Home VPN

The Astroman

Active Member
I'd like to set up a VPN server at home for secure remote file access, server and computer management. It needs to be cross-platform (specifically Windows, Linux and iPhone OS).

Can I set up an L2TP/IPsec VPN with a DynDNS system behind a NAT and access it from behind another NAT?

Geoff

VIP Member
Yup. I did just that. I set up a VPN on a home computer running Server 2008 which was behind a Linksys router and Comcast cable modem with NAT. You just need to either forward the ports, or put your computer in the DMZ of the router, set up a DynDNS account with DynDNS Updater on the server, configure the server a bit with users, file sharing, etc., and then set up the VPN service on the server. I was able to connect to the VPN from work on my Mac behind a SonicWall and cable modem running NAT, from my Windows 7 and XP machines from work, and on my iPhone 3G running over the cellular network. Keep in mind though that the iPhone only supports one type of VPN authentication; I don't have one anymore so I can't remember which one it is. Unless the newer updates added more VPN support.

The Astroman

Active Member
[-0MEGA-] said:
I set up a VPN on a home computer running Server 2008
How easy is Server 2008 to install, as I have no experience with any Microsoft Server products?
EDIT: my college's MSDN-AA license only allows me to download Web Server 2008, does this still have VPN capabilities? What's an alternative to Microsoft OS? Because there is no way I'm going to buy Microsoft Server as it's very expensive.
[-0MEGA-] said:
I was able to connect to the VPN from work on my Mac behind a SonicWall and cable modem running NAT, from my Windows 7 and XP machines from work, and on my iPhone 3G running over the cellular network.
Interesting - so you're saying you were able to access the VPN from BEHIND a NAT? Do we owe that to Server 2k8?
Is it an L2TP/IPsec type VPN?
[-0MEGA-] said:
Keep in mind though that the iPhone only supports one type of VPN authentication, I don't have one anymore so I can't remember which one it is.
You're saying you have NO authentication method for your VPN?
The iPhone supports MANY authentication methods, as this Apple KB shows.
[-0MEGA-] said:
Unless the newer updates added more VPN support.
FYI, iPhone OS 4.0 (due (late) summer) will feature SSL VPN capabilities.

tlarkin

VIP Member
I would recommend setting it up on the router level. Get a DD-WRT supported router and a lot of that stuff is built in. You may still need the client software on the client side, but it is easy.

Server 2008 is a waste of money for home usage, and unless you work for a company that has an MSDN subscription, you will most likely be obtaining an illegal copy, as the most basic server OS from MS is priced at $1,000.00 USD.

If you want to get ultra nerdy, set up ssh, with ssh keys enabled, then you can ssh into your home network with no authentication as long as you have the proper keys.

Geoff

VIP Member
How easy is Server 2008 to install, as I have no experience with any Microsoft Server products?
EDIT: my college's MSDN-AA license only allows me to download Web Server 2008, does this still have VPN capabilities? What's an alternative to Microsoft OS? Because there is no way I'm going to buy Microsoft Server as it's very expensive.
It's pretty simple to install, but since you cannot get the full version then you may not want to go that route, as I don't know for sure if your version has VPN capabilities.

Interesting - so you're saying you were able to access the VPN from BEHIND a NAT? Do we owe that to Server 2k8?
Is it an L2TP/IPsec type VPN?
The cable modem has NAT built in, at both locations. It's been a while since I've had it setup so I can't say for sure, but I believe it was L2TP/IPSec.

You're saying you have NO authentication method for your VPN?
The iPhone supports MANY authentication methods, as this Apple KB shows.
The iPhone does not support L2TP over IPSec if you use Kerberos for authentication, which lots of companies do. If you are setting this up for yourself it's not much of an issue as you can choose another type of authentication method.

I would recommend setting it up on the router level. Get a DD-WRT supported router and a lot of that stuff is built in. You may still need the client software on the client side, but it is easy.

Server 2008 is a waste of money for home usage, and unless you work for a company that has an MSDN subscription, you will most likely be obtaining an illegal copy, as the most basic server OS from MS is priced at $1,000.00 USD.

If you want to get ultra nerdy, set up ssh, with ssh keys enabled, then you can ssh into your home network with no authentication as long as you have the proper keys.
Agreed. I was able to get Server 2008 Enterprise free through my MSDNAA subscription, that's why I used that. I've never messed with setting up a VPN on a consumer level router, so I didn't even think about that.

You could buy Windows Home Server, but I don't know if that has VPN capabilities either.

tlarkin

VIP Member
I think Windows Home Server is a glorified file server... never touched it though.

You can do most things over a ssh tunnel, but I was saying for ultra geek Internet cred, ssh is the way to go. It is all command line access.

What is your higher goal here? Just remote desktop or VNC connection? VPN is ultra slow, but you can accomplish the same thing by routing a port range to each client, and then using many of the free open source remote desktop apps (be wary of encryption, some don't support it) and track it with dynamic DNS.

However, in the end, it is so much easier to just use logmein.com. I use it on work and home computers. I was at a meeting the other day (Apple training) and I was about 22 miles out of town away from work. Co-worker calls and is freaking out about a server that is running Tomcat because the memory allocation is not right (according to him), so I just used logmein to remote into my work desktop (iMac) which has ARD admin on it, and used that to access the server and fixed it from there.

Geoff

VIP Member
I love LogMeIn. I use ARD when I am within-district, and use LogMeIn if I were at home, conference, or just off-site in general. However the free version doesn't allow file transfers.

I remember for me, having a VPN between home and wherever I was just felt pretty cool... for the first few days. Being able to access network shares, remote access, manage my modem and router off-site, etc. I ended up taking it down simply because I didn't use it enough to warrant having a dedicated server running 24/7 with VPN capabilities.

tlarkin

VIP Member
[-0MEGA-];1459167 said:
I love LogMeIn. I use ARD when I am within-district, and use LogMeIn if I were at home, conference, or just off-site in general. However the free version doesn't allow file transfers.

I remember for me, having a VPN between home and wherever I was just felt pretty cool... for the first few days. Being able to access network shares, remote access, manage my modem and router off-site, etc. I ended up taking it down simply because I didn't use it enough to warrant having a dedicated server running 24/7 with VPN capabilities.

logmein free version + dropbox free version = secure file transfer and remote desktop....

The Astroman

Active Member
I'd like to setup a VPN server at home for secure remote file access, server and computer management.

File access: pretty self explanatory (dunno which sort of setup is best, FTP?)
Server and computer management: WoL, shutdown, manage, update, etc.

VPN is for:
- security: I am stringent on security (borderline paranoid?!), even for personal usage.
- very powerful (as if my laptop was at home on my LAN aka I can do anything)
- experience: I've never set up a VPN before and am a keen learner
- "geek cred", why not.

I'm open to alternative suggestions.
VNC is, I have read, insecure. It's an ideal setup which would work great for my management needs, but how can I guarantee secure connection? VNC is very versatile and would work on Linux, iPhone OS, Windows, Mac OS, etc.

WoL is no problem, I already have correct ports forwarded, BIOS and NICs set up for it on the individual machines. HOWEVER, it offers NO security, as anyone could wake my PC provided they have the magic packet and my DynDNS address. I can send magic packets from any OS, including iPhone.

As for file management, I'm considering FTP because I don't really know what else would fit the bill, but still there are security concerns, and I'm not sure FTP is the most secure. Maybe SFTP? Again, SFTP is supported by most OS, so very versatile too.

So as you can see, I could very well go without VPN - but I don't know how I could have a robust encryption of all feeds coming in and out of the gateway pertaining to the aforementioned uses. VPN creates a tunnel and encrypts data, which fits the bill. The idea is to be able to easily yet securely access all these resources without needing (if possible) third-party software - VNC Java Viewer in the browser, SFTP from browser, WoL from browser... Ideally, I would set up a web server with a secured web page with a link to the VNC Java Viewer, one to open SFTP for file transfer, and one which would order the server to send a WoL signal to the specified computer.
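The point made above about Wake-on-LAN having no security is easy to see once you look at what a magic packet contains. The following is an added example, not code from this thread: it builds a magic packet for a given MAC, parses a captured UDP payload to see which MAC it would wake (useful for logging wake attempts hitting the forwarded port), and shows that the whole "secret" is the MAC address. The hostname and port in wol_send are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. A Wake-on-LAN "magic packet" is
# 6 bytes of 0xFF followed by the target MAC repeated 16 times (102 bytes).
# There is no sender identity, nonce or signature in it, which is exactly why
# knowing the MAC plus the public DynDNS name is enough to wake the machine.

# Build the magic packet for a MAC like 00:11:22:33:44:55 and print it as hex.
wol_magic_hex() {
    mac=$(printf '%s' "$1" | sed 's/[:-]//g' | tr 'A-F' 'a-f')
    [ "${#mac}" -eq 12 ] || return 1
    case "$mac" in *[!0-9a-f]*) return 1 ;; esac
    pkt=ffffffffffff                      # synchronization stream
    i=0
    while [ "$i" -lt 16 ]; do
        pkt="$pkt$mac"                    # MAC repeated 16 times
        i=$((i + 1))
    done
    printf '%s' "$pkt"
}

# Given a captured UDP payload as hex, print the MAC it would wake, or fail
# if it is not a well-formed magic packet. Handy for logging wake requests
# arriving on the forwarded port, since the packet says nothing about who
# sent it; the only thing you can record is the target and the source IP.
wol_target_mac() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ "${#hex}" -eq 204 ] || return 1
    rest=${hex#ffffffffffff}              # must begin with the 0xFF stream
    [ "${#rest}" -eq 192 ] || return 1
    mac=${rest%"${rest#????????????}"}    # first 12 hex digits after it
    [ "$(wol_magic_hex "$mac")" = "$hex" ] || return 1   # all 16 copies agree
    printf '%s' "$mac" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Send the packet to your own DynDNS name on the UDP port you forwarded.
# Placeholder host/port; xxd turns the hex into raw bytes for nc.
wol_send() {
    wol_magic_hex "$1" | xxd -r -p | nc -u -w1 "${2:-myhome.dyndns.example}" "${3:-9}"
}

# Constructed sample payload, written the way a capture tool shows it in hex.
SAMPLE_PAYLOAD="ffffffffffff$(i=0; while [ "$i" -lt 16 ]; do printf '001122334455'; i=$((i + 1)); done)"
```

Run `wol_target_mac "$SAMPLE_PAYLOAD"` to get `00:11:22:33:44:55` back; feed it a payload with one altered byte and it fails, because every one of the 16 copies must match. The parser is the interesting half for a defender: since the packet carries nothing to authenticate, the practical mitigations are keeping the forwarded port closed except when needed, or sending the wake from a host you reach over an authenticated channel (SSH or the VPN) rather than exposing WoL to the Internet at all.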

tlarkin

VIP Member
Just google search VNC over ssh tunnel and it will give you all the options to do VNC over a secured encrypted connection.

The Astroman

Active Member
Just google search VNC over ssh tunnel and it will give you all the options to do VNC over a secured encrypted connection.

Ok, so that's for VNC. Thanks I'll look into it, it looks promising!
What about file management and WoL, is there any way I can secure access to these resources?

tlarkin

VIP Member
Ok, so that's for VNC. Thanks I'll look into it, it looks promising!
What about file management and WoL, is there any way I can secure access to these resources?

www.dropbox.com gives you two free gigs of file sync space, I use it to sync documents all the time. As for larger files, well, I guess you could just either host them via HTTP or SFTP, but you'll need to set that up. FTP is not secure because it sends passwords in plain text.

WOL you will have to configure through your router and track with DynDNS.

The Astroman

Active Member
www.dropbox.com gives you two free gigs of file sync space, I use it to sync documents all the time. As for larger files, well, I guess you could just either host them via HTTP or SFTP, but you'll need to set that up. FTP is not secure because it sends passwords in plain text.

WOL you will have to configure through your router and track with DynDNS.

I absolutely do not want to resort to online web storage. SFTP is, I think, the way to go.
Could I use the same SSH secure channel to carry the VNC AND the FTP feed?

As for WoL, is there no way to secure it? Basically, equipped with my DynDNS address and my MAC address, anyone can turn on my equipment. Is there any authentication possibility for WoL?
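Two of the questions in this thread, VNC over an SSH tunnel and whether the same SSH channel can carry both VNC and the file transfers, come down to one multiplexed SSH session. The block below is an added example, not something posted by anyone in the thread: it prints the ssh command for the master session with the VNC port forward, the sftp command that reuses that session through its control socket, and a small audit of an sshd_config for the "keys only" settings. HOME_HOST, HOME_USER, LAN_PC and the control socket path are assumed placeholders; the audit only reads the first uncommented occurrence of each directive and insists that it be set explicitly.

```shell
#!/bin/sh
# Added example, not code from the thread. One SSH connection to the home box
# carries the VNC session and the SFTP transfers; a small check confirms the
# server really is "keys only". Assumed names: HOME_HOST (your DynDNS name),
# HOME_USER (account on the home Linux machine), LAN_PC (LAN address of the
# box running the VNC server), SOCK (local control socket for multiplexing).
HOME_HOST=${HOME_HOST:-myhome.dyndns.example}
HOME_USER=${HOME_USER:-astro}
LAN_PC=${LAN_PC:-192.168.1.20}
SOCK=${SOCK:-$HOME/.ssh/home-master.sock}

# Print the command that opens the master SSH session. -M/-S create a control
# socket that other ssh-family tools can reuse; -N runs no remote shell; -L
# listens on 127.0.0.1:5901 locally and relays it to VNC (5900) on LAN_PC
# inside the encrypted channel, so the VNC server needs no router port
# forward and nothing else on the local network can reach the listener.
ssh_master_cmd() {
    printf 'ssh -M -S %s -N -L 127.0.0.1:5901:%s:5900 %s@%s\n' \
        "$SOCK" "$LAN_PC" "$HOME_USER" "$HOME_HOST"
}

# Print the sftp command that rides the same session (no second login, no
# second TCP connection), and the address the VNC viewer should be pointed at.
sftp_over_master_cmd() {
    printf 'sftp -o ControlPath=%s %s@%s\n' "$SOCK" "$HOME_USER" "$HOME_HOST"
}
vnc_viewer_target() { printf '127.0.0.1:5901\n'; }

# Audit an sshd_config file for the settings that turn "ssh with keys" into
# "keys only". sshd uses the first occurrence of each directive, so only the
# first uncommented line per directive is read; a directive left at its
# default is reported as missing on purpose. Returns 0 when all three pass.
sshd_keys_only_audit() {
    cfg=$1
    rc=0
    for want in "PubkeyAuthentication yes" "PasswordAuthentication no" "PermitRootLogin no"; do
        key=${want%% *}
        value=$(grep -Ei "^[[:space:]]*${key}[[:space:]]+" "$cfg" | head -n 1 | awk '{print tolower($2)}')
        if [ "$value" = "${want#* }" ]; then
            echo "ok:      $want"
        else
            echo "MISSING: $want (found '${value:-default}')"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for trying the audit offline ($1 = path,
# $2 = "good" or "bad"). The "bad" one has the safe line commented out,
# which is how a half-finished hardening job usually looks.
write_sample_cfg() {
    if [ "$2" = good ]; then
        printf '%s\n' "Port 22" "PubkeyAuthentication yes" \
            "PasswordAuthentication no" "PermitRootLogin no" > "$1"
    else
        printf '%s\n' "Port 22" "#PasswordAuthentication no" \
            "PasswordAuthentication yes" "PermitRootLogin yes" > "$1"
    fi
}
```

Start the session with `eval "$(ssh_master_cmd)"` in one terminal, point the VNC viewer at `127.0.0.1:5901`, and run `eval "$(sftp_over_master_cmd)"` in another; both ride the single key-authenticated connection, so only port 22 is exposed on the router. Binding the forward to 127.0.0.1 rather than all interfaces is the detail that keeps other machines on an untrusted network from using your tunnel as a path onto the home LAN.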

Geoff

VIP Member
www.dropbox.com gives you two free gigs of file sync space, I use it to sync documents all the time. As for larger files, well, I guess you could just either host them via HTTP or SFTP, but you'll need to set that up. FTP is not secure because it sends passwords in plain text.

WOL you will have to configure through your router and track with DynDNS.
How is that an alternative to LogMeIn's file transfer utility or accessing shared folders via a VPN? File transfers and file storage are different things.

tlarkin

VIP Member
[-0MEGA-];1459367 said:
How is that an alternative to LogMeIn's file transfer utility or accessing shared folders via a VPN? File transfers and file storage are different things.

It is file synchronization, so whatever you put in your Dropbox is available on all computers with the client installed, instantly, and it is free. It works on every platform and is independent of remote desktop connections. It is not quite the same thing, but it is a free alternative.

Geoff

VIP Member
It is file synchronization, so whatever you put in your Dropbox is available on all computers with the client installed, instantly, and it is free. It works on every platform and is independent of remote desktop connections. It is not quite the same thing, but it is a free alternative.
For one who is paranoid about companies being able to see your data I'm surprised you made this suggestion, besides 2GB is hardly enough storage. For me, I don't always know what I will need off-site, so I would like to have access to everything on my shares back on the LAN.

tlarkin

VIP Member
[-0MEGA-];1459401 said:
For one who is paranoid about companies being able to see your data I'm surprised you made this suggestion, besides 2GB is hardly enough storage. For me, I don't always know what I will need off-site, so I would like to have access to everything on my shares back on the LAN.

All storage is going off-site; it is cheaper than building data centers and storing it in-house. I don't put tax returns or anything in my Dropbox.

2 gigs is plenty for me as I have no need to sync large files. Not going to copy my DVD rip collection from home to work, plus I usually carry a laptop on me when I need such things.