VPN Solutions for Distributed Installations?
merreborn asks: "I work for a very small software company (10 employees) that's developing a Point of Sale solution for a small retail chain (~20 stores in several states) on the other side of the country. We're going to be shipping Debian systems with our software installed to these locations -- all of which are connected to the Internet via consumer-grade DSL, and inevitably behind some sort of NAT box. Our office is similarly connected, and we've got a couple of dedicated, co-located servers off-site with static IPs. We'd like to be able to access these systems remotely for maintenance from the office -- what would that entail? Which VPN solutions are best suited to this situation these days (IPSec, PPTP, vtun, ssh, ssl/OpenVPN)? Are there any detailed, current books on the subject? (O'Reilly's VPN book is 6 years old now)"
Basically there are three groups of VPN "solutions" these days: IPSec, PPTP, and everything else.
I use IPSec pretty extensively. If you're dealing with inter-Linux-server communications where each end has a static IP address, IPSec is hard to beat. It's simple and pretty easy.
PPTP is mainly a Microsoft thing. Not applicable here obviously.
"Everything else" breaks down into application-specific protocols for specific applications. This is what I would recommend. Go take a look at OpenVPN. When you don't know the remote IP address, it's a great way to go. You give it a static IP address (I use 10.2.0.0/16 for this) via OpenVPN, and you can log in quickly and easily. OpenVPN has a plethora of options which make it very useful for unknown remote networks. The most useful ones are its decent support for TCP/IP (so you set your colo'd server's OpenVPN to listen on TCP/IP port 80), and the ability to use arbitrary ports (TCP/IP isn't the best protocol for a VPN application; UDP is better - set it to port 53, and that'll get past most over-anal firewalls).
Have fun
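A minimal pair of OpenVPN configs for the layout in the question and the reply above (colo server with a static IP, stores and the office all dialing out from behind NAT into a 10.2.0.0/16 pool), added here as an illustration rather than taken from any poster. It assumes OpenVPN 2.x with a CA already generated (for example with easy-rsa); the hostname vpn.example.net, the file paths and the certificate names are assumptions.

```conf
# --- colo server (static IP), /etc/openvpn/pos.conf ---
port 1194
proto udp                 # UDP as suggested above; fall back to tcp on 443/80 only for sites whose NAT box blocks it
dev tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/colo.crt
key  /etc/openvpn/keys/colo.key
dh   /etc/openvpn/keys/dh2048.pem
crl-verify /etc/openvpn/keys/crl.pem      # a stolen store box is cut off by revoking its cert, nothing else changes
tls-auth /etc/openvpn/keys/ta.key 0       # pre-shared HMAC key: packets without it are dropped before the TLS handshake
cipher AES-256-CBC
auth SHA256
topology subnet
server 10.2.0.0 255.255.0.0               # the 10.2.0.0/16 pool mentioned in the reply above
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
client-config-dir /etc/openvpn/ccd        # one file per box, e.g. ccd/store-07 containing: ifconfig-push 10.2.1.7 255.255.0.0
# no "client-to-client": store-to-store packets then pass through the server's FORWARD chain,
# where iptables can restrict them to the office's fixed address (e.g. 10.2.0.10) only
keepalive 10 120                          # ping every 10 s, restart after 120 s of silence; also keeps the NAT mapping alive
persist-key
persist-tun
user nobody                               # drop root after the tunnel is up
group nogroup
verb 3

# --- each store box (and the office), behind NAT, /etc/openvpn/pos.conf ---
client
dev tun
proto udp
remote vpn.example.net 1194               # the colo server's static address (assumed name)
resolv-retry infinite                     # DSL drops: keep retrying rather than giving up
nobind                                    # outbound only, so nothing has to be opened on the store's NAT box
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/store-07.crt       # one cert per box, never a shared one, so revocation stays per box
key  /etc/openvpn/keys/store-07.key
tls-auth /etc/openvpn/keys/ta.key 1       # same key as the server, direction flag 1
remote-cert-tls server                    # refuse a peer whose cert lacks the server key usage: a client cert cannot pose as the server
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
verb 3
```

Running several customers from one box, as the next reply describes, is just a second copy of the server section under another file name with a different `port` and `server` subnet.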
I would recommend OpenVPN because I have some experience with it. OpenVPN is a very reliable solution when you have to connect several remote sites to a single L2 (Ethernet) segment.
We use an Intel-based Linux server at our datacenter as the VPN server. It runs several instances of OpenVPN on different UDP ports (OpenVPN can use TCP as well) for different customers. Endpoints are Asus WL-500g Deluxe routers with OpenWRT Linux and OpenVPN installed. Maximum throughput is 3 Mbps with Blowfish encryption and authentication (limited by the 200 MHz CPU). These devices are small, silent, inexpensive and reliable enough. Endpoints are connected using various types of Internet access -- DSL, cable, LAN, WiFi etc. Some customers have ~70 endpoints without problems.
If you insist on using Debian computers as VPN endpoints, do not use hard disks!!! They will die. Use IDE flash, for example. Use a fanless CPU and PSU if possible.
This Canadian customer of ours has about 80 restaurants and has fully deployed our Linux & X Window System POS solution in all of its restaurants all across Canada. HQ enjoys an open VPN link with each of them and all data from the restaurants, including credit/debit cards is remotely synchronized with the storage system at their Toronto HQ. The company's IT staff is actually just one person, Doug deLeeuw. The company is increasing its units by about 25% this year. When you have the kind of control that this company has you find something like that much easier to undertake and you're much more likely to succeed. I doubt that there's another restaurant organization in the world with this kind of advanced POS deployment, not to mention that one person did it all by himself. Perhaps in another five to ten years you'll be able to read about it in a book.