Remote access to servers should be secure. I guess we all agree on that.
Still, sometimes there is no way around potentially insecure services like Remote Desktop or VNC. Or maybe you have servers that are not publicly accessible because they are hidden behind a second firewall.

In order to both secure potentially insecure services and allow access to otherwise inaccessible servers you can use a Virtual Private Network, or VPN.

First of all, I want to say that I think there are too many different implementations of VPNs out there. Windows seems to favor PPTP as its way to connect to VPNs. Aside from that there is L2TP, IPsec, OpenVPN and, if you want to count it as a VPN, tunneling through SSH. And possibly a few more nobody really cares about.
Thus, when given the opportunity to use such an encrypted connection, the first question has to be what kind of VPN it actually is, because there is no one-size-fits-all configuration.
With IPsec being part of IPv6, and not just glued on top as in IPv4, there is hope, albeit little, that maybe, and just maybe, IPsec may establish itself as “the one VPN solution”.

So, having this situation in our data center, both using Remote Desktop and VNC and having servers behind a second firewall, thus being inaccessible from the Internet, I have decided to switch our remote access to OpenVPN.
Why OpenVPN? Because it is easy to set up on the server and on the (Linux, Windows apparently needs some work here) client, and since it works through either UDP or TCP, setting up rules in the firewall is quite easy too.

The biggest problem I actually had when setting up the whole thing was getting Windows to connect to it. Since Windows does not have native OpenVPN support, I had to look for a client. In order to make things as easy as possible, this client was supposed to be as easy as setting up a connection using NetworkManager. Problem was, I couldn’t find any OpenVPN GUI for Windows that included connection setup.
Given that Windows is usually said to be easier for users to manage than Linux, this was quite disappointing.

In the end I went with the official OpenVPN GUI and created a config file with generic names for certificate and key files, in order for it to be re-usable without the necessity to edit the configuration file for every client.
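
A client configuration along these lines, as an added example rather than the author's actual file: the server name `vpn.example.com`, UDP port 1194 and the file names `ca.crt`, `client.crt` and `client.key` are assumptions. Every client stores its own certificate and key under the same generic names, so the file is copied unchanged; `remote-cert-tls server` makes the client reject a peer whose certificate is not marked for server use.

```conf
# client.ovpn - identical on every client (constructed example)
client
dev tun
proto udp

# Assumed server name and port; replace with the real endpoint.
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# Generic file names, assumed to sit in the same directory as this file.
# Each client gets its own client.crt / client.key pair under these names.
ca ca.crt
cert client.crt
key client.key

# Only accept a peer certificate issued for server use, so another
# client's certificate cannot be used to impersonate the VPN server.
remote-cert-tls server

verb 3
```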

After all that was done, I could successfully connect my Windows VM to our data center VPN.
Now I just have to roll this out company-wide…

Thank you!
Dennis Wronka
