
Re: [LUG] Macs & VPNs

On 17/09/18 09:52, Martin Gautier wrote:
> Hi all
> 
> Any hardware recommendations for setting up VPN client access for remote 
> MacOS users to access my Samba server gratefully received.
> 
> I'm looking for a (DrayTek?) router with VPN support that will work with 
> Apple's list of supported VPN protocols (L2TP?)
> 
> Remote MacOS users <--> Internet <--> Router <--> LAN <--> Samba server
> 
> I'd also want to use the router as a firewall and port forward IMAP
> 
> TIA
> 

Nope, but with your permission I'd like to do that annoying thing that 
people do on the internet when you ask for help with one thing and they 
promptly tell you that that's not what you actually want at all?

But let me check a few things first. You're planning on doing some good 
ol' file server work with this presumably - your remote Macs want access 
to the SMB/CIFS machine inside the office/remote site. Are the Macs 
under your control? Can you install software or ask for software to be 
installed/configured on them? Asking because you will find this much 
easier if you don't work within Mac constraints: i.e., don't reconfigure 
your systems to support typical Apple brain damage (like L2TP nonsense), 
instead configure the Macs to be grown up computers and talk to already 
perfectly working systems. Windows/Linux/UNIX are ready for this sort of 
actual work, Macs need babysitting and third party software to make them 
behave themselves. However, as a sysadmin I'm very used to not 
necessarily having a choice which is why I'm asking if you control the 
Mac clients as well. Also are the Macs static systems somewhere in 
another office or do they roam about with the users?

Is this a long term thing by the way or a quick job to briefly support a 
bunch of contractors? Asking to see how much money/effort you want to 
put in.

Does the SMB server location not already have a perfectly good 
router/modem in place? Unless you're specifically having issues with 
your ADSL line and want to replace it anyway, why are you doing this?

Unless your existing ADSL router isn't performant enough leave it in 
place and save your money. Put the router into dumb modem mode and put a 
proper dedicated machine (costs about the same as the replacement 
Draytek and has a million times the functionality) running 
pfsense/opnsense/linux/whatever behind it for your master gateway 
appliance. Long term this will save you so much time and effort and give 
you dramatically better tools to work with.

You probably want your setup to look more like this in the end:

Macs <-> VPN <-> WWW <-> Office VPN <-> VLAN <-> File Server

Have you decided how to control the Macs after you've brought them into 
your internal network over the VPN transport? Do you want them routed 
directly into the internal network where they'll have unfettered access? 
I'd expect not. You'll want to drop them into a VLAN instead presumably 
and control them tightly. The dedicated box will shine here with 
firewalls per VLAN, rate limiting and throttling/QoS, logging, traffic 
graphs, configurable alerts, etc. Yes, a Draytek (and they make nice 
stuff, I've used them a lot) can sort of do most of this at a push and 
if this isn't a big 'proper' job that needs to provide a really good ROI 
and ongoing increased core functionality you could just bang one in, 
set up a half-arsed OpenVPN on it and forward a port or two and you're 
done. This is NOT how I or anyone sane would do it though.

This was supposed to be questioning rather than prescriptive, but I've 
probably shown my usual thinking I guess: put in a dedicated gateway 
appliance running a proper OS, demote the ADSL router to a dumb modem 
and treat it as the enemy, keeping it outside the perimeter. Do 
everything important on the appliance, touch your internal systems and 
the external clients as little as possible.

The one word answer to all of this was "OpenVPN" all along. Forget L2TP 
(insecure, needs to be doubled up with another protocol for encryption, 
inefficient, slow, awkward). Run proper OpenVPN on the appliance, not 
whatever crappy outdated half-arsed implementation Draytek ship on their 
units. All clients install OpenVPN software (it's available for 
literally everything and even the Mac version actually works - 
Tunnelblick is a nice Mac client). Certs are issued (and critically, 
revoked) from the appliance.

However, since I last rambled on about how awesome VPNs are just a 
couple of weeks ago, personally I happen to have largely switched all my 
personal stuff over to the first big development in the space for years: 
WireGuard.

https://www.wireguard.com

From a sysadmin's perspective this is pure gold. WireGuard + Mosh on a 
mobile client is the best thing since sliced bread, especially if you're 
the sort of person who SSHes to remote boxes a lot when you're out and 
about. Near instant reconnection times even when your phone/laptop is 
roaming between wifi points and cell networks, without those frustrating 
15 second restarts that OpenVPN loves so much. NO restarting the damn 
OpenVPN client or network subsystem when it inevitably goes south after 
too many reconnects and decides not to work. No hang ups or DNS leaking. 
Super easy to tear up and down. Roadwarrior, site to site or even 
multi-site VPN meshes are simple. No extra software (nearly): it's built into 
the Linux kernel. Clients already available for everything including 
MacOS. I still have all my OpenVPN stuff in place as well, but its 
future is looking bleak because the future is WireGuard and it's already 
here.

Ok, so I meant to ask helpful questions and instead have ended up just 
telling you what to do instead. My posts never seem to end up how I 
meant them to go when I started...

Cheers

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
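As an added example (not part of the original post, and not configuration shipped by the WireGuard project), this is roughly what the roadwarrior setup argued for above looks like as WireGuard configuration: an appliance config that only lets VPN clients reach the Samba server on SMB, and a Mac client config using a split tunnel. All addresses, the hostname, the key placeholders and the nft table/chain names are assumptions.

```ini
# --- Appliance: /etc/wireguard/wg0.conf (constructed example) ---
[Interface]
Address    = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <APPLIANCE_PRIVATE_KEY>
# "Drop them into a VLAN and control them tightly": forwarded traffic
# arriving from wg0 may only open SMB sessions to the file server
# (assumed 192.168.10.20); everything else from the VPN is dropped.
# Return traffic from the LAN side is not matched by these rules.
PostUp   = nft add table inet wgfilter
PostUp   = nft add chain inet wgfilter fwd '{ type filter hook forward priority 0; policy accept; }'
PostUp   = nft add rule inet wgfilter fwd iifname "wg0" ct state established,related accept
PostUp   = nft add rule inet wgfilter fwd iifname "wg0" ip daddr 192.168.10.20 tcp dport 445 ct state new accept
PostUp   = nft add rule inet wgfilter fwd iifname "wg0" counter drop
PostDown = nft delete table inet wgfilter

# One [Peer] block per Mac. "Revoking" a laptop is deleting its block
# and reloading: without its key listed here the appliance ignores it.
[Peer]
# alice-macbook (constructed)
PublicKey  = <ALICE_PUBLIC_KEY>
# Cryptokey routing: packets from this key are accepted only with this
# source address, and only this address is ever routed back to this key.
AllowedIPs = 10.200.0.10/32

# --- Mac client: tunnel imported into the WireGuard macOS app (constructed) ---
[Interface]
PrivateKey = <ALICE_PRIVATE_KEY>
Address    = 10.200.0.10/32
# Point the Mac at the office resolver if the share is reached by name;
# leave this out for a pure IP setup (assumed resolver address).
DNS        = 192.168.10.1

[Peer]
PublicKey  = <APPLIANCE_PUBLIC_KEY>
Endpoint   = vpn.example.org:51820
# Split tunnel: only the file-server VLAN is sent over the VPN.
# 0.0.0.0/0 here would send all of the Mac's traffic through the office.
AllowedIPs = 192.168.10.0/24
# Roaming client behind NAT/carrier networks: keep the UDP mapping alive
# so the appliance can still send packets back when the Mac has been idle.
PersistentKeepalive = 25
```

The appliance needs IP forwarding enabled, and the file server (or its VLAN gateway) needs a route for 10.200.0.0/24 back via the appliance, or the SMB replies never return.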