
Which distro for a VPN firewall?

Fardringle

Diamond Member
One of my client offices has been running their network based on a cheap 4 port Linksys router. This has actually worked OK for them as they don't really use much Internet bandwidth and all of their internal traffic goes through a pair of 16 port switches.

Anyway, a few of the office employees are going to start working from home in the near future. Up until now I have been having any remote users connect to their designated office computers using VNC if they need to access the network while not in the office. This works OK but isn't ideal since it means they have to have a dedicated computer in the office as well as one at home and I have to set up port forwarding separately for each individual person that will be connecting from outside the office.

I'd like to make things more efficient (and hopefully more secure as well) by having remote users connect to the network using VPN and then run their applications directly on their home computers but saving the data on the Small Business 2003 server in the office so that I can back it up daily. The boss doesn't want to spend any money on this as he just bought several new computers for the office and his "computer budget" is tapped out for a while. I do have a spare Celeron 2Ghz computer that was just replaced that I can use as a Linux firewall.

My question is this: is there a Linux distro that will not only act as a solid Internet firewall (I know there are several of these) but will also allow users to connect through VPN and authenticate on the Windows SBS 2003 network so that their home computers will have rights to access shared resources on the network?

I suppose I could just open the ports on the firewall, use IPSEC passthrough, and let the SBS server do the VPN authentication, but I would need a Linux firewall that will allow as many as 10 simultaneous VPN tunnels to be open. The Linksys router they have now will let me do this but only for two tunnels at a time. They won't be using more than 2 or 3 at a time most of the time, but there are situations where they may need as many as 10, so I'd like to be prepared ahead of time. 🙂



To make a somewhat long post short:

I need a Linux distro that will act as an Internet firewall and that will either act as a VPN server and authenticate to Active Directory on an SBS 2003 server, or that will allow me to forward ports directly to the SBS 2003 server and use IPSEC passthrough for up to 10 simultaneous VPN connections.
 
For VPN I assume that you want to use PPTP?

Personally I like OpenVPN. Its idea is that you're going to do network tunnelling via HTTPS. It's nice because it's open and supported under different OSes and it's nearly impossible for people to block. When you're traveling sometimes it's hard to establish a PPTP connection, and sometimes people will actually block VPN and try to charge people extra to allow that sort of stuff. With OpenVPN it works as long as you're able to access the web. It'll work even over an HTTP proxy.

There is an LDAP plugin for OpenVPN, but I don't know about Active Directory. From an end user's standpoint on Windows, what would happen is that you install the OpenVPN program, then give them a file that has the authentication stuff to allow them to connect. The file contains IP address information and the SSL/TLS certs needed to connect and any other configuration information needed.

I donno. I just like OpenVPN, I guess.

Of course with PPTP it's nice because all Windows OSes support it out of the box. That's what is used at my work.


Any Linux distro can work for you. It just depends on how much effort you want to put into it. If I had time and total control over everything I'd like to use Debian + Shorewall Firewall + OpenVPN. I'd set up different networks: the LAN client stuff, a DMZ LAN for internet servers, a virtual network for VPN, and the external network/internet connection. Then probably set up ntop for network statistics over a web interface. If I needed it to be easy for laymen to set up I'd use Webmin and use its plugins for handling user accounts and OpenVPN and other such things. Then as I needed different things I'd add them. For example, if I was worried about inappropriate websites being mistakenly clicked on I'd block web access and set up DansGuardian for filtering. Something like that.

Other people just simply _love_ OpenBSD. All pretty much the same software except for the firewall, which is superior in OpenBSD as far as configuration and administration is concerned.


But it sounds like you want to have something that is all pre-configured and possibly has commercial support options.

The three I am most familiar with are Clarkconnect, IPcop, and Smoothwall. I used IPcop for a while, but had bad experiences with it as it seemed inefficient and slow at advanced configurations. (Now I use Shorewall firewall and Debian and haven't looked back.)

So it's mostly Clarkconnect vs Smoothwall. Both have no-cost versions and commercial support options. Obviously the commercial support version has more features that aim it towards larger corporate networks.
I've never used either but have looked at them closely and otherwise they seem fine.

Clarkconnect is targeting the SOHO market. This server is something you'd set up for a home office. It features a web interface, file sharing, email filtering/virus scanning, web proxy, and other such normal everyday office networking software in one server.

It features PPTP and IPSEC firewall support. I didn't see any sort of Active Directory support, but I assume you could configure Samba to link to your AD and automatically add users to the system, then configure through the web interface which has access to what. Not too sure.

Smoothwall, in comparison, does advertise Active Directory integration (as well as Novell eDirectory and OpenLDAP support). For VPN stuff it advertises support for PPTP, L2TP, and IPsec. It has support for setting up a PKI infrastructure and other happy things that will make it easy to handle who and what is able to connect, disable users, and other such things.

For AD integration and how that works, I don't know. You'd probably want to talk to them.

I got most of this stuff from here:
http://www.smoothwall.net/products/comparison.gpl.php

However this stuff is only supported in their commercial offerings. You'd probably want advanced firewall v2 and that's going to be 300 dollars or so, I am guessing. Their prices are in Euros in their online store.

Now all of these features and such are done using mostly open source software. So what you're buying is support.

If you don't need the support, then most of this can be done on your own using Debian or Fedora or whatever. But I think for this sort of stuff it's worth the cost.

The only downside is that you'll have a lot of extra features you're not going to use, and this isn't a very good thing to have as far as security is concerned.

Hope that helps.

 
OP could also install something like dd-wrt or openwrt on his Linksys router, depending on what Linksys router he has. They both include support for OpenVPN (and probably PPTP, maybe L2TP/IPSEC). I use dd-wrt at home and at a few remote office locations for work. They have always worked great at the offices, but for some reason my home one has issues getting DHCP information. I have always heard that the White Russian version of OpenWRT was much more reliable and stable than dd-wrt, and now their much-anticipated Kamikaze version has been released as stable/final/whatever, so I think personally I'm going to give OpenWRT a try.

As for i386 hardware, OpenWRT does actually have an i386 port, but I would probably go with pfsense.
 
How much minimum internet speed is required to connect a computer to another computer through VPN? I want to connect my computer to another computer through VPN. How much minimum internet speed is required to connect a computer to another computer through VPN? Is 1Mbps OK?
 
OpenVPN supports Active Directory. We have the 'commercial version' of OpenVPN, which costs 5.00 per concurrent user per lifetime. Plus it has a nice web GUI hooked into our LDAP server.

m0n0wall, IPCop, etc. should meet your needs.
 
I use OpenVPN at home and have it set up at work to VPN into my home network. Sometimes I want to test stuff at home in a VM (more disk space at home). It's a pita to set up though, but once you've got it going it's nice.
 
How much minimum internet speed is required to connect a computer to another computer through VPN? I want to connect my computer to another computer through VPN. How much minimum internet speed is required to connect a computer to another computer through VPN? Is 1Mbps OK?
Hey, look, a necrophiliac! 😱

(Please don't bump really old threads.)

That said, 1Mbps should be OK for most things. It largely depends on what you're pushing over the network.

Once, when my DSL went down, I connected to a VPN through a 56K modem. It was just barely OK, to connect to Outlook and such, some of the time. I finally discovered that my bittorrent client on another computer was still running! :$ I think without that it would have been barely OK most of the time.
 
I use OpenVPN at home and have it set up at work to VPN into my home network. Sometimes I want to test stuff at home in a VM (more disk space at home). It's a pita to set up though, but once you've got it going it's nice.

Their commercial product is dead simple to install. Just download the deb file and install it. Then you run a script and answer 3 questions. Then everything else is managed via the browser.

You get 2 concurrent users free, each additional user is 5 bucks.
 
Their commercial product is dead simple to install. Just download the deb file and install it. Then you run a script and answer 3 questions. Then everything else is managed via the browser.

You get 2 concurrent users free, each additional user is 5 bucks.

They've gone commercial now? Damn. That kinda stinks. Hopefully they'll still keep and support the free version.
 
They've gone commercial now? Damn. That kinda stinks. Hopefully they'll still keep and support the free version.

Oh yeah, you can still download the free clients and it's still open source. Honestly we have wanted to donate to this project for years. Getting an improved interface is just a plus.

I call it value added open source. They build a great open source project, then they build a great tool for that project that is not open source. Sell that tool. It's a win for everyone.

We bought 20 licenses (which gives us 22 concurrent logins) as a test. The system is great, it's integrated with our LDAP and deployment is dead simple. The user just goes to a URL, logs in with their Novell credentials and downloads an exe. That exe installs the client, the certs, the conf, everything. If they are Mac or Linux they provide links to instructions and a conf file with the certs embedded in it.

It was the easiest sell I ever had to my boss. Prior to that I had to have each worker bring me their computer. Generate certs, install the client, customize the conf file for the certs, etc. Now I just email them a URL.
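What the single "file with the authentication stuff" from the earlier OpenVPN reply, and the "conf file with the certs embedded in it" handed to Mac/Linux users above, looks like in practice. This is an added illustration, not a file from this thread or from any vendor's product; the hostname, proxy address and PEM bodies are placeholders, and it assumes the server side is configured for certificate plus username/password (LDAP plugin) authentication as the posts describe.

```conf
# Added example of a unified OpenVPN client profile (client.ovpn).
# Placeholders: vpn.example.com, proxy.example.com and every PEM body below.
client
dev tun
proto tcp                 # TCP so the tunnel can run on 443 and traverse HTTP proxies
remote vpn.example.com 443
# Uncomment when the only way out is a corporate web proxy (placeholder address):
# http-proxy proxy.example.com 3128
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server    # reject a peer whose certificate is not a server certificate
auth-user-pass            # prompt for the directory (LDAP/AD) username and password
verb 3

<ca>
-----BEGIN CERTIFICATE-----
(placeholder: PEM body of the CA certificate that signed the server cert)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(placeholder: PEM body of this user's client certificate)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(placeholder: PEM body of this user's private key; the whole file is therefore a secret)
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(placeholder: shared HMAC key; packets without a valid HMAC are dropped before the TLS handshake)
-----END OpenVPN Static key V1-----
</tls-auth>
```

Because the private key is inlined, the profile should be delivered over an authenticated channel (the login-then-download portal described above) and each user's certificate should be revoked individually when that person leaves, rather than the shared CA being reissued.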
 
Oh yeah, you can still download the free clients and it's still open source. Honestly we have wanted to donate to this project for years. Getting an improved interface is just a plus.

I call it value added open source. They build a great open source project, then they build a great tool for that project that is not open source. Sell that tool. It's a win for everyone.

We bought 20 licenses (which gives us 22 concurrent logins) as a test. The system is great, it's integrated with our LDAP and deployment is dead simple. The user just goes to a URL, logs in with their Novell credentials and downloads an exe. That exe installs the client, the certs, the conf, everything. If they are Mac or Linux they provide links to instructions and a conf file with the certs embedded in it.

It was the easiest sell I ever had to my boss. Prior to that I had to have each worker bring me their computer. Generate certs, install the client, customize the conf file for the certs, etc. Now I just email them a URL.

Well that's good to hear then. I just hate when open source/free projects go commercial and stop supporting the free version or stop making them.
 