Want to Set Up a Home VPN

BraveSirRobbin

Moderator
Fellow Cocooners:
 
I want to (finally) set up a home VPN so I don't have to open (via port forwarding in the firewall/router) ports to access my cameras, home security, and home automation systems here at my house.
 
I know a LOT of forum members would like to do this, but (like me) have no idea where to start or the best methodology (while trying to keep costs reasonable for a homeowner) to deploy.
 
I determined I would like to do this with an appliance (non-PC/software) method using either a SonicWall TZ105 or Linksys LRT214 product.  I'm not stating this is the 'best' product, just the ones I selected during my research.
 
The main feature I'm looking for is connectivity for my Android devices, and access via work computers.  I know I'm probably going to have to install OpenVPN on the Android phones, but I'm not sure about access via Windows 7 computers at work.  Hopefully, I don't have to 'add' any software, though that's not an impossibility.
 
I've also tried to investigate OpenVPN clients, and found out that there is a plethora of options that is a bit mind-boggling.
 
So, I know we have a LOT of experts in this area, and I would like to tap on their experience and get some good advice rather than just blindly order one of these devices, then find I'm going down the wrong path! ;)
 
Here is what I plan on doing.
 
I currently have your typical home setup with a cable modem, then Linksys firewall/router, then separate Ubiquiti wireless unit (for extended wireless range) at my home.  I have various appliances (Elk, Axis Cameras, etc...) plus a HomeSeer computer that I would like remote access to.
 
Presently these ports are port forwarded via the Linksys firewall/router.  I use DNS.ORG that updates via my Linksys firewall/router to point to my home IP (since I don't have a hard IP).
 
I am thinking that the best way to do this with one of the VPN products mentioned above is to place it behind my present firewall/router (on the LAN side), then connect the switches, appliances, etc. to that VPN box's LAN ports.
 
I am also thinking the best methodology to deploy is to create SSL connections for the VPN box.
 
My questions are:
 
Is this VPN hardware box method the best strategy to deploy?  I would like to keep the costs under $250.
 
Is the connectivity of the VPN box described above the best method to use?
 
Assuming the VPN box method is a good one, is the SSL feature the practice of choice for my needs?
 
Where/what do I download for the best VPN client (both for the Android phones and a client PC running Windows 7)?
 
Am I going down the wrong path altogether?  If so, what other 'path' should I start out on?
 
I do plan on doing a How-To on my journey so other members can benefit from my stumbling on the best VPN to deploy for the home, as I know there are members that are in my exact same situation.
 
I tried to be detailed in my description of my quest, but please let me know if more information is needed.  Thanks also for the great advice that I know I can count on in this forum (which is what makes CocoonTech the number one forum out there)!!! :)
 
Best regards,
 
BSR
 
 
 
The choices are endless today.
 
I played with this and that over the years and would experiment some. 
 
Last business trip; well it was a couple of weeks timeframe; did a bunch of stuff with HS from the UK.
 
I picked an entity on my network at home that I considered the "center of the home universe"; whatever that box was.
 
I made sure that from the box I could get to any of the rest of the devices on the network.
 
This methodology is just one of many that I played with.  Easy to do and set up.  You can create a key / exchange thing keeping the encryption key on your Android device.
 
Initially you create an SSH port tunnel and utilize that to get to your "center of the universe machine".
 
Googling there are discussions relating to openvpn versus SSH tunneling....
 
I've setup both on my firewall. I find SSH tunneling more convenient than openvpn. So the question is which one is much safer when you're at a public hotspot doing online banking through your home network?
It always depends on the circumstances.. obviously.

But look at it this way, OpenVPN is GPL and bloated.. OpenSSH is liberal and light.

Both support OSI level 2/3 tunnelling.. both utilize OpenSSL.

Pick the one you feel is right.
OpenSSH is truly amazing due to its lightweight and ease of configuring.
I too would have to go with OpenSSH tunneling, in fact I dropped OpenVPN tunneling in favour of implicit SSH tunnels instead about 4.3ish.

I do have a great howto with OpenBSD/OpenVPN/AuthPF if you really care to try (it's a bit dated), just tried uploading and could not, I can send them to you if you like, let me know.
 
Personally use both.  That said in the above endeavor used only an SSH tunnel and it worked just fine for me.
 
I would suggest to try them both and see for yourself what you are most comfortable with.
 
Hi Pete;
 
Thanks for the reply.
 
You stated:  I picked an entity on my network at home that I considered the "center of the home universe"; whatever that box was.
 
So, should I use one of the two suggested boxes (SonicWall or Linksys units) and have that as my 'center', or are you stating to just link to a PC inside your LAN and connect to that?  I would like to connect some of my home appliances using already established programs on my Android devices.  For instance, use myKeypad Pro for connecting to the Elk panel, IPCamViewer for connecting to the cameras, etc...  If I understand the way an openSSH tunnel connection would work, I would establish one from my Android phone to the VPN device using OpenVPN on the Android, then I would use the 'internal' LAN IP addresses (currently in the 192.168.1.x subnet in my home LAN) for connecting to the appliances.
 
First glance at open SSH with my phones led me to this selection from Google Play Store.
 
So, I would install that on my Android phones, then connect to the VPN appliance of my choice (SonicWall or Linksys described above)?
 
Then, I would have to install openSSH on my other computers that I wish to connect from?
 
Sorry for such basic questions, but the more I dig into this, the more options there seems to be.
 
The "center of the universe" can be anything on your network. 
 
Then, I would have to install openSSH on my other computers that I wish to connect from?
 
No; once you have established an SSH tunnel then you will have access to everything.  You can add more layers of security inside your network and even to the first point of entry at your firewall if you want.
 
It would be SSH.  OpenVPN is similar but different. 
 
 
So, I would install that on my Android phones, then connect to the VPN appliance of my choice (SonicWall or Linksys described above)?
 
Yup.
I would test it out and see what you like the best.  You cannot break anything.  Just undo what you configure when you are done testing.
 
There are typically 3 types of VPNs.
 
The traditional VPN is an IPSEC VPN which is usually set up in the OS on the client and you get a normal network interface on your internal network.   These are typically fixed/static vs. dynamic and they can be a little daunting with the number of options/settings.  Most of the time when you see "VPN Support" mentioned for a device they are talking about an IPSEC VPN.
 
The other types are software VPNs tunneling the traffic over SSL or sometimes SSH.  OpenVPN is an example of an SSL VPN.   They rely on software clients or drivers being installed on the client device and are more typically used for dynamic connections like remote access to specific services.  So that means that the client must be able to run software for that particular client.  There is no standard for the software, so you usually need to run the same software/platform on each side.  For example Cisco WebVPN client for a Cisco AnyConnect software VPN solution, etc.    There are options like SSL Explorer/Adito also where you can just download a java client and not have to install software but they may or may not work on mobile platforms.
 
A VPN is basically 2 things, encryption and some way to trust the client whether it be the source IP, or an additional layer of authentication, client cert, etc.   That being said, if your services are already authenticated (i.e. a web server with username/password) and all you are missing is encryption, you can just use something like stunnel to do the encryption for you on the server side and a browser on the client side.
 
Coming in the near future are IPv6 tunneled VPNs (IPSEC is built into IPv6).   But since IPv6 isn't widespread yet on the internet these may be hit or miss depending on your location/device.
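As an added illustration of the stunnel suggestion above (example configuration written for this thread, not posted by the original author), the following shell script emits an stunnel server-side config that wraps two already password-protected LAN web interfaces in TLS. The certificate path, the LAN addresses and the service names are constructed assumptions; the two helper functions pull out the TLS ports (the only ones that belong in the router's port-forwarding table afterwards) and the plaintext LAN targets (any existing forward to those should be removed, or the TLS wrapper is bypassable).

```shell
#!/bin/sh
# Added example, not from the thread: stunnel in server mode, wrapping
# plaintext LAN web UIs in TLS.  The camera/HomeSeer login pages keep doing
# the authentication; stunnel only adds encryption, as the post describes.
# Every path, address and name below is a constructed assumption.

CERT_PATH="/etc/stunnel/home.pem"   # assumed: PEM file holding cert + key

# stunnel_conf prints the configuration.  Server mode is stunnel's default:
# it accepts TLS on each "accept" port and forwards the decrypted stream to
# the plaintext "connect" address on the LAN.
stunnel_conf() {
    cat <<EOF
; global options
cert = $CERT_PATH
foreground = no
; refuse older protocol versions on the internet-facing side
sslVersion = TLSv1.2

[camera-web]
accept = 0.0.0.0:8443
connect = 192.168.1.50:80

[homeseer-web]
accept = 0.0.0.0:8444
connect = 192.168.1.20:80
EOF
}

# tls_ports lists the accept ports, space separated.  After stunnel is in
# place these are the only ports to forward at the router.
tls_ports() {
    stunnel_conf | sed -n 's/^accept = .*:\([0-9]*\)$/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# lan_targets lists the plaintext connect addresses.  Any router forward
# that still points at one of these bypasses TLS and should be deleted.
lan_targets() {
    stunnel_conf | sed -n 's/^connect = \(.*\)$/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone use: show the config and the two port lists.
stunnel_conf
echo "forward only TLS ports: $(tls_ports)"
echo "remove plaintext forwards to: $(lan_targets)"
```

On the client side nothing is installed: the browser on the phone or the work PC opens https://your-dyndns-name:8443 and sees the camera's normal login page. Writing the output to /etc/stunnel/stunnel.conf and restarting stunnel is all the server needs.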
 
Just to throw out an option - many very cheap routers can also run DD-WRT.  That's an open source router operating system that is very feature rich, including lots of VPN choices.  It also offers other features not available on most sub $1000 (or at least $500) devices, and will run on router hardware you can buy for $50-100.
 
It does require a bit of network knowledge and research to set up, so it may not be for those looking for a turn-key solution (but this is a very DIY forum). But it absolutely will give you more features for less money than any out of the box solution (well, there are actually a few manufacturers that are pre-loading it out of the box). 
 
Basically you buy the amount of router you need for wireless/routing performance, and it adds the features, so basically you buy based on speed of CPU vs. speed you need, e.g. if heavy gaming, heavy video, or a very high speed connection (>50mbs) you might want a higher end router to get faster CPU and memory, but for most people 2-4 year old low end models are more than enough (just make sure it's on their supported list).
 
Again, definitely not a "turn key" solution... but absolutely the most bang for the buck.
 
Yes DDWRT will run OpenVPN.  But you need to be careful with putting too many services on it.  The cert you need to generate is stored in NVRAM.  I used to run OpenVPN on my router, but it was losing its config upon reboot due to lack of free space.
 
@BSR
 
Let's give it a try ...want to test both?
 
1 - Is your Android phone rooted?  Can you run and install JuiceSSH?
2 -
 
Pete, unfortunately I have a Samsung Galaxy S4 where the bootloader is locked and, with this latest Android update, is VERY hard to root (believe me, I've looked into it).
 
I have Juice Pro installed and running on my phone.
 
Is Juice Pro an SSH client?  I understand there is a JuiceSSHPro.  I don't think you need to root your phone to install it.
 
SonicWall has the required Android compatible client app for use with the TZ series (and other) firewalls.
 
Simple to setup and works just fine.
 
SonicWall also offers site-to-site VPN which I use between my home and daughters home so I can get into her network and help with problems.
 
There you go BSR test if you want both:
 
SSH
 
1 - create a test user name on your firewall
2 - configure your router's SSH to utilize port 222
3 - allow external access on your firewall to port 222
4 - find out what your internet address is
5 - configure your Android SSH client to access your internet IP and SSH to port 222
6 - login and check it out.  Logout
7 - disable the rule and / or access to port 222
 
VPN - SonicWall
 
1 - download SonicWall VPN client here: (Sonic Wall mobile connect)
http://www.sonicwall.com/us/en/products/Mobile-Connect-Android.html
 
2 - configure your SonicWall VPN
https://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=132&dl=1
 
3 - you should be good to go.
 
Let us know how it goes.
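To make the SSH steps above concrete, here is an added example (written for this thread, not Pete's own script) of what the Android/PC side ends up running and what the firewall's sshd should be configured with. It assumes a dynamic DNS name home.example.invalid, the test user tunneluser from step 1, port 222 from step 2, and three constructed LAN appliances (a camera's web and RTSP ports and a panel's control port) on 192.168.1.x; none of those values come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: one SSH session carrying local port
# forwards to several LAN appliances, plus the sshd_config settings that
# belong with exposing port 222 to the internet.  All hostnames, users,
# addresses and ports are constructed assumptions.

HOME_HOST="home.example.invalid"   # assumed dynamic DNS name (step 4)
HOME_PORT=222                      # non-default SSH port (steps 2 and 3)
HOME_USER="tunneluser"             # the test user created in step 1

# One appliance per line: local_port  lan_ip  lan_port  (constructed values).
# The apps on the phone/PC are pointed at 127.0.0.1:local_port instead of
# the LAN address, and the traffic rides inside the SSH session.
APPLIANCES='
18080 192.168.1.50 80
18554 192.168.1.50 554
12101 192.168.1.60 2101
'

# build_tunnel_cmd prints the ssh command line (step 5).  -N opens no remote
# shell; ExitOnForwardFailure makes ssh quit instead of silently continuing
# when a local port is already in use by another program.
build_tunnel_cmd() {
    cmd="ssh -N -o ExitOnForwardFailure=yes -p $HOME_PORT"
    while read -r lport ip rport; do
        [ -n "$lport" ] || continue   # skip the blank lines in APPLIANCES
        cmd="$cmd -L 127.0.0.1:$lport:$ip:$rport"
    done <<EOF
$APPLIANCES
EOF
    printf '%s\n' "$cmd $HOME_USER@$HOME_HOST"
}

# forward_count returns how many tunnels the command carries, so you can
# check that every app you rely on remotely has one.
forward_count() {
    build_tunnel_cmd | grep -o ' -L ' | wc -l | tr -d ' '
}

# sshd_hardening_conf prints an /etc/ssh/sshd_config fragment for the box
# that answers on port 222: key-only login for the one tunnel user, with
# the forwarding the tunnels need and nothing else.
sshd_hardening_conf() {
    cat <<'EOF'
# fragment for a host reachable from the internet (constructed example)
Port 222
# keys only; the private key stays on the phone or PC
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# only the dedicated tunnel account may log in
AllowUsers tunneluser
# TCP forwarding is what the tunnels use; deny the rest
AllowTcpForwarding yes
X11Forwarding no
PermitTunnel no
LoginGraceTime 30
MaxAuthTries 3
EOF
}

# Stand-alone use: print the client command and the server fragment.
build_tunnel_cmd
echo "tunnels: $(forward_count)"
sshd_hardening_conf
```

With the session up, IPCamViewer is pointed at 127.0.0.1:18080 and the keypad app at 127.0.0.1:12101 rather than the 192.168.1.x addresses; that per-app bookkeeping is the maintenance cost of SSH tunnels that the pfSense/OpenVPN reply further down mentions. Step 7 still applies: remove the port 222 rule at the router when the test is over.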
 
Hey BSR... don't forget I have the SSH tutorial here on CT.
 
I ran SSH tunnels on a DD-WRT router for quite a while, but after wanting to upgrade to a much beefier router/firewall I've since dropped SSH. A nice feature with the newer Android OS is support for OpenVPN without requiring root. My previous phone was rooted running separate SSH and proxy apps, along with a firewall too. Now I'm running pfSense with embedded OpenVPN and it gives me much more granular control over clients/VLANs/port and IP restrictions all within the GUI. Plus I don't need to worry about making sure I have all the tunnels set up that I would need for each device when dealing with SSH. You can always install the VPN server on your home/work server.
 
In both cases, remote access is always configured with a secured password/key. In fact, my current VPN setup requires a key and its password along with a user/name password combo for authentication. Setting up encryption and keys isn't really that difficult... especially when you have us here to help you! There are some pretty competent network/sys admins on this board.
 
PFSense is very reasonably priced (well free).  I am using it today for all sorts of things.  I think too that there are PFSense "appliances" being sold today if you wanted to go in that direction.  It is the ultimate in firewalls.  Today I have some 6 network interfaces to mostly play.  I can though load balance and failover on one side these days.
 
[Attached screenshots: PFSense-VPN.jpg, PFSense-VPN-2.jpg]
 