Virtual Private Networks (VPN)
VPNs are very useful, great even. They enable "road warriors" to use your secured network services. But from a server and network administrator's point of view I tell you: "Forget all those bloated VPN solutions".
Problems with well known solutions
Every commercial solution I have stumbled upon on the Internet works the following way:
1. start your VPN client
2. the VPN client takes over all of the machine's network interfaces
3. ALL network traffic is redirected through the VPN client, and thus through the target network, as soon as a VPN connection has been established
I think this is bad, because:
- Most often the connecting client desktops are home based and therefore not managed by the SysAdmins of the company's network. This rips the company's network wide open to any kind of attack. Network security no longer exists. Do not trust any "road warrior" desktop!
- Trojans on rogue road warrior desktops gain full access to all IP protocols and all services on the company's net, unless you install highly sophisticated firewall rules. But why let them in and then block them out? It is too prone to misconfiguration.
- My home DSL downlink provides much more speed than my company's uplink. Thus I lose a lot of speed. While surfing, I consume my company's bandwidth twice: fetching from the Internet and downloading to my desktop. This really sucks.
- The SysAdmin of the target network can sniff all my network activities. Bye bye data privacy, even at home.
I much dislike the thought that any unmanaged, possibly Trojan/virus infected client machine (a taken-over spambot) may slip into the secured network, passing the border firewall. In that case the network is wide open unless a DMZ is established.
Much simpler, cheaper solution
Use SSH to tunnel all needed TCP protocols and leave everything else untouched on the client machine. You get access to all necessary resources without opening your whole network. All necessary software is free and consumes a lot less CPU power.
Server side installation
In case you do not own a Linux server, use Cygwin to install a free SSH server (see this HOW-TO). Then redirect a single port on your firewall to port 22 of your new VPN server, e.g.:
<external IP>:8433 -> <internal server>:22
Another useful thing is a proxy server on the VPN server. That is all you need on the server side. You get even better security if you run it in a virtual machine, like VirtualBox (free). And you may restrict the destinations that a client may open a tunnel to (sshd setting "PermitOpen"), so no complicated firewall rules are needed.
Client side setup
All you need is PuTTY, a free SSH client (most Linux distributions come with OpenSSH preinstalled)! Use the Firefox plugin FoxyProxy to selectively use the VPN proxy only for the required internal company web applications. Alternatively you may write a proxy autoconfiguration (PAC) file, which works for nearly every modern browser (even IE).
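As an added example (not part of the original post), here is such a proxy autoconfiguration file. It assumes the SSH client forwards local port 3128 to the proxy on the VPN server, and that the internal applications live under the constructed domain intranet.example.com or in the 10.0.0.0/8 range; it uses only plain string and integer operations so it also works in older browser PAC engines and can be run stand-alone for testing.

```javascript
// PAC file: only the company's internal web applications are sent through
// the proxy reached via the SSH tunnel; everything else stays DIRECT, so no
// general traffic from the home desktop ever enters the company network.
// Assumption (constructed for this example): "ssh -L 3128:<proxy>:3128 ..."
// has been set up, so the proxy is reachable on the local loopback port.
var TUNNELLED_PROXY = "PROXY 127.0.0.1:3128";

// Suffix match of a host against a DNS domain, written without the
// browser-provided dnsDomainIs() so the file runs outside a browser too.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  var suffix = "." + domain;
  return host === domain ||
    (host.length > suffix.length &&
     host.lastIndexOf(suffix) === host.length - suffix.length);
}

// Dotted-quad IPv4 literal to an unsigned integer; -1 if not an IPv4 literal.
function ipToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True if host is an IPv4 literal inside the given CIDR prefix (e.g. 10.0.0.0/8).
function ipInCidr(host, cidr) {
  var parts = cidr.split("/");
  var ip = ipToInt(host), net = ipToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  if (ip < 0 || net < 0) return false;
  var blockSize = Math.pow(2, 32 - bits);   // addresses covered by the prefix
  return Math.floor(ip / blockSize) === Math.floor(net / blockSize);
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  // Short names without a dot (e.g. "wiki") only resolve inside the company.
  if (host.indexOf(".") === -1) return TUNNELLED_PROXY;
  if (hostInDomain(host, "intranet.example.com")) return TUNNELLED_PROXY;
  if (ipInCidr(host, "10.0.0.0/8")) return TUNNELLED_PROXY;
  // Everything else goes out over the home DSL link directly.
  return "DIRECT";
}
```

Point the browser (or FoxyProxy) at this file; only the matched hosts are proxied, and the SSH forward plus sshd's PermitOpen decide what the tunnel may reach on the server side.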
Best of all, you may even access the company's file server if you follow this How-To and the pictures linked in there. Install a Windows loopback adapter, creating a virtual network interface, and use it to redirect Windows share traffic to the remote file server. You will definitely feel like you are working in the office, especially if you also connect your instant messenger.
Now you can access all your files on the VPN file server and use the company's internal web applications. All this without opening the door to network attacks and network scanning, and without any license fees.
Caveat
Of course there is a restriction. You cannot easily tunnel UDP! This means: no VoIP phone! Fortunately there is a solution; Linux experts will love it. You may try it with Cygwin on your Windows box.
(nr)