    WTF I AM DOING WRONG (VPN edition) ?

    IT Discussion

    • scottalanmiller

      Why is DHCP coming from the "main router" instead of from your Windows server?

      • Emad R @scottalanmiller

        @scottalanmiller

        We don't have an Active Directory, and what's the benefit of DHCP from Windows Server (I reckon it's situations like these...)?

        Could it work with the main router? I guess it's easier to have the DHCP on the main router, and I don't want to configure clients to point to the new DHCP, and I reckon DHCP on the main router is a simple service that won't slow it down.

        • scottalanmiller @Emad R

          @msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

          @scottalanmiller

          We don't have an Active Directory, and what's the benefit of DHCP from Windows Server (I reckon it's situations like these...)?

          Why do you have a Windows server at all? (Not saying that there isn't a great reason, but without AD it would be surprising to find one.) DHCP from the router is not generally considered ideal. It's not a big deal, but in situations like these you are trying to go "all in" on Windows while not letting Windows handle this one portion.

          If you don't have AD, though... why would you ever use Windows as a VPN aggregator? This is backwards... if you were going to split these roles you'd have the VPN on the router and DHCP on the Windows machine.

          • scottalanmiller @Emad R

            @msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

            Could it work with the main router? I guess it's easier to have the DHCP on the main router, and I don't want to configure clients to point to the new DHCP, and I reckon DHCP on the main router is a simple service that won't slow it down.

            That's not how DHCP works. There is no configuration or pointing when using DHCP. That's the whole point of it.

            • Emad R @scottalanmiller

              @scottalanmiller said in WTF I AM DOING WRONG (VPN edition) ?:

              If you don't have AD, though... why would you ever use Windows as a VPN aggregator? This is backwards... if you were going to split these roles you'd have the VPN on the router and DHCP on the Windows machine.

              To be honest, setting up VPN in Windows Server is easy, and like I said I don't know much about VPN. I tried OpenVPN but I didn't like the interface, for the client and the server.

              I need to have a solution that provides a very easy client VPN setup, and the Windows built-in VPN client is relatively straightforward.

              • scottalanmiller @Emad R

                @msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

                I need to have a solution that provides a very easy client VPN setup, and the Windows built-in VPN client is relatively straightforward.

                It's also not working and does not provide a good experience once connected because it is in the middle of your network and many versions of it are famously insecure.

                OpenVPN is definitely one of the "less simple" VPNs out there. Did you try to just use the VPN on your router? What router are you using, anyway?

                • scottalanmiller

                  Also, your VPN software is more than half a decade out of date. That's not something I'd want going on with a key security system.

                  • Emad R @scottalanmiller

                    @scottalanmiller
                    OK, based on your experience, do you know another VPN setup/software/server that plays well with the Windows VPN client?

                    Or, a better way to put it, what is the easiest VPN client that you have used? Or simple to set up and secure.

                    • scottalanmiller @Emad R

                      @msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

                      @scottalanmiller
                      OK, based on your experience, do you know another VPN setup/software/server that plays well with the Windows VPN client?

                      Any IPSec should, but why do you want to use the Windows VPN client?

                      • scottalanmiller @Emad R

                        @msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

                        Or, a better way to put it, what is the easiest VPN client that you have used? Or simple to set up and secure.

                        All depends on the full use case. VPN is not one size fits all. Overall the easiest has been ZeroTier.

                        • scottalanmiller

                          We need to back up, though, and figure out your needs.

                          • What is the purpose of the VPN? We generally don't recommend new VPNs today. Sometimes they are needed, but on average, they are not. This is a legacy network design. In a small network, you may easily have other options.
                          • What are the resources on your network?
                          • What interactions do VPN users need to have with non-VPN users?
                          • What is the network design?
                          • Emad R @scottalanmiller

                            @scottalanmiller

                            Sorry for the delay, and thanks for pursuing this with me.

                            The purpose is for end users, who are very unskilled at IT, to connect to company resources, like the NAS and perhaps RDP to their workstation if needed.

                            Resources, I reckon, are only the NAS + router/modem + 3 APs + a server with VMs on it that host useful web apps.

                            No interaction is needed between users; it is just one-to-one access for end users to their resources.

                            Network design: will I implement it so it's FANTASTIC, I mean it's HUGE, they are So WINNING right now :). But in summary everybody connects using 3 APs that are configured to be on the same network, no VLANs or anything; everybody is on the same subnet.

                            I am also reading on ZeroTier, but since we have a server, I was thinking of using it, instead of relying on the hosted solution.

                            • scottalanmiller @Emad R

                              @msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

                              I am also reading on ZeroTier, but since we have a server, I was thinking of using it, instead of relying on the hosted solution.

                              That's "sunk cost" thinking. Certainly consider that you own a server, but don't let that weigh too much because there are several things to consider:

                              • Windows is terrible at VPNs
                              • Your Windows is woefully outdated and you should be very wary of using it.
                              • Windows is not free so while you "already own it" today, you don't "already own it" tomorrow.
                              • You "already own" VPN on the router, OpenVPN and ZeroTier, too. So that aspect is equal to your current Windows server. You also "already own" Linux and BSD solutions for this. So even though you already own a very old Windows server, you don't own it "as much" as several other solutions.
                              • scottalanmiller @Emad R

                                @msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

                                Resources, I reckon, are only the NAS + router/modem + 3 APs + a server with VMs on it that host useful web apps.

                                So the NAS is the sole network resource? The entire business runs off of a single NAS? What kind of NAS is it? Many NAS have built in VPN options, but generally this is not as good as using your router for this.

                                NAS don't really work well over VPN. Have you considered moving to a more modern file storage model using something like NextCloud? This will be somewhat disruptive for internal users, but the earlier you eliminate technical debt, the sooner you benefit from it and the less debt you have to overcome.

                                • scottalanmiller @Emad R

                                  @msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

                                  It sounds like if you moved to NextCloud (I don't know that you can, just giving an example here) and provided an RDP access solution like Guacamole, you don't have any need for a VPN at all.

                                  • scottalanmiller

                                    Of course NextCloud and a NAS are not the same and you can't always just switch one for the other, I don't mean to imply that, but a lot of NAS are put in when NextCloud would make more sense. Understanding the use case is important. But if you want to access a NAS over VPN, it probably isn't the right use case for a NAS.

                                    • Emad R @scottalanmiller

                                      @scottalanmiller

                                      Hey... okay, don't kill me, but this discussion got me thinking and I think I have solved it.

                                      But it got me thinking why I am using Windows in the first place, and I searched and found 2 tools:

                                      FreeLan
                                      And SoftEther

                                      I didn't like FreeLan because the configuration was with Notepad/a text editor.

                                      But SoftEther worked, very simple and great to set up (v4.20). After connecting to the VPN using it, if I have a duplicate IP address on both networks, it will default to the VPN IP. For example, if I am connecting to the VPN site from a workplace that has the same subnet as the VPN, like both 192.168.1.x, and then I want to connect to 192.168.1.1, it will show me the VPN site... however, when I did this with Windows it showed the local site.

                                      Anyway, I really loved how their software download and guides are very easy to read and understand; everything is pretty much guided. I was surprised that the server software detected that I am running a VM and told me to enable promiscuous network mode.

                                      So I will most probably use this. Their client is easy and I reckon the VPN will be more secure.

                                      https://en.wikipedia.org/wiki/SoftEther_VPN.

                                      Thanks for all the help and bashing; it helped me to move away from the Windows solution.

                                      • scottalanmiller

                                        You are seeing why the "Linksys" range is suggested to never be used. 192.168.0.0, 192.168.1.0 and 192.168.2.0 are recommended as "dead" ranges used only by non-technical home users. Never use them in a business because they will always cause VPN issues.

                                        • scottalanmiller
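An added example, not code from the thread or from any of the products named in it: a small Python check for the overlap problem Emad hit (client LAN and VPN site both on 192.168.1.x) and for the "dead range" rule above. The function names, the dead-range list and the candidate private blocks are my own assumptions.

```python
import ipaddress

# Default consumer-router subnets the thread calls "dead" (assumed list).
DEAD_RANGES = [ipaddress.ip_network(n) for n in
               ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")]


def in_dead_range(cidr):
    """True if a proposed subnet touches any of the common home-router ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(d) for d in DEAD_RANGES)


def route_conflict(client_lan, vpn_lan, target):
    """Where does a target address resolve for a client on `client_lan` with a
    VPN to `vpn_lan`?  'ambiguous' means both routes match and the winner is
    decided by client route metrics, not by the administrator (the case where
    Windows picked the local site and SoftEther picked the VPN site)."""
    client = ipaddress.ip_network(client_lan, strict=False)
    vpn = ipaddress.ip_network(vpn_lan, strict=False)
    ip = ipaddress.ip_address(target)
    in_client, in_vpn = ip in client, ip in vpn
    if in_client and in_vpn:
        return "ambiguous"
    if in_vpn:
        return "vpn"
    if in_client:
        return "local"
    return "neither"


def pick_office_subnet(avoid=(), prefix=24,
                       candidates=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """First /prefix block of private space that overlaps neither the dead
    ranges nor any network in `avoid` (e.g. subnets of remote sites or partners)."""
    blocked = DEAD_RANGES + [ipaddress.ip_network(a, strict=False) for a in avoid]
    for cand in candidates:
        for sub in ipaddress.ip_network(cand).subnets(new_prefix=prefix):
            if not any(sub.overlaps(b) for b in blocked):
                return str(sub)
    return None


if __name__ == "__main__":
    # Constructed scenario from the thread: same /24 at home/work and at the VPN site.
    print(route_conflict("192.168.1.0/24", "192.168.1.0/24", "192.168.1.1"))
    print(in_dead_range("192.168.1.0/24"), pick_office_subnet(avoid=["10.0.0.0/24"]))
```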

                                          ZeroTier would have solved that issue, but might have been an issue with your NAS.

                                          • Dashrender

                                            I agree with Scott here - You shouldn't use your Windows server at all for the VPN solution.

                                            What does your Windows server do for you? If you're not using it for Active Directory, and it sounds like you're not using it for file storage either (you have a NAS), then what? An application server? Are you hosting your websites from it? Seems expensive for no reason, unless an application you purchased required the use of IIS; then I'd ask, can you get rid of that and move to a solution that uses a free OS?

                                            As for VPN: if you really need traditional VPN, find out if your current router/firewall can do it. If not, replace it with an EdgeRouter. They are very inexpensive, do this job great, and work with the native VPN client inside Windows PCs.
