RolandD70

join:2013-02-19
Toronto, ON

Mobile Access 2 Home LAN Via IPCop (or pfSense) FW w/OpenVPN

Hi!

Lots of research and too many questions; as far as I can tell, even though this should be a popular question, I don't see an answer.

Here's the scenario: I'll be travelling with my laptop. For all the usual reasons I'd like secure access to home computer, and have secure browsing via VPN. The setup is DSL-Modem-IPCop-Switch-Multiple PCs.

LAN w/FIREWALL AT HOME

1. IPCop can do OpenVPN. So I'm assuming I can make it the end-point for StrongVPN? So when I connect in, how do I get to a particular desktop? Is it via VNC with port forwarding? I'm looking for a recipe book but haven't found it yet. But given the plain-vanilla nature of my question, I'm sure lots of people have done or would like to do this.

(Later Note Adding pfSense firewall: I see a lot of people do this with pfSense. I'm short of time to learn and config pfSense, although it seems very good. Am I correct that IPCop can do everything I need it to?)

LOCKOUT MAYBE?

2. What happens to other people at home when I'm connected? Do they still have access to the Internet the usual way? When I worked for a company, the VPN would grab the connection and lock everyone else out. Will that happen in this scenario?

DYNDNS ETC?

3. Are there any things to worry about? The "dreaded 'double-NAT'" problem for example? Or security holes? My IP address is dynamic, so the whole thing has to be routed through a dyndns IP address.

SECURITY? "STEALTH"?

Is this anticipated setup secure? Will I be presenting (via IPCOP thru the modem thru dyndns) an "open port" to the internet? And then get pinged by bad people multiple times a second? Or will the thing be invisible, and only respond to the approved client? And therefore won't get hit?

Thanks for anyone's advice. I'm sure there are lots of details, but going in the right direction from the beginning is important!

RD



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Have you considered Team Viewer?


RolandD70

join:2013-02-19
Toronto, ON
reply to RolandD70

Haven't considered Teamviewer -- doesn't seem to be in the right category.


RolandD70

join:2013-02-19
Toronto, ON
reply to RolandD70

Quick Report:

1) Hard to figure out OpenVPN on IPCop 2 (the older "Zerina" add-on looked like it was more explicit, but is apparently not recommended for the new IPCOP V2). Not sure how to import all the security parts (key, cert etc. etc.)

2) The Network Manager bug on OpenSuse was incredibly frustrating -- two or three years and no results -- the OpenVPN file generated by StrongVPN contains all the security items -- but you don't know this. And the "import" only imports the top item, but doesn't do the individual items. So it is subtly frustrating because it "looks like it works", but in fact doesn't. So you have to actually edit the file as a text file and create the four or five separate items. Then it actually imports all at once and works. But I'm a champion and fan of opensource, so this is quite maddening . . .

3) StrongVPN documentation assumes you know stuff. They have some nice material on their site, but the documentation is not that great. Granted there are a lot of combinations, but the fact that Network Manager is just plain "busted" is not highlighted. So most people with this problem (various flavours of popular Linux) will fail.

RD
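
The manual edit described in point 2 above (pulling the embedded security items out of a single .ovpn file into separate files), shown as an added example that is not part of the original post and is not StrongVPN's or NetworkManager's own tooling. The output file names and the sample config are assumptions made for this illustration; key material is written with owner-only permissions.

```python
import os
import re
import tempfile

# Inline tag -> file to write. The file names are this example's choice.
INLINE_FILES = {"ca": "ca.crt", "cert": "client.crt",
                "key": "client.key", "tls-auth": "ta.key"}
SECRET_TAGS = {"key", "tls-auth"}  # private material: owner-only permissions

# An inline block is <tag> on its own line, the body, then </tag> on its own line.
BLOCK_RE = re.compile(
    r"^<(?P<tag>[\w-]+)>[ \t]*\n(?P<body>.*?)\n</(?P=tag)>[ \t]*$", re.M | re.S)

# Constructed sample: placeholder bodies, not real certificates or keys.
SAMPLE = ("client\ndev tun\nremote vpn.example.net 1194\nkey-direction 1\n"
          + "".join(f"<{t}>\nCONSTRUCTED-{t.upper()}-PLACEHOLDER\n</{t}>\n"
                    for t in INLINE_FILES))


def split_inline(ovpn_text, out_dir):
    """Write each known inline block to its own file in out_dir.

    Returns (rewritten_config, {tag: path}). All other lines are left as-is.
    """
    written = {}

    def to_file(match):
        tag = match.group("tag")
        name = INLINE_FILES.get(tag)
        if name is None:
            return match.group(0)  # unknown inline block: keep it inline
        path = os.path.join(out_dir, name)
        mode = 0o600 if tag in SECRET_TAGS else 0o644
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(match.group("body").strip() + "\n")
        os.chmod(path, mode)  # enforce the mode even if the file already existed
        written[tag] = path
        return f"{tag} {name}"  # file-reference form of the same directive

    text = ovpn_text.replace("\r\n", "\n")
    return BLOCK_RE.sub(to_file, text), written


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        config, files = split_inline(SAMPLE, d)
        print(config)
        print(sorted(files))
```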


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to RolandD70

said by RolandD70:

1. IPCop can do OpenVPN. So I'm assuming I can make it the end-point for StrongVPN? So when I connect in, how do I get to a particular desktop?

"Give the device VPN'ing in an IP address on your LAN and get the VPN software to tunnel the traffic OVER
the tunnel TO your LAN" would be a high-level answer. The devil is in the details / config and as I've never
worked with IPCop, I couldn't give you a "recipe" how to make this work, RolandD70.

said by RolandD70:

2. What happens to other people at home when I'm connected?

If you configure this right, nothing should happen. You VPN'ing in should be transparent to them.

said by RolandD70:

3. Are there any things to worry about? The "dreaded 'double-NAT'" problem for example? Or security holes? My IP address is dynamic, so the whole thing has to be routed through a dyndns IP address.

Not from your rough diagram. If the modem is operating as a plain old DSL modem and it's IPCop that gets
the public IP address, you should be fine. As to dynamic IP address, you MAY want to consider dyndns
as a possibility.

said by RolandD70:

Is this anticipated setup secure? Will I be presenting (via IPCOP thru the modem thru dyndns) an "open port" to the internet?

That's a question for the IPCop inbound rule config. Rule of thumb is always "permit only what you need, deny
the rest." If your ruleset ONLY permits VPN inbound and drops everything else, generally speaking you should
be okay.

My 00000010bits

Regards

RolandD70

join:2013-02-19
Toronto, ON

Thanks HF! Some good points. In fact I will be using DynDNS. Once I figure this all out, I will write up for both my own satisfaction and documentation -- and share it as well.


HarryH3
Premium
join:2005-02-21
kudos:2

TeamViewer will do all you want and you can have it set up and running in 10 minutes or less. They have really made it easy. I use it frequently to access my desktop from anywhere there is an internet connection. I sometimes even use it at home, logging into various systems around the house, while sitting on the sofa with my laptop.

If you just want to go through all the other gyrations for educational purposes, then have at it and enjoy. But if you just want remote access that works with minimal fuss, then TeamViewer rocks.