Saturday, December 1, 2012

The Quest For Hassle-Free VPN, Part 1: From There To Here

In the years since I started working for ARC, one of my seemingly unending quests has been to establish a virtual private networking infrastructure to manage the now 200+ PCs spread out over 11 sites. This has proved to be a major undertaking, given that all those sites were on their own non-static-IP broadband services until earlier this year - not a total show-stopper with services such as DynDNS, but it certainly added a potentially significant point of failure if one were to try to set up site-to-site VPN.

My quest for the perfect VPN option has had a few driving requirements:

  1. Someone else manages the server - Since I am a one-person IT shop, I have always tried to steer clear of using infrastructure components that involved having to manage a server internally. That is a major reason I went with SAManage as my Incident/Asset management platform.
  2. No port forwarding needed - Again, if I had to open and manage ports on 11 routers, and change them every time I added or moved a client, it would be overly cumbersome. However, recently I have eased up on that for purposes of a few staff members using RDP to get to their work PCs from home.
  3. CHEAP - We're a non-profit. Ipso facto.
  4. Simple to set up and manage - Another motivation derived from the fact that I am doing this solo: I have tried to adhere to the KISS principle, in case someone else had to come in and take over if I were ever incapacitated.
  5. Works with RDP and Windows UNC - The initiative to set up a VPN is largely based on a need to establish an infrastructure management foundation. The two components I rely on most are remote access using VNC/RDP, and remote management using BatchPatch.
  6. Has an unobtrusive client presence (ideally runs as a service) - I don't want the system tray drawing attention to itself. Ideally, from the end user perspective, I want no evidence that there is a VPN connection on the PC at all. The fewer things people can click on, accidentally or otherwise, the better.
In my search for this ideal solution I have tried:
  1. Hamachi (the early years before LogMeIn bought it) - This was a great option for small networks, but at the time I was trying to steer clear of having to pay.
  2. Neorouter (April 2010 to February 2012) - This was a great service - the first one I thought was stable and robust enough to make it worth the time to install on every agency PC and manage with an internal server. And it was FREE! I used it for almost 2 years, and then they changed some aspect of the networking protocol that caused it to stop working with older versions of the client (which did not automatically update themselves or allow for a remote command-line update). I also discovered during an attempt to move the server component that it was far from straightforward to migrate. There were several days of agonizing over how I would remediate this as I struggled to repair the service, but I finally resigned myself to abandoning it and looking for another option.
  3. Comodo Unite (formerly EasyVPN) (5 minutes in February 2012) - It was free, it worked much like Hamachi, and seemed easy enough to install. However, I became suspicious of the very fact that it was free, and my suspicions were validated when I ran into a snag and tried to get some support on it. Several emails, no response. An enterprise with a free product has no motivation to direct support resources on that product. Moving on.
  4. Hamachi (February to November, 2012) - Having become frustrated with dead ends, and knowing of LogMeIn's acquisition of Hamachi (but being wary of earlier price points for their services), I decided one day to again check it out. I was ecstatic to discover that their annual subscription for the VPN service had become very reasonable. For $120 a year, I could have a 255-client network. Not only that, but they had a few options for topology, client distribution, and several ways to manage those end points via a very convenient web interface. SOLD! For a while... until the fateful week of November 19th, 2012, when LogMeIn did a wholesale change of their IP space from 5.x.x.x to 25.x.x.x and effectively knocked a large number of very pissed off customers offline. My own network did not fare as badly as some, but I decided that I wasn't going to continue relying on a vendor who conducted themselves so unprofessionally.
And so the search continues.

I have looked for a minute or two at... 
  • OpenVPN - prohibitive per-client licensing, complicated configuration
  • SecurityKISS - OpenVPN variant with bandwidth volume-based pricing, but open-ended potential for high bandwidth consumption
  • FreeLAN - prohibitively tedious SSL CA certificate distribution requirement
  • LAN Bridger - just didn't work as expected
None of them really met the criteria of easy management and cost effectiveness, and frankly at this point my faith in the stability or reliability of a vendor's infrastructure is seriously bruised.

Having exhausted my search, and having burned literally hundreds of hours researching, testing, deploying, and re-deploying clients, I came to the conclusion that it was time to revisit the option of rolling my own in-house VPN solution. I decided it was time to give Windows Server RRAS a go, in spite of the potentially steep learning curve involved.

And so begins my journey of blood, sweat, and tears... Coming Soon: Part 2 - Deploying an all-Microsoft VPN solution from scratch with no prior RRAS configuration or SSL deployment experience.