Networking Security The Internet

Ask Slashdot: VPN Solution To Connect Mixed-Environment Households?

New submitter RavenLrD20k writes: I am a programmer by trade with a significant amount of training as a Network Administrator (AAS in Computer Networking). I have no problem with how to build three or four separate networks in each location and make them route over the internet. My weakness is in trying to set up a VPN for a secured two-way connection between location A and location B, both mixed-OS environments, with the requirement that all of the internet traffic on B gets routed through A first. I've already looked at some boxed solutions, such as LogMeIn Hamachi, but there hasn't been much in the way of mixed-environment support. This is a complicated one, so keep reading for more on what RavenLrD20k is trying to accomplish.


Some background: Due to recent events it's become necessary for me to have remote access to all of my Parents' computers which are about 4 hours away (location B) from my home location (location A). This is to facilitate me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites (I'm already going to be upgrading their 2 systems to Windows 7 Ultimate on my dime for this purpose). The ISP for Location B also seems to be blocking the Desktop Sharing ports, as this method has completely stopped working for us without notice, and router configs have been verified as forwarding the necessary ports. Location B also has 2 grandchildren that will have a Windows 7 Home Edition Laptop (for MS Office based classwork), a Linux Mint Machine (to start; he has full rein to do whatever he wants to this machine after initial setup, with the understanding that if he "breaks" it, he fixes it), and several BeagleBone or R-Pi machines for my Son's experiments while he's visiting for the summer.

Location A has two networks. First is the one with the public IP that I run my Linux servers and physically connected Desktop on. This network also has a wireless interface that allows gaming machines and phones on the North side of the house to connect to. Network two is behind the NAT and runs a dual-band wireless connection for devices on the south side. I would rather not have this second network get internet access through the VPN but through the traditional means.

Location A has a 150/30 cable connection with a 2TB cap. Location B has a 20Mb/s symmetrical uncapped Fiber connection. I also have a VPS "in the cloud" running CentOS which has a 1Gbps Inbound, 20Mbps (1Gbps burstable) Outbound connection which may be repurposed for this if necessary. I figure this to be common sense, but I would prefer that the connection between the locations be routed as opposed to bridged, so as to avoid the issues that come with sending broadcast packets over the internet.

As I said, I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry. On top of this I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default. I want everyone to have complete open access to the full internet (this too is to help educate my son in smart browsing/chatting and encourage "you break it, you fix it").



  • Let's go shopping!

    • by Anonymous Coward

      I love these "Ask Slashdot" questions because everyone insults the OP for not knowing how to do something with computers.

      • by Anonymous Coward on Tuesday July 14, 2015 @02:46PM (#50111211)

        The only reason why I found the OP funny is, in his own words "significant amount of training as a Network Administrator".

        Even network admins without significant amounts of training know the simplest fix for this is 2 cheap routers running openvpn with the second one set to route all outbound traffic through the tunnel. This has NOTHING to do with the operating systems.

        Or, just use something that lets you support your parents, like teamviewer, that works across platforms, and can install as a service, and access anytime remotely. Many products out there that work on linux/mac/windows.

        Tracking your kids internet while he is away seems something better accomplished with something on his device. If you are that worried about his internet habits, while he is at Grandma's you should be worried when he is off wifi, at friends, etc.

        • by pnutjam ( 523990 )
          Instead of 2 cheap routers, I would use pfsense. It will do everything he is asking for. It will do captive portal, so I can cap bandwidth per user or device. It will give him logs and show per device usage. If he configures it, he can filter with several different plug-ins.

          It will also act as an openvpn client or server.
        • If you're after filtering rather than tracking, OpenDNS has worked well for me in the past, can be installed on the router at location B, and has built-in filtering categories. Also, it's free (but you'll need to make an account to use the filtering). I concur on TeamViewer. I use it to support several hundred clients and it's very reliable, as long as your parents don't close it or uninstall it because they don't know what it is.
      • by Anonymous Coward

        Dear Slashdot, How do I fix my car? I have knowledge of cars because I drive one everyday. I know there are volumes of text dealing my specific repair, even an actual factory manual. However, I'm a self entitled Gen-X'er and want you to walk me through the entire process, holding my hand. I am too proud to pay a mechanic to fix the car, even though he can do it one day. I'd rather waste even more money, time and resources doing it myself. Except I don't know how to do it myself. I know that people ha

  • by CajunArson ( 465943 ) on Tuesday July 14, 2015 @01:48PM (#50110601) Journal

    I recommend either an OpenVPN tunnel with appropriate routing (multi-OS capable) or just use the Linux machines already at the site as tunnel servers using SSH as a VPN (relatively recent versions of SSH required).

    • by szy ( 4052287 )

      OpenVPN +1.

      Set up the OpenVPN server on any machine in location A, the client on the router in location B, and make the gateway push the routes for your son's computer (and his phone and the Raspberry Pis and whatever else is desired) via the VPN. Leave the rest of the traffic alone in order to avoid the additional latency. You might want to put your son's devices into a separate subnet.

      Once all is set up, it's easy to maintain.

      • by MeNeXT ( 200840 )

        OpenVPN. +1

        Mac, Windows, Linux, FreeBSD...

        Look at bridging using TAP. Works with same subnet. Set server to push IPs to the secondary network. Leave all other traffic to go out on the respective ISPs network. You can also setup remote TUN connect which will allow you to connect remotely on either side and see both. You can run as many instances and/or subnets as you wish as long as you map the routes.

    • Clearly a job for openvpn. Split tunnel when you don't want to control Internet access. No split tunnel when you do.

    • Agree completely, I did the exact same thing with my parents home network: was going to set up OpenVPN for my parents home network for exactly the same reason as the OP - found OpenSSH was more than sufficient via tunneling and ssh keypairs, works with everything and the only requirements are having a router that can do port-forwarding to an alternate (not default) ssh port, your choice of dynamic dns and whatever old desktop or r-pi as a linux server to do the ssh-server and local logging. My only wish i
  • Openvpn (Score:4, Informative)

    by Jonathan P. Bennett ( 2872425 ) on Tuesday July 14, 2015 @01:49PM (#50110609)

    If I'm understanding the requirements, you will want to use openvpn. It has support for Windows and anything running Linux, all sorts of routing options to play with, etc.

    • by swb ( 14022 )

      Understanding the requirements is the hard part.

      I find so many people overexplain their weird irrelevant details that it's hard to make out just what they're trying to do.

    • ^ That

    • by jisom ( 113338 )

      I 2nd OpenVPN. Though I don't think it is something you'd have to have on all the time. Set up the router at Loc. B with OpenVPN so you can log in. Set up static DHCP addresses for all devices. You can then connect from A or work or wherever to check logs or allow/block a specific device. Personally I'd use OpenWRT for the router's OS. Set it up so that your son's devices are routed through a log of some sort before leaving to the outside.

    • I second this recommendation. I use OpenVPN for this purpose as well. You can either configure each individual client at location A to connect to your OpenVPN network or you can set it up on the router at location A (assuming you can run OpenWRT/DD-WRT, etc. firmware on it).
  • If he can't figure out how to set up a VPN in a mixed environment, he should go back to school to get his bachelor's degree. A BS in networking is always valuable, especially in doing consultant work.
    • I could see this being an Ask Slashdot 15 years ago when IPSec was a new idea, but c'mon - there are devices you can buy for $100 [ubnt.com] that have a fucking web wizard to set up IPSec tunnels between them.

      No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.

      • Maybe he's just trying to be cheap. Last time I messed with Linux IPSEC I got mad because the documentation was ugh. It's a PITA to even figure out which implementation of what you're supposed to use because of all the outdated docs people left lying around on the web.

        • by I4ko ( 695382 )
          There were Linksys models in 2003 doing that for less than 150 bucks in 2003 money.. BEFSX41, some guys are still selling them on Amazon. They suffered from stability problems due to inconsistent power supply bricks - some were 6 volts, some were 9, 12, or 19 volts. I've built a 30+ point VPN to a central location with a Cisco 17xx, don't remember in the central location, but even if it was a 26xx it is dirt cheap as overstock second-hand hardware these days. What I would do these days is get a good router tha
          • by pnutjam ( 523990 )
            bingo, don't screw around with the ipsec garbage that's out there. Use openVPN and call it done. Monitoring / usage control is a different beast and can be easily handled on an appropriate router, which can be virtualized on an appropriate setup if necessary, or run on dedicated hardware. Something like pfsense supports logging and all sorts of filtering.
      • by bill_mcgonigle ( 4333 ) * on Tuesday July 14, 2015 @02:25PM (#50111035) Homepage Journal

        No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.

        Both of those sources will mislead you into thinking IPSec is a good solution that's not a giant pain in the ass in the real world and appropriate for this kind of install.

        pfSense and OpenVPN, as everybody has been saying, is appropriate, solid, and on the easier end of the scale.

        His requirements are 99% like mine, and that solution works great. My parents' pfSense box is in their basement, nailed up next to the FiOS demarc, and it works great.

    • Our networking track here at the college I work for is focused on Cisco and Windows AD stuff... and people who really don't care to *get into it* and learn on their own come out with a bare minimum of knowledge...

      That said, I still don't know why a VPN is needed... set up a simple linux box at the parents' house, have a non-standard port on their router forward to said linux box. Add something so that you can grab the current public IP - a wget on a webpage fired by a cron job, one of the free subdomain

      • by I4ko ( 695382 )
        Cisco had wonderful IPsec support in 2003. If you had access to it, you can't complain.
    • First thing I was wondering about is what constitutes a "significant amount of training as network administrator" if you have to ask a question like this.
      Or is an AAS so basic they don't even teach that port forwarding has an option to use alternative ports? (don't ever use the standard remote desktop ports in the first place)
      Having had to teach basic network troubleshooting skills to guys fresh out of school already made me doubt the level of education nowadays.
      • I went back to school after the dot com crash to learn computer programming.* The networking track was still the money major at the time (i.e., if you want to make boatloads of money, take this major). You know it's getting absurd when a Vietnamese couple in their 70's who can barely speak English think they can get high paying job after graduation. When health care became the new money major, the network classes got cancelled due to a lack of demand.

        * Yes, I got an A.S. in computer programming; no, I'm not

  • Routers with VPN (Score:4, Informative)

    by DogDude ( 805747 ) on Tuesday July 14, 2015 @01:56PM (#50110705)
    Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.

    http://www.cisco.com/c/en/us/p... [cisco.com]
    • Re:Routers with VPN (Score:4, Informative)

      by harr2969 ( 105745 ) on Tuesday July 14, 2015 @02:03PM (#50110819)

      I agree - site to site VPN at the router level seems ideal for this challenge.

      Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.

      And yes, you could spend a lot of money for small business routers, or you could buy routers compatible with (or pre-installed with) firmware such as DD-WRT which will allow you almost all the same functions for much cheaper, but require a little more elbow grease to get working.

      http://www.dd-wrt.com/wiki/ind... [dd-wrt.com]

    • by iamgnat ( 1015755 ) on Tuesday July 14, 2015 @02:08PM (#50110871)

      Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each. http://www.cisco.com/c/en/us/p... [cisco.com]

      Ubiquiti [ubnt.com] has a small router with enterprise level features for less than $100 [amazon.com]. A site to site VPN and VLAN support are just a few of its features and all you need to solve this problem.

      I'm still running a Juniper SRX-210 at home, but I've been happy with the UniFi APs and EdgeSwitches I have from Ubiquiti so this little router is definitely on the short list when the time comes.

      • by ahodgson ( 74077 )

        Mikrotik has cheap ones too, that work great.

        http://routerboard.com/RB750GL [routerboard.com].

      • by scsirob ( 246572 )

        Can't agree more. Ubiquiti has some nice and easy, open gear available. To make matters more interesting, they have added deep(ish) packet inspection which allows you to see general traffic per client. So if you want to see what your son is doing without actually wiretapping his traffic, Ubiquiti will tell you he spent GB on Youtube, GB on Facebook etc.

        The router supports both site-to-site as well as single client VPN, so no problem dialling in from remote and get access to any and all networks in your cl

    • by pnutjam ( 523990 )
      I always counsel people to stay away from SOHO equipment. It's not worth the hassle when you can get mikrotik, ubiquiti, or pfsense for the same or less. If you do go with a big name consumer router, at least make sure it supports openwrt.
    • by sribe ( 304414 )

      Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.

      Yes. But stay away from the Cisco/Linksys small business routers.

  • If "mixed environment" only means that there are hosts running various OS's at both locations, it's fairly irrelevant.

    Anyway, I am using OpenVPN for what appears to be a similar scenario--routing traffic between a relative's and my house. I don't have Internet traffic from one site being routed through the other, although the VPN certainly could be configured that way.

    I will also echo the previous recommendation for PFSense, which I am using on one side of the VPN (running on a fairly inexpensive ALIX board

  • I might be totally off base, but I wonder about a program like TeamViewer or LogMeIn. If the security trade-off is acceptable, that might be an alternative to trying to create VPNs.

    • by leonbev ( 111395 )

      Yeah... if all he needs is remote desktop access to (primarily) a few Windows systems for patching things and snooping on your kid, just installing TeamViewer on them would be a lot easier than setting up a VPN. Once you have that, you could just put PuTTY on one of the remote Windows boxes to log into the Raspberry Pi project boxes if needed.

      Of course, I guess that you could always do something fancier liking run VNC servers on different ports for each system and port forward those through the firewall for

      • I find it's interesting that the L2/L3 responses are so much different than the potential LogMeIn or GoToMyPC/etc ideas.

        The software person's visage of new hardware is that it potentially opens up too many ports. The hardware people will look at the software VNC-like ideas as potentially untrustworthy.

        VNC/RDC/RDP are super-simple for civilians to install and maintain, and all can be removed from memory when not in use, so as to reduce attack profile.

        Just my 2c worth.

  • If your goal is to make things simple, this isn't the answer. You're going to end up with lots of "sort of works together" software, all of which will need patching and will occasionally just stop working.

    For not many dollars, and a lot less time investment you can use something like logmein remote which will give you nearly always reliable, and secure remote access to the machines. You can even set it up so no one needs to be at the remote machines for you to log in. As long as the machine is booted, you'

  • by Chirs ( 87576 ) on Tuesday July 14, 2015 @02:05PM (#50110831)

    For your main goal of being able to log into your parents' machines, have you tried TeamViewer?

    As for setting up VPN, I think you should be able to do it relatively inexpensively with something like a couple of consumer-grade routers running DD-WRT. The one at location B is set up as a VPN client, and the one at location A is set up as a VPN server. You might want to set up address ranges for DHCP at location B such that they're part of the network at location A but not assigned at location A. That way you can avoid needing to do NAT at location B as well as location A.

  • Haven't had to do this in years (approximately 15 yrs actually) but when I did, I used FreeS/WAN to hook up a bunch of networks over the internet running on smoothwall. Everything else is routing tables. Man, what a trip down memory lane.
  • by Anonymous Coward

    I do almost all my friend/family support with TeamViewer. Mac and Windows without any issues at all. And since TeamViewer can use port 80 and 443 your ISP won't be blocking it. I just set their computer for unattended access and set up an account to log them in through.

    Now for the issue of watching you son's internet traffic. Be prepared for him to learn how to bypass things...that's what kids do ya know.

    • Be prepared for him to learn how to bypass things...that's what kids do ya know.

      Fully prepared and expecting it. He likes to figure out how things work like I used to. If he takes interest in trying to bypass the security it'll escalate like a chess game. So far he's more interested in building and programming electronic projects than getting online much. It can often be a battle of wills to even get him to use the internet to find his own answers when he's stuck.

      • by ashpool7 ( 18172 )

        Easiest solution for your son: plug directly into the modem while you're not there...

        • Not quite so easy.

          Modem with 4 connect points is outside the house next to the Power Meter which is double locked, one for the service key and a padlock for our access to the connect points which my dad has the key for. There's an ethernet line on one of the connect points that comes out of there and goes into the basement where it goes into a locked closet with a thick metal door and deadbolt. Inside this room the cable comes into a large locked metal breaker box flush mounted in the wall just for this

      • by dave420 ( 699308 )
        You are assuming he won't be able to get past your security without you noticing, which judging by your "Ask Slashdot" question, seems a poor assumption. My money is on him getting past your security and you not even realising.
  • by taoboy ( 118003 )

    I use tinc for precisely this. One tinc on a public-facing server, then any computer in any location connects to it to form a network with the others. A bit tedious to configure, but it works well with both Linux and Windows hosts.

  • I'm not super-network talented, but I recently used two Mikrotik RB951s to set up a permanent VPN tunnel between two houses for much the same reason. I didn't need the additional routing to make all traffic send through point A, but I know we use that setup at work for our remote workers. My arrangement ended up being traffic from each house going out its own connection, but with a permanent IPSEC tunnel between the two for server synchronization and tech support purposes. The Mikrotiks are fantastic lit
  • pfsense routers using OpenVPN connection between the two locations (probably location B acting as a Client to location A server, with it set up to route all traffic through the tunnel to A).

    Likewise you could also just set up an OpenVPN server at location B and use an OpenVPN client to connect from a machine on "A" to the "B" network for when you need to work on things there (but then you won't have the traffic routing from "B" through "A" before it hits the Internet).

    Personally I used a small fanless box f

  • I second many of the above suggestions. pfSense isn't a bad solution, OpenVPN will work, and little Cisco VPN routers are good too. I'd personally just put a Juniper SSG-5 on each end, for the simple reason that they are available on eBay for around 50 bucks each and are relatively easy to configure.

  • by fwarren ( 579763 ) on Tuesday July 14, 2015 @02:24PM (#50111025) Homepage

    If you have one Linux system there with an account you have access to AND a server on your end that you can SSH into, you're set. On your server you need an account for them to log into which has their autossh user's public key in the authorized_keys file.

    You want an executable file named /etc/network/if-up.d/reverse-ssh

    # Ensures that autossh keeps trying to connect even if the first attempt fails
    # (the variable must be exported, or autossh never sees it)
    export AUTOSSH_GATETIME=0
    # Reverse tunnels: server port 8000 -> their sshd, server port 8001 -> their VNC.
    # Binding to * needs "GatewayPorts yes" in the server's sshd_config; ignoring the host key leaves the tunnel open to a man-in-the-middle.
    su -c "autossh -f -N -R *:8000:localhost:22 -R *:8001:localhost:5900 pozer@myserver.com -oLogLevel=error -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no" root

    I have autossh run as root and log into the account pozer on myserver.com. At that point you have a computer on your network with port 8000 opened to their Linux box and 8001 available for VNC. I set the logged-in user's X desktop to autorun "x11vnc -shared -forever" to export their desktop over VNC. I also install UltraVNC on the Windows PCs.

    If you had a Windows PC at 192.168.1.50 you could add "-R *:8002:192.168.1.50:5900" to the above autossh command so you can reach it with "vncviewer myserver:8002".

    If you don't know the IP address till later you can set up a forward tunnel by remoting into their server over ssh: ssh remote@myserver -p 8000 -L *:8002:192.168.1.50:5900

    As long as there is a reverse tunnel you can use to create a connection back to their Linux machine, you can open up and access any port on their network. You can use vncserver to run a headless desktop in the background on their Linux Mint PC.
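    An added example (not fwarren's code, and not from the OpenSSH project) that keeps his reverse-tunnel design but fixes what a reviewer would flag in the command above: UserKnownHostsFile=/dev/null with StrictHostKeyChecking=no accepts any host key, so anyone who can intercept the parents' outbound connection can stand in for the server and receive the forwards into their network; the *: bind only works with GatewayPorts enabled and then exposes their sshd and VNC to everyone on your LAN; and the server-side account has no restrictions, so the tunnel key is also a shell login. The server name, user, ports and key paths are assumptions.

```shell
#!/bin/sh
# Added example; this is not fwarren's script and not OpenSSH project code.
# Same design as the reverse tunnel above (their box calls out to your server,
# you come back in through the forwarded ports), with three changes a reviewer
# would ask for: the server host key is pinned instead of ignored, the
# server-side account can only open forwards, and the forwarded ports bind to
# 127.0.0.1 on the server rather than to every interface. All names here
# (myserver.example.org, pozer, key paths, ports) are assumptions.
set -e

SERVER=myserver.example.org
SERVER_USER=pozer
KNOWN_HOSTS=/root/.ssh/known_hosts.myserver   # pinned server key lives here
IDENTITY=/root/.ssh/id_ed25519_tunnel         # key used only for this tunnel
SSH_PORT=8000                                 # server port -> their sshd
VNC_PORT=8001                                 # server port -> their x11vnc

# Line for ~pozer/.ssh/authorized_keys on the server. With ssh -N no session
# is opened, so command= never runs; an interactive login gets /bin/false.
# (OpenSSH 7.8+ also accepts permitlisten="127.0.0.1:8000" to pin the -R
# ports; permitopen only restricts -L forwards.)
authorized_keys_entry() {   # $1 = public key text, "ssh-ed25519 AAAA... comment"
    printf 'no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false" %s\n' "$1"
}

# The autossh command line. Differences from the thread's version:
#  - StrictHostKeyChecking=yes with its own known_hosts file: if the server
#    key ever changes the tunnel stays down instead of talking to an impostor;
#  - ExitOnForwardFailure=yes: a taken port makes ssh exit and autossh retry,
#    instead of holding a session with no forwards;
#  - -M 0 with ServerAlive*: liveness via the SSH connection, no monitor port;
#  - 127.0.0.1 binds: reachable only on the server itself (see hop_cmd).
tunnel_cmd() {   # $@ = extra -R specs, e.g. "-R 127.0.0.1:8002:192.168.1.50:5900"
    printf 'autossh -M 0 -f -N -i %s' "$IDENTITY"
    printf ' -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' "$KNOWN_HOSTS"
    printf ' -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3'
    printf ' -R 127.0.0.1:%s:localhost:22 -R 127.0.0.1:%s:localhost:5900' "$SSH_PORT" "$VNC_PORT"
    for spec in "$@"; do printf ' %s' "$spec"; done
    printf ' %s@%s\n' "$SERVER_USER" "$SERVER"
}

# Record the server key once, from a connection you trust (e.g. while at the
# server, or after comparing the fingerprint out of band).
pin_cmd() {
    printf 'ssh-keyscan -t ed25519 %s > %s\n' "$SERVER" "$KNOWN_HOSTS"
}

# From any other machine: hop through the server to a forwarded port, here
# exposing it on local port 5901 for "vncviewer localhost:5901".
hop_cmd() {   # $1 = server-side port, e.g. 8002
    printf 'ssh -N -L 5901:127.0.0.1:%s %s@%s\n' "$1" "$SERVER_USER" "$SERVER"
}

# Writes the if-up.d script from the thread, with the hardened command.
# if-up.d already runs as root, so no su is needed.
write_ifup_script() {   # $1 = path, e.g. /etc/network/if-up.d/reverse-ssh
    {
        echo '#!/bin/sh'
        echo '# keep retrying even if the first attempt fails'
        echo 'AUTOSSH_GATETIME=0; export AUTOSSH_GATETIME'
        echo "[ -r $KNOWN_HOSTS ] || exit 0   # key not pinned yet: do not connect blind"
        tunnel_cmd "-R 127.0.0.1:8002:192.168.1.50:5900"
    } > "$1"
    chmod 755 "$1"
}
```

    Run pin_cmd's output once while you trust the path to the server, install the authorized_keys_entry line for the tunnel key under the pozer account, then write_ifup_script /etc/network/if-up.d/reverse-ssh on the parents' Linux box. Because the forwards now bind to loopback on the server, GatewayPorts can stay off; from your desktop you reach them with hop_cmd, which is one more ssh but means a compromised machine on your LAN does not get a direct path to the parents' sshd.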

  • Works on Windows, Linux (that's where I run my NeoRouter server) and Android. They have a free (beer) version that I used for a couple of year. I'm on the paid version now. http://neorouter.com/ [neorouter.com]
  • I have a similar situation for remote access, but my parents are 12 hours away.

    I use Splashtop with the remote access feature (paid feature). No approval to access the machine is required.

    I use Sophos UTM(next gen firewall, formerly Astaros(sp?)) for Web filtering, spam and anti-virus protection in my home as I was tired of trying to tie solutions together to make them work and SPAM was really starting to get bad. As you are doing this for personal use, you can get their Home use virtual license for free

  • by nyet ( 19118 ) on Tuesday July 14, 2015 @02:47PM (#50111225) Homepage

    Get some IPv6 endpoints (and subnets) from HE tunnelbroker and set up some basic IPv6 Linux firewalls at both ends. Ditch all the crazy NAT/VPN crap and just go 100% peer to peer.

  • Using a pfSense with multiple NICs you could set up numerous networks and control routing between the networks at that point. Also pfSense can fully integrate OpenVPN into the scheme and has a firewall and filtering to be able to tell where everyone in the network is going. It also allows for port forwarding for your Linux box. Did I mention all of this is done through a GUI interface? Software can be downloaded at: https://www.pfsense.org/ [pfsense.org]
  • OpenVPN does exactly what you need. You can link your locations with a site-to-site tunnel and include the nets on both sides.

    https://openvpn.net/index.php/... [openvpn.net]

    You can set one of the VPN gateways as the default gateway for the other net and OpenVPN runs on all sorts of hardware including WLAN routers and iOS devices.

  • In your description, you have lots of different random things you're trying to do, and it'd take me some time to parse it out, and then I'd have questions.

    But you say, "I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry." Ok, so my first question would be, do you really want VPN for that? It might be easier to go with some kind of remote-control service or MDM. LogMeIn comes to mind as so

  • I have 3 VPS and 2 mixed networks. All of them can communicate with each other over different subnets

    Make one of the VPS servers your master OpenVPN server
    Connect all the other VPS, or network gateways to the Master as clients.

    Make sure you advertise the routes using server side client config directives (usually in $path/openvpn/ccd/$name_of_certificate)

    Problem solved.

    Can even go a little more advanced, setup a vps in another country, and use static routes to make it appear like you are local when you hit
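    As an added example (not from any commenter, and not OpenVPN project code), here is a routed site-to-site configuration matching the ccd/iroute approach in this comment and the split-tunnel suggestion from szy further up, generated by a small sh script so the two variants can be compared side by side: "full" pushes redirect-gateway to B's router so every packet from location B leaves through A, as the question asks; "split" pushes only A's LAN and adds policy routing on B's router so only the son's subnet takes the tunnel. All addresses, the hostname vpn.example.org, interface names and certificate names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# Generates a routed (dev tun, not tap) site-to-site OpenVPN setup for the
# layout in the question: B's router is the client, A runs the server.
#   full  - A pushes redirect-gateway, so all of B's Internet traffic leaves
#           via A (what the question asks for);
#   split - A pushes only its own LAN, and policy routing on B's router sends
#           just the son's subnet through the tunnel, as szy suggested.
# Every address, hostname, interface and file name below is an assumption.
set -eu

A_LAN=192.168.1.0;   A_MASK=255.255.255.0;   A_CIDR=192.168.1.0/24
B_LAN=192.168.2.0;   B_MASK=255.255.255.0;   B_CIDR=192.168.2.0/24
KID_LAN=192.168.3.0; KID_MASK=255.255.255.0; KID_CIDR=192.168.3.0/24
TUN_NET=10.8.0.0;    TUN_MASK=255.255.255.0; TUN_GW=10.8.0.1
A_HOST=vpn.example.org   # A's public DNS name
A_WAN=eth0               # A's Internet-facing interface
B_CN=siteB-router        # CN in the certificate issued to B's router

server_conf() {   # site A; $1 = full|split
    mode=${1:-split}
    cat <<EOF
dev tun
proto udp
port 1194
topology subnet
server $TUN_NET $TUN_MASK
ca ca.crt
cert serverA.crt
key serverA.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
client-config-dir ccd
# kernel routes for B's subnets point into the tunnel; the iroute lines in
# ccd/$B_CN tell OpenVPN which connected client owns them
route $B_LAN $B_MASK
route $KID_LAN $KID_MASK
keepalive 10 60
user nobody
group nogroup
EOF
    if [ "$mode" = full ]; then
        echo 'push "redirect-gateway def1"'   # def1: override, do not delete, B's default
    else
        echo "push \"route $A_LAN $A_MASK\""
    fi
}

ccd_entry() {   # contents of ccd/$B_CN: this client owns B's two subnets
    printf 'iroute %s %s\niroute %s %s\n' "$B_LAN" "$B_MASK" "$KID_LAN" "$KID_MASK"
}

client_conf() {   # B's router; the same in both modes, the server decides
    cat <<EOF
client
dev tun
proto udp
remote $A_HOST 1194
resolv-retry infinite
remote-cert-tls server
ca ca.crt
cert $B_CN.crt
key $B_CN.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
EOF
}

site_a_setup() {   # site A: forward what arrives from the tunnel and NAT it out
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun0 -o $A_WAN -j ACCEPT
iptables -A FORWARD -i $A_WAN -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $B_CIDR -o $A_WAN -j MASQUERADE
iptables -t nat -A POSTROUTING -s $KID_CIDR -o $A_WAN -j MASQUERADE
EOF
}

site_b_policy_routing() {   # B's router, split mode; run from an OpenVPN --up script
    cat <<EOF
grep -q viaA /etc/iproute2/rt_tables || echo "100 viaA" >> /etc/iproute2/rt_tables
ip rule add from $KID_CIDR to $B_CIDR lookup main priority 90
ip rule add from $KID_CIDR lookup viaA priority 100
ip route add $A_CIDR via $TUN_GW dev tun0 table viaA
ip route add default via $TUN_GW dev tun0 table viaA
EOF
}

write_all() {   # $1 = output dir, $2 = full|split; inspect before deploying
    out=$1; mode=${2:-split}
    mkdir -p "$out/ccd"
    server_conf "$mode"   > "$out/server.conf"
    ccd_entry             > "$out/ccd/$B_CN"
    client_conf           > "$out/client-$B_CN.ovpn"
    site_a_setup          > "$out/setup-siteA.sh"
    site_b_policy_routing > "$out/setup-siteB-policy.sh"
}
```

    Source the file and call write_all /tmp/vpn full (or split) to get the five files to read before deploying. Two things to check in full mode: B's router must also have ip_forward on and should push A-side DNS to its clients (push "dhcp-option DNS ..."), otherwise the ISP at B still sees every lookup even though the traffic itself goes through A; and everything B does now counts against A's 2TB cap from the question. In split mode the priority-90 rule is what keeps the son's subnet able to reach the grandparents' LAN directly; without it that traffic would also be sent up the tunnel.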

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Tuesday July 14, 2015 @03:37PM (#50111651) Homepage Journal

    It sounds like the motivation for the change isn't that remote desktop didn't work well, but that it has stopped working, so you don't have a good way to remotely administer their machines. If so, rather than setting up a VPN, a remote desktop that does work would do the job.

    Chrome Remote Desktop (a Chrome browser extension from Google) does this quite handily. You can set up one-time remote sessions, where someone on the other end has to give you an invitation for each connection, or you can set up persistent connections which you can use any time. It's cross-platform (Windows, Mac, Linux).

    I haven't looked into the underlying network protocols in detail, but I understand it uses libjingle, which implements ICE for NAT traversal (https://tools.ietf.org/html/rfc5245). What I do know is that I've used it in many bizarre network configurations and it's been flawless... if both hosts can reach the net, they can reach one another.

    • "Chrome Remote Desktop (a Chrome browser extension from Google) ... you can set up persistent connections which you can use any time."

      Where the hell is THAT documented? Seriously: I would look at it once.... Having Chrome always running might sound like a great idea until you NEED it, but unless it also works on Chrome Desktop (ie: Chrome books, Chrome Boxes, etc) it is of questionable use for supporting grandpa and 8yr old Susie.
      • At least for Linux there's a command-line tool that keeps the server always running. That's what I use. Not sure about Windows or Mac. As for Chrome Desktop, Chrome is always running; works fine.

        In any case, the questioner indicated that he's previously used a RD solution that required some action on the remote end to initiate it, and that worked (though perhaps less than ideal). So even if you have to have someone at the remote end start Chrome, or even initiate a per-connection invitation, I expect it's

  • In my opinion you are making this issue more complicated than it really is. You really don't need site-to-site VPNs and custom routing to accomplish your goals.

    If I understand you correctly your goals are:

    1) To have remote access to machines (Linux, Windows, others) in few remote networks.

    Just set up VPN server in each of these remote networks. OpenVPN is probably a good way to go. It would run on any Linux machine, Windows machine (if you dare), even on some routers (f.e. DD-WRT compatible). If these netwo

    • by spauldo ( 118058 )

      Well what you basically wish for is a corporate-like network with authentication to local systems and to network usage. It can't be done without enterprise class systems - you will need an internet access proxy/gateway for accounting and enforcing access policies for the network, a user directory to enforce password usage and restrict access to certain machines for certain users (namely your son), and a network access protection system (and network hardware supporting it) so your son can't just use his Linux machine to access the network however he likes.

      Um, what?

      He's not setting up a corporate network, and he's not protecting vital data. Hardcore security isn't required (and can still be had, at some inconvenience to the users, using things like this [openbsd.org], for instance), If he's got a UNIX-based firewall that can run cron scripts, that's all he needs.

      Try this:
      1) Put grandparents' machines on static IPs (or set their IPs on the DHCP server, if whatever's serving DHCP supports it).
      2) Have grandparents put a password on their Windows boxes and set the screensaver

      • > that's all he needs

        No it is not. You have contradicted yourself in your post. You have described a solution which is flawed from the beginning. Then you described that flaw (the kid could just change his IP to the grandparents' machine, or even the MAC if you would go for MAC-based filtering). So you have basically posted a solution that is not a solution at all if you wish to make things work without beating the child.

        • by spauldo ( 118058 )

          I assume you don't have kids. Or work in security, for that matter.

          This is standard industry practice. You weigh your security needs (very little, based on the original question) and base your policy on those. If you catch someone circumventing your policy, you take action (for parents, you punish the child; for companies, you discipline the employee).

          What this setup does is make it non-trivial for the children to circumvent the basic security setup. It also makes it dead easy to find someone who is cir

          • > I assume you don't have kids. Or work in security, for that matter.

            So you have lots of kids and work in security and it didn't occur to you that it would be easier and more effective to just take the kid's laptop and lock it up somewhere?

  • You could do all of this through software (openVPN, etc.), but honestly life is too short to go through all the effort required as well as making sure it all works and stays updated. I'm getting too old for this crap and just need something that works in the least amount of time and effort required.

    I'd recommend you look at something like the Meraki MX64 [cisco.com]/MX64W at all three locations, it will do all of the necessary tunneling and filtering you need (with the advanced security license), as well as allow you

    • So in hardware VPN device VPN related stuff is being done in their ROM or maybe there are physical gears doing the VPN stuff...?

    • Is this like the other Meraki stuff where you have to pay Cisco licensing each year to be able to continue to use and manage the hardware (without paying the license it's a brick)? If so it may not be the best solution (also consider - to manage the device you have to have it connected to the cloud, so if that connection goes away or gets flaky, you're SOL).

      Plus you have the delightful experience of buying new hardware rather than continuing to use existing stuff if you don't want to pay the danegeld any m

      • by musicon ( 724240 )
        Yes, there is an annual cost for support on the device. However, it's minimal (~$70/year) and the ability to manage and monitor from anywhere is nice. I'm actually not sure what functionality is lost without maintenance, but I assume it's like most of their other products in that you stop receiving updates but it continues working fine with the last installed version.
  • TeamViewer is similar to remote desktop, and quite good. It's free for personal use. You might want to try that, or simply changing Remote Desktop's ports, before launching into complicated stuff, mister Network Admin.

  • Yes, you could go through the trouble of setting up VPN, etc. and it would work. But VPN connections can be tricky if you don't know what you are doing.

    Personally, I've been using TeamViewer (free for private use) for remote control. They have Windows, Mac, UNIX, and mobile clients. You do have to know the password on the client that you are connecting to and I believe that you can set it to a permanent one, but I've never needed to. I just get my Dad to read the 4 or 5 digit random number back to me.

  • I'm surprised no one mentioned Softether https://www.softether.org/ [softether.org] - with multi-protocol support and site-to-site capability, it should be able to cover all your needs. Set up a server in the cloud - DigitalOcean is a cheap and excellent host - with Softether. Set up another Softether client in your household on an old machine and set the two to do a site-to-site. From the DigitalOcean installation, ensure that the gateway is whatever you like it to be (another VPN to work, perhaps?) and you're all set.
  • It will cost you some bucks, but the simplest-to-maintain connection would be a dedicated machine at the far end to act as a firewall that forces all traffic through a VPN, and some box at your end to receive the VPN's traffic and route it wherever it needs to go.

    Doing it this way means there is no special software to install on the clients and nothing will "break" when Windows 10 or Raspberry Pi's next OS revision comes out.

    For appliances like these, I would recommend you consider one of the specialized di

  • You don't need to route the traffic from their network to yours. You are making this way way way more difficult than it needs to be. Set up a router at the grandparents' end which has everything running through it. Set it up with a Squid proxy and all the traffic will be loggable there.

    Next configure that router to be a VPN server and you connect into it whenever you want. Once connected you can read the logs and check your son's internet habits and you can access the rest of the network to fix their machin
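
    The "read the logs" step above, as an added example that is not part of the original comment: a small parser for Squid's native access.log format that totals bytes per client and destination host, so the log pulled over the VPN can be summarised per machine. The log lines are constructed for illustration (RFC 5737 documentation addresses); field names follow Squid's documented native format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type).

```python
"""Summarise a Squid native-format access.log by client and destination.

Added example for the thread, not code from the original poster.
SAMPLE_LOG is constructed; the addresses are documentation ranges.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid "native" access.log: ts elapsed client result/status bytes method url ident hier/peer type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample: two LAN clients, one HTTPS CONNECT tunnel, one junk line.
SAMPLE_LOG = """\
1436946000.123    245 192.168.2.20 TCP_MISS/200 4523 GET http://example.com/index.html - HIER_DIRECT/203.0.113.5 text/html
1436946001.456     12 192.168.2.20 TCP_HIT/200 1200 GET http://example.com/style.css - NONE/- text/css
1436946002.789   3010 192.168.2.20 TCP_TUNNEL/200 88200 CONNECT www.example.org:443 - HIER_DIRECT/203.0.113.6 -
1436946003.001     30 192.168.2.10 TCP_MISS/200 2048 GET http://update.example.net/patch.msu - HIER_DIRECT/198.51.100.7 application/octet-stream
this line is not a squid record and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not match."""
    m = SQUID_NATIVE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["elapsed"] = int(rec["elapsed"])
    return rec


def host_of(rec):
    """Destination host: CONNECT lines carry host:port, everything else a full URL."""
    if rec["method"] == "CONNECT":
        return rec["url"].rsplit(":", 1)[0]
    return urlsplit(rec["url"]).hostname or rec["url"]


def summarize(lines):
    """Map client IP -> destination host -> total bytes served."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[rec["client"]][host_of(rec)] += rec["bytes"]
    return {c: dict(h) for c, h in totals.items()}


def unparsed(lines):
    """Count lines that did not match; a non-zero value means the log format is not native."""
    return sum(1 for line in lines if line.strip() and parse_line(line) is None)


def report(lines):
    """Flat list of (client, host, bytes), largest first, for a quick read over the VPN."""
    rows = [(c, h, b) for c, hosts in summarize(lines).items() for h, b in hosts.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, host, nbytes in report(lines):
        print(f"{client:16} {host:24} {nbytes:>8}")
    print("unparsed lines:", unparsed(lines))
```

    Only native-format logs match; if Squid is configured with `logformat combined` or a custom format the regex needs the matching layout, which is what the `unparsed` count is there to flag.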

  • There are two ways of doing this.

    One is to look for alternative remote desktop software that does work. I've had success with TeamViewer - YMMV.

    Two is to put in a lan-to-lan VPN at each site and configure your routing appropriately - either go with something like DD-WRT or get something that will do it out of the box like a Ubiquiti EdgeRouter Lite ($100 and it has 3x gigabit ports and enough horsepower to route at an appreciable fraction of that rate)

    https://www.ubnt.com/edgemax/e... [ubnt.com]

  • This is a job for IPsec tunnels. OpenVPN could also do the job. Linux, FreeBSD and OpenBSD have been cited. NetBSD can do it too. IMO NetBSD may have the path of least resistance [netbsd.org] but that is personal opinion.

  • You can pay a couple hundred bucks for a pre-built solution, or you can build a pair of OpenBSD routers to do the job. You can either use a pair of old machines that you've been too lazy to send for recycling, or you can buy a pair of Raspberry Pis with a second (USB) ethernet connector, for a low power solution. VPN them together, and set the default route for the router at network 'A' to be through network 'B'. Problem solved. People have suggested both IPsec and OpenVPN to build the tunnel. Just
  • Easily achieved with Cisco hardware (read: enterprise class) but can't swear to it via pfSense. Talking a beefy and/or $$$ router though for the speeds you quoted in the Cisco world.

    PfSense will do a few flavors of VPN, but I've never tried to get it working with any sort of logic to flag which traffic should bring the tunnel up and which should go out unencrypted.

    However this link is informational:

    https://doc.pfsense.org/index.... [pfsense.org]

    Since it's a mixed environment, it would probably be best to do it a

  • You need two Raspberry Pi 2B computers, dynamic DNS, and OpenVPN.

    Dynamic DNS service to track B-side IP addresses
    OpenVPN to create the VPN
    Leave the VPN on all the time using the Raspberry Pis
    ip route add 192.168.2.0/24 via 192.168.1.100

    (assumes your A-side Raspberry Pi is .100, and your net is 192.168.1.0 and their net is .2.0)

    If you can't port-forward VPN through your ISP, you can fool it by "router hole punching"

  • Go download: https://www.sophos.com/en-us/p... [sophos.com] You'll have a free licence for 50 IP addresses per side. Beauty is.. it's Linux; supports more hardware options than pfSense. I use this to do exactly what you're wanting to do. I built small cheap computers ($250 a pop from Newegg, tri-NIC'd) to be the "FW", installed the UTM box at every family household that needed one and set up site-to-site VPN between them. Works perfectly and it's easy to manage.
  • Cisco devices have a feature called VTI - virtual tunnel interface. Basically it's an IPSec-protected GRE tunnel, but it looks like just another interface on the router.

    Then you just set up your routing rules. Policy-based routing will allow you make decisions based on the source IP.

    This stuff works great in a SOHO environment. Doesn't scale well, though.

  • by nbvb ( 32836 ) on Wednesday July 15, 2015 @07:49AM (#50115793) Journal

    Get a small NAS, such as a QNAP or Synology.

    They both have OpenVPN built in, so use that. Then you have a NAS for centralized backups (because if you're managing remotely you want to make sure their stuff is backed up, right?) and your VPN connectivity.

    Win win situation. If you get creative, you can even cross-replicate the NAS's so you have a true offsite backup.

  • I know this is old now, but honestly you're overthinking this.

    First, as others have mentioned here you can use TeamViewer to do remote desktop support, and it's free. No need to upgrade to Windows 7 Ultimate or anything else for that matter. I've used it on OSX, Windows and Linux and it works like a champ. I've supported family and friends... and even had a commercial license for TeamViewer for a while because it really is so easy to use and maintain that I found it invaluable. I don't do that job any more,
