
Hermitage, AR

[Tech Ops] VPN Options for Secure Access to Network Components

Well.. since we seem to have some people who think VPN is the only way a network should be accessible.. maybe a few of you can list some options for us that aren't using it currently. I have explored it a time or two and think it's a better way for security but right now I just limit access via firewalls and such.

I'd love to implement a VPN solution but haven't found too many exclusive guides.. maybe in this thread you can list the best hardware appliances and average cost for them as well as some open source solutions.



Re: [Tech Ops] VPN Options for Secure Access to Network Componen

I use ppp or ptp vpn. Windows and Linux both have built-in clients, MikroTik has a built-in client & server, it is easy to set up and no longer considered insecure or broken with the latest implementations (may have had issues with NT4 or something).

OpenVPN is an SSL-based VPN and has some advantages ... can't remember what they are other than it is open source and free. But you need to install client software on your endpoints. MikroTik has incomplete (but working?) support for OpenVPN. Don't know how they can manage to have incomplete support for an open source client, server, and protocol. Something about UDP...

IPsec is regarded as the most secure but can be a bitch to set up. I think it takes 36 steps to set up a Windows PC for IPSEC client. There are software clients you can buy ('the greenbow' is one I know of).


reply to mtroup

As I mentioned in the other thread I am hooked on the ASA series from Cisco. If you are not familiar with Cisco CLI you may have a little harder time configuring it at first but the Cisco has an ASDM which lets you do a lot of stuff via gui. However I've found that I still need to do a few things in CLI that I don't know how to do in the GUI but your experience may differ.

You can pick up an ASA5505 with UL users license for about $600 and then you can do SSL Clientless VPN or simply use the portal that can be accessed via https or install the cisco VPN client on your machine and use it semi-permanently.

What I have done is put an ASA5510 at the office and then grabbed an asa5505 for home and use it on my network so my computer at home becomes a link to my network via ipsec.

A tad expensive I suppose but very nice to have around.

Bernie, MO
reply to mtroup

I've been thinking about using a couple of rb750's as pptp access servers.

PPtP setup under mikrotik: gregsowell.com/?p=680


reply to mtroup

I have a WinXP box with The Dude running on it behind a NAT firewall. I just RDP / remote desktop into it and then can access the internals of the network through its second network card. Much easier when I am away and need to get access because I don't need to set up a VPN or its client - just use mstsc, which is available on all Windows PCs above XP or via remote web for 2k/98 PCs.



What happens if that box goes down?


Washougal, WA

"What happens if that box goes down?"

Throw laptop at truck, kick tower, fix foot, fix box, then go shopping for new laptop. Shopping makes me feel good.

"The Secret is in the RITHMATIC" Henry Hudson

Knowlton, QC
reply to mtroup

What happens if the box goes down???

What happens if the radios go down, or the servers? Same result... Life sucks... Truck roll.

For me it depends. If it's for a simple access to something, I use PPTP only because it has a native windows client. For the real tunnels I use L2TP with IPSec (Which yes can be a royal bitch to get the hang of, but not bad once you do). I've avoided OpenVPN only because it seems to be even MORE of a bitch to set up than IPSec.

MT is great for setting up tunnels, for business clients that want a transparent L2 tunnel between two locations on our grid, that's where two RB-450G boards, and EoIP/L2TP/IPSec comes into play. By the end of it it's nothing more than a glorified Ethernet cable.

Justin - DSLR resident grouch and Mr Negativity
TSI Fanboy - "Dontchya wish your 'net was hot like mine! Ohhh Dontchya!"
Have a nice day!


reply to mtroup

We have an MT box for the core router with VPN turned on and also a Cacti unit installed on a Linux machine with a public IP. I can access the Cacti with my iPhone and access the VPN if necessary.

GNca George
GorillaNET Wireless Broadband
Minden, ON
reply to kewlkeed

We use PPtP for most stuff between MikroTiks.

If you want a really slick, totally no brain required OpenVPN implementation try Zeroshell on an Alix. Works great for remote client and site to site.

Only costs a couple of hundred bucks at each end, dead easy to set up, uses compression and it smokes. Very high capacity solution.

Tough Broadband for a Tough Crowd!
GorillaNET.ca - 10Mbits to your desk, coming soon.


reply to mtroup

Mikrotik for the win.

Just set up a private network under the mikrotik. If you are afraid of the mikrotik going down get a 2nd dsl line with a 2nd mikrotik (they are cheap) with access to a web reboot switch.. get a good battery backup and use ping watchdog if you have to.

Then you can VPN into this machine from anywhere and you'll have access to all your private data.

On top of that you can have multiple VPNs inside the network if you choose to secure even further. As long as you can route public IPs inside you are set.