or set their IPs on the DHCP server, if whatever's serving DHCP supports it).
2) Have grandparents put a password on their Windows boxes and set the screensaver
Re: (Score:2)
> that's all he needs
No it is not. You have contradicted yourself in your post. You have described a solution which from begining is flawed. Then you described that flaw (the kid could just change his IP to grandparents machine or even MAC if you would go for MAC based filtering). So you have basically posted a solution that is not a solution at all if you wish to make things working without beating the child.
Re: (Score:2)
I assume you don't have kids. Or work in security, for that matter.
This is standard industry practice. You weigh your security needs (very little, based on the original question) and base your policy on those. If you catch someone circumventing your policy, you take action (for parents, you punish the child; for companies, you discipline the employee).
What this setup does is make it non-trivial for the children to circumvent the basic security setup. It also makes it dead easy to find someone who is cir
Re: (Score:2)
> I assume you don't have kids. Or work in security, for that matter.
So you have lots of kids and work in security and it didn't occur to you that it would be easier and more effective to just take kids laptop and lock it up somewhere?
Hardware VPN device (Score:2)
I'd recommend you look at something like the Meraki MX64 [cisco.com]/MX64W at all three locations, it will do all of the necessary tunneling and filtering you need (with the advanced security license), as well as allow you
Re: (Score:2)
So in hardware VPN device VPN related stuff is being done in their ROM or maybe there are physical gears doing the VPN stuff...?
Re: (Score:2)
Is this like the other Meraki stuff where you have to pay Cisco licensing each year to be able to continue to use and manage the hardware (without paying the license it's a brick)? If so it may not be the best solution (also consider - to manage the device you have to have it connected to the cloud, so if that connection goes away or gets flakey, you're SOL).
Plus you have the delightful experience of buying new hardware rather than continuing to use existing stuff if you don't want to pay the danegeld any m
Re: (Score:2)
Or...TeamViewer ? (Score:2)
TeamViewer is similar to remote desktop, and quite good. It's free for personal use. You might want to try that, or simply changing Remote Desktop's ports, before launching into complicated stuff, mister Network Admin.
Is VPN the right solution or is it overkill.... (Score:2)
Yes, you could go through the trouble of setting up VPN, etc. and it would work. But VPN connections can be tricky if you don't know what you are doing.
Personally, I've been using Teamviewer (Free for private use) for remote control. They have Windows, MAC, UNIX, and mobile clients. You do have to know the password on the client that you are connecting to and I believe that you can set it to a permanent one, but I've never needed to. I just get my Dad to read the 4 or 5 digit random number back to me.
Softether (Score:1)
Simplest to maintain (Score:1)
It will cost you some bucks, but the simplest-to-maintain connection would be a dedicated machine at the far end to act as a firewall that forces all traffic through a VPN, and some box at your end to receive the VPN's traffic and route it wherever it needs to go.
Doing it this way means there is no special software to install on the clients and nothing will "break" when Windows 10 or Raspberry Pi's next OS revision comes out.
For appliances like these, I would recommend you consider one of the specialized di
Wrong solution (Score:2)
You don't need to route the traffic from their network to yours. You are making this way way way more difficult than it needs to be. Setup a router at the grandparents end which has everything running through it. Set it up with a squid proxy and all the traffic will be loggable there.
Next configure that route to be a vpn server and you connect into it whenever you want. Once connected you can read the logs and check your sons internet habits and you can access the rest of the network to fix their machin
Two ways... (Score:2)
There are two ways of doing this.
One is to look for alternative remote desktop software that does work. I've had success with TeamViewer - YMMV.
Two is to put in a lan-to-lan VPN at each site and configure your routing appropriately - either go with something like DD-WRT or get something that will do it out of the box like a Ubiquity EdgeRouter Lite ($100 and it has 3x gigabit ports and enough horsepower to route at an appreciable fraction of that rate)
https://www.ubnt.com/edgemax/e... [ubnt.com]
NetBSD IPsec (Score:2)
This is a job fo IPsec tunnels. OpenVPN could also do the job. Linux, FreeBSD and OpenBSD has been cited. NetBSD can do it too. IMO NetBSD may have the path of least resistance [netbsd.org] but that is personal opinion.
Networking 101? (Score:2)
Site to Site VPN ? (Score:2)
Easily achieved with Cisco hardware ( read that enterprise class ) but can't swear to it via PfSense. Talking a beefy and / or $$$ router though for the speeds you quoted in the Cisco world.
PfSense will do a few flavors of VPN, but I've never tried to get it working with any sort of logic to flag which traffic should bring the tunnel up and which should go out unencrypted.
However this link is informational:
https://doc.pfsense.org/index.... [pfsense.org]
Since it's a mixed environment, it would probably be best to do it a
Seriously? Come on this isn't even a hard one (Score:2)
You need two raspberry PI2B computers, dynamic dns, and openvpn.
Dynamc DNS service to tack B side ip addresses
OpenVPN to create the VPN
Leave the VPN on all the time using the raspberryPIs
ip route add 192.168.2.0/24 via 192.168.1.100
(assumes your A side raspberrypi is .100, and your net is 192.168.1.0 and their net is .2.0)
If you can't port-forward VPN through your ISP, you can fool it by "router hole punching"
Sophos UTM Home Edition (Score:1)
Cisco SOHO routers will do it (Score:2)
Cisco devices have a feature called VTI - virtual tunnel interface. Basically it's an IPSec-protected GRE tunnel, but it looks like just another interface on the router.
Then you just set up your routing rules. Policy-based routing will allow you make decisions based on the source IP.
This stuff works great in a SOHO environment. Doesn't scale well, though.
Get a NAS ... (Score:3)
Get a small NAS, such as a QNAP or Synology.
They both have OpenVPN built in, so use that. Then you have a NAS for centralized backups (because if you're managing remotely you want to make sure they're stuff is backed up, right?) and your VPN connectivity.
Win win situation. If you get creative, you can even cross-replicate the NAS's so you have a true offsite backup.
Re: (Score:2)
THEIR, not they're. Stupid autocorrect.
You're Overthinking (Score:2)
I know this is old now, but honestly you're overthinking this.
First, as others have mentioned here you can use TeamViewer to do remote desktop support, and it's free. No need to upgrade to Windows 7 Ultimate or anything else for that matter. I've used it on OSX, Windows and Linux and it works like a champ. I've supported family and friends... and even had a commercial license for TeamViewer for a while because it really is so easy to use and maintain that I found it invaluable. I don't do that job any more,
Re: (Score:2)
It's Cox. Top tier used to be soft-capped at 400 Gigs which my household alone was pegging every month until they decided to raise all their caps. Now it's a 2TB cap that we barely use a quarter of. Until this situation arose, I had been considering dropping service down a tier and saving about $50 a month. Unfortunately the only other option I have for broadband (besides satellite) is 6Mbps DSL hard-capped @ 200 Gigs... though they can't tell me if I'm close enough to the CO or not.
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
I agree that the MicroTik routers are powerful. I have been using one for several years. My biggest complaint with it is the confusing documentation or documentation that's out of date. I had a hard time figuring out things like traffic management (QoS and shaping) though now that it's working it's quite powerful. I also have had a lot of confusion on how to set up the firewall so I can VPN in with various operating systems. The only one I've gotten to work from Android is PPTP, though I would love to use I
Re: (Score:2)
Use OpenVPN; the Mikrotiks support it although setup is easier from the command-line than their gui.
The client for Windows works well.
Re: (Score:3)
If he's going to be using my or my Parents' network resources and the government says I'm responsible for what he does until he's 18, you bet your ass I'm going to do checks to make sure he isn't doing anything that will warrant a visit from the Feds. Beyond that, he has a pretty good amount of freedom and leeway on the web.
That said, I'll have to look into CRD to see if it'll work given the apparent constraints that my Parents' ISP has placed on the connection. Windows Remote Assistance was working for a
Re: (Score:2)
Seriously!
Re: (Score:2)
Re: (Score:1)
The suggestion in here to use OpenVPN or use a site-to-site router connection with DD-WRT using OpenVPN is the best bet. You could configure a small APU/ALIX machine to do this work if you didn't want to use DD-WRT.
Re: (Score:2)
This is much smarter than routing traffic from your son's computer at B through A to get to the internet. Save the extra latency and fault point.
Re: (Score:2)