[aklug] Re: OT(?): Remote Access VPN

From: JP <jp@jptechnical.com>
Date: Tue Oct 20 2015 - 13:08:38 AKDT

+1 for pfSense and OpenVPN. There is a howto on the forum for setting up
your AD for RADIUS, and pfSense will use this for authentication. This
works really well.

While I agree with Royce on the fanless, as regards CF or SSD, I have
had bad experiences with them. I tend to use the full capabilities of the
pfSense packages, and with all the logging and bandwidth monitoring
services running I have killed every SSD device I have used. It might take
a year, but it dies at the most inopportune time; I admit it may be that I
am failing to configure something correctly. And when it does die, I have
more trouble finding a suitable SSD device, whereas I can grab a hard drive
from anywhere.

On the contrary, I rarely have to replace a spinning drive, and if I do,
then if I am worried about it I set it up so SMART warns me before it just
up and dies. In the end, I opt for surplus desktops, as I pretty much never
have to worry about space to locate them, or about electrical constraints. The
ease of maintaining a desktop box, when you have a couple dozen out there,
is pretty appealing.

This is where M0n0wall had it right... CD for the OS, loads to memory then
spins down, keeps config on a floppy that is read when booting and written
only when there is a config change. Upgrading the OS means replacing the
CD. Upgrade and feature needs outgrew this eventually. But I have warm
fuzzy memories of those old firewalls.

I have used M0n0wall and pfSense for 15 years, and aside from a cheap
Linksys or Netgear here and there, it is the only firewall I will offer my
clients.

Your mileage may vary. Just my $.02.

*JP (Jesse Perry)*
voice/txt: 907-748-2200
email: jp@jptechnical.com
web: http://jptechnical.com
support: helpdesk@jptechnical.com

On Tue, Oct 20, 2015 at 12:42 PM, Royce Williams <royce@tycho.org> wrote:

> On Tue, Oct 20, 2015 at 11:18 AM, Christopher Howard
> <christopher.howard.asi@gmail.com> wrote:
> >
> > So, now I am trying to figure out if it is worth monkeying around with
> this some more to get it working, or if I should look at some other
> approach. Maybe just put a small Linux box on the network and run a FOSS
> VPN server from it? (I'm imagining complications down the road trying to
> get user authentication tied into the AD system if we eventually get
> multiple users.) I looked on our gateway router but didn't see any kind of
> VPN functionality.
>
>
> pfSense -- hands down. GUI, functionality, performance. The OpenVPN
> setup wizard is great. You can cobble together a proof of concept
> with any PC with two NICs and a hard drive. Give it a spin and you'll
> see what I mean.
>
> Since you want the box to just run 24x7, going fanless and motionless
> (CF or SSD) would be good.
>
> Board (Google for APU1D4):
>
> http://www.pcengines.ch/apu1d4.htm
>
> I used to only get them straight from Netgate, but they're only
> offering in bulk right now because they're biasing towards pfSense
> store boxes instead -- same people.
>
> Other sellers:
>
> http://www.pcengines.ch/order.php
>
> ... or order direct from PC Engines:
>
> http://www.pcengines.ch/order1.php?c=4
>
> For ~$250 shipped, you can be up and rolling with an enterprise-grade
> firewall. Buy two and you can set them up in HA. :)
>
> Also, buy an inexpensive UPS at Costco, get a new battery from Frigid
> every ~22 months, and hook up the modem, wireless, and firewall to it
> so that you have good uptime - and connectivity during local power
> outages.
>
> Royce
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>

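JP's point above about letting SMART warn you before a firewall's disk "just up and dies" is the one operational detail in this thread that a script can make concrete. The following is an added example, not code from the list post or from pfSense: it parses the attribute table that `smartctl -A` prints and flags the attributes that usually precede a failure (a reallocated or pending sector count above zero, any normalised value at or below its threshold, a vendor SSD wear indicator running out). The smartctl excerpt embedded in it is constructed for the example, and the SSD wear attribute IDs and the 10% warning level are assumptions, not vendor-documented thresholds.

```python
#!/usr/bin/env python3
"""Flag SMART attributes that usually precede a drive dying.

Added example, not code from the mailing-list post or from pfSense.
Parses the table printed by `smartctl -A <device>` and returns the
attributes an admin would want to be warned about before the disk in a
firewall box quietly fails.
"""
import re

# Attributes whose raw count should stay at zero on a healthy disk.
RAW_MUST_BE_ZERO = {
    5: "Reallocated_Sector_Ct",
    196: "Reallocated_Event_Count",
    197: "Current_Pending_Sector",
    198: "Offline_Uncorrectable",
}
# Assumed vendor SSD wear indicators; the normalised VALUE counts down to 0.
SSD_WEAR_IDS = {177, 231, 233}
SSD_WEAR_WARN_VALUE = 10  # assumed threshold: warn with about 10% life left

# Constructed sample of `smartctl -A` output, not real output from any box.
SAMPLE_SMARTCTL = """\
SMART Attributes Data Structure revision number: 1
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       12
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       8760
177 Wear_Leveling_Count     0x0013   004   004   005    Pre-fail  Always   FAILING_NOW 3012
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
241 Total_LBAs_Written      0x0032   099   099   000    Old_age   Always       -       123456789
"""


def parse_attributes(text):
    """Return one dict per attribute row of a smartctl -A table."""
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("ID#"):
            in_table = True
            continue
        if not in_table:
            continue
        fields = line.split()
        # Columns: ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW
        if len(fields) < 10 or not fields[0].isdigit():
            continue
        # Some drives print raw values like "23 (Min/Max 20/45)"; keep the leading integer.
        m = re.match(r"\d+", fields[9])
        rows.append({
            "id": int(fields[0]),
            "name": fields[1],
            "value": int(fields[3]),
            "worst": int(fields[4]),
            "thresh": int(fields[5]),
            "when_failed": fields[8],
            "raw": int(m.group(0)) if m else None,
        })
    return rows


def smart_warnings(text):
    """Return (id, name, reason) tuples for every attribute that should page someone."""
    warnings = []
    for a in parse_attributes(text):
        if a["when_failed"] != "-":
            warnings.append((a["id"], a["name"],
                             "drive reports WHEN_FAILED=%s" % a["when_failed"]))
        elif a["thresh"] > 0 and a["value"] <= a["thresh"]:
            warnings.append((a["id"], a["name"],
                             "normalised value %d at or below threshold %d"
                             % (a["value"], a["thresh"])))
        if a["id"] in RAW_MUST_BE_ZERO and a["raw"]:
            warnings.append((a["id"], a["name"],
                             "raw count %d, expected 0" % a["raw"]))
        if a["id"] in SSD_WEAR_IDS and a["value"] <= SSD_WEAR_WARN_VALUE:
            warnings.append((a["id"], a["name"],
                             "SSD wear indicator down to %d" % a["value"]))
    return warnings


if __name__ == "__main__":
    import subprocess
    import sys
    # Usage: smart_check.py            -> checks the constructed sample
    #        smart_check.py /dev/ada0  -> runs `smartctl -A` on that device
    if len(sys.argv) > 1:
        # smartctl exits non-zero when it finds problems, so read stdout regardless.
        text = subprocess.run(["smartctl", "-A", sys.argv[1]],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SMARTCTL
    for wid, name, reason in smart_warnings(text):
        print("WARNING: attribute %d %s: %s" % (wid, name, reason))
```

Run from cron against each disk and mail or syslog the output; on the constructed sample it reports the reallocated sectors on attribute 5 and the exhausted wear indicator on attribute 177, and stays silent on the healthy rows. The point is to alert on the trend (any reallocations at all, wear approaching the threshold) rather than waiting for smartd's overall "FAILED" verdict, which on the boxes JP describes tends to arrive too late.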
Received on Tue Oct 20 13:09:40 2015

This archive was generated by hypermail 2.1.8 : Tue Oct 20 2015 - 13:09:40 AKDT