
Re: [LUG] Macs & VPNs

On 17/09/18 15:53, mr meowski wrote:
On 17/09/18 09:52, Martin Gautier wrote:
Hi all

Any hardware recommendations for setting up VPN client access for remote
MacOS users to access my Samba server gratefully received.

I'm looking for a (DrayTek?) router with VPN support that will work with
Apple's list of supported VPN protocols (L2TP?)

Remote MacOS users <--> Internet <--> Router <--> LAN <--> Samba server

I'd also want to use the router as a firewall and port forward IMAP

TIA

Nope, but with your permission I'd like to do that annoying thing that
people do on the internet when you ask for help with one thing and they
promptly tell you that that's not what you actually want at all?

But let me check a few things first. You're planning on doing some good
ol' file server work with this presumably - your remote Macs want access
to the SMB/CIFS machine inside the office/remote site. Are the Macs
under your control? Can you install software or ask for software to be
installed/configured on them? Asking because you will find this much
easier if you don't work within Mac constraints: i.e., don't reconfigure
your systems to support typical Apple brain damage (like L2TP nonsense),
instead configure the Macs to be grown up computers and talk to already
perfectly working systems. Windows/Linux/UNIX are ready for this sort of
actual work, Macs need babysitting and third party software to make them
behave themselves. However, as a sysadmin I'm very used to not
necessarily having a choice which is why I'm asking if you control the
Mac clients as well. Also are the Macs static systems somewhere in
another office or do they roam about with the users?

Is this a long term thing by the way or a quick job to briefly support a
bunch of contractors? Asking to see how much money/effort you want to
put in.

Does the SMB server location not already have a perfectly good
router/modem in place? Unless you're specifically having issues with
your ADSL line and want to replace it anyway, why are you doing this?

Unless your existing ADSL router isn't performant enough leave it in
place and save your money. Put the router into dumb modem mode and put a
proper dedicated machine (costs about the same as the replacement
Draytek and has a million times the functionality) running
pfsense/opnsense/linux/whatever behind it for your master gateway
appliance. Long term this will save you so much time and effort and give
you dramatically better tools to work with.

You probably want your setup to look more like this in the end:

Macs <-> VPN <-> WWW <-> Office VPN <-> VLAN <-> File Server

Have you decided how to control the Macs after you've brought them into
your internal network over the VPN transport? Do you want them routed
directly into the internal network where they'll have unfettered access?
I'd expect not. You'll want to drop them into a VLAN instead presumably
and control them tightly. The dedicated box will shine here with
firewalls per VLAN, rate limiting and throttling/QoS, logging, traffic
graphs, configurable alerts, etc. Yes, a Draytek (and they make nice
stuff, I've used them a lot) can sort of do most of this at a push and
if this isn't a big 'proper' job that needs to provide a really good ROI
and ongoing increased core functionality you could just bang one in,
set up a half-arsed OpenVPN on it and forward a port or two and you're
done. This is NOT how I or anyone sane would do it though.

This was supposed to be questioning rather than prescriptive, but I've
probably shown my usual thinking I guess: put in a dedicated gateway
appliance running a proper OS, demote the ADSL router to a dumb modem
and treat it as the enemy, keeping it outside the perimeter. Do
everything important on the appliance, touch your internal systems and
the external clients as little as possible.

The one word answer to all of this was "OpenVPN" all along. Forget L2TP
(insecure, needs to be doubled up with another protocol for encryption,
inefficient, slow, awkward). Run proper OpenVPN on the appliance, not
whatever crappy outdated half-arsed implementation Draytek ship on their
units. All clients install OpenVPN software (it's available for
literally everything and even the Mac version actually works -
Tunnelblick is a nice Mac client). Certs are issued (and critically,
revoked) from the appliance.

However, since I last rambled on about how awesome VPNs are just a
couple of weeks ago personally I happen to have largely switched all my
personal stuff over to the first big development in the space for years:
Wireguard.

https://www.wireguard.com

From a sysadmin's perspective this is pure gold. Wireguard + Mosh on a
mobile client is the best thing since sliced bread especially if you're
the sort of person who SSH's to remote boxes a lot when you're out and
about. Near instant reconnection times even when your phone/laptop is
roaming between wifi points and cell networks without those frustrating
15 second restarts OpenVPN loves so much. NO restarting the damn
OpenVPN client or network subsystem when it inevitably goes south after
too many reconnects and decides not to work. No hang ups or DNS leaking.
Super easy to tear up and down. Roadwarrior, site to site or even
multi-site VPN meshes are simple. No extra software (nearly), as it's built into
the Linux kernel. Clients already available for everything including
MacOS. I still have all my OpenVPN stuff in place as well, but its
future is looking bleak because the future is Wireguard and it's already
here.

Ok, so meant to ask helpful questions and instead have ended up just
telling you what to do instead. My posts never seem to end up how I
meant them to go when I started...

Cheers

As always, a nice detailed summary.

In the end, I've gone with a Draytek modem, pfSense appliance and OpenVPN. Seems to be running fine. The pfSense VPN wizard was very useful.

I'll have a play with Wireguard when I have some down time, it looks interesting. pfSense with Wireguard bundled in an appliance would be awesome.

Thanks.
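The thread's point that the appliance must be the place where client certificates are issued and, critically, revoked deserves a worked illustration. The script below is an added example, not code from the thread, from pfSense or from OpenVPN: it runs the same lifecycle with the plain openssl CLI in a scratch directory, so the pieces pfSense's wizard hides (CA, CSR, issuance, CRL, revocation) are visible. The CA name, the client names (mac-alice, mac-bob), the lifetimes and the config file layout are all made up for the demo; on a real gateway the client would generate its own key and send a CSR rather than having the key made on the CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/OpenVPN: a minimal
# OpenVPN-style PKI with revocation, driven by the openssl CLI. Names,
# lifetimes and paths are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# "openssl ca" keeps its own small database of issued serials and states.
mkdir -p newcerts
: > index.txt
echo 1000 > serial
echo 1000 > crlnumber

cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = vpn_ca
[ vpn_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
[ policy_cn_only ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF

# 1. The CA. ca.key never leaves the gateway appliance.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Office VPN CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. A CRL, empty at first. OpenVPN is pointed at it with "crl-verify crl.pem";
#    it must be regenerated and redeployed after every revocation.
publish_crl() {
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
publish_crl

# Issue a client certificate for one device.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl ca -batch -config ca.cnf -extensions client_ext \
        -in "$1.csr" -out "$1.crt" 2>/dev/null
}

# Revoke a client and publish the new CRL in one step.
revoke_client() {
    openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
    publish_crl
}

# 0 if the certificate validates against the CA *and* the current CRL.
# -crl_check also turns a missing CRL into an error, which is what a
# gateway should do rather than silently skipping the check.
verify_client() {
    cat ca.crt crl.pem > trust.pem
    openssl verify -crl_check -CAfile trust.pem "$1.crt" >/dev/null 2>&1
}

issue_client mac-alice
issue_client mac-bob
verify_client mac-alice && echo "mac-alice: valid"
verify_client mac-bob   && echo "mac-bob: valid"

# Bob's laptop is lost: revoke it. Alice's certificate is untouched.
revoke_client mac-bob
if verify_client mac-bob; then
    echo "mac-bob still validates: CRL not applied" >&2
    exit 1
fi
echo "mac-bob: revoked"
verify_client mac-alice && echo "mac-alice: still valid"
```

The part that matters operationally is the last step: revocation only takes effect once the freshly generated crl.pem is the one the running OpenVPN process reads, so whatever deploys the CRL belongs in the same procedure as the revoke itself.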
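For the Wireguard road-warrior setup the thread recommends, with the Macs landing in a VLAN rather than on the whole LAN, here is an added example of the two config files involved. It is not configuration from the thread or from the Wireguard project: it generates the X25519 keys with the openssl CLI instead of "wg genkey" so it runs wherever openssl is present, writes a gateway config and one Mac config, and checks the one setting that does the access control. The tunnel network (10.99.0.0/24), the file-server VLAN (192.0.2.0/24), the endpoint name and the peer name are all assumptions.

```shell
#!/bin/sh
# Added example, not configuration from the thread or the Wireguard project:
# a road-warrior pair (office gateway + one Mac) generated with openssl.
# Addresses, the endpoint hostname and the VLAN prefix are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

TUNNEL_NET=10.99.0               # the VPN's own /24 (assumption)
SERVER_VPN_IP=$TUNNEL_NET.1
CLIENT_VPN_IP=$TUNNEL_NET.2
FILESERVER_VLAN=192.0.2.0/24     # VLAN holding the Samba server (assumption)
ENDPOINT=vpn.example.org:51820   # public name/port of the gateway (assumption)

# Wireguard keys are raw X25519 keys, base64-encoded. openssl wraps them in
# PKCS#8 / SubjectPublicKeyInfo DER; the raw 32 bytes are the tail of each.
gen_private() { openssl genpkey -algorithm X25519 -out "$1" 2>/dev/null; }
wg_private()  { openssl pkey -in "$1" -outform DER | tail -c 32 | openssl base64 -A; }
wg_public()   { openssl pkey -in "$1" -pubout -outform DER | tail -c 32 | openssl base64 -A; }

gen_private server.pem
gen_private mac-alice.pem

# Gateway side. A peer's AllowedIPs is Wireguard's cryptokey routing table:
# only packets with source 10.99.0.2 are accepted under Alice's key, and only
# packets to 10.99.0.2 are sent to it. A road-warrior peer must never get
# 0.0.0.0/0 here, or it could inject traffic with any source address.
write_server_conf() {
    cat > wg0-server.conf <<EOF
[Interface]
Address = $SERVER_VPN_IP/24
ListenPort = 51820
PrivateKey = $(wg_private server.pem)

[Peer]
# mac-alice
PublicKey = $(wg_public mac-alice.pem)
AllowedIPs = $CLIENT_VPN_IP/32
EOF
}

# Mac side. AllowedIPs here decides what the Mac routes into the tunnel: the
# gateway's tunnel address and the file-server VLAN only (split tunnel), so
# the gateway firewall sees one tidy source range to restrict to TCP/445.
write_client_conf() {
    cat > wg0-mac-alice.conf <<EOF
[Interface]
Address = $CLIENT_VPN_IP/32
PrivateKey = $(wg_private mac-alice.pem)

[Peer]
PublicKey = $(wg_public server.pem)
Endpoint = $ENDPOINT
AllowedIPs = $SERVER_VPN_IP/32, $FILESERVER_VLAN
PersistentKeepalive = 25
EOF
}

# Pre-deploy sanity check: no gateway-side peer may hold a default route,
# and every key in either file must decode to exactly 32 bytes.
check_conf() {
    ! grep -q '^AllowedIPs = .*0\.0\.0\.0/0' wg0-server.conf || return 1
    for k in $(grep -hE '^(Private|Public)Key' wg0-*.conf | sed 's/.*= //'); do
        n=$(printf '%s' "$k" | openssl base64 -d -A | wc -c | tr -d ' ')
        [ "$n" -eq 32 ] || return 1
    done
}

write_server_conf
write_client_conf
check_conf && echo "configs written to $WORK"
```

The Address lines are wg-quick / Wireguard app extensions rather than part of the wire protocol, which is why a bare "wg setconf" ignores them. Adding a second Mac means one more [Peer] block on the gateway with its own /32; the VLAN firewall rules keyed on 10.99.0.0/24 do not change.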

--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq