[aklug] Re: OT(?): Remote Access VPN

From: Royce Williams <royce@tycho.org>
Date: Tue Oct 20 2015 - 13:12:18 AKDT

JP, fair point about disk. I have six-year-old boxes doing pfSense,
but they send syslog off-box and are light use. The APU boards use
mSSD; IIRC, it used to be that you had to manually enable TRIM on
FreeBSD; not sure if that's still the case.

Royce

On Tue, Oct 20, 2015 at 1:08 PM, JP <jp@jptechnical.com> wrote:
> +1 for pfSense and OpenVPN. There is a howto on the forum for setting up
> your AD for RADIUS and the pfSense will use this for authentication. This
> works really well.
>
> While I agree with Royce on the fanless, as regards the CF or SSD I have had
> bad experiences with them. I tend to use the full capabilities of the
> pfSense packages, and with all the logging and bandwidth monitoring services
> running I have killed every SSD device I have used. It might take a year,
> but it dies at the most inopportune time; I admit it may be that I am
> failing to configure something correctly. And when it does die, I have more
> trouble finding a suitable SSD device whereas I can grab a hard drive from
> anywhere.
>
> On the contrary, I rarely have to replace a spinning drive, and if I do then
> if I am worried about it I set it up so SMART warns me before it just up and
> dies. In the end, I opt for surplus desktops as I pretty much never have to
> worry about space to locate it, or for electrical constraints. The ease of
> maintaining a desktop box, when you have a couple dozen out there, is pretty
> appealing.
>
> This is where M0n0wall had it right... CD for the OS, loads to memory then
> spins down, keeps config on floppy that is read when booting and written
> only when there is a config change. Upgrading the OS means replacing the CD.
> Upgrade and feature needs outgrew this eventually. But I have warm fuzzy
> memories of those old firewalls.
>
> I have used M0n0wall and pfSense for 15 years and aside from a cheap Linksys
> or netgear here and there it is the only firewall I will offer my clients.
>
> Your mileage may vary. Just my $.02
>
>
> JP (Jesse Perry)
> voice/txt: 907-748-2200
> email: jp@jptechnical.com
> web: http://jptechnical.com
> support: helpdesk@jptechnical.com
>
>
> On Tue, Oct 20, 2015 at 12:42 PM, Royce Williams <royce@tycho.org> wrote:
>>
>> On Tue, Oct 20, 2015 at 11:18 AM, Christopher Howard
>> <christopher.howard.asi@gmail.com> wrote:
>> >
>> > So, now I am trying to figure out if it is worth monkeying around with
>> > this some more to get it working, or if I should look at some other
>> > approach. Maybe just put a small Linux box on the network and run a FOSS VPN
>> > server from it? (I'm imagining complications down the road trying to get
>> > user authentication tied into the AD system if we eventually get multiple
>> > users.) I looked on our gateway router but didn't see any kind of VPN
>> > functionality.
>>
>>
>> pfSense -- hands down. GUI, functionality, performance. The OpenVPN
>> setup wizard is great. You can cobble together a proof of concept
>> with any PC with two NICs and a hard drive. Give it a spin and you'll
>> see what I mean.
>>
>> Since you want the box to just run 24x7, going fanless and motionless
>> (CF or SSD) would be good.
>>
>> Board (Google for APU1D4):
>>
>> http://www.pcengines.ch/apu1d4.htm
>>
>> I used to only get them straight from Netgate, but they're only
>> offering in bulk right now because they're biasing towards pfSense
>> store boxes instead -- same people.
>>
>> Other sellers:
>>
>> http://www.pcengines.ch/order.php
>>
>> ... or order direct from PC Engines:
>>
>> http://www.pcengines.ch/order1.php?c=4
>>
>> For ~$250 shipped, you can be up and rolling with an enterprise-grade
>> firewall. Buy two and you can set them up in HA. :)
>>
>> Also, buy an inexpensive UPS at Costco, get a new battery from Frigid
>> every ~22 months, and hook up the modem, wireless, and firewall to it
>> so that you have good uptime - and connectivity during local power
>> outages.
>>
>> Royce
>> ---------
>> To unsubscribe, send email to <aklug-request@aklug.org>
>> with 'unsubscribe' in the message body.
>>
>
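JP's point about having SMART warn before a firewall disk dies, and the thread's general worry about SSD wear under heavy logging, are the kind of thing worth automating. The script below is an added example, not code from the thread or from the pfSense project: a POSIX sh/awk filter that reads `smartctl -A` style attribute output and flags attributes whose RAW_VALUE exceeds a limit. The attribute names are the standard ones smartmontools prints; the numeric limits and the two sample disk readouts are constructed for illustration and are not vendor-published thresholds.

```shell
#!/bin/sh
# Added example (not from the thread): flag a disk whose SMART attributes
# indicate it is wearing out, from "smartctl -A" style output on stdin.
#
# Live usage (FreeBSD or Linux with smartmontools installed), e.g. from a
# daily cron job whose non-zero exit triggers an alert:
#   smartctl -A /dev/ada0 | smart_check

# smart_check: read attribute rows on stdin, print one WARN line per attribute
# over its limit, exit 1 if any limit was exceeded, 0 otherwise.
smart_check() {
    awk '
        BEGIN {
            # Maximum acceptable RAW_VALUE per attribute.
            # These limits are illustrative assumptions, not vendor figures.
            limit["Reallocated_Sector_Ct"]  = 0
            limit["Current_Pending_Sector"] = 0
            limit["Offline_Uncorrectable"]  = 0
            limit["Wear_Leveling_Count"]    = 500
            bad = 0
        }
        # smartctl -A rows look like:
        # ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
        $1 ~ /^[0-9]+$/ && ($2 in limit) {
            raw = $10
            sub(/[^0-9].*$/, "", raw)   # strip suffixes such as "(Min/Max 20/45)"
            if (raw + 0 > limit[$2] + 0) {
                printf "WARN %s raw=%s limit=%s\n", $2, raw, limit[$2]
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample readouts (not captured from any real disk).
HEALTHY_DISK='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
177 Wear_Leveling_Count     0x0013   097   097   000    Pre-fail  Always       -       120
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0'

WORN_DISK='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   090   090   010    Pre-fail  Always       -       37
177 Wear_Leveling_Count     0x0013   012   012   000    Pre-fail  Always       -       1880
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       2
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0'

# Demonstration run on the constructed samples.
printf '%s\n' "$HEALTHY_DISK" | smart_check && echo "healthy disk: no warnings"
printf '%s\n' "$WORN_DISK" | smart_check || echo "worn disk: schedule replacement"
```

The check deliberately keys on raw counts of reallocated, pending and uncorrectable sectors plus the SSD wear counter, since those are the attributes that tend to climb before a drive fails outright; a real deployment would tune the limits per drive model. Royce's TRIM aside is a separate check: on FreeBSD UFS, `tunefs -p <filesystem>` reports whether the trim flag is enabled.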
Received on Tue Oct 20 13:13:10 2015

This archive was generated by hypermail 2.1.8 : Tue Oct 20 2015 - 13:13:10 AKDT