Aha, I misunderstood. So only the 'corporate network' needs a weird subnet. I can live with that.
There are different flavours of VPN, with different protocols, suited to different scenarios.
The corporates prefer the 'mandatory' protocols which were designed for bridging LAN 2 LAN, partly because they are more secure, partly because of Cisco's marketing (in my opinion). Those protocols (IPSec, L2TP) are embedded at Layer 3 and require a good understanding of L3 routing to set up. There is nothing weird about it, but you do need to understand how L3 routing works. Typically, the more problematic area is the encryption negotiation.
Smaller businesses are usually willing to compromise security for ease of use. In this case, an 'ad-hoc' point-to-point protocol may be a more appropriate choice (PPTP). The client end appears similar to a modem connection, and is no more difficult to configure. You still need to know how a network works to set up the server end. There is a perfectly good PPTP client included with most versions of Windows since Win98/NT4. It may be all versions, but those pesky 'Home' flavours sometimes catch me out. OSX has its own native PPTP client, and of course you can download a package for every flavour of Nix I have come across.
Some of you probably are wondering why I am so 'difficult': I don't want our users to have to make any changes to their systems. The reason: because they will ask how, and I am not an IT guru. I am not willing to offer that support.
So it really has to be made as simple as possible, both for the user and for me (corporate).
I am not sure about difficult but you are making a meal of it, in my opinion. What you are trying to achieve is specific, more than it is difficult.
I have set up PPTP VPNs for dozens of different clients. The first one, ~1998, was a pretty steep learning curve, but had I not negotiated it, I would never have reached the objective. Such is par for the course with network solutions. Connecting a billion computers, spread across the planet, using protocols developed 40 years ago, is not exactly simple. You need to understand what protocols do what, how they work, how they fit together, the choices you must make, or it just don't work (!)
The client end of a VPN can be made simple to use: a few clicks, in the right order, written on a couple of sheets of A4 with some screenshots. The connection can be made completely transparent, but that takes a lot more effort, as automation scripts which match the specific network infrastructure need to be written and tested.
At the server end you need a number of different infrastructure components to all be working together. If any one component is missing, wrongly configured or downright faulty, then no, it won't behave in the seamless way you want.
In the future, as we grow, we may seek a dedicated IT solution. Right now, we can't afford even a person that spends 50% of his time on that.
50%, LOL. I provide '3rd line' server and network assistance to over a dozen small businesses. My contract cost is based on having to assist for one hour, per server, per month. Which still leaves me enough time to derive a decent income from project work. To be fair, keeping the intervention time down is based on getting the server configuration 'right' and avoiding unnecessary or unreliable features.
We can afford to buy 2K hardware and software to solve this problem 'temporarily' (read: until we are larger and can implement our own server and dedicated IT guru.)
You should not need to spend 2K. You do need a bit of expertise.
Another solution could be to go to Weird Stuff Warehouse and buy a couple of used servers.
Stop thinking of servers as being huge, multi-processor, multi-terabyte, do-it-all boxes. You are not trying to build a data-centre like Google.
A NAS is a server. Your workstation is a server. My Raspberry Pi is a server. My router is a server. They all have enough grunt to provide a VPN for a small business. Essentially, what you need for a seamless VPN is: a VPN endpoint, IP address distribution, split horizon name resolution and an authentication scheme. The amount of disk space you need is trivial, and the CPU will go no faster than the upload bandwidth you have available.
By far the easiest and quickest solution is a Windows 2003 Server. Everything you need to configure is in the box, is well tested, well documented, with a decent management GUI. You also get Remote Desktop, so you can manage remotely. As most of the clients are Windows, you avoid the risk of inter-op issues, which can be the bane of VPN solutions. Later versions of Windows Server add a bunch of unnecessary complication which gets in the way.
Another of my preferred solutions is the Intel-based, business class, Synology NAS boxes (like the 713+ and 1513+). Synology are slightly ahead of QNAP on the GUI front (in my experience). Importantly, some of the components you need for a seamless VPN can only be configured on the QNAP by editing conf files by hand. NAS box VPN solutions fall down on ease of use, compared to a Win2K3 server, as the components are not so well integrated.
Draytek 8000 series routers have always been strong in the low-cost VPN endpoint department. Draytek are a little bit like the Rigol of routers: you get a stupid amount of features for the money. However, similar to Rigol, the firmware is poorly documented and lacks regression testing between versions. Draytek refer to it as 'dynamic.' The 8000s were lacking the split horizon DNS support needed for a seamless VPN, but it got added in the last firmware release. The Draytek may be the hardest to get working, due to the dire documentation and needing services which are not in the box.
As you are already invested in a NAS, if you can find a used copy of Win2K3 Server and a decent workstation for a few hundred bucks, that's what I would do. Use Win2K3 to run the PPTP endpoint and the network infrastructure services, while your NAS continues to look after the file sharing. For authentication, Active Directory can provide a single sign-on, which your NAS should be able to plug into.
Otherwise, the Draytek, but you will still need a DNS server for the private side of the split horizon and will probably end up with a separate set of user accounts. The 8000 series are supposed to support plugging into an LDAP directory, but it's one of those features I have yet to see working reliably.
So there: that's the 'why' of what I am trying to do.
Say you get it working. Have you ever experienced using a mapped drive across a VPN? At the protocol level, file sharing is nothing like a database transaction. I could tell you why that is but this post is long enough.
In simple words: Samba/WFS across a VPN is typically a ponderously slow user experience. I will put up with it, as not driving hundreds of miles in the car is key to my business model. Many home workers find it too frustrating to work with routinely. Hence the raft of investment into file sync and remote desktop solutions.
SSHFS (FUSE etc.) is even slower and less reliable.
Finally, keep in mind internet connections typically have less upload bandwidth than download bandwidth. Home workers, with 80Mbps of download fibre dedicated to just their use, often set their expectations accordingly. If you only have 40Mbps of upload, you may struggle to meet one of those users' expectations, let alone five connected concurrently.
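To make the "split horizon name resolution" component concrete, here is an added example (not from the post above, and not a Draytek, Synology or Win2K3 configuration) of how it is expressed on a BIND 9 DNS server using views. The zone name example.internal, the 10.8.0.0/24 VPN client pool and the 192.168.10.0/24 office LAN are constructed placeholders; substitute the addresses the PPTP endpoint actually hands out.

```conf
// Clients arriving from the VPN pool or the office LAN are "inside".
// Everyone else hits the "outside" view and never sees private names.
acl "inside-clients" {
    localhost;
    10.8.0.0/24;        // constructed: PPTP client address pool
    192.168.10.0/24;    // constructed: office LAN behind the endpoint
};

view "internal" {
    match-clients { inside-clients; };
    recursion yes;      // VPN users resolve the public internet through us too

    // Private zone: NAS, printers, etc. answer with RFC 1918 addresses.
    zone "example.internal" {
        type master;
        file "/etc/bind/db.example.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;       // do not act as an open resolver for the internet

    // The private zone is deliberately absent here; queries for it from
    // outside get REFUSED or NXDOMAIN rather than leaking internal hosts.
};
```

The order of the views matters: BIND evaluates them top to bottom and uses the first whose match-clients list matches the querying address, so the internal view must come first. For the client side to be "seamless" as the post describes, the VPN endpoint must also push this server's address as the DNS server and example.internal as the search suffix, otherwise the user still has to type full names or edit settings by hand.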