[plug] VPNs
Craig Ringer
craig at postnewspapers.com.au
Thu Aug 5 18:25:53 WST 2004
Cameron Patrick wrote:
> While I'm tempted to drag out my "Open VPN is nice" form letter, I
> wouldn't really recommend it in this situation (where there are many
> clients connecting to one fixed server). UWA use a PPTP-based VPN for
> making wireless access vaguely secure. The server runs on Linux,
> there are Linux clients around, and I believe the configuration needed
> for modern versions of Windows to be used as a client is next to
> trivial.
I think it's worth considering that using a full IP VPN if all you need
is (possibly read-only) access to some files may be overkill. A full VPN
can open a network to serious security issues (especially if you have
Windows servers or clients on your network) and may not be desirable
when simpler solutions can do the job.
For example, I'm having good results here with simple IMAPs and HTTPs
remote access for users. I provide them with Mozilla for their platform,
a client certificate, and installation instructions, and things 'just
work'. The user can access their work mailbox exactly as it appears from
work (in fact, many users use Mozilla Mail at work too) with seen
status, reply flags etc all maintained. I'd add LDAP address books in a
second if Mozilla added support for them. Access to files is read only -
they can view the shared directories they might need, and their home
directory, over HTTPs using Apache and download files. Generally they
just email changed files back in, and with our workflow here that works
well. Under other circumstances I'd be looking at WebDAV clients to
provide simple, controllable read/write access to the shared directories.
All these services run on internal hosts, but I use some iptables NAT
rules on the gateway to permit direct access from the Internet. Note
that you _can_ NAT or port forward SSL-protected services, the endpoint
host just needs to know that clients will see it as
'internethost.postnewspapers.com.au' not 'internalhost.localnet' and
have the appropriate certificate. This generally means split services -
a different Apache vhost for HTTPs+cert for remote access to the
internal intranet vhost; different IMAP configurations (trivial with
Cyrus thankfully), etc. IMHO none of it's very complicated, and it works
well.
I'm going to be adding a pre-configured PuTTY to the CD I give to users
soon, so that they can access an internal character terminal-based
system as well. Again, pretty easy - an SSH key that's only allowed to
do one thing and a pre-set configuration.
Giving home users or roaming users the ability to pierce our firewall
gives me the screaming willies, and IMHO is a recipe for disaster unless
you can tightly control the endpoint systems. Right, that'll happen. All
users update their OS, virus definitions, and personal firewall
regularly, right? *lol*. As a result, tightly controlled individual
services make me MUCH happier, and also simplify troubleshooting and
configuration.
--
Craig Ringer
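Craig's point about NAT-forwarding SSL services is that the internal host must present a certificate for the name clients actually connect to, not its internal name. The following is an added example, not code from Craig's message or from the PLUG list: it prints the gateway DNAT rules for IMAPS and HTTPS and checks that a certificate covers the external name. The hostnames are the post's own illustrative ones; `eth0`, `10.0.0.5` and the self-signed certificate are constructed placeholders, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post). Hostnames come from the post;
# the interface, internal address and certificate are constructed fixtures.

EXTERNAL_HOST="internethost.postnewspapers.com.au"   # what remote clients see
INTERNAL_HOST="internalhost.localnet"                # what the LAN calls the box

# Gateway-side rules forwarding HTTPS (443) and IMAPS (993) to the internal host.
# Printed rather than applied, so this runs without root. After PREROUTING DNAT
# the FORWARD chain already sees the rewritten (internal) destination.
dnat_rules() {
    ext_if="$1"; internal_ip="$2"
    for port in 443 993; do
        echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $internal_ip:$port"
        echo "iptables -A FORWARD -i $ext_if -p tcp -d $internal_ip --dport $port -j ACCEPT"
    done
}

# Return 0 if the certificate's CN or one of its DNS SANs equals the given name,
# i.e. clients connecting by that name will not get a hostname mismatch warning.
cert_covers_name() {
    cert="$1"; name="$2"
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$name" ] && return 0
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p' | grep -qx "$name"
}

# Constructed fixture: a self-signed certificate issued for the external name only,
# as the split remote-access vhost / IMAP instance would carry. Prints its path.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$EXTERNAL_HOST" -addext "subjectAltName=DNS:$EXTERNAL_HOST" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Stand-alone demo: ./nat-ssl-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dnat_rules eth0 10.0.0.5
    cert=$(make_test_cert)
    cert_covers_name "$cert" "$EXTERNAL_HOST" && echo "cert OK for $EXTERNAL_HOST"
    cert_covers_name "$cert" "$INTERNAL_HOST" || echo "cert does NOT cover $INTERNAL_HOST (expected)"
fi
```

The same check applies to a certificate fetched from the live endpoint (`openssl s_client -connect host:993`), which is the test to run after changing the NAT rules.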