VPN Solutions for Small/Medium Businesses?

Posted by Cliff on Tue Apr 25, 2006 10:29 PM
from the a-network-in-a-network dept.
artbeall asks: "I work for a small company and we are looking at various commercial VPN solutions, however many seem to be too expensive for us. I am interested in what solutions other small/medium size companies are using for their VPN. Of course, we want a SECURE system that is compatible with common network gear like Cisco as well as being able to run the VPN client on Linux, Solaris, and Windows. Does anyone have suggestions or ideas?"
  • One word: PIX (Score:4, Informative)

    by overlord2 (136876) on Tuesday April 25 2006, @10:33PM (#15202284)
    Depending on what you mean by a 'small' company, I would look into using a Cisco PIX 506E. On CDW right now, they're ~$830. It sounds like it would meet all of your needs. I've used the PIX 506E for several smaller sites and it 'just works.'

    • Re:One word: PIX (Score:5, Informative)

      by zerocool^ (112121) on Tuesday April 25 2006, @11:00PM (#15202390) Homepage Journal

      Yeah, either that, or you could tell your boss you need a Pix, buy the same thing, with the same innards, by the same company [cdw.com], and buy yourself a nice 24" LCD with the leftover $700.

      30 concurrent VPN connections. Dual internet ports that can function as failover or load balancing. Built-in 4-port switch. $180. That's small business.

      ~Will
      • I have been struggling with QuickVPN and a RV042 recently. Basically, it works in some cases and not others.

        I eventually solved the problems, but the solution involved bypassing the client side QuickVPN software. There are plenty of postings on the web about the problem and Linksys support are basically unresponsive. However, I am pretty sure I know the root cause of the problem.

        On the plus side, I can't see any evidence that the tunnels that I have created using my home-brew solution are counted against th
      • The Cisco Pix (now ASA) product line is not even distantly related to any LinkSys on the market. Cisco does not make Linksys products. Linksys makes Linksys products. Yes, I'm well aware that Cisco bought Linksys on 3/21/03 but that does not change the fact that Cisco's and Linksys products are not in any way related, yet. There isn't a single product in either company's arsenal that crosses over. I work for a Cisco Partner and I work with Pixs every day.

        That said I'd recommend either a Pix 501 or 506 for a

        • It's similar to a Pix 501, but certainly not a pix 506e. If I could pick up a pix 501 for under $200 though for my house, it seems like a good deal. A shiny green cisco logo not required for equipment in my attic.
          But for any size business I don't think a pix 501 is a good choice for a VPN concentrator.

          If the submitter already has a Windows network, which is likely, is there any reason not to use the PPTP already built into the Windows servers?
          • If the submitter already has a Windows network, which is likely, is there any reason not to use the PPTP already built into the Windows servers?

            There are some limitations with the Windows built-in PPTP services. This isn't even starting to mention that it is less secure (but sufficient in most cases) than a full-blown IPSec setup using certificates.

            One limitation I think we ran into is a practical limit of about 5 or 6 connections at the same time. On ours, it would either drop connections to allow more than that

    • Be careful with any Cisco PIX devices; whilst they work well and run the same code across the product range (mostly), licensing and maintenance can be a pain. Functionality is also dependent upon product, i.e. failover is not available at the bottom end.

      Maintenance is especially irritating when it comes to the Cisco VPN client: you cannot obtain a legitimate copy from the Cisco website without a maintenance agreement. And there are fairly frequent updates.

    • If you are going to try to go with Cisco for VPN, I'd recommend going with an ISR (Integrated Services Router) before going with a PIX. You can get a good 830 series (for a really small setup) or an 1811/1812 for the same price as the PIX 506E, but it offers a lot more features. Firewall, VPN, IPS, built-in switch, router, and wireless (on the 1811/1812). It can't all be bad.

      Oh, and to answer the cross-platform question, there are VPN clients for Windows, Solaris, Linux and Mac OS X.
  • I've been trying Hamachi [hamachi.cc]. It seems to work as advertised. It makes a connection between a computer behind a hardware and software firewall with a cable ISP and another computer behind a hardware and software firewall with a DSL ISP. Both hardware firewalls have NAT (Network Address Translation. I know not everyone who reads Slashdot works with this.)

    However, the cable ISP is Comcast. Comcast, in this area, seems to throttle or stop anything besides HTTP traffic.
    • Other issues:

      Hamachi setup: The setup time for Hamachi is exactly what they say: a few minutes. The interface is a bit quirky, and the documentation is limited.

      Anyone using Hamachi may want to run it as a service; see this explanation from Cyberonica [cyberonica.com].

      Insecurity: Hamachi uses a very sensible technique for getting around firewalls and NAT. So does Skype VOIP [skype.com]. Of course, that means firewalls and NAT are not really protecting us.

      In no way am I saying that Hamachi itself is insecure. I don't think t
    • Note that OpenVPN requires that you have access to the router to open a port.

      Hamachi works when you don't have access to the router. In some cases in which the router in administered by someone who won't give you access, Hamachi can work where OpenVPN won't.
  • Openvpn (Score:4, Informative)

    by Anonymous Coward on Tuesday April 25 2006, @10:50PM (#15202343)
    Why not use OpenVPN? We run this on Linux, OpenBSD and Windows.
    • We looked at OpenVPN [openvpn.net]. It looked like a lot of work to get it to function behind a NAT firewall. A google search restricted to the OpenVPN web site [google.com] brings up many, many questions, and not many answers [telindus.be].

      Anyone have experience?
      • We tried a Google search that eliminates mailing list messages [google.com], which mostly seem to be answered in a very limited way.

        As you can see, there are very few documents that mention NAT firewalls.

        In some ways OpenVPN appears to be a typical Open Source project. Documentation is often more work than writing the program, and most Open Source developers don't want to do the documentation, and don't want anyone else to do it, because of perceived loss of credit.
      • by arivanov (12034) on Wednesday April 26 2006, @01:13AM (#15202763) Homepage
        Bollocks.

        It works fine behind a NAT in either UDP or TCP mode. It has always worked. I have run it for road warrior access for the 3rd year now after switching over from an IPSEC/PPTP solution.

        If you use OpenVPN 2.0+ you can push options and manage everything from the server just like on a commercial VPN product. The only missing bit is the firewall management so you need to get a decent third party firewall.

        A measly £320 worth of Via C3 running OpenVPN can deliver 200+ clients with an aggregate client bandwidth of 50MBit+. The comparable Cisco device is a higher-end PIX or a 3000 series concentrator which costs 5 times that.

        In addition to that with OpenVPN you can build a proper VPN infrastructure with failover, dynamic load balancing between tunnels, balancing between links, DDNS targets on either end, QoS to allow VOIP links in that, etc. With most IPSEC based solutions (including Cisco) you cannot get even close to that.
      • I set up a new firewall at home last weekend using FreeBSD, PF, and OpenVPN. I hadn't used PF and OpenVPN before and it took maybe one afternoon to set it all up, so it's not that hard. (No, not a simple home version, but one involving crossing a firewall at work, and on my side separate networks for internal, DMZ, and wireless.) I'd say give it a shot and just build two test machines, especially because you can monitor in realtime what PF is doing by using tcpdump on the pflog0 interface.
      • I can confirm that it works fine with multiple clients behind a NAT firewall (which more often than not totally fucks up commercial IPSec-based VPN clients). I mean - it's basically SSL, so there is no reason why it shouldn't. Setup was a breeze, reliability in my book is very good. OpenVPN is much much better than the Watchguard MuVPN solution I replaced by it (basically a souped-up OpenSWAN with the SafeNet Soft Remote Client). Also clients are available for all mainstream platforms, which is also always
  • IPCOP (Score:3, Informative)

    by mcamino (970752) on Tuesday April 25 2006, @10:50PM (#15202345)
    Hey. We run a medium-sized ISP out of Wilmington, Delaware and we have had GREAT luck using IPCOP and Linksys BEFSX41 endpoints. The Linksys routers are easy to set up and configure and they can be bought cheaply on eBay or any Staples or CompUSA. IPCOP is completely Linux-based, the setup is more idiot-proof than a Windows install, and it has a web-based admin which rivals standard stand-alone routers. IPCop can run on tons of hardware configurations. We personally run it with 5 network cards and it handles the VAST MAJORITY OF OUR ROUTING needs. Did I mention IPCop is free? Give it a try.
    • Agreed. I use IPCop to link five regional offices. Net-to-net VPN with IPCop is great. "Road-warrior" IPCop with Windows clients is tough to get set up, which is why some people run OpenVPN in concert with IPCop, or use client-side hardware as the parent poster does.

      For offices ranging from 5-35 employees, I use old 200-400MHz Dell desktops with ~128MB RAM and 4-8GB hard drives as the IPCop routers.
    • by InitZero (14837) on Wednesday April 26 2006, @08:45AM (#15204191) Homepage
      I have used IPCop for many, many months. With the OpenVPN addon, it makes a sweet RoadWarrior setup. The OpenVPN GUI is even easy enough for our executives to use.

      For us and our 30-something employees, it cost us nothing to put IPCop online. It ran for a year on a P-III/700MHz/256M Dell. We recently upgraded the RAM to 768M so we could make better use of the Squid cache.

      You can get an IPCop server online with VPN in under an hour. As long as you have a computer in the spare parts closet, IPCop is far less expensive than any other solution.

      Matt
  • Since it's a small company, I assume you use a Windows 2000 or 2003 domain. Use an OpenBSD box that redirects PPTP connections to the Windows server.

    Sure there are superior systems but they don't necessarily 'fit' into the small business Wintel setup. If you're running an all-Linux network, you wouldn't be asking this question and you sure as hell wouldn't look around for commercial offerings.

    If your users are OK with typing in an extra password, use OpenBSD's own SSH or ipsec based VPN, and L2TP on the client wi
  • Cisco VPN 3000 (Score:5, Informative)

    by anderiv (176875) on Tuesday April 25 2006, @10:57PM (#15202380)
    At work (~90 employees...I guess that would qualify as medium-sized??) we use a Cisco VPN 3000 Concentrator. It's been rock-solid for us for two years now, and I'd highly recommend it. If you want to go the VPN-client route, Cisco has official clients for Mac, Windows and Linux, but the box is also compatible with the PPTP VPN clients that come with most modern operating systems and it's also fully IPsec compatible. So...for example, if you wanted to, you could set up a Linux gateway at home that would connect to your work VPN and establish a LAN-LAN VPN link.

    If this proves to be too expensive, you ought to look at OpenVPN. It's quite stable at this point, and they have clients for Windows, Mac and Linux as well. You'll have to have some amount of knowledge of Linux networking/firewalling to get it set up right, but there's plenty of documentation out there to guide you.
    • Finally someone with some good advice. I would forget about anything which is considered a consumer product. We use a whole host of Cisco 3000 series VPN devices for all sizes of small and large branch offices. We use from the 3002 to the 3030. I have to say, they are ultra reliable, very secure, very well supported by Cisco and the associated community of Cisco users, and have clients for major OSes. It's a win-win situation if you ask me. You do have to shell out a little more than the guy who was reco
      • Er, no, the client is also 64-bit - I am using it on my amd64 (Gentoo) without any problems. Same for the Solaris client, it's 32- & 64-bit.
  • DIY VPN (Score:4, Informative)

    by strredwolf (532) on Tuesday April 25 2006, @10:57PM (#15202381) Homepage Journal
    I've set up a PPTP VPN using a Ubuntu 5.10 server and PoPToP. All you need is to port forward the PPTP port to the set-up server.

    Windows has the client native to the system. Linux can compile PPP and the PPTP client, and w/kernel 2.6.15+ you don't need to patch the kernel to get MPPE encryption/compression. Solaris, alas, needs some patching. I googled this:

    http://mcarpenter.free.fr/Dev/pptp.php [mcarpenter.free.fr]

    All works fairly well.
  • Poptop (Score:4, Informative)

    by PAPPP (546666) on Tuesday April 25 2006, @11:04PM (#15202402) Homepage
    If you want good integration with Windows (read: PPTP), and want to keep it on a nice cheap *nix box, try Poptop [poptop.org]. Runs on most any *nix, entirely compatible with the built-in PPTP support in recent versions of Windows. I've been running it for my own purposes (admittedly not on a "small business" scale, only one or two users) for years on a modest Linux box and it hasn't given me any trouble connecting from WinXP or Linux clients.
    • Just one problem with this... it seems like using it with the Microsoft client will pretty much restrict you to MS-CHAP v2, which is horrendously broken (as described on the Poptop website: wildly insecure). It looks more easily broken than WEP, and WEP is pretty damn easy (apples and oranges, but still...)

      OpenVPN looks to be about the only really good choice at the free level. If I'm wrong, I'd love to know about it, though.
  • OpenVPN (Score:5, Informative)

    by peacefinder (469349) * <alan.dewitt@NOsPaM.gmail.com> on Tuesday April 25 2006, @11:17PM (#15202452) Journal
    Go to openvpn.net. It's very straightforward to get a multiuser openvpn server up, using pre-shared keys or certificates. It's free, it's simple, it's multiplatform, and it's sufficiently secure for business purposes.

    (However, if by "compatible with common network gear" you mean you need to host a VPN endpoint on a Cisco box, then OpenVPN probably won't work. If you can pass the connection through a firewall to a DMZ server, though, it should work fine.)

    If you want a completely free solution, use OpenVPN hosted on an OpenBSD (or other free OS) firewall.
    • Re:OpenVPN (Score:3, Informative)

      I second that. Dead easy to set up, and does almost everything you could want.

      The one and only 'gotcha' I found is in situations where PMTU isn't working right and you are using compression on the tunnel packets. The MTU of the tunnel thinks it's 1500, but it should really be 1500 less the tunnel overhead. A ping shows that a 1500 byte packet gets through, but only because it's easily compressible data. When you start moving actual data around, suddenly connections hang for no readily obvious reason. It coul
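The compression/MTU gotcha described in the reply above, as an added simulation (not code from the original thread or from OpenVPN): it models an encrypted UDP tunnel with an assumed, constructed overhead figure and shows why a full-size ping passes while a full-size packet of real data does not.

```python
import random
import zlib

# Constructed figures for illustration: a 1500-byte Ethernet path MTU and an
# assumed 69 bytes of per-packet overhead for an encrypted UDP tunnel (outer
# IPv4 20 + UDP 8 + an assumed 41 bytes of tunnel header, IV, padding and MAC).
# Real overhead varies with cipher, HMAC and IPv4/IPv6, so measure your own.
PATH_MTU = 1500
TUNNEL_OVERHEAD = 20 + 8 + 41


def tunnel_mtu(path_mtu=PATH_MTU, overhead=TUNNEL_OVERHEAD):
    """Largest inner packet that fits in one outer datagram without fragmenting."""
    return path_mtu - overhead


def encapsulated_size(inner, compress, overhead=TUNNEL_OVERHEAD):
    """Bytes on the wire for one inner packet, optionally compressed first."""
    body = inner
    if compress:
        packed = zlib.compress(inner)
        # Tunnels send the compressed form only when it is actually smaller.
        if len(packed) < len(inner):
            body = packed
    return len(body) + overhead


def fits(inner, compress, path_mtu=PATH_MTU):
    """True if the encapsulated packet fits the path MTU as a single datagram."""
    return encapsulated_size(inner, compress) <= path_mtu


def ping_payload(size):
    """Constructed ping-style data: a repeating byte pattern, highly compressible."""
    return bytes(i % 256 for i in range(size))


def data_payload(size, seed=1234):
    """Constructed 'real' data: deterministic pseudo-random bytes that do not compress."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def ping_test_misleads(size=PATH_MTU, compress=True):
    """True when a full-size ping succeeds but a full-size data packet does not:
    the symptom of an over-sized tunnel MTU hidden by compression."""
    return fits(ping_payload(size), compress) and not fits(data_payload(size), compress)


if __name__ == "__main__":
    print("tunnel MTU should be", tunnel_mtu())
    for label, payload in (("ping", ping_payload(PATH_MTU)),
                           ("data", data_payload(PATH_MTU))):
        print(f"{label} 1500B: compressed fits={fits(payload, True)}, "
              f"uncompressed fits={fits(payload, False)}")
    print("ping test misleading:", ping_test_misleads())
```

The cure is to size the inner MTU at path MTU minus overhead; in OpenVPN the tun-mtu and mssfix options exist for exactly this.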
  • I really like OpenVPN [openvpn.net]. It works as a client or a server on Windows, Linux, FreeBSD, Mac OS X, and other operating systems, and it is pretty easy to install, configure, and run. I just followed the how-to [openvpn.net]. It operates over UDP or TCP, you can tunnel it through HTTP or SOCKS proxies, and the server can use any cipher or hash available in the OpenSSL library. PPTP is ubiquitous, but it has serious flaws [schneier.com]. IPSEC is supposed to be standard, but interoperability is a configuration nightmare (especially if you try to do something complex, like use X.509 certificates, or something non-standard, like authenticate users against RADIUS). Firewall/NAT traversal can present serious challenges in some cases as well, as some firewalls can't handle non-TCP/UDP protocols. CIPE requires special support in the operating system kernel [sites.inka.de] and only works on Linux and Windows, and tunneling TCP over TCP (when running PPP over SSH) is a really bad idea [sites.inka.de].

    I'm using OpenVPN to tie routers running OpenWRT (Linux) [openwrt.org], routers running FreeBSD, and workstations/laptops running Windows, FreeBSD, and Mac OS X together. It works flawlessly.

    • OpenVPN is great. We've tried the PPTP thing, but there is a tendency for users to dink with settings that end up with unwanted traffic on our network (e.g. default route goes through the VPN).

      OpenVPN puts all of this in a config file even on windows. Distribute the config and installation package and you're done. Need more security? Distribute the key files as well.
    • You do realise that that Schneier article about flaws in Microsoft's PPTP is eight years old, right?

      Microsoft released a patch/upgrade (DUN 1.3) for Windows 95, Windows 98 and Windows NT 3.51 which Schneier agreed [schneier.com] fixed most of the problems.
  • My Experience (Score:3, Informative)

    by Anonymous Coward on Tuesday April 25 2006, @11:35PM (#15202510)
    Maybe I'm just an idiot, but OpenVPN was difficult to sort out in the beginning. There really needs to be a quick setup guide that'll get you running in under 10 minutes. If not that, then maybe a GUI solution that's better than what currently is in place, especially for Windows installations. If this was done, I can imagine that OpenVPN would gain much more wide acceptance.

    I've heard people have much success with Linksys VPN routers. But Cisco VPNs will always be a sure bet.
    • There are currently easy-to-find howtos that take 10-15 minutes to set up a simple VPN, and they are clearly marked on the OpenVPN website. The Windows client, while it doesn't have a GUI, is a service, which makes it fairly simple to enable/disable with a GUI, or just leave on all the time. Config files can be copied from one client to another; only a couple of lines need be changed -- and it's possible to avoid even that.
    • I don't know when you tried it, but when I did (recently) there was a 'quick setup guide' and it took me less than 10 minutes to set up with a simple pre-shared key.
      • I tried this about 2 years ago. 10 minutes was just about the compile time. I finally got it working after about two weeks and thought about using another solution if it ever went down. I don't support that site anymore and have no clue what they are using now. Things must have really changed in the last year or so.
        • I guess they must have; not only did I set it up within 10 minutes, I instructed someone how to set it up who had never set up a VPN before in around 10 minutes. The example that comes with OpenVPN is just about ready to go for a simple preshared key setup - just substitute your own information where necessary.
    • Re:My Experience (Score:5, Informative)

      by youngerpants (255314) on Wednesday April 26 2006, @07:40AM (#15203789)
      I have very recently (last week) set up an OpenVPN service for one of my clients on an Ubuntu box.

      http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ [itsatechworld.com]

      That site has a very easy to understand howto with plenty of client and server examples. After a day of trawling through the OpenVPN documents, this howto was a breath of fresh air.

  • Astaro (Score:3, Interesting)

    by dracocat (554744) * <dracocat@hotmail.com> on Wednesday April 26 2006, @12:08AM (#15202608)
    I have definitely become a fan of Astaro [astaro.com]. It is not free, but in my opinion very reasonable, and worth the cost in time savings. It works with the built-in Windows client, and the thing pretty much installs and sets itself up. They have a free 30-day full-featured demo, and the entire thing is free for "home use".

    Did I mention I have become a huge fan? or was it already obvious?
  • *shrug* (Score:3, Informative)

    by Theatetus (521747) on Wednesday April 26 2006, @12:14AM (#15202625) Journal

    Small company? Then either openswan or PPTP on a commodity server. No need to take sledgehammers to a cockroach.

  • DUPE.

    http://slashdot.org/comments.pl?sid=182998&cid=15123283 [slashdot.org]

    I know, I know, that one said "distributed". Sheesh. My answer remains the same. OpenVPN, like 90% of the answers here. :P

    I'm not being cynical. I'm just tired. :D
  • M$oft. (Score:4, Funny)

    by ikejam (821818) on Wednesday April 26 2006, @12:42AM (#15202688)
    MS ISA Server.

    HEY I'm just providing an alternative.
  • I'm the systems admin (domain admin. donning asbestos suit.) for a small/medium business in New Orleans. We use one Netscreen25 [netscreen.com] in our main office downtown. That gives us granular control over individual users' security policies if desired, but I'm in the process of moving them all to a single policy to ease administration. The box can maintain 125 concurrent tunnels. It can do quite a bit of other craziness as well, but I haven't worked here long enough to get deep into it. Too much other stuff to do. Not ab

  • Hamachi is pretty much what you're looking for.

    Or if you like to stuff around, OpenVPN.
  • by WuphonsReach (684551) on Wednesday April 26 2006, @08:41AM (#15204161)
    One of the big issues with VPN technologies is the NAT routers that protect home offices. The corporate office side is easy, just punch the appropriate holes in the firewall and the remote clients can easily connect to the network.

    Where things fall apart is that you have multiple laptop users who are behind their own NAT routers at their homes. You need to use VPN software on the laptops (not on the NAT routers) because you only want their work machines connecting in. That's easy enough, until you run into a situation where you have 2 or 3 users who get together and collaborate frequently behind a single NAT router.

    It seems like PPTP (maybe SSL?) was better suited for situations where you might have multiple users VPN'ing in from the same source IP address (hidden behind a NAT router, such as an ad-hoc meeting in someone's house or multiple users meeting in a coffee shop). All of my readings on IPSec indicated that IPSec can't handle that particular usage style.

  • snapgears! (Score:4, Interesting)

    by alta (1263) on Wednesday April 26 2006, @08:43AM (#15204166) Homepage Journal
    Cyberguard bought SnapGear, but they still sell the same products. These are great little boxes that we used to set up a 7-office network across the state of Alabama across whatever networks were cheapest (cable, DSL, T1).

    We had 530s in each of the hub offices and a 575 in the main office. (Still have the 575, have since closed all the branches) I still have the 530s and I refuse to sell them because they are such nice little boxes. I'm going to take one home and make it vpn back to here.
  • racoon ISAKMP daemon (Score:3, Informative)

    by Jizzbug (101250) on Wednesday April 26 2006, @10:09AM (#15204820)
    racoon is a very good Internet Security Association Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) daemon. It is used to auto-negotiate keys for IPsec sessions.

    At work we have three VPN concentrators built using Linux and racoon. Two are configured as normal tunnel-mode concentrators, using fully-qualified usernames on the endpoints for authentication. One of these is for employees, the other is for customers. We are able to use any commodity VPN endpoint device which supports IKE identifiers (for example, Netgear FVS114).

    We also have a third concentrator which is configured to use Xauth and /etc/passwd for authentication. This concentrator allows the Cisco VPN Client software to connect into the network for Road Warrior style access (also does much better with NAT traversal than tunnel-mode IPsec).

    It's a pretty kick ass setup, actually. In particular, you don't have to have a Linux/BSD box or other PC at every endpoint location, just lil' IPsec-enabled gateways/routers (Netgear FVS114 is the best I've found so far, even other Netgears like FVS318 devices suck or are broken).
  • How small? (Score:3, Informative)

    by WhiteWolf666 (145211) <moornblade at gmail@com> on Thursday April 27 2006, @11:49AM (#15213456) Homepage Journal
    Are we talking 5-10 man offices, over a DSL line?

    Get a WRT54G. Run DD-WRT. Use either the PPTP server or OpenVPN.

    Done and done.

    Of course, your WRT54G won't handle more than 10 users or so; you'll want to switch to a dedicated box or router for that. But you can't beat it in terms of cost/availability -- you can get this sucker up and running in 5 minutes flat, pick one up from Best Buy for ~$50, and there are no moving parts whatsoever.

    For a very small office, it's great. For a series of small offices in a larger company, it's okay too. We use this sort of segmented VPN in our offices because of bandwidth reasons; we don't have enough uplink at any given location to really set up a better solution, and we can't financially justify purchasing more than 1 Mbit/s of uplink anywhere.
  • by PFactor (135319) on Friday April 28 2006, @07:00AM (#15219836) Journal
    Citrix bought a company called Net6 a couple of years ago. Net6 made an SSL VPN "appliance", which runs a hardened Linux OS. Citrix rebranded it as the "Citrix Access Gateway", or CAG.

    The 1st iteration was not so good because they rushed the rebranding and integration stuff. The 2nd and 3rd iterations were OK.

    The latest revision is quite good. It supports around 2000 concurrent users, has easy to use yet powerful access controls and integrates nicely with Citrix's Presentation Server 4 product.

    The cost is pretty good: the box is $2500 and licenses retail for around $100/concurrent user. If you have 100 users and your highest expected concurrent remote access count is 25, your cost would be $2500 + 25 x 100 = $5,000. If you buy 2 boxes (they have a built-in failover mechanism for redundancy), the cost would be $7500.

    I work for a major healthcare provider and we're replacing Cisco VPN concentrators with the CAG. We bought 4 CAGs and are using Citrix's Advanced Access Control (AAC) product to integrate the CAGs with our internal portals (AAC makes the cost go up pretty high, though). We have around 40,000 users and our max concurrent remote users is currently around 4,000.

    Check it out: http://www.citrix.com/English/ps2/products/product.asp?contentID=15005 [citrix.com]

    And no, I'm not the CEO of Citrix in disguise. I just believe in their products; we've saved a ton of $$$ using them!