Author Topic: Simple & good VPN router?  (Read 2058 times)


Online nctnico

  • Super Contributor
  • ***
  • Posts: 22008
  • Country: nl
    • NCT Developments
Simple & good VPN router?
« on: October 01, 2021, 07:42:11 pm »
I inherited some more tasks and one of them is getting VPN links up & running. I hope to offload this task ASAP but for now  :'(

Anyway, the system is set up using a central VPN server running OpenVPN. What I would like to know is what is the absolute simplest router to add client networks. Currently routers from Mikrotik are being used and while these look great, they have way too many settings and way too many ways to shoot yourself in the foot. For example: I examined one of the configured routers and it turns out that some ports allow getting onto the network at the side which connects to the internet.

What I'm looking for is a router which has 1 'WAN' port and 1 (or more; if it has an internal switch) VPN client ports but all client ports must adhere to the same security settings so connecting something to the other ports makes no difference. Any suggestions?
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 4166
  • Country: hr
Re: Simple & good VPN router?
« Reply #1 on: October 01, 2021, 09:09:46 pm »
In my opinion Mikrotik is the simplest and cheapest equipment that isn't a toy.
But my network knowledge is quite advanced so I understand it can be a bit much if you're not ready or interested to spend some time learning it to some level.

Mikrotik has a Quick Set page in Winbox. There you can basically set up all of the stuff you need.
Start by resetting the router to factory settings (if it is not a new one).

On that page you can set one port (by default Eth1) to be the WAN port and its IP config (for Internet).
Then you set the local network subnet and, if needed, DHCP.
Enable NAT (now you have all internal traffic to WAN NATed and firewalled).

And enable VPN access.
That will enable basic username/password based VPN (for more advanced security you need to go deeper) and also give you a DynamicDNS host name to connect to.

And that is it.
You can now go and take a look in detail at what it has set up and get a feeling for what is needed.

 
The following users thanked this post: nctnico

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1397
  • Country: br
Re: Simple & good VPN router?
« Reply #2 on: October 02, 2021, 11:29:52 am »
> In my opinion Mikrotik is the simplest and cheapest equipment that isn't a toy.
> (..)

1+ Mikrotik.

That is TRUE and being a customized Linux all networking goodies are ready to deploy.
Their console interface is easy to adapt and hardware very affordable.

Best option besides very expensive CISCO stuff

Paul
 
The following users thanked this post: nctnico

Online nctnico

  • Super Contributor
  • ***
  • Posts: 22008
  • Country: nl
    • NCT Developments
Re: Simple & good VPN router?
« Reply #3 on: October 02, 2021, 07:13:05 pm »
> In my opinion Mikrotik is the simplest and cheapest equipment that isn't a toy.
> But my network knowledge is quite advanced so I understand it can be a bit much if you're not ready or interested to spend some time learning it to some level.

Well, I used to set up this kind of networking gear but lost interest in doing this sort of work a long time ago. Nowadays I want something that just works quickly & easily. I guess I have to dig a bit deeper into the Mikrotik then and see if there is a guided way to get it to do what I want (keys, routes, physical ports, firewall, etc). BTW: I don't need to set up a VPN server, I need to set up a VPN client in the form of a router which uses keys to access a (fixed IP) VPN server.
« Last Edit: October 02, 2021, 07:16:56 pm by nctnico »
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1397
  • Country: br
Re: Simple & good VPN router?
« Reply #4 on: October 03, 2021, 08:18:51 am »
Check their site for demos or trials of new firmware kernels..

They used to have very good demos that can be tested inside any decent vm like qemu

I may be outdated on these but that used to be quite a good test before deploying new stuff

Paul
 

Offline voltsandjolts

  • Supporter
  • ****
  • Posts: 1438
  • Country: gb
Re: Simple & good VPN router?
« Reply #5 on: October 03, 2021, 08:57:38 am »
Another one to consider is DrayTek, pretty good reputation, web interface is sane.
 
The following users thanked this post: nctnico

Offline nfmax

  • Super Contributor
  • ***
  • Posts: 1392
  • Country: gb
Re: Simple & good VPN router?
« Reply #6 on: October 03, 2021, 10:02:22 am »
Also the Firebrick 2900 https://www.firebrick.co.uk/fb2900/ - most probably wildly over-specified for your needs but provides full firewall facilities and top-notch support from the manufacturer
 

Offline Shock

  • Super Contributor
  • ***
  • Posts: 3740
  • Country: au
Re: Simple & good VPN router?
« Reply #7 on: October 03, 2021, 11:30:24 am »
If they already have Mikrotik hardware that does what you need then fixing the open port/service problem and expanding with the same hardware is the right way to go. Purchase extra units and power supplies for redundancy as well. If you can't secure them or pinpoint and resolve vulnerabilities then you need someone with more expertise to help out.

Edit:

Most network guys will dump the config, if it has no plain text you can do it in the CLI then compare to another router, also an open or routed port may be like that for a reason or even legacy. This is why documentation is important.

« Last Edit: October 03, 2021, 11:41:56 am by Shock »
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oscilloscopes: Lecroy 9314, Philips PM3065, Tektronix 2215a, 314
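
The dump-and-compare check suggested in the reply above, as an added example that is not part of the original thread: it parses two RouterOS text exports section by section and lists the commands present on only one router. Both exports are constructed samples, and the interface names and the extra rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample exports, not taken from any real router.
REFERENCE = r"""
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1
"""
SUSPECT = r"""
/interface bridge port
add bridge=bridge interface=ether2
/ip firewall filter
add action=accept chain=input connection-state=established,\
    related
add action=accept chain=input dst-port=8291 in-interface=ether1 \
    protocol=tcp
add action=drop chain=input in-interface=ether1
"""

def parse_export(text):
    """Map each menu path (e.g. '/ip firewall filter') to its set of commands."""
    sections, path, pending = defaultdict(set), None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):   # blank line or header comment
            continue
        if line.endswith("\\"):                # wrapped line: join with the next
            pending = line[:-1]
        elif line.startswith("/"):             # new menu path
            path = line
        elif path:                             # command under the current path
            sections[path].add(" ".join(line.split()))
    return sections

def diff_exports(reference, suspect):
    """Return {path: (only_in_reference, only_in_suspect)} for differing sections."""
    ref, sus = parse_export(reference), parse_export(suspect)
    out = {}
    for path in sorted(set(ref) | set(sus)):
        missing, extra = ref[path] - sus[path], sus[path] - ref[path]
        if missing or extra:
            out[path] = (sorted(missing), sorted(extra))
    return out

if __name__ == "__main__":
    for path, (missing, extra) in diff_exports(REFERENCE, SUSPECT).items():
        print(path, *("  - " + c for c in missing), *("  + " + c for c in extra), sep="\n")
```

On the sample data this reports a port missing from the bridge and an extra accept rule on the WAN-side interface; the comparison is on whole command lines, so rule order within a section is not checked.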
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 22008
  • Country: nl
    • NCT Developments
Re: Simple & good VPN router?
« Reply #8 on: October 10, 2021, 10:25:21 am »
> If they already have Mikrotik hardware that does what you need then fixing the open port/service problem and expanding with the same hardware is the right way to go. Purchase extra units and power supplies for redundancy as well. If you can't secure them or pinpoint and resolve vulnerabilities then you need someone with more expertise to help out.

I'm looking at it from a different angle: the configuration I need is not something very special so I shouldn't need to go through a lot of steps or have a lot of options to get the configuration going. In the end more steps & more options means more chances for things to go wrong. Also, using a standard configuration (either through a wizard or by having limited options) means that all the hard work has been done already. No need to re-invent the wheel / waste time & money.

So all in all I'm going to look at the Mikrotik configuration tool to see if it can make the router do what I want without needing to dive deep into the configuration and have a look at the DrayTek routers as well.
 

Offline Shock

  • Super Contributor
  • ***
  • Posts: 3740
  • Country: au
Re: Simple & good VPN router?
« Reply #9 on: October 10, 2021, 02:55:30 pm »
I understand your reasoning. It's just bad practice from a technical standpoint, experienced network engineers would not change standardized infrastructure if a config change or firmware update could resolve the problem. Does depend on the scale of the business and circumstances of course, if the hardware is outdated and EOL it's justified but you would still typically also stay with the same vendor if proven reliable.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 5361
  • Country: nl
Re: Simple & good VPN router?
« Reply #10 on: October 10, 2021, 08:20:48 pm »
Mikrotik has some scary history with Winbox, they were already popular at the time ... and their coding was trash at the time.
 

Offline Shock

  • Super Contributor
  • ***
  • Posts: 3740
  • Country: au
Re: Simple & good VPN router?
« Reply #11 on: October 10, 2021, 09:02:06 pm »
If you leave a public side service open, people will test it for you :D.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 6369
  • Country: de
  • A qualified hobbyist ;)
Re: Simple & good VPN router?
« Reply #12 on: October 10, 2021, 09:07:18 pm »
Simple & good VPN router? Never seen one. If you want a simple VPN solution have a look at WireGuard.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 5361
  • Country: nl
Re: Simple & good VPN router?
« Reply #13 on: October 10, 2021, 11:51:06 pm »
> If you leave a public side service open, people will test it for you :D.

If you create your own public side service protocol and do it poorly you have no one to blame but yourself, they should have just tunneled through SSH.
 

