[aklug] Re: OT(?): Remote Access VPN

From: Leif Sawyer <lsawyer@gci.com>
Date: Wed Oct 21 2015 - 09:00:52 AKDT

This looks like a fun board, though...

https://omnia.turris.cz/en/



From: aklug-bounce@aklug.org On Behalf Of Royce Williams
Sent: Tuesday, October 20, 2015 10:47 PM
To: Aklug
Subject: [aklug] Re: OT(?): Remote Access VPN

And if you want a different case color or other stuff from the site, I'll order whatever you want.

Royce

On Tue, Oct 20, 2015 at 10:37 PM, Royce Williams <royce@tycho.org> wrote:
The more I thought about it, the more I realized that it's time to upgrade.

Since I will be paying the ~$40 for shipment from Europe, if anyone wants to combine shipping with me, speak up in the next 48 hours or so and I'll add your order to mine.

I'm buying direct from PC Engines. Net hardware cost is $177.40 (plus $26.10 if you want the Atheros-based a/b/g/n wireless stuff = $203.50). You would pay your actual hardware cost plus (1/n)% of the shipping, based on n people on the order.

Ignoring the shipping+handling below, this is what we'd be getting:

Qty  Description                                Price      Total      HTS code   Origin  Weight
1    APU.1D4 system board 4GB                   USD145.00  USD145.00  8471.5000  TW      235g
1    Enclosure 3 LAN, black, USB                USD10.00   USD10.00   8473.3000  CN      241g
1    AC adapter 12V US plug for IT equipment    USD4.40    USD4.40    8504.4040  CN      150g
1    SSD M-Sata 16GB MLC Phison                 USD18.00   USD18.00   8523.5100  TW      10g
1    Compex WLE200NX miniPCI express card       USD19.00   USD19.00   8517.7000  CN      10g
2    Cable I-PEX -> reverse SMA                 USD1.50    USD3.00    8544.2020  TW      10g
2    Antenna reverse SMA dual band              USD2.05    USD4.10    8517.7000  TW      56g
     Shipping + handling                                   USD40.80
     Total                                                 USD244.30                     712g



I tried a 10-box order and a 30-box order, and the shipping went up $2, but whatever the actual shipping is, I'll pass that along at the 1/n rate as well.

The assembly and software install is easy -- I'm basically doing this:

https://mateh.id.au/2014/09/build-awesome-apu-based-pfsense-router/

To address some of JP's valid points, I'll explore using inexpensive USB drives to handle write-heavy activity.

I'm not too concerned about using specialized hardware. If you back up your config, you can swap in a refurbished PC temporarily. pfSense knows when its hardware has changed, and will guide you through picking which of the new NICs are LAN vs WAN. It's very easy to restore your production setup quickly on just about any hardware. And the power draw is much lower than on a refurbished PC. The only real drawback is the Realtek NICs. I'd prefer Intel or Chelsio. From my reading, as long as you're not pushing close to the max (600 or 700Mb/s), things should be just fine.

I'm also not concerned about it being FOSS -- it's well integrated by some people who have been doing it for a long time, and designed to work well with a wide range of gear.

Let me know off list if you want to combine shipping with me -- say, by midnight Thursday night.

And if we all go to lunch when the order gets here, you can each buy 1/n of my lunch. ;)

Royce

On Tue, Oct 20, 2015 at 1:57 PM, JP <jp@jptechnical.com> wrote:
Where do you sleep Damien? :-D

A commercial solution is perfectly viable as an option, whatever you need for the application. Just don't drink the Cisco koolaid.



JP (Jesse Perry)

voice/txt: 907-748-2200

email: jp@jptechnical.com

web: http://jptechnical.com

support: helpdesk@jptechnical.com

On Tue, Oct 20, 2015 at 1:40 PM, Damien Hull <dhull@section9.us> wrote:
I'll jump in here and add my 2 cents. Which is about all I have left.

1. Don't use the Windows server as the VPN end point
2. In a small office situation you should use the gateway/firewall for this.
3. You can authenticate through RADIUS which ties into AD. This is a role in Server 2008
4. I would recommend an off the shelf solution rather than rolling your own.

I'm in the middle of deploying Meraki MX80's. May not be the right solution for you but they seem to be working well for us. Dropping in Firewall number 2 this Friday. I'm deploying a total of 4. Might be adding number 5 if we get another office.

And I know someone will kill me in my sleep for recommending something other than an opensource solution. I do have opensource solutions on my network. Just not the firewall.

That's my 2 cents.


On Tue, Oct 20, 2015 at 11:18 AM, Christopher Howard <christopher.howard.asi@gmail.com> wrote:
Hey guys... so I took up a job at a small business which is basically a Windows shop (hey, gotta eat...) and I wanted to set up a simple Remote Access VPN so the boss could access the network files while abroad. They've got a WS2008 running their AD and DHCP on the intranet (but it isn't the gateway). So, my first thought was to see if it had built-in VPN functionality. It does, but I ran into some trouble -- apparently in WS2008 the remote access VPN functionality is tied into the IP routing functionality (which we aren't using). So, when I activated the RRAS, there was some strange conflict with DHCP and it instantly disconnected everyone's access to the network storage shares! Fortunately, I was able to reverse things before causing too much pandemonium, but obviously now I'm a bit nervous...

So, now I am trying to figure out if it is worth monkeying around with this some more to get it working, or if I should look at some other approach. Maybe just put a small Linux box on the network and run a FOSS VPN server from it? (I'm imagining complications down the road trying to get user authentication tied into the AD system if we eventually get multiple users.) I looked on our gateway router but didn't see any kind of VPN functionality.

Any sage advice from the seasoned admins?


---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
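Damien's point 3 (terminate the VPN on the gateway/firewall and authenticate through RADIUS tied into AD) means the firewall acts as a RADIUS client (NAS) and the Windows NPS/IAS role answers on the server's behalf. The following is an added example of that exchange, written for this page and not code from anyone in the thread or from pfSense, NPS or PC Engines: a minimal RFC 2865 PAP Access-Request as the NAS would build it, a toy server standing in for NPS that checks the credentials, and the Response Authenticator check the NAS must do on the reply. The shared secret, the user name and password, the NAS address 192.0.2.1 and the user table are constructed sample values.

```python
"""RADIUS (RFC 2865) PAP Access-Request from a NAS and Access-Accept verification.
Added example, not code from the thread. Secret, user, password, NAS address and
the toy server are constructed; the server stands in for NPS checking against AD."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_VIRTUAL = 5  # VPN sessions are reported as "Virtual" ports


def _attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value limited to 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each block with MD5(secret +
    previous ciphertext block), first block keyed by the Request Authenticator.
    Obfuscation, not encryption: a capture plus the shared secret recovers it."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side). Trailing NULs were padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(blob: bytes) -> dict:
    """Walk the attribute list; reject lengths that would run past the packet."""
    attrs, pos = {}, 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", blob[pos:pos + 2])
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute length")
        attrs[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: str = "192.0.2.1", authenticator: bytes = b""):
    """NAS side. Returns (packet, request_authenticator). The authenticator must be
    unpredictable: it keys the password hiding and binds the reply to this request."""
    auth = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth


def radius_server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server (stands in for NPS). Replies Access-Accept or Access-Reject with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    try:
        pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    except ValueError:
        pw = None
    ok = pw is not None and user in users and hmac.compare_digest(users[user], pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes):
    """NAS side. Returns the reply Code only if the Response Authenticator checks out;
    a NAS that skips this accepts a forged Access-Accept from anyone reaching its port."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    SECRET = b"example-shared-secret"      # constructed; per-NAS secret configured in NPS
    USERS = {b"boss": b"Correct-Horse-9"}  # constructed; stands in for the AD account
    pkt, auth = build_access_request(7, b"boss", b"Correct-Horse-9", SECRET)
    print("reply code:", verify_response(radius_server_handle(pkt, SECRET, USERS), auth, SECRET))
```

Two things this makes concrete for the small-office setup: the User-Password attribute is only XOR-hidden under MD5 of the shared secret, so the path between the firewall and the server running NPS has to be a trusted network segment (or carried inside a tunnel), and a long random per-NAS secret matters; and the firewall must check the Response Authenticator, because nothing else in an Access-Accept is secret. PAP is what the toy shows; a production deployment would normally pair MS-CHAPv2 or EAP on the VPN side with the same RADIUS plumbing.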




Received on Wed Oct 21 09:02:30 2015

This archive was generated by hypermail 2.1.8 : Wed Oct 21 2015 - 09:02:31 AKDT