Want to Setup a Home VPN

pfSense's VPN page gives a good explanation of VPN options.  If you go with IPsec you can use the built-in OS VPN client on Android, iPhone, Windows, etc.  Pretty much any client will support IPsec natively.  OpenVPN is an SSL VPN and you need to load software on some clients (as mentioned, you do not need pfSense to run OpenVPN; that can be loaded on DD-WRT or a Linux/Windows server).
 
https://www.pfsense.org/about-pfsense/features.html#vpn
 
 
One other thing to consider is access from a client perspective.  SSL is pretty much going to be open outbound no matter where you are: a company, hotel, etc.  They usually allow you to access HTTPS/SSL websites, so port 443 is open.  It is more difficult to restrict; mostly you may just see your tunnel time out a lot due to inactivity.   IPsec or SSH are not always open outbound to the internet for security reasons, and all they need to do is block the ports.  I would say most companies of a reasonable size block IPsec, and many block SSH by default as well.
 
I really wish SSL-Explorer/Adito hadn't gotten bought out; it was a really great solution as a free open source SSL VPN with a Java-based client, no software to install.  But unfortunately it is no longer maintained.  OpenVPN is probably the best SSL VPN option available these days.
 
Blocked ports were the reason I didn't consider IPsec. In fact I run my service (whether SSH or VPN) over a well-known open port which will never be blocked. My current VPN server runs 2 instances - one over UDP and one over TCP - with UDP being preferred.
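As an added example (not part of the original post), this is what that two-instance layout looks like in OpenVPN configuration: two server processes on the same port, one UDP and one TCP, and a client profile that tries UDP first and falls back to TCP. The hostname vpn.example.com, the 10.8.x.x tunnel subnets and the certificate file names are placeholders assumed for the example.

```conf
# ---- server-udp.conf (first OpenVPN instance, preferred) ----
port 443
proto udp
dev tun
# Certificate/key file names are placeholders
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Each instance needs its own tunnel subnet so client addresses never collide
server 10.8.0.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- server-tcp.conf (second instance, same port, TCP fallback) ----
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.1.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- client.ovpn (phone or laptop profile) ----
client
dev tun
# Remotes are tried in order: UDP first, then TCP on the same port.
remote vpn.example.com 443 udp
remote vpn.example.com 443 tcp
# Give up on a remote after 10 s instead of the 120 s default so the
# TCP fallback kicks in quickly on networks that drop UDP.
connect-timeout 10
resolv-retry infinite
nobind
# Refuse to connect to anything but a certificate issued for a server
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3
```

Run the two server configs as separate OpenVPN processes; a network that passes only TCP 443 will still connect via the second remote line.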
 
I have VPN access to all my clients - ranging from SonicWall software, Cisco, PPTP, IPsec - it just depends on what devices they have available.  I'm sure PPTP isn't the best, but I do love that it's built into every OS without adding any software - I even use my iPhone to VPN into the office to run things if I'm away.
 
SonicWall makes a good appliance, but pricey... I just replaced a 12-year-old SonicWall for a customer - not because it died, but because SonicWall stopped supporting it and they have a mandatory check-in during bootup or VPN features don't work - and they changed the IP of their "check in" server - pretty crappy practice IMO, but the thing was flawless for 12 years and for always-on connections it's pretty solid and requires no end user effort.
 
In my own house, I threw in a Netgear UTM about 3.5 years ago because I was in a rush to put something in to replace the Cisco router I was giving back to the company I was leaving.  It serves its purpose well - I can remote in and all that, but it cost way more than a bunch of other options that I'm now much more comfortable with (and it's noisy and big) - I use a lot of Mikrotik routerboards - the RB450G is dirt cheap and can do anything you could ever dream of - including DNS in your home, custom DHCP options (great for playing with VOIP phones) and just about anything else.  Or even the Ubiquiti EdgeRouter Lite - one of which I'm connected to pretty much 24/7.
 
I do think the key is above with the folks talking about restrictions - if you want to VPN in from your work network, you need to find out what that network will allow; SSL is most likely to work.  In my experience, IPsec is least likely to work because it isn't always NAT friendly.  If you want to always connect through your Android phone or use your phone as a hotspot to eliminate network restrictions, that'll open a lot more doors.  I've used OpenVPN a little - more because it seems to be the standard VOIP phones have built in - it's a lot more work to set up and less dynamic from what I've seen so far.  But - there do seem to be clients available for just about every device finally.  Good or bad, I do still fall back on PPTP quite a bit because as long as I know my credentials, I can set it up on any device in a flash to get things done, so it's saved me many times.
 
Work2Play,
 
These low (or lower) cost devices you mention. Do they offer UTM and, if so, what are the annual costs for keeping the "threat" data up to date?
 
Thanks.
 
You can also DIY something like this today right at home... with whatever you want... (my project here years ago was a cost-cutting effort to wean off the use of SecurID VPN monthly costs).
 
https://vpn.ual.com/
 
BSR-
 
As you can see, you have options :)
 
You really need to figure out what support you have on each device you need to connect from and what port restrictions each solution may have. That will start to limit your choices more to where you can make a decision. IPsec and PPTP will work out of the box on your phone over 4G, but chances are they both will be blocked over a WiFi connection. SSH and SSL can be set up on any port you wish, so there are no restrictions there. However, SSH on your phone will require rooting to proxy those tunnels. SSL... well, with a newer Android phone (such as yours) you have a lot of flexibility.
 
OK, again, MANY THANKS for the detailed replies.  I think I'm getting somewhere. 
 
I should have been more specific with my connectivity desires as video321 stated above, so here it is.
 
I have three Android phones in my family.  I would like to run the following applications on these phones to Internet appliances such as an Axis Camera/Server and Elk M1 Gold.  I would like to do this by running the Android applications myKeypad Pro and IPCamViewer.  I would like to do this without 'opening' unsecured/unencrypted ports in my current firewall router.
 
I would also like to run TeamViewer on my phone, but if I understand correctly that is already a secured/encrypted connection.
 
I would ALSO like to connect to the above camera appliances via work computers.  I also want to be able to connect to my HomeSeer and SageTV servers as well.  I do this via a web browser (Firefox mainly).  Again, I would like to do this without 'opening' ports in my current firewall router.
 
I would like to connect via these work computers without having to load any additional software on these computers (I'm in many different work locations).
 
I don't care about 'extending' or connecting between networks for a secure connection as for example a home to a small office.
 
I don't care about connecting securely to any file server for file transfers (via ftp, etc...).
 
I want something that can be easily configured without needing a degree in IT.
 
I really don't want to rely on the cloud having to 'phone home' to work, or have to update subscriptions. 
 
Having file content ratings, and malware/anti-virus protection might be good, but not at a huge increased cost (of the actual unit or the renewal subscriptions) unless of course someone can convince me that this is all worthwhile.
 
I DO like the price of the Mikrotik Routerboard Work2Play posted above.  Will that handle my above requirements?
 
I would rather not go with tomato or dd-wrt and have to install that on a 'hacked' router.
 
I guess I'm starting to steer away from the SonicWall with the more replies to this thread suggesting other alternatives.
 
Again, I really really appreciate these informative responses. :)
 
The router board will more than handle your requirements, but so will just installing an app on any 24/7 PC. You don't need a dedicated appliance for your needs. Don't jump into the hardware before figuring out the software...

I run the same apps as you... Elk M1, IPCamViewer, Vera, multiple server access, etc. With SSH or SSL everything is accessed over a single tunneled port. SSH is actually harder to maintain because of the way tunnels are set up over IPs and ports. An SSL VPN makes full network access easier, with no connection issues with a new device on the LAN.
 
I DO like the price of the Mikrotik Routerboard Work2Play posted above.  Will that handle my above requirements?
 
Very nice devices.
 
DIY'ing your router / firewall would be a learning experience; not difficult at all.
 
Here my very first utilized autonomous firewall was a SOHO SonicWall.  It worked fine for me after a bit of mods / tweaking.
 
That said, the more I did at home and the more devices I added to my network made me install Smoothwall (well, in the early 2000s).
 
That Smoothwall box ran on a few different CPUs over the years and started with an Intel 400 MHz device (old SQL server).  For a time I was into the smaller footprint thing and went to an overclocked AMD in a Netier embedded terminal PC with three network interfaces running from a CF drive.  Worked fine.
 
Most of the combo off-the-shelf SOHO devices you purchase today (i.e. switch and router, or switch, AP and router) utilize tiny CPUs and little memory; they are really OK for a few devices on the home network, but really they are cheap and basically functional junk.
 
My last DIY pfSense firewall I went to a Core Duo mITX commercial board with two built-in Gb NICs and added 4 Intel Gb NICs.
 
It is using an iGo Logic motherboard (purchased in bulk as the BCM mITX boards).
 
http://www.igologic.com/#!industrial-motherboards/c1o0l
 
http://cocoontech.com/forums/blog/29/entry-415-from-anyone-using-pfsense-as-a-firewall/
 
Not sure what the total throughput would be though on this device.
 
Play first.  Note this is a recommendation to utilize pfSense (but it's only my opinion based on only months of using it).
 
Install pfSense on any old box you have sitting around and throw a couple of extra NICs on the device.  Note that pfSense is free.
 
Personally I did donate to their forum website.
 
I would strongly suggest whatever solution you settle on includes UTM.
 
Firewalls are fine for keeping people from breaking in, but the biggest threat is users on the inside, and that's where UTM comes into play.
 
Frederick - I actually don't use the UTM features - so if those are things you wish for, then it's best to check the reviews and stick with reputable ones - that's where I probably would go SonicWall.  Or I might roll my own... another application I came across recently was Kerio - I really liked how powerful and easy to use it is - and I met some installers who buy small fanless PCs and build their own little appliance to run them off - they're pretty slick.
 
The Mikrotik/Routerboards have nearly unlimited flexibility, however they don't pass the test as far as being fairly easy to manage - they're made for networking experts, and though they have a GUI, it's a no-BS, get-straight-to-the-point GUI for editing values - there are no descriptors or wizards or anything... BUT there's a lot of info available online.  I like features like NTP, custom DHCP, custom DNS, etc. - they come in handy a lot when doing VOIP, and hardly any other routers give you that without going to Cisco CLI.
 
Re: IPsec, if that turns out to seem like an option - I just want to point out that unless you replace your primary router with this new endpoint, it likely won't work as a second appliance behind your primary - because IPsec often falls apart when double-NATed (when both ends go through NAT).
 
What I've gathered from this is that the determining factor is going to be any limitations caused by your work network - so you need to know if they block any ports (or sometimes block everything and push all traffic through a proxy server) - if they do block just about everything, then SSL VPN will likely be the way to go.  If they are fairly unrestrictive on the outbound, then SSH, SSL, PPTP would all work... PPTP would not require installing any software but would require a connection to be set up; I think SSL can work without installing a single thing or really leaving much of a trace.
 
And just a comment for all the "build your own" thinkers... depending on where you live - this can seem a lot less appealing... for instance, I live in a place where power costs are astronomical, and we don't have basements or even an extra square foot of space for equipment - our wiring closets are usually a too-small recessed box in the master bedroom closet (how all new homes out here are built) so you need to pack your necessary features into something extremely small and with minimal power consumption; that's why buying something new and purpose-built can actually sound better than repurposing that old stack of spare parts.  FWIW, I'm quite jealous of you guys with nice wiring closets or equipment rooms or especially basements - they give a lot more flexibility.
 
One reason I did not want to 'roll my own' is mainly because I know ZERO Linux (there I admitted it, whew, glad I got that off my chest)! ;)
 
Again, maybe it's something I should look into, though I'm just too busy with life to take on a science project at this moment.
 
I guess there is really no DIY solution that will not involve some digging and testing.  Problem is, where to start for my simple needs. 
 
I do like the idea of just putting OpenBSD on a computer, loading pfSense, and starting there; but I'm not sure what to even download!
 
I guess I'm going to be into some bucks to get something like SonicWall if I don't want to put in the research, or, go cheaper and put in the development time.
 
Relating to pfSense: it's plug and play.
 
You download the ISO, boot up and install it.
 
There are only a few prompts to get you to a default setup.  From there you utilize the webgui. 
 
The default "off the shelf" configuration will provide you with the basics. 
 
You do not need to know Linux to configure it, as all of the configuration is in the GUI.
 
I used a sort of media case for my pfSense firewall.  It is a small-footprint case which allowed me to stack two dual Intel NIC cards.
 
That said, I use these cases for my car PCs, which are really tiny.  I'm using one of these for my HomeSeer 3 Wintel server (mostly off these days).
 
 
OOOOOOOOhhhhhhh, OK, pfSense INCLUDES the operating system.  OK, I'll give it a try.  You think a crappy old 266 processor (old AMD machine) is too slow for this to test?
 
Sorry for being vain Pete, but can you give me a link for the exact ISO to download?
 
Thanks again for your help!!!
 