Slashdot Mirror


Ask Slashdot: VPN Solution To Connect Mixed-Environment Households?

New submitter RavenLrD20k writes: I am a programmer by trade with a significant amount of training as a Network Administrator (AAS in Computer Networking). I have no problem with how to build three or four separate networks in each location and make them route over the internet. My weakness is in trying to set up a VPN for a secured two-way connection between location A and location B, both mixed OS environments, with the requirement that all of the internet traffic on B gets routed through A first. I've already looked at some boxed solutions, such as LogMeIn Hamachi, but there hasn't been much in the way of mixed environment support. This is a complicated one, so keep reading for more on what RavenLrD20k is trying to accomplish.

Some background: Due to recent events it's become necessary for me to have remote access to all of my Parents' computers, which are about 4 hours away (location B) from my home location (location A). This is to facilitate me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites (I'm already going to be upgrading their 2 systems to Windows 7 Ultimate on my dime for this purpose). The ISP for Location B also seems to be blocking the Desktop Sharing ports, as this method has completely stopped working for us without notice, and router configs have been verified as forwarding the necessary ports. Location B also has 2 grandchildren that will have a Windows 7 Home Edition Laptop (for MS Office based classwork), a Linux Mint Machine (to start, he has full rein to do whatever he wants to this machine after initial setup with the understanding that if he "breaks" it, he fixes it), and several BeagleBone or R-Pi machines for my Son's experiments while he's visiting for the summer.

Location A has two networks. First is the one with the public IP that I run my Linux servers and physically connected Desktop on. This network also has a wireless interface that gaming machines and phones on the North side of the house connect to. Network two is behind the NAT and runs a dual-band wireless connection for devices on the south side. I would rather not have this second network get internet access through the VPN but through the traditional means.

Location A has a 150/30 cable connection with a 2TB cap. Location B has a 20Mb/s symmetrical uncapped Fiber connection. I also have a VPS "in the cloud" running CentOS which has a 1Gbps Inbound 20Mbps (1Gbps burstable) Outbound connection which may be repurposed for this if necessary. I figure this to be common sense, but I would prefer that the connection between the locations be routed as opposed to bridged, so as to avoid the issues that come with sending broadcast packets over the internet.

As I said, I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry. On top of this I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default. I want everyone to have complete open access to the full internet (this too is to help educate my son in smart browsing/chatting and encourage "you break it, you fix it").

173 comments

  1. Networking is hard by ArcadeMan · · Score: 0

    Let's go shopping!

    1. Re:Networking is hard by Anonymous Coward · · Score: 1

      I love these "Ask Slashdot" questions because everyone insults the OP for not knowing how to do something with computers.

    2. Re:Networking is hard by Anonymous Coward · · Score: 5, Insightful

      The only reason why I found the OP funny is, in his own words "significant amount of training as a Network Administrator".

      Even network admins without significant amounts of training know the simplest fix for this is 2 cheap routers running openvpn with the second one set to route all outbound traffic through the tunnel. This has NOTHING to do with the operating systems.

      Or, just use something that lets you support your parents, like teamviewer, that works across platforms, and can install as a service, and access anytime remotely. Many products out there that work on linux/mac/windows.

      Tracking your kid's internet while he is away seems something better accomplished with something on his device. If you are that worried about his internet habits while he is at Grandma's, you should be worried when he is off wifi, at friends', etc.

    3. Re:Networking is hard by pnutjam · · Score: 1

      Instead of 2 cheap routers, I would use pfsense. It will do everything he is asking for. It will do captive portal, so I can cap bandwidth per user or device. It will give him logs and show per device usage. If he configures it, he can filter with several different plug-ins.

      It will also act as an openvpn client or server.

    4. Re:Networking is hard by Anonymous Coward · · Score: 1

      Dear Slashdot, How do I fix my car? I have knowledge of cars because I drive one every day. I know there are volumes of text dealing with my specific repair, even an actual factory manual. However, I'm a self-entitled Gen-X'er and want you to walk me through the entire process, holding my hand. I am too proud to pay a mechanic to fix the car, even though he can do it in one day. I'd rather waste even more money, time and resources doing it myself. Except I don't know how to do it myself. I know that people have gone through years of training to do these types of repairs, but I feel like I can do it myself because I AM SO SMRT.

    5. Re:Networking is hard by ArcadeMan · · Score: 1

      +1 Funny.

    6. Re:Networking is hard by Anonymous Coward · · Score: 0

      I wouldn't. Time and electricity are both more expensive than hardware. I would just buy a couple of Mikrotik routers, because what he is describing can be set up in less than 5 minutes using RouterOS.

      Honestly the guy sounds like a complete dumbass. Just run ovpn or IPsec from one Mikrotik CPE router to another. Set the default route via the ovpn/ipsec tunnel on the connection end he wants captive, and add a deny rule from the local LAN to the cable modem interface to prevent traffic getting out to the internet when the vpn isn't up.

    7. Re:Networking is hard by pnutjam · · Score: 1

      I've done pfsense and routerOS, pfsense is way easier and the documentation is clearer. If you do it right, with an embedded box, electricity is a wash. If you throw it on a virtual server you are already running, you probably come out ahead.

    8. Re:Networking is hard by fieldstone · · Score: 1

      If you're after filtering rather than tracking, OpenDNS has worked well for me in the past, can be installed on the router at location B, and has built-in filtering categories. Also, it's free (but you'll need to make an account to use the filtering). I concur on TeamViewer. I use it to support several hundred clients and it's very reliable, as long as your parents don't close it or uninstall it because they don't know what it is.

  2. Open VPN or use SSH with the Linux Machine by CajunArson · · Score: 3, Insightful

    I recommend either an OpenVPN tunnel with appropriate routing (multi-OS capable) or just use the Linux machines already at the site as tunnel servers using SSH as a VPN (relatively recent versions of SSH required).

    --
    AntiFA: An abbreviation for Anti First Amendment.

    1. Re:Open VPN or use SSH with the Linux Machine by szy · · Score: 1

      OpenVPN +1.

      Set up the OpenVPN server on any machine in location A and the client on the router at location B, and make the gateway push the routes for your son's computer (and his phone and the raspberry pi's and whatever else is desired) via the VPN. Leave the rest of the traffic alone in order to avoid the additional latency. You might want to put your son's devices into a separate subnet.

      Once all is set up, it's easy to maintain.

    2. Re:Open VPN or use SSH with the Linux Machine by Spazmania · · Score: 1

      Clearly a job for openvpn. Split tunnel when you don't want to control Internet access. No split tunnel when you do.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.

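      A concrete version of the split-tunnel setup these replies describe (the son's subnet goes through the tunnel, the rest of Location B stays on its own ISP, and the "deny when the VPN isn't up" rule from the Mikrotik suggestion above), as an added example that is not from the thread: a hook script for the OpenVPN client on the Location B router. Subnets, interface names and the routing-table number are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Policy routing on the Location B router:
# only the son's subnet (SON_NET) gets its default route through the OpenVPN
# tunnel to Location A; every other Location B host keeps the ISP default route
# (split tunnel). If the tunnel drops, SON_NET is refused a direct path out of
# the WAN instead of silently falling back to the ISP (fail closed).
# Addresses, interface names and the table number are constructed for the example.
# Meant to be wired into the OpenVPN client config as
#   script-security 2
#   route-up /etc/openvpn/son-route.sh
#   down     /etc/openvpn/son-route.sh
# OpenVPN exports $dev and $script_type to such hooks. DRY_RUN=1 prints the
# commands instead of running them (also lets the script run without root).

SON_NET="${SON_NET:-192.168.51.0/24}"                        # son's devices, own subnet at B
B_LOCAL_NETS="${B_LOCAL_NETS:-192.168.50.0/24 192.168.51.0/24}"  # all Location B subnets
TUN_DEV="${dev:-tun0}"                                       # tunnel interface, from OpenVPN
WAN_DEV="${WAN_DEV:-eth0}"                                   # Location B's ISP-facing interface
TABLE_ID="${TABLE_ID:-100}"                                  # dedicated routing table for SON_NET
RULE_PRIO=1000

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time setup at boot: SON_NET may never leave through the WAN directly,
# tunnel up or not. REJECT rather than DROP so clients fail fast instead of
# hanging. OpenVPN's own UDP packets come from the router itself (OUTPUT
# chain, not FORWARD), so this does not block the tunnel.
install_fail_closed() {
    run iptables -I FORWARD -s "$SON_NET" -o "$WAN_DEV" -j REJECT
}

# Policy rules, $1 is "add" or "del". Destinations inside Location B still
# resolve via the main table (so grandma's PC is reached directly), everything
# else from SON_NET is looked up in the tunnel table.
policy_rules() {
    for n in $B_LOCAL_NETS; do
        run ip rule "$1" from "$SON_NET" to "$n" lookup main priority $((RULE_PRIO - 1))
    done
    run ip rule "$1" from "$SON_NET" lookup "$TABLE_ID" priority "$RULE_PRIO"
}

# route-up hook: SON_NET's default route lives in its own table and points at
# the tunnel. Return traffic for SON_NET is declared on the Location A server
# with an "iroute" line in this router's client-config-dir file, so no NAT is
# needed here.
tunnel_up() {
    run ip route replace default dev "$TUN_DEV" table "$TABLE_ID"
    policy_rules del 2>/dev/null || true   # clear stale rules from a previous run
    policy_rules add
}

# down hook: remove the rules and the table. The kernel already dropped the
# tunnel route with the interface; the FORWARD REJECT rule keeps SON_NET off
# the WAN until the tunnel comes back.
tunnel_down() {
    policy_rules del 2>/dev/null || true
    run ip route flush table "$TABLE_ID" 2>/dev/null || true
}

case "${script_type:-${1:-}}" in
    route-up|up)         tunnel_up ;;
    down|route-pre-down) tunnel_down ;;
    install)             install_fail_closed ;;
esac
```

      Run `install` once from the router's boot scripts; OpenVPN then calls the script with `script_type` set to `route-up` and `down` as the tunnel comes and goes.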
    3. Re:Open VPN or use SSH with the Linux Machine by MeNeXT · · Score: 1

      OpenVPN. +1

      Mac, Windows, Linux, FreeBSD...

      Look at bridging using TAP. Works with the same subnet. Set the server to push IPs to the secondary network. Leave all other traffic to go out on the respective ISP's network. You can also set up a remote TUN connection which will allow you to connect remotely on either side and see both. You can run as many instances and/or subnets as you wish as long as you map the routes.

      --
      DRM? No thanks, I'll just get it somewhere else...

    4. Re:Open VPN or use SSH with the Linux Machine by Hoban+Washburne · · Score: 1

      Agree completely, I did the exact same thing with my parents' home network: was going to set up OpenVPN for my parents' home network for exactly the same reason as the OP - found OpenSSH was more than sufficient via tunneling and ssh keypairs, works with everything and the only requirements are having a router that can do port-forwarding to an alternate (not default) ssh port, your choice of dynamic dns and whatever old desktop or r-pi as a linux server to do the ssh-server and local logging. My only wish is for a KVM over IP device that is actually affordable, then I would never need to be there at all unless the network is completely dark. One thing I would not do is route anything from one net to the other - best to leave them independent and have everything local.

  3. Openvpn by JonathanP.Bennett · · Score: 4, Informative

    If I'm understanding the requirements, you will want to use openvpn. It has support for Windows and anything running Linux, all sorts of routing options to play with, etc.

    1. Re:Openvpn by Anonymous Coward · · Score: 0

      This is the answer. It can do basically anything you want and it can do it securely and provide stability.

      Future openssl bugs notwithstanding...

    2. Re:Openvpn by swb · · Score: 2

      Understanding the requirements is the hard part.

      I find so many people overexplain their weird irrelevant details that it's hard to make out just what they're trying to do.

    3. Re:Openvpn by whitelabrat · · Score: 1

      ^ That

    4. Re:Openvpn by jisom · · Score: 1

      I 2nd Openvpn. Though I don't think it is something you'd have to have on all the time. Set up the router at Loc. B with Openvpn so you can log in. Set up static DHCP addresses for all devices. You can then connect from A or work or wherever to check logs or allow/block a specific device. Personally I'd use OpenWRT for the router's OS. Set it up so that your son's devices are routed through a log of some sort before leaving to the outside.

    5. Re:Openvpn by Anonymous Coward · · Score: 0

      If they knew which details were and were not relevant they wouldn't need to Ask Slashdot

    6. Re:Openvpn by Anonymous Coward · · Score: 0

      Or TINC ?

    7. Re:Openvpn by davidshewitt · · Score: 1

      I second this recommendation. I use OpenVPN for this purpose as well. You can either configure each individual client at location A to connect to your OpenVPN network or you can set it up on the router at location A (assuming you can put OpenWRT/DD-WRT, etc. firmware on it).

    8. Re:Openvpn by Anonymous Coward · · Score: 0

      especially when all you want them to do is reboot the damn router.

  4. Associate of Science in Networking... by __aaclcg7560 · · Score: 1

    If he can't figure out how to set up a VPN in a mixed environment, he should go back to school to get his bachelor's degree. A BS in networking is always valuable, especially in doing consultant work.

    1. Re:Associate of Science in Networking... by MachineShedFred · · Score: 1

      I could see this being an Ask Slashdot 15 years ago when IPSec was a new idea, but c'mon - there are devices you can buy for $100 that have a fucking web wizard to set up IPSec tunnels between them.

      No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

    2. Re:Associate of Science in Networking... by i.r.id10t · · Score: 1

      Our networking track here at the college I work for is focused on Cisco and Windows AD stuff... and people who really don't care to *get into it* and learn on their own come out with a bare minimum of knowledge...

      That said, I still don't know why a VPN is needed... set up a simple linux box at the parents' house, have a non-standard port on their router forward to said linux box. Add something so that you can grab the current public IP - a wget on a webpage fired by a cron job, one of the free subdomain dynamic dns services, whatever. When you need to do a remote desktop session, just use a SSH tunnel with port forwarding.

      --
      Don't blame me, I voted for Kodos

    3. Re:Associate of Science in Networking... by Anonymous Coward · · Score: 0

      No, I had an AAS in Networking years and years ago and was well beyond this level of ability even then. It's not the degree level.

    4. Re:Associate of Science in Networking... by drinkypoo · · Score: 1

      Maybe he's just trying to be cheap. Last time I messed with Linux IPSEC I got mad because the documentation was ugh. It's a PITA to even figure out which implementation of what you're supposed to use because of all the outdated docs people left lying around on the web.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    5. Re:Associate of Science in Networking... by i.r.id10t · · Score: 1

      It really comes down to the course work, the individual instructors, and what the student makes of it. I've had very curious students do all sorts of very high level things... while their classmates struggle with basic concepts.

      --
      Don't blame me, I voted for Kodos

    6. Re:Associate of Science in Networking... by bill_mcgonigle · · Score: 5, Insightful

      No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.

      Both of those sources will mislead you into thinking IPSec is a good solution that's not a giant pain in the ass in the real world and appropriate for this kind of install.

      pfSense and OpenVPN, as everybody has been saying, is appropriate, solid, and on the easier end of the scale.

      His requirements are 99% like mine, and that solution works great. My parents' pfSense box is in their basement, nailed up next to the FiOS demarc, and it works great.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    7. Re:Associate of Science in Networking... by JamesTRexx · · Score: 1

      First thing I was wondering about is what constitutes a "significant amount of training as network administrator" if you have to ask a question like this.
      Or is an AAS so basic they don't even teach that port forwarding has an option to use alternative ports? (don't ever use the standard remote desktop ports in the first place)
      Having had to teach basic network troubleshooting skills to guys fresh out of school already made me doubt the level of education nowadays.

      --
      home

    8. Re:Associate of Science in Networking... by I4ko · · Score: 1

      There were Linksys models in 2003 doing that for less than 150 bucks in 2003 money.. BEFSX41, some guys are still selling them on Amazon. They suffered from stability problems due to inconsistent power supply bricks - some were 6 volts, some were 9, 12, or 19 volts. I've built a 30+ point VPN to a central location with a Cisco 17xx, don't remember what was in the central location, but even if it was a 26xx it is dirt cheap as overstock second hand hardware these days. What I would do these days is get a good router that can run DD-WRT and use OpenVPN, a small box to run Pfsense again with OpenVPN or IPsec, or get a Mikrotik router and use their proprietary solutions. Heck, even two IPv6 tunnels from your place and from their place to HE and proper firewalls and you are in business.

    9. Re:Associate of Science in Networking... by I4ko · · Score: 1

      Cisco had wonderful IPsec support in 2003. If you had access to it, you can't complain.

    10. Re:Associate of Science in Networking... by __aaclcg7560 · · Score: 1

      I went back to school after the dot com crash to learn computer programming.* The networking track was still the money major at the time (i.e., if you want to make boatloads of money, take this major). You know it's getting absurd when a Vietnamese couple in their 70's who can barely speak English think they can get a high-paying job after graduation. When health care became the new money major, the network classes got cancelled due to a lack of demand.

      * Yes, I got an A.S. in computer programming; no, I'm not a programmer because I went into I.T. support. But I do have a Network+ certification and studied for the CCNA on-and-off.

    11. Re:Associate of Science in Networking... by pnutjam · · Score: 1

      bingo, don't screw around with the ipsec garbage that's out there. Use openVPN and call it done. Monitoring / usage control is a different beast and can be easily handled on an appropriate router, which can be virtualized on an appropriate setup if necessary, or run on dedicated hardware. Something like pfsense supports logging and all sorts of filtering.

    12. Re:Associate of Science in Networking... by Anonymous Coward · · Score: 0

      It really comes down to the course work, the individual instructors, and what the student makes of it. I've had very curious students do all sorts of very high level things... while their classmates struggle with basic concepts.

      When I had to take a FORTRAN course in college I picked up on it so fast that I was tutoring other students in a course I hadn't even completed yet. It was ridiculous how many people couldn't get the grasp of IF THEN or basic loops.

    13. Re:Associate of Science in Networking... by Anonymous Coward · · Score: 0

      No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.

      Both of those sources will mislead you into thinking IPSec is a good solution that's not a giant pain in the ass in the real world and appropriate for this kind of install.

      You can get Juniper Netscreen SSG5's and a ton of other slightly old enterprise networking equipment off ebay for pennies on the dollar. Not only does it use IPSec, it has a webpage and documentation.

      The question was asked by a retard who couldn't tie his shoes if he was given an instructional manual and training.

      WTF has this world come to.

    14. Re:Associate of Science in Networking... by Anonymous Coward · · Score: 0

      Setting up IPsec ought to be easy, particularly when using simple pre-shared keys. I have done this successfully using many different implementations. Sad to say my experience tells me it isn't in fact easy but it's not impossible either.

      1. Openswan or Freeswan. Died years ago, but used to have the advantage of really owning the whole process although the disadvantage of owning it in a way that meant you had to configure everything to their config file format which is different to everything else and not something most distributions were keen to adopt.
      2. racoon. Ultimately this is just the IKE daemon. To use racoon you wind up having to configure racoon in its way AND you have to configure the policy database in another way ultimately by using setkey to tell the kernel what to do. Fedora has some support for getting the SPD set up correctly but then it also wants to completely own the racoon config. I've had better luck writing the racoon config myself and then writing an alternate ifup script to get fedora's networking stack (the static server one, not the funky desktop one) to setup the SPD. Oh, and the version of racoon that ships with Fedora has a bug (&& instead of & was used) which causes it to think it should do NAT traversal and then realize it shouldn't and therefore completely fail to do anything. It's fixed in the latest version. So you need to build and compile the next upstream version.
      3. Mikrotik RouterOS (on RouterBoard hardware). Has its own very unique way of configuring it but it works really well. Ultimately uses racoon and setkey although they are good about not shipping a buggy racoon.
      4. Cisco PIX. Very strange way of configuring. It's trying to be Cisco IOS but it really isn't. Does interoperate well with Mikrotik though.
      5. Windows. Again, has its own way of configuring things but you can absolutely set up the SPD and get the IKE daemon doing the right thing and it will interoperate quite well. Have successfully done it with both a RouterBoard and a Linux box running racoon. Only really useful when your Windows box has a public IP (i.e. say you have a remote web server on VPS hosting and you want a secure channel to admin it).

      Ultimately if I were going to buy some hardware to set up site-to-site VPN I'd buy two RouterBoard and use IPsec with a pre-shared key. You can use OpenVPN on Mikrotik but I don't know why you'd bother when the IPsec config is straightforward and way more efficient over the wire.

      But, yes, you aren't wrong. Getting IPsec to work correctly requires not only a good amount of networking experience but can be a real pain to debug. You will need tcpdump and/or Wireshark and a good understanding of how to enable logging on the IKE daemon you're using to figure out what is going wrong. Once you get it working though, nothing is more reliable nor more efficient. IPsec ESP is a very thin wrapper around IP packets.

    15. Re:Associate of Science in Networking... by Anonymous Coward · · Score: 0

      Because a VPN is far more secure than your solution. Yes, your solution will work, but it is also a decent hacking target.

    16. Re:Associate of Science in Networking... by RavenLrD20k · · Score: 1

      If I wanted an enterprise level overkill solution, I'd have grabbed a couple of Cisco 1800's for <$200 off eBay with the necessary modules and configured the proprietary VPN through IOS like I learned in college (this route is still not off the table either, just not preferred). Your SSG5's are going for about the same price on ebay and would require me to learn a system I'm not immediately familiar with, which wouldn't be a problem if I needed this to work in my own lab only. Just because I'm not current on consumer and open source options doesn't mean I don't know my shit on the enterprise level. I specifically asked this question because I'm trying to AVOID enterprise equipment in a home environment, retard (to show you the same courtesy as you have shown me)!

      I want a solution that I can either use my equipment on hand, or be able to buy/build for less than $200 that my dad would be able to troubleshoot through a web interface and know WTF he's looking at in the event something goes south when I'm not immediately available. Any solution I go with I am going to have to take a vacation week to walk him through troubleshooting and he doesn't do well with command line.

  5. Capped cable? by Anonymous Coward · · Score: 0

    Sorry, I have nothing to bring to this except a potentially odd question, but capped cable?? Really? I thought capped landlines were something relegated to the 90s

    1. Re:Capped cable? by RavenLrD20k · · Score: 1

      It's Cox. Top tier used to be soft-capped at 400 Gigs which my household alone was pegging every month until they decided to raise all their caps. Now it's a 2TB cap that we barely use a quarter of. Until this situation arose, I had been considering dropping service down a tier and saving about $50 a month. Unfortunately the only other option I have for broadband (besides satellite) is 6Mbps DSL hard-capped @ 200 Gigs... though they can't tell me if I'm close enough to the CO or not.

    2. Re:Capped cable? by McGruber · · Score: 1, Informative

      I've noticed that AT&T has started capping their DSL service. The bastards have very misleading advertising -- their TV advertisements say things like connect your mobile devices to DSL at home to "Save on Mobile Data".... but then the same advertisement says, in very fine print, that "Data overage and other charges apply".

    3. Re:Capped cable? by Anonymous Coward · · Score: 0

      Technically you are saving... if they charge $10/50GB that's only $0.20/GB, as opposed to $10-20/GB on mobile data overages ;)

  6. PFSense by Anonymous Coward · · Score: 0

    Check out PFSense. It will let you handle the VPN routing at the border where it belongs. It is also a really nice firewall and router in general!

  7. Seriously? by Anonymous Coward · · Score: 0

    It's so funny when people come on and say they have this or that whatever training and lots of experience yet they can't set up a simple system like this. It's child's play and technically I have no training in networking (CS major here but only on paper, school taught me nothing new).

    Man, the days watching those packet radio frames slowly flow over JNOS 25 years ago really helped me understand how networking actually works. Not some school/training bullshit.

    I'm available to set up your little baby network. $100/hour but I can guarantee it will be finished in 2.

  8. Chrome Remote Desktop by Anonymous Coward · · Score: 0

    What's wrong with Chrome Remote Desktop?

    I'll ignore your insane / paranoid need to monitor every move your son makes ("but only for a little while, so it's fine!")

    1. Re:Chrome Remote Desktop by RavenLrD20k · · Score: 2

      If he's going to be using my or my Parents' network resources and the government says I'm responsible for what he does until he's 18, you bet your ass I'm going to do checks to make sure he isn't doing anything that will warrant a visit from the Feds. Beyond that, he has a pretty good amount of freedom and leeway on the web.

      That said, I'll have to look into CRD to see if it'll work given the apparent constraints that my Parents' ISP has placed on the connection. Windows Remote Assistance was working for a while and that is primarily what we used whenever they needed some quick work or a tutorial on something they wanted to do with the computer... Unfortunately it just stopped working all of a sudden. We figured out that their ISP had started blocking ports; upon contact the ISP made it clear they weren't going to be helpful in opening them up for us. This is the reason for the desire for a VPN where every machine on my Parents' network will look like it exists on my local NAT so I can easily just point the RDP Client or SSH session to a known IP address and have the full access I need. Using RDP would also eliminate the need for someone to actually have to be at a desktop while I did maintenance. To facilitate this more, I plan on setting my parents' computers to respond to WoL packets as well.

    2. Re:Chrome Remote Desktop by Teun · · Score: 1

      If you can't trust the little runt, get a different son.
      Seriously!

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."

    3. Re: Chrome Remote Desktop by Anonymous Coward · · Score: 0

      Neorouter does most of everything you want. It's free and easy.

    4. Re:Chrome Remote Desktop by pnutjam · · Score: 1

      I did some extensive pfsense openVPN work awhile back. It has since been replaced by a "managed" solution and I was gifted the old gear. If you want some inexpensive Alix equipment, hit me up. They handle pfsense and openvpn very well.

    5. Re:Chrome Remote Desktop by ashpool7 · · Score: 1

      The suggestion in here to use OpenVPN or use a site-to-site router connection with DD-WRT using OpenVPN is the best bet. You could configure a small APU/ALIX machine to do this work if you didn't want to use DD-WRT.

    6. Re:Chrome Remote Desktop by Anonymous Coward · · Score: 0

      Yeah, I don't understand this whole "I gotta control my kids" thing. When I was 8, I was the admin at home. If the computer needed to get fixed, I did it. I remember scolding my parents for improperly doing stuff on the computer. This was the early 90s. This also reeks of parents who have their 12 year old children babysat during the day. When I was 9, I was taking care of a newborn; when I was 11, I was taking care of a 2 year old and a newborn. I was driving a tractor that I couldn't even reach the pedals of from the seat. I had a hard time seeing over the steering wheel while standing.

      Maybe these parents shouldn't be parents if they can't teach their children how to be responsible.

    7. Re:Chrome Remote Desktop by Anonymous Coward · · Score: 0

      I will 2nd the pfSense with openVPN option, it works great, you can even load it onto an old laptop with ESXi and create multiple VLANs and virtual pfSense boxes to segregate the traffic, assuming you have a switch that can do VLANs

  9. Consider TeamViewer instead. by Anonymous Coward · · Score: 0

    You could consider TeamViewer instead of setting up a VPN. (Versions available for Windows, Mac and Linux...)

    1. Re:Consider TeamViewer instead. by pfleming · · Score: 1

      I had trouble getting TeamViewer running on a Debian box. It wasn't worth the time to figure out what was wrong as it worked on a Windows machine.

    2. Re:Consider TeamViewer instead. by Anonymous Coward · · Score: 0

      I assume you're running 64-bit Debian. Did you try installing the 32-bit version of Teamviewer? I couldn't get the 64-bit version working on Debian, but the 32-bit version installed fine, although you may have to enable something for your install to pull in 32-bit packages from the repositories (for dependencies), can't quite remember what though.

      Once I got it running it does run quite nicely.

  10. Routers with VPN by DogDude · · Score: 3, Informative

    Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.

    http://www.cisco.com/c/en/us/p...

    --
    I don't respond to AC's.

    1. Re:Routers with VPN by harr2969 · · Score: 4, Informative

      I agree - site to site VPN at the router level seems ideal for this challenge.

      Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.

      And yes, you could spend a lot of money for small business routers, or you could buy routers compatible with (or pre-installed with) firmware such as DD-WRT which will allow you almost all the same functions for much cheaper, but require a little more elbow grease to get working.

      http://www.dd-wrt.com/wiki/ind...

    2. Re:Routers with VPN by iamgnat · · Score: 3, Insightful

      Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each. http://www.cisco.com/c/en/us/p...

      Ubiquiti has a small router with enterprise-level features for less than $100. A site-to-site VPN and VLAN support are just a few of its features and all you need to solve this problem.

      I'm still running a Juniper SRX-210 at home, but I've been happy with the UniFi APs and EdgeSwitches I have from Ubiquiti so this little router is definitely on the short list when the time comes.

    3. Re:Routers with VPN by Anonymous Coward · · Score: 0

      Think you can do this with an ASUS router out of the box. Or at the very least with the rmerlin flash firmware and using OpenVPN.

      In fact this is NOT a bad idea for me and my parents and my wife's grandparents... I could hop on his computer and remote admin it easily. Instead of the 'click on this' crap I play now with setting up Chrome Remote Desktop.

    4. Re:Routers with VPN by Anonymous Coward · · Score: 0

      IMHO this is the correct answer but it is so very buried in useless advice.

    5. Re:Routers with VPN by ahodgson · · Score: 1

      Mikrotik has cheap ones too, that work great.

      http://routerboard.com/RB750GL.

    6. Re:Routers with VPN by scsirob · · Score: 1

      Can't agree more. Ubiquiti has some nice and easy, open gear available. To make matters more interesting, they have added deep(ish) packet inspection which allows you to see general traffic per client. So if you want to see what your son is doing without actually wiretapping his traffic, Ubiquiti will tell you he spent GB on YouTube, GB on Facebook etc.

      The router supports both site-to-site as well as single-client VPN, so no problem dialling in from remote and getting access to any and all networks in your cloud.

      --
      To Terminate, or not to Terminate, that's the question - SCSIROB
    7. Re:Routers with VPN by pnutjam · · Score: 1

      I always counsel people to stay away from SOHO equipment. It's not worth the hassle when you can get mikrotik, ubiquiti, or pfsense for the same or less. If you do go with a big name consumer router, at least make sure it supports openwrt.

    8. Re:Routers with VPN by Anonymous Coward · · Score: 0

      Ubiquiti EdgeRouter Lite. $100, a million packets per second, built-in OpenVPN and IPsec.
      https://www.ubnt.com/edgemax/edgerouter-lite/

      We use them with all our small business clients, Cisco's got nothing on these.

    9. Re:Routers with VPN by Anonymous Coward · · Score: 0

      But Mikrotik and Ubiquiti are big name brands for anyone who isn't a total moron. While they don't make any what I would call core routers (and I wouldn't count their CCR, though it is a nice product), I would and do use Mikrotik over Cisco at any level they have a product offering, and above that a CARP cluster on NetBSD or OpenBSD will outperform every Cisco and Juniper product out there for routing/$.

      These old-guard companies, Cisco and Juniper, are only still around due to conservative CYA in big companies. They aren't more reliable, and they just don't have the performance per buck of NetBSD on Xeons.

    10. Re:Routers with VPN by Anonymous Coward · · Score: 0

      The EdgeRouter Lite is *very* good.

      Do you have a UAP-AC? I have one, and it has been nothing but trouble. For every client that's not a MacBook, the 802.11ac performance is no higher than 802.11n. (The AC performance for the MacBook is every bit as fast as I would expect from 802.11ac gear.)

    11. Re:Routers with VPN by sribe · · Score: 1

      Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.

      Yes. But stay away from the Cisco/Linksys small business routers.

    12. Re:Routers with VPN by Anonymous Coward · · Score: 1

      I just read this: OpenVPN Firmware implementations

      It says the Mikrotik OpenVPN implementation doesn't support UDP, and tunneling via TCP incurs a huge performance penalty, so I would advise against it.

      Try to look for any cheap router that supports VPN via IPSec (IKEv1/IKEv2). People complain about IPSec because they don't know it but it's actually extremely easy to setup, it might be a bit more time-consuming than OpenVPN but if you value performance above all this should be the way to go. If you go with OpenVPN instead at least make sure the implementation you go with actually supports tunneling via UDP.

  11. Missing info by Anonymous Coward · · Score: 0

    How much control do you have over the gateways? Also, how do you plan on giving different machines different service?

    I wouldn't bother with routing (some) traffic over the VPN just for a bit of introspection; you can do that on the other gateway just as well, provided you have enough control to run your own software on it. A recent OpenWrt-capable box with plenty of RAM and flash could support proxies for logging and whatnot else.

    And, of course, have you contacted the ISP about the blocking?

  12. Vyos+DMVPN by Anonymous Coward · · Score: 0

    http://blog.ine.com/2008/08/02/dmvpn-explained/

  13. OpenVPN by JeremyR · · Score: 1

    If "mixed environment" only means that there are hosts running various OS's at both locations, it's fairly irrelevant.

    Anyway, I am using OpenVPN for what appears to be a similar scenario--routing traffic between a relative's and my house. I don't have Internet traffic from one site being routed through the other, although the VPN certainly could be configured that way.

    I will also echo the previous recommendation for pfSense, which I am using on one side of the VPN (running on a fairly inexpensive ALIX board). On the other side, I'm using a Ubiquiti EdgeRouter Lite. I can heartily recommend either one, but particularly the EdgeRouter, which can't be beat for its ~$100 street price.

  14. Really?! by Anonymous Coward · · Score: 0

    I have a BS in Networking! I work in HR and I network ALL the time!

    Sweet! I am gonna apply to those high paid networking jobs now!

  15. TeamViewer or LogMeIn? by mlts · · Score: 1

    I might be totally off base, but I wonder about a program like TeamViewer or LogMeIn. If the security trade-off is acceptable, that might be an alternative to trying to create VPNs.

    1. Re:TeamViewer or LogMeIn? by Anonymous Coward · · Score: 0

      TeamViewer free tier would perfectly suit his needs.

    2. Re:TeamViewer or LogMeIn? by leonbev · · Score: 1

      Yeah... if all he needs is remote desktop access to (primarily) a few Windows systems for patching things and snooping on your kid, just installing TeamViewer on them would be a lot easier than setting up a VPN. Once you have that, you could just put PuTTY on one of the remote Windows boxes to log into the Raspberry Pi project boxes if needed.

      Of course, I guess that you could always do something fancier like running VNC servers on different ports for each system and port forwarding those through the firewall for remote access, and use something like NoIP to give them a fixed hostname to access. That's kind of old school at this point, though.

    3. Re:TeamViewer or LogMeIn? by postbigbang · · Score: 1

      I find it interesting that the L2/L3 responses are so much different than the potential LogMeIn or GoToMyPC/etc ideas.

      The software person's visage of new hardware is that it potentially opens up too many ports. The hardware people will look at the software VNC-like ideas as potentially untrustworthy.

      VNC/RDC/RDP are super-simple for civilians to install and maintain, and all can be removed from memory when not in use, so as to reduce attack profile.

      Just my 2c worth.

      --
      ---- Teach Peace. It's Cheaper Than War.
  16. banana pi with openvpn by Anonymous Coward · · Score: 0

    You could use a raspberry pi if 100Mbit network is enough for you.

  17. VPN + Proxy by Anonymous Coward · · Score: 0

    VPN virtual appliance or dual homed box to handle the VPNs at each site.
    Set up a proxy server and configure firewall rules that enforce traffic passing only through the proxy.

  18. If your goal is to make things simple, this isn't by klubar · · Score: 1

    If your goal is to make things simple, this isn't the answer. You're going to end up with lots of "sort of works together" software, all of which will need patching and will occasionally just stop working.

    For not many dollars, and a lot less time investment you can use something like logmein remote which will give you nearly always reliable, and secure remote access to the machines. You can even set it up so no one needs to be at the remote machines for you to log in. As long as the machine is booted, you'll be set.

    I've used logmein (paid) and it's nearly flawless.

    As for monitoring all the URLs your son accesses, you could probably set up a proxy server on the local machine that emails you the URLs daily. But the option of routing the traffic back to your machine via a VPN is just a solution looking for a problem. If^h^hwhen something goes down, you'll be busy rebooting every bit of hardware along the way.

    Good (or just practical) engineers remember... keep it simple stupid.

  19. Have you tried TeamViewer? by Chirs · · Score: 2

    For your main goal of being able to log into your parents' machines, have you tried TeamViewer?

    As for setting up VPN, I think you should be able to do it relatively inexpensively with something like a couple of consumer-grade routers running DD-WRT. The one at location B is set up as a VPN client, and the one at location A is set up as a VPN server. You might want to set up address ranges for DHCP at location B such that they're part of the network at location A but not assigned at location A. That way you can avoid needing to do NAT at location B as well as location A.

  20. OpenVPN +1 by Anonymous Coward · · Score: 0

    OpenVPN is a very robust and open solution.

    Best scenario is to set up a Firewall/VPN device at each location on an old desktop computer (preferably no more than 3-4 years old) , using one of the following open firewall distros: VyOS, pfSense, Untangle. Configure a full mesh of tunnels using OpenVPN (it comes built into these FW distros.) The fact that it is a mixed environment doesn't matter, IP is IP, the VPN will pass the traffic regardless. ...and ignore the comments about a BS, degrees are overrated.

  21. old solution... by IT.luddite · · Score: 1

    Haven't had to do this in years (approximately 15 yrs actually) but when I did, I used FreeS/WAN to hook up a bunch of networks over the internet running on smoothwall. Everything else is routing tables. Man, what a trip down memory lane.

  22. security appiance by Anonymous Coward · · Score: 0

    I use a Check Point security appliance for a similar setup. It costs a few bucks but it's easy. There were other brands that seemed just as good; brand didn't seem to be a major issue. Check the lists of features and maybe talk to a salesperson at a place that sells them, and then it's pretty easy.

  23. TeamView FTW by Anonymous Coward · · Score: 1

    I do almost all my friend/family support with TeamViewer. Mac and Windows without any issues at all. And since TeamViewer can use port 80 and 443, your ISP won't be blocking it. I just set their computer for unattended access and set up an account to log them in through.

    Now for the issue of watching your son's internet traffic. Be prepared for him to learn how to bypass things... that's what kids do, ya know.

    1. Re:TeamView FTW by RavenLrD20k · · Score: 1

      Be prepared for him to learn how to bypass things...that's what kids do ya know.

      Fully prepared and expecting it. He likes to figure out how things work like I used to. If he takes interest in trying to bypass the security it'll escalate like a chess game. So far he's more interested in building and programming electronic projects than getting online much. It can often be a battle of wills to even get him to use the internet to find his own answers when he's stuck.

    2. Re:TeamView FTW by ashpool7 · · Score: 1

      Easiest solution for your son: plug directly into the modem while you're not there...

    3. Re: TeamView FTW by Anonymous Coward · · Score: 0

      What? Incoming Port 80 and 443 are specifically blocked for most residential users in my country. This would be bad if team viewer ran on ports 80 and 443, but they don't. Unless you meant the opposite of what you said.

    4. Re: TeamView FTW by Anonymous Coward · · Score: 0

      Escalate as a chess game? He breaks one rule and Internet access lost for ever.

    5. Re:TeamView FTW by RavenLrD20k · · Score: 1

      Not quite so easy.

      Modem with 4 connect points is outside the house next to the Power Meter which is double locked, one for the service key and a padlock for our access to the connect points which my dad has the key for. There's an ethernet line on one of the connect points that comes out of there and goes into the basement where it goes into a locked closet with a thick metal door and deadbolt. Inside this room the cable comes into a large locked metal breaker box flush mounted in the wall just for this purpose; again, only my dad and I have the keys to this box. Inside this box is where we set up the wireless router, with the antennae removed from the unit itself and connected outside the room using extension cables with BNC connectors. All the physical connections in the house have to come into this box.

      Diverting the outside connection to a server locked in the room and another line going back into the box to the router would be trivial to set up. I also have a lockable metal box with powered ventilation that a desktop workstation could fit in nicely with plenty of room to breathe (acquired from the local RadioShack when they were selling off their fixtures after the bankruptcy). Though based on most of the responses here I'm probably going to find some cheap routers (sub $100) that can run DD-WRT and OpenVPN to replace the one there and keep it inside the locked box. As far as wireless, I'll likely set up an AP or 2 on the main floor instead of the current setup that's not working very well outside the basement (for obvious reasons). Now that it's my dime going into this, my dad is more willing to let me have free rein on the network and how things are set up.

    6. Re:TeamView FTW by dave420 · · Score: 1

      You are assuming he won't be able to get past your security without you noticing, which judging by your "Ask Slashdot" question, seems a poor assumption. My money is on him getting past your security and you not even realising.

  24. tinc by taoboy · · Score: 1

    I use tinc for precisely this. One tinc on a public-facing server, then any computer in any location connects to it to form a network with the others. A bit tedious to configure, but it works well with both Linux and Windows hosts.

  25. Simple answer - MikroTik by Anonymous Coward · · Score: 0

    Hi,
    Just buy MikroTik and you will set this up in an hour or so.
    I have a similar setup with my parents' house and my two brothers, who each live in a different country; all private LANs are interconnected, with the ability to select the exit gateway by my brothers or me with a few clicks, where the routing decision is made based on IP src, destination, etc. They can exit in any country where someone from the family lives. The setup is based on PPTP or SSTP tunnels, and on top of the tunnels MPLS with VPLS is running, which allows every one of us to switch on demand to everyone's L2 network and use DLNA. So my brother can watch movies from my NAS in another country. Works well over 6 months without a single failure. Restarts, power failure and everything is back online without any tinkering. Only downside: you need to have a reasonable internet connection for it to work flawlessly, because often your upstream is your brother's downstream :)
    And everything with hardware cost ~80$ each (RB951G-2HnD). What more do you want :)

  26. computer programming is not a trade by Anonymous Coward · · Score: 0

    it's more like indentured service.

    go wipro

  27. Mikrotik by Anonymous Coward · · Score: 0

    It may be reasonable to get Mikrotik RouterBoards for each location (this model being my favorite for home use: http://routerboard.com/RB2011UiAS-2HnD-IN) and set up a system of IPSec tunnels between locations. You can then change routes for where you want traffic to go. We use this solution for several of our larger multi-location clients and it works excellently. Can't praise Mikrotik enough vs. the competitors. No software required on any of the endpoints with this method.

    1. Re:Mikrotik by AaronW · · Score: 1

      I agree that the MikroTik routers are powerful. I have been using one for several years. My biggest complaint with it is the confusing documentation, or documentation that's out of date. I had a hard time figuring out things like traffic management (QoS and shaping), though now that it's working it's quite powerful. I also have had a lot of confusion on how to set up the firewall so I can VPN in with various operating systems. The only one I've gotten to work from Android is PPTP, though I would love to use IPsec instead due to all the weaknesses in PPTP. Windows is even worse; following all the suggestions I have yet to be able to connect via Windows.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    2. Re:Mikrotik by ahodgson · · Score: 1

      Use OpenVPN; the Mikrotiks support it although setup is easier from the command-line than their gui.

      The client for Windows works well.

    3. Re:Mikrotik by Anonymous Coward · · Score: 0

      MikroTiks also don't support OpenVPN over UDP. And TCP is bad in a sense that if you're trying to route anything over TCP, the latency/jitter gets a lot (a lot!) worse.
      And TCP over TCP suffers from bandwidth limitation problems. Come on Mikrotik, it's been like 12 years already since we've first suggested you should implement OpenVPN standard UDP mode!

  28. MikroTik RouterOS by Binky+The+Oracle · · Score: 1

    I'm not super-network talented, but I recently used two Mikrotik RB951s to set up a permanent VPN tunnel between two houses for much the same reason. I didn't need the additional routing to make all traffic go through point A, but I know we use that setup at work for our remote workers. My arrangement ended up being traffic from each house going out its own connection, but with a permanent IPsec tunnel between the two for server synchronization and tech support purposes. The Mikrotiks are fantastic little boxes and an amazing value. There are multiple 951 models, and you may prefer one of the non-wifi Mikrotik products if you don't need the radio (though having a 1 W radio has been nice also!)

    --

    Slashdot comments... splitting hairs since 1997.

  29. pfsense by powerlord · · Score: 1

    pfSense routers using an OpenVPN connection between the two locations (probably location B acting as a client to the location A server, with it set up to route all traffic through the tunnel to A).

    Likewise you could also just set up an OpenVPN server at location B and use an OpenVPN client to connect from a machine on "A" to the "B" network for when you need to work on things there (but then you won't have the traffic routing from "B" through "A" before it hits the Internet).

    Personally I used a small fanless box from Netgate (that came pre-installed with pfSense and 6 NICs) to run our SOHO office of ~10 devices on the computer network + another 15 phones on a second network feeding into a second NIC. Load-balanced WAN connections from two different providers, an OpenVPN server for remote connections for fixing things from home, and all the usual bells and whistles (for me at least).

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  30. Tor and VNC/SSH/RDP/whatever service on the client by Anonymous Coward · · Score: 0

    Use Tor and the hidden service options to get access to the client devices. This circumvents the ISP snooping and dropping desktop sharing.

    BTW, are you living in a country without net neutrality? Otherwise, sue.

  31. VPN Solution or Connectivity Solution by Anonymous Coward · · Score: 0

    Have you considered using SSH tunnels to communicate with each site? You could run SSH servers on each network, open up ports on the upstream firewalls and get your connectivity that way?

    You could also bind RDP to a port that is known to be open (http/https?) and set up dual factor authentication.

    Setting up VPNs on any standard home router isn't that hard. Where you may run into problems is when IPs change. You may consider setting up DynDNS accounts for ease of use and setting up OpenVPN connections.

    Since you didn't mention anything about the subnets behind the endpoints, openvpn will probably be your best/easiest route.

    This should give you some ideas:
    https://www.dd-wrt.com/wiki/in...

  32. LAN to LAN VLAN by maz2331 · · Score: 1

    I second many of the above suggestions. pfSense isn't a bad solution, OpenVPN will work, and little Cisco VPN routers are good too. I'd personally just put a Juniper SSG-5 on each end, for the simple reason that they are available on eBay for around 50 bucks each and are relatively easy to configure.

  33. AutoSSH by fwarren · · Score: 2

    If you have one Linux system there with an account you have access to AND a server on your end that you can SSH into, you're set. On your server you need an account for them to log into which has their autossh user's public key in the authorized_hosts file.

    You want an executable file named /etc/network/if-up.d/reverse-ssh

    #!/bin/sh
    # Ensures that autossh keeps trying to connect (exported so the su'd shell sees it)
    export AUTOSSH_GATETIME=0
    # Ports are literal (a leading $ would make the shell expand them); the *: binds need GatewayPorts yes in the server's sshd_config.
    # Host-key checking is off here, so the first connection trusts whatever key myserver.com presents.
    su -c "autossh -f -N -R *:8000:localhost:22 -R *:8001:localhost:5900 pozer@myserver.com -oLogLevel=error -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no" root

    I have autossh run as root and log into the account pozer on myserver.com. At that point you have a computer on your network with port 8000 opened to their Linux box and 8001 available for VNC. I set the logged-in user's X desktop to autorun "x11vnc -shared -forever" to export their desktop over VNC. I also install UltraVNC on the Windows PCs.

    If you had a Windows PC at 192.168.1.50 you could add "-R *:8002:192.168.1.50:5900" to the above autossh command so you can reach it with "vncviewer myserver:8002".

    If you don't know the IP address till later you can set up a forward tunnel by remoting into their server over ssh: "ssh remote@myserver -p 8000 -L *:8002:192.168.1.50:5900"

    As long as there is a reverse tunnel you can use to create a connection back to their Linux machine, you can open up and access any port on their network. You can use vncserver to run a headless desktop in the background on their Linux Mint PC.

    --
    vi + /etc over regedit any day of the week.
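
    A hardened variant of the reverse-tunnel setup in this post, added here as an example and not the poster's script. The posted command trusts whatever host key myserver.com presents (UserKnownHostsFile=/dev/null with StrictHostKeyChecking=no) and the pozer account may open any remote port; the version below pins the server's host key once and restricts the key on the server to the two agreed listen ports. The user name tunnel on the location-B box, the paths under /etc/autossh and the port numbers are assumptions; permitlisten needs OpenSSH 7.8 or newer on the server.

```shell
#!/bin/sh
# Added example, not the poster's script: same reverse tunnel, with the server
# pinning the key to the agreed listen ports and the client pinning the server's
# host key. Host name, user names and paths are assumptions.
set -e

SERVER=myserver.com             # assumed: the public box at location A
TUNNEL_USER=pozer               # assumed: unprivileged account on $SERVER
KEY=/etc/autossh/id_ed25519     # assumed: dedicated key on the location-B box
KNOWN=/etc/autossh/known_hosts  # pinned copy of $SERVER's host key

# Server side: one authorized_keys line. "restrict" turns off pty, agent, X11
# and forwarding; "port-forwarding" re-enables forwarding only, and each
# permitlisten limits which -R ports this key may open. sshd_config also needs
# "GatewayPorts clientspecified" for the *: binds to work.
#   $1 = public key text, $2.. = remote listen ports to allow
authorized_keys_line() {
    pub=$1; shift
    opts='restrict,port-forwarding'
    for p in "$@"; do opts="$opts,permitlisten=\"$p\""; done
    printf '%s %s\n' "$opts" "$pub"
}

# Client side: the autossh invocation. ExitOnForwardFailure makes autossh
# restart when a port is already taken instead of sitting there with no tunnel;
# -M 0 relies on ServerAlive probes instead of autossh's own echo port.
#   $@ = forward specs, e.g. 8000:localhost:22
tunnel_cmd() {
    cmd="autossh -M 0 -f -N -i $KEY"
    for spec in "$@"; do cmd="$cmd -R '*:$spec'"; done
    cmd="$cmd -o UserKnownHostsFile=$KNOWN -o StrictHostKeyChecking=yes"
    cmd="$cmd -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    printf '%s\n' "$cmd $TUNNEL_USER@$SERVER"
}

# One-time pin of the server key: scan it and print the fingerprint so it can be
# compared out of band (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the
# server) before the first unattended run.
pin_host_key() {
    mkdir -p "$(dirname "$KNOWN")"
    ssh-keyscan -t ed25519 "$SERVER" > "$KNOWN"
    ssh-keygen -lf "$KNOWN"
}

# /etc/network/if-up.d body on the location-B box: bring the tunnel up as the
# dedicated (assumed) user "tunnel", not root, once a real interface is up.
case "${IFACE:-}" in
    ""|lo) ;;
    *) su -s /bin/sh -c "$(tunnel_cmd 8000:localhost:22 8001:localhost:5900)" tunnel ;;
esac
```

    Put the line from authorized_keys_line into ~pozer/.ssh/authorized_keys on myserver.com, run pin_host_key once on the location-B box and check the fingerprint it prints, and the tunnel then comes up on every interface event exactly as in the post, but a box that spoofs myserver.com's address gets a host-key mismatch instead of the session.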
  34. I use NeoRouter for that by ebbe11 · · Score: 1

    Works on Windows, Linux (that's where I run my NeoRouter server) and Android. They have a free (beer) version that I used for a couple of years. I'm on the paid version now. http://neorouter.com/

    --

    My opinion? See above.
  35. IPCop might work by Anonymous Coward · · Score: 0

    If you have any low power/old machines lying around you can certainly get the A to B IPSEC VPN set up with IPCop pretty easily and cheaply, and IPCop has lots of other stuff like URL filters if you want. It also makes a good OpenVPN server for road warrior type access.
    I'm sure there are other, better ways in 2015, but I have used IPCop for years and years now.

  36. Nat alternate ports by Anonymous Coward · · Score: 0

    Well, for one thing you can use RDP on nonstandard ports to get remote access. I'd probably just use an SSH tunnel, forwarded internally, to accomplish the remote administration. It's simple when you know what to do but can be tricky to figure out on your own. From there I'd likely use a local pfSense router to filter traffic accordingly. No need to make it all one big network.

  37. pfSense by Anonymous Coward · · Score: 0

    Sounds like you want a couple of pfSense firewalls -- one at each location.

    1) OpenVPN between the sites.

    2) Sites can even be on different subnets, just need to configure the firewall rules to allow traffic to pass. This will allow you to remote into systems at site B.

    3) Configure each computer to route through the network - WAN (local ISP) or VPN (back to Site A).

    4) Setup DHCP with MAC Static mappings - this will allow you the ability to later disable any/all/restrict Internet access to devices as necessary.

    5) Install some time monitoring software (PCs - TimeBoss, for example. You probably won't use the limiting features, just the capability to take/and send screenshots of activity to yourself. For the Linux - probably need to install some screen shot software and create a cron job to take a screenshot and email the result).

    You could do some of this with some routers with DD-WRT, but you'll have finer control with a couple of pfSense rigs -- you can get some HP T5740 thin clients with pfSense and three 1 GbE NICs for around $100/ea on eBay.

  38. Maintenance server by Anonymous Coward · · Score: 0

    Instead of routing all of B's traffic through A, why not install a dedicated box at B for monitoring and maintenance purposes? You can route all of B's traffic through this box and log/limit it, as well as use this box to remote desktop/ssh/whatever into the other machines at B.

    Then you've reduced your problem to simply needing to VPN or ssh tunnel from A into this one box at B, which I will leave as an exercise for the reader.

    1. Re:Maintenance server by Nimloth · · Score: 1

      This ^
      This is much smarter than routing traffic from your son's computer at B through A to get to the internet. Save the extra latency and fault point.

  39. Splashtop and Sophos UTM by TheCow · · Score: 1

    I have a similar situation for remote access, but my parents are 12 hours away.

    I use Splashtop with the remote access feature (paid feature). No approval to access the machine is required.

    I use Sophos UTM (next-gen firewall, formerly Astaro) for web filtering, spam and anti-virus protection in my home, as I was tired of trying to tie solutions together to make them work and spam was really starting to get bad. As you are doing this for personal use, you can get their home-use virtual license for free and run it on an old computer with ESXi. Since it is a full-fledged firewall you can also set up VPN connections if you want to. As you are covering multiple households you will need a user in each household to get a separate license for home use. Or you could purchase their appliances. With this you can create web filter rules with time-based restrictions, user-based restrictions, IP address restrictions etc...

    Splashtop Remote desktop solution:
    http://www.splashtop.com/

    Sophos UTM home use:
    https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

  40. IPv6 by nyet · · Score: 2

    Get some IPv6 endpoints (and subnets) from he tunnelbroken and set up some basic ipv6 linux firewalls at both ends. Ditch all the crazy NAT/VPN crap and just go 100% peer to peer.

    1. Re:IPv6 by nyet · · Score: 1

      err tunnelbroker

      http://tunnelbroker.net/

  41. PFsense could do all of what you want by interestingthoughts · · Score: 1

    Using a pfSense box with multiple NICs you could set up numerous networks and control routing between the networks at that point. Also pfSense can fully integrate OpenVPN into the scheme and has a firewall and filtering to be able to tell where everyone in the network is going. It also allows for port forwarding for your Linux box. Did I mention all of this is done through a GUI? Software can be downloaded at: https://www.pfsense.org/

  42. OpenVPN by MoZ-RedShirt · · Score: 1

    OpenVPN does exactly what you need. You can link your locations with a site-to-site tunnel and include the nets on both sides.

    https://openvpn.net/index.php/...

    You can set one of the VPN gateways as the default gateway for the other net and OpenVPN runs on all sorts of hardware including WLAN routers and iOS devices.

    --
    Microsft spel chekar vor sail, worgs grate !!!
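
    The gateway arrangement in this post (and steps 1 to 4 of the pfSense recipe in comment 37) in concrete OpenVPN terms, as an added example that is not code from the thread. Addresses are assumed: 10.0.0.0/24 for A's server LAN, 192.168.1.0/24 for B, 10.8.0.0/24 for the tunnel, a.example.net for A's public name, eth0 as the WAN interface on both routers, and a client certificate with CN location-b; certificates are assumed to have been issued already (easy-rsa or the pfSense CA manager). The same directives map one-to-one onto pfSense's OpenVPN server, client and Client Specific Overrides pages.

```shell
#!/bin/sh
# Added example (not from the thread): site-to-site OpenVPN that pulls location
# B's default route through location A. Assumed addressing, change to suit:
#   A LAN 10.0.0.0/24, B LAN 192.168.1.0/24, tunnel 10.8.0.0/24,
#   A reachable as a.example.net, WAN interface eth0 on both routers.
# Keys (ca.crt, server.crt/key, location-b.crt/key, ta.key, dh.pem) are assumed
# to exist already, e.g. from easy-rsa.
set -e

A_LAN=10.0.0.0;    A_MASK=255.255.255.0
B_LAN=192.168.1.0; B_MASK=255.255.255.0; B_CIDR=192.168.1.0/24
A_PUBLIC=a.example.net
A_WAN_IF=eth0

# Location A, server. The pushed redirect-gateway makes B's router send all the
# traffic it forwards into the tunnel; route + iroute tell the kernel and OpenVPN
# that the client whose certificate CN is "location-b" owns B's LAN.
gen_server_conf() {
cat <<EOF
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
client-config-dir ccd
route $B_LAN $B_MASK
push "route $A_LAN $A_MASK"
push "redirect-gateway def1"
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Contents of ccd/location-b on the server.
gen_ccd_b() { printf 'iroute %s %s\n' "$B_LAN" "$B_MASK"; }

# Location B, client on the router. remote-cert-tls stops another client
# certificate from the same CA being used to impersonate the server.
gen_client_conf() {
cat <<EOF
client
dev tun
proto udp
remote $A_PUBLIC 1194
nobind
ca ca.crt
cert location-b.crt
key location-b.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Location A: forward only B's prefix and NAT it behind A's public address. A's
# second, NATted network is not mentioned anywhere here and keeps its own path.
gen_site_a_firewall() {
cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $B_CIDR -o $A_WAN_IF -j MASQUERADE
iptables -A FORWARD -i tun0 -o $A_WAN_IF -s $B_CIDR -j ACCEPT
iptables -A FORWARD -i $A_WAN_IF -o tun0 -d $B_CIDR -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Location B, per-host choice of WAN or VPN (step 3 of the pfSense recipe):
# hosts given here are policy-routed to B's own ISP instead of the tunnel.
#   $1 = B's ISP gateway address, $2.. = LAN hosts to exempt
gen_site_b_bypass() {
    gw=$1; shift
    echo "ip route replace default via $gw dev eth0 table 100"
    for h in "$@"; do echo "ip rule add from $h lookup 100 priority 100"; done
}

case "${1:-}" in
    site-a) mkdir -p /etc/openvpn/ccd
            gen_server_conf > /etc/openvpn/server.conf
            gen_ccd_b > /etc/openvpn/ccd/location-b
            gen_site_a_firewall | sh ;;
    site-b) gen_client_conf > /etc/openvpn/client.conf
            shift; gen_site_b_bypass "$@" | sh ;;
esac
```

    Run it as site-a on A's gateway and as site-b <ISP gateway> [host ...] on B's. Because the server holds route/iroute for 192.168.1.0/24, B's hosts keep their own addresses across the tunnel (no double NAT), and only A's edge masquerades them; the exempted hosts at B are still NATted to B's WAN by whatever the home router already does. If A's ISP is also filtering, switching proto to tcp on port 443 gets through most blocks, at the TCP-over-TCP cost discussed further up the thread.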
  43. OpenBSD has what everything you need, built-in.... by Anonymous Coward · · Score: 0

    This is trivially simple with OpenBSD if you control PC hardware on both ends acting as your router/firewall, even for default routing packets through a tunnel. ALIX makes inexpensive, high-quality hardware that is OpenBSD compatible.

    For Location A:

    /etc/ipsec.conf
    location_a = "10.0.0.0/24, 72.82.92.102"
    location_b = "192.168.1.0/24, 102.92.82.72"
    # peer is the far gateway's public address (B's), not our own
    ike esp from {$location_a} to {$location_b} peer 102.92.82.72 psk MyPreSharedKey

    /etc/hostname.gif0
    tunnel 72.82.92.102 102.92.82.72
    inet 10.11.12.1 10.11.12.2 netmask 0xffffffff up

    For Location B:

    /etc/ipsec.conf
    location_a = "10.0.0.0/24, 72.82.92.102"
    location_b = "192.168.1.0/24, 102.92.82.72"
    # peer is A's public address
    ike esp from {$location_b} to {$location_a} peer 72.82.92.102 psk MyPreSharedKey

    /etc/hostname.gif0
    tunnel 102.92.82.72 72.82.92.102
    inet 10.11.12.2 10.11.12.1 netmask 0xffffffff up

    Set a static route in location B for 72.82.92.102 to your ISP's router, then set your default route to 10.11.12.1 in location B's router.

    auth hmac-sha2-256 enc aes will be your default transform, which is fine.

    The rest is OpenBSD's pf.conf semantics (which is *the* bleeding edge of PF development) and a few OS tweaks to sysctl.conf and rc.conf.local.

    /etc/sysctl.conf
    net.inet.ip.forwarding=1
    net.inet.ip.redirect=0
    net.inet.ipcomp.enable=1

    /etc/rc.conf.local
    isakmpd_flags="-K"
    ipsec=YES

  44. pfSense gateway at each site by Anonymous Coward · · Score: 0

    I would put a pfSense gateway at each site to talk to the other sites, with the gateway at Site A having an extra couple of network cards for the gateway and other subnets. Build your hardware based on traffic load; a couple of Raspberries should be fine.

    Ignore the Mixed environment, and feel safe knowing you are tunneling traffic for all the devices, computers, iPads, Phones XBox etc over your Site A connection and can monitor and log traffic to your hearts content.

    Keep in mind if your son is smart, it doesn't take more than an email address to setup some of the free trial VPS, and ssh into them to tunnel a SOCKS Proxy out and create his own unmonitored tunnel through your tunnel to go to whatever websites he chooses to go to.

    Just saying if you build better mouse traps you breed smarter mice.
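
    How that bypass looks from the gateway, and one way to watch for it, as an added example that is not from the thread. It reads connection records normalised to CSV (timestamp, src, dst, dport, proto, duration, bytes in, bytes out; pfSense's filter log or a flow exporter can be massaged into that shape) and flags any SSH session to a host outside the family's own ranges, plus any single long-lived, high-volume TCP session to an unfamiliar host, which is what an SSH- or TLS-wrapped SOCKS tunnel looks like on the wire. The allowlisted prefixes, thresholds and sample lines are all constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: a heuristic scan of per-connection
# logs for the bypass described above. Two signals: any SSH session to a host
# that is not ours, and any single long-lived, high-volume flow to an
# unfamiliar host (a SOCKS tunnel rides on one such connection).
set -e

# Destination prefixes we expect: location A's LAN and (assumed) a CDN range the
# family actually uses. Everything else counts as unfamiliar.
ALLOW_DST="10.0.0. 198.51.100."
MIN_DURATION=1800        # seconds
MIN_BYTES=104857600      # 100 MB, in + out

# Constructed sample lines, not real logs.
sample_flows() {
cat <<'EOF'
# ts,src,dst,dport,proto,duration_s,bytes_in,bytes_out
2015-06-20T14:02:11,192.168.1.60,203.0.113.9,22,tcp,5400,125829120,99614720
2015-06-20T14:05:30,192.168.1.60,198.51.100.7,443,tcp,45,2097152,65536
2015-06-20T16:10:02,192.168.1.60,203.0.113.40,443,tcp,7200,1572864000,52428800
2015-06-20T17:00:00,192.168.1.60,10.0.0.5,22,tcp,600,4194304,1048576
2015-06-20T18:30:00,192.168.1.50,203.0.113.88,443,tcp,3600,52428800,1048576
EOF
}

# Reads flow CSV on stdin, prints one line per suspicious flow.
scan_flows() {
    awk -F, -v allow="$ALLOW_DST" -v mindur="$MIN_DURATION" -v minbytes="$MIN_BYTES" '
    BEGIN { n = split(allow, pfx, " ") }
    # prefix match against the allowlist; "10.0.0." matches 10.0.0.5
    function allowed(ip,   i) {
        for (i = 1; i <= n; i++) if (index(ip, pfx[i]) == 1) return 1
        return 0
    }
    /^#/ || NF < 8 { next }
    {
        ts = $1; src = $2; dst = $3; port = $4; dur = $6 + 0; total = $7 + $8
        if (allowed(dst)) next
        if (port == 22) {
            print ts, src, "->", dst ":" port, "ssh to non-family host,", dur "s"
            next
        }
        if (dur >= mindur && total >= minbytes)
            print ts, src, "->", dst ":" port, "long-lived", int(total / 1048576) "MB flow, possible tunnel"
    }'
}

sample_flows | scan_flows
```

    On the sample the first and third lines are reported: the SSH session to the rented VPS, and the two-hour 1.5 GB HTTPS session to one unfamiliar host; the short HTTPS session, the SSH into location A, and the long but light session from the laptop are not. The thresholds are a starting point only: a long video stream to a host you have not allowlisted trips the second rule, so check the destination before reacting, and expect a determined kid to move to shorter connections or to a host in a range you trust.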

  45. OpenWRT by Anonymous Coward · · Score: 0

    Hi,

    I have put together a system which does exactly that. I did it by putting OpenWrt on two routers, one at each location. I needed to add the tun/tap driver module. This module allows a programmer to send a complete packet from userspace and inject it like it was coming from a network adapter. It has two ends, an interface for the network side, called tap0 or tun0, and a file handle for the program side (something like /dev/tun/0). I then use brctl to add the tun0 to the list of bridged adapters. There are two programs. One is a server at site A that accepts a connection from site B. Site A has a static IP. It takes the packets from the remote and pushes them through the bridge. I use the tap0 interface so that the ethernet layer is still intact in the packet, which allows the bridge to do its routing magic. The B side is a client program which does the same thing, except it automatically makes the connection to site A when the router boots. I modified the A side to run through inetd. The B side runs the connecting client at startup. Router A has IP address 172.16.0.1, while router B has IP address 172.16.1.1. The netmask is 255.255.0.0 so that broadcasts will go across the network. Each router manages its own DHCP, and gives itself as the default route. The router uses its own range of 172.16.X.2 - 254 for leases. You probably don't need to route all internet traffic through A, as you could always log into B and block traffic there. To have the DHCP work correctly, the program that connects the two routers has to block all DHCP traffic from transferring over the link. BTW, the link is a simple TCP connection that resets on error.

    I understand the issues that can arise by sending ethernet packets over tcp (with the timeout problems for retries), but I really have not experienced any problems in this realm.

    The end result is a bridged level 2 network, but each with its own IP configuration.

    If you are interested in this type of solution, or for more details, try me at gmail, jkevinm.66.
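    Two details the post above depends on are worth seeing in code: Ethernet frames have to be delimited before they ride a TCP stream, and DHCP must be dropped at each endpoint before a frame is written to the local tap0 so every router keeps serving only its own lease range. The following is an added example, not the commenter's program; the MACs, addresses and frames are constructed for the demonstration.

```python
"""Endpoint filter for an Ethernet-over-TCP bridge link (added example).

Two pieces: a 2-byte length prefix so whole frames can be recovered from the
TCP byte stream, and a DHCP check applied before a frame is injected into tap0.
All sample frames below are constructed for the demonstration.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}          # BOOTP/DHCP server and client ports


def is_dhcp_frame(frame: bytes) -> bool:
    """True if a raw Ethernet frame carries a DHCP/BOOTP datagram."""
    if len(frame) < 14:
        return False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    ip = 14
    if ethertype == ETHERTYPE_VLAN:          # skip one 802.1Q tag if present
        if len(frame) < 18:
            return False
        (ethertype,) = struct.unpack("!H", frame[16:18])
        ip = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < ip + 20:
        return False
    ihl = (frame[ip] & 0x0F) * 4             # IPv4 header length in bytes
    if ihl < 20 or frame[ip + 9] != IPPROTO_UDP:
        return False
    (frag,) = struct.unpack("!H", frame[ip + 6:ip + 8])
    if frag & 0x1FFF:                        # non-first fragment: no UDP header
        return False
    udp = ip + ihl
    if len(frame) < udp + 8:
        return False
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    return sport in DHCP_PORTS or dport in DHCP_PORTS


def should_forward(frame: bytes) -> bool:
    """Policy applied at each tunnel endpoint before writing to tap0."""
    return not is_dhcp_frame(frame)


def encode_for_stream(frame: bytes) -> bytes:
    """Prefix a frame with a big-endian 16-bit length for the TCP link."""
    return struct.pack("!H", len(frame)) + frame


def decode_from_stream(buf: bytes):
    """Split a receive buffer into complete frames; return (frames, leftover)."""
    frames = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:                 # partial frame: wait for more bytes
            break
        frames.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return frames, buf


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/UDP frame (checksums left zero)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                         64, IPPROTO_UDP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + udp


# Constructed samples: locally administered MACs, site B's 172.16.1.x range.
MAC_CLIENT = bytes.fromhex("020000000010")
MAC_GATEWAY = bytes.fromhex("020000000001")
BROADCAST = b"\xff" * 6
DHCP_DISCOVER = build_udp_frame(MAC_CLIENT, BROADCAST, "0.0.0.0",
                                "255.255.255.255", 68, 67, b"\x01")
DNS_QUERY = build_udp_frame(MAC_CLIENT, MAC_GATEWAY, "172.16.1.10",
                            "172.16.0.1", 40000, 53, b"q")
ARP_REQUEST = BROADCAST + MAC_CLIENT + b"\x08\x06" + b"\x00" * 28

if __name__ == "__main__":
    for name, f in (("DHCP discover", DHCP_DISCOVER), ("DNS query", DNS_QUERY),
                    ("ARP request", ARP_REQUEST)):
        print(f"{name:14s} forward={should_forward(f)}")
    frames, rest = decode_from_stream(encode_for_stream(DNS_QUERY)[:20])
    print(f"partial read: {len(frames)} frames, {len(rest)} bytes buffered")
```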

  46. one thing at a time by nine-times · · Score: 1

    In your description, you have lots of different random things you're trying to do, and it'd take me some time to parse it out, and then I'd have questions.

    But you say, "I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry." Ok, so my first question would be, do you really want VPN for that? It might be easier to go with some kind of remote-control service or MDM. LogMeIn comes to mind as something that does not require someone to send an invitation, though it's not free anymore. Speaking of LogMeIn, you could also look into their Hamachi service as a VPN. (For the record, I have no affiliation with LogMeIn).

    You could set up routers on each site that are capable of creating a VPN tunnel, and then just create a VPN tunnel between them. I think DD-WRT supports this, if you can't find anything else to do the job, and Buffalo makes routers with it pre-installed. I haven't used them, but I'd bet I could get something working with that. On the other hand, the reason I've never done that is that site-to-site VPN tunnels can be just finicky enough that I wouldn't bother with them unless I need a constant ongoing connection between two locations for a serious purpose, and when I do need that, I get professional gear. As a result, I can't verify the reliability of VPN for any consumer level gear.

    I would also wonder, if the ISP is blocking "desktop sharing ports", might they also be blocking common VPN ports? Can you just change the "desktop sharing ports"? Maybe you can do a NAT on the firewall to redirect the ports, and then you don't need to reconfigure the desktops to use different ports.

  47. WHY???? by Anonymous Coward · · Score: 0

    "Due to recent events" and "(hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A)" just screams someone trying to perform a technical solution to a human relationship problem. Why would the people in Location B (4 hours away) ever want their internet traffic routed through Location A?

    I see this crap all the time at work... We want to do X,Y,Z. That's all fine and good but let's start with what the problem is... X,Y,Z may not be the best solution for your problem.

  48. Open VPN+2 by Anonymous Coward · · Score: 0

    I use it extensively. *single port* so easier to get through a NAT, works with Synology Raids too, Android, Windows, Linux the lot. Encrypted.

  49. I've done this with several client satellite sites by Anonymous Coward · · Score: 0

    As others have said, easiest and most foolproof way is pfsense box. I prefer these ALIX boxes but you could do it for "free" with a couple old PCs or any number of old routers that can run pfsense.

    http://store.netgate.com/Netgate-m1n1wall-2D13-Black-P216.aspx

  50. VPN by Anonymous Coward · · Score: 0

    There are two issues here:

    1. Unrestricted traffic flow between machines for administrative purposes

    2. Content filtering/restrictions for a child.

    #1 is easy in theory, just use a VPN router type product. I do this a lot professionally and I would say most of the solutions out there would be painful for a novice. You also have some fun challenges in that the 20 meg cable modem side is going to have dynamic addressing most likely. That detonates the ability of using anything from Ubiquiti or using anything vyatta or based on SWAN as they don't support aggressive mode IKE. You can do main mode and certificates but it's a bloodbath.

    Above recommendation was to use DD-WRT. I've tried and it's been ok at times and painful at times. The only device I had that it was "good" on was a wrt-54g. The other platforms I tried it on had poor success and many features were broken. You can try that (good luck) or use pfsense on an intel platform box. Pfsense was ok, but I certainly experienced more latency with it than a commercial firewall.

    My recommendation would be to use ebay to buy two netscreen/Juniper firewalls, one a SSG-5 and the other a SSG-140. You can google "netscreen route based VPN". These are older enterprise firewalls but should be fine for personal use. There is plenty of documentation out there on how these things work and they provide the most functionality/least pain of anything I've worked with.

    #2 is difficult. If you install something on the machine it always seems to cause problems. Something at the network level is not going to be feasible for a home environment. You could try pfsense or DansGuardian or something less than enterprise but again it's not great.

    1. Re:VPN by pnutjam · · Score: 1

      pfsense, properly configured, can stand against any commercial product. For dynamic IPs, openVPN works great. I have used both mikrotik and pfsense and configured them such that you plug them into any network and they immediately tunnel home with an OpenVPN. Don't bother with swan or the other ipsec or pptp solutions.

  51. OpenVPN by bleh-of-the-huns · · Score: 1

    I have 3 VPS and 2 mixed networks. All of them can communicate with each other over different subnets.

    Make one of the VPS servers your master OpenVPN server
    Connect all the other VPS, or network gateways to the Master as clients.

    Make sure you advertise the routes using server side client config directives (usually in $path/openvpn/ccd/$name_of_certificate)

    Problem solved.

    Can even go a little more advanced, setup a vps in another country, and use static routes to make it appear like you are local when you hit certain websites (say BBC iplayer..)....

    --
    I came, I conquered, I coredumped
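    The client-config-dir mechanism the post above refers to, as an added example (not the poster's own files): the server learns which client certificate sits in front of which LAN through an iroute in that client's ccd file, and each gateway is pushed only the other site's LAN. The transit subnet, LAN subnets, certificate CNs and paths are assumed.

```conf
# server.conf on the master VPS (added example; subnets and paths assumed)
dev tun
# transit subnet for the tunnel itself
server 10.8.0.0 255.255.255.0
# per-client directives live in $path/openvpn/ccd/<certificate CN>
client-config-dir /etc/openvpn/ccd
# let the two site gateways reach each other through the server
client-to-client
# kernel routes on the VPS: both LANs are reachable via the tun interface
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0

# /etc/openvpn/ccd/siteA-gateway  (file name = CN of site A's certificate)
# iroute tells OpenVPN this client is the way to site A's LAN
iroute 192.168.1.0 255.255.255.0
# advertise site B's LAN to site A's gateway only
push "route 192.168.2.0 255.255.255.0"

# /etc/openvpn/ccd/siteB-gateway
iroute 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
```

Each site gateway still needs IP forwarding enabled, and LAN hosts must use that gateway as their route to the other site's subnet (simplest when it is already their default gateway).
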
  52. You don't want to send all traffic through the VPN by Anonymous Coward · · Score: 0

    The VPN would be the bottleneck screwing bandwidth for the remote side. Not to mention creating an unnecessary SPOF.

    Instead you should create a mgmt network across the vpn.
    Set up a server at the remote location running both your monitoring software and vpn server (openvpn). Manage the monitoring software by connecting with openvpn client. Manage other computers the same way.

  53. Alternative remote desktop solution by swillden · · Score: 3, Interesting

    It sounds like the motivation for the change isn't that remote desktop didn't work well, but that it has stopped working, so you don't have a good way to remotely administer their machines. If so, rather than setting up a VPN, a remote desktop that does work would do the job.

    Chrome Remote Desktop (a Chrome browser extension from Google) does this quite handily. You can set up one-time remote sessions, where someone on the other end has to give you an invitation for each connection, or you can set up persistent connections which you can use any time. It's cross-platform (Windows, Mac, Linux).

    I haven't looked into the underlying network protocols in detail, but I understand it uses libjingle, which implements ICE for NAT traversal (https://tools.ietf.org/html/rfc5245). What I do know is that I've used it in many bizarre network configurations and it's been flawless... if both hosts can reach the net, they can reach one another.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Alternative remote desktop solution by SirSpammenot · · Score: 1

      "Chrome Remote Desktop (a Chrome browser extension from Google) ... you can set up persistent connections which you can use any time."

      Where the hell is THAT documented? Seriously: I would look at it once.... Having Chrome always running might sound like a great idea until you NEED it, but unless it also works on Chrome Desktop (ie: Chrome books, Chrome Boxes, etc) it is of questionable use for supporting grandpa and 8yr old Susie.

      --
      1 Dachshund + 1 Dachshunds = A Paradox.
    2. Re:Alternative remote desktop solution by swillden · · Score: 1

      At least for Linux there's a command-line tool that keeps the server always running. That's what I use. Not sure about Windows or Mac. As for Chrome Desktop, Chrome is always running; works fine.

      In any case, the questioner indicated that he's previously used a RD solution that required some action on the remote end to initiate it, and that worked (though perhaps less than ideal). So even if you have to have someone at the remote end start Chrome, or even initiate a per-connection invitation, I expect it's still workable for his use case.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  54. Sonicwall by Anonymous Coward · · Score: 0

    Just buy sonicwalls for each location. Site to Site VPN and they support crazy configs like these.
    You can either spend the money on the right solution, or spend the time (which is money) in frustration and cobbling other junk together. Your choice.

  55. Keep it simple by kosmosik · · Score: 1

    In my opinion you are making this issue more complicated than it really is. You really don't need site-to-site VPNs and custom routing to accomplish your goals.

    If I understand you correctly your goals are:

    1) To have remote access to machines (Linux, Windows, others) in a few remote networks.

    Just set up a VPN server in each of these remote networks. OpenVPN is probably a good way to go. It would run on any Linux machine, Windows machine (if you dare), even on some routers (f.e. DD-WRT compatible). If these networks are behind dynamic IPs you will also need some kind of dynamic DNS service.

    Having VPN server running in all locations you just login to it and access whatever machine in that network remotely. For Windows machines DameWare is probably not a bad idea. It is commercial software but you only need to pay for one license - the license is for an operator (you), not for client machines. You could also use VNC - why not? For Linux machines SSH is a no brainer. And other devices (like printers, networking gear, etc.) probably have HTTP interface anyway.

    Also you wrote: "me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites". Well are you aware that you DO NOT need to log in to Windows systems to apply patches and security updates? It just happens automatically. Just turn on Windows Update.

    And since it looks like you are required to take 4hr trips to fix your parents' computers that makes you basically their administrator - DO NOT give them administrator rights on their machines. Set them up with quite secure configuration - no admin rights, antivirus software running and set to automatic, backup running and set to automatic, updates running and set to automatic. If you do so I hardly see a need to physically access their machines (modulo hardware failures).

    2) You have described your second goal in such a convoluted way with buts/ifs and so on that I need to cite this mess: "I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default.".

    So basically you want to:
    * monitor your son's network usage
    * enforce policies on your son (like no Internet after eight since you were bad)
    * enforce password usage (or other form of authentication) on your users since you don't want to allow your son to use their grandpa's computers while they are not around physically guarding the machines

    Well what you basically wish for is corporate-like network with authentication to local systems and to network usage. It can't be done without enterprise class systems - you will need an internet access proxy/gateway for accounting and enforcing access policies for network, user directory to enforce password usage and restrict access to certain machines for certain users (namely your son), network access protection system (and network hardware supporting it) so your son can't just use his Linux machine to access network however he likes.

    That means that you are contradicting yourself by saying that you don't want to have any firewall or blocking - you do.

    How you are claiming that you have any training in network administration is beyond my understanding.

    1. Re:Keep it simple by spauldo · · Score: 1

      Well what you basically wish for is corporate-like network with authentication to local systems and to network usage. It can't be done without enterprise class systems - you will need an internet access proxy/gateway for accounting and enforcing access policies for network, user directory to enforce password usage and restrict access to certain machines for certain users (namely your son), network access protection system (and network hardware supporting it) so your son can't just use his Linux machine to access network however he likes.

      Um, what?

      He's not setting up a corporate network, and he's not protecting vital data. Hardcore security isn't required (and can still be had, at some inconvenience to the users, using things like this, for instance). If he's got a UNIX-based firewall that can run cron scripts, that's all he needs.

      Try this:
      1) Put grandparents' machines on static IPs (or set their IPs on the DHCP server, if whatever's serving DHCP supports it).
      2) Have grandparents put a password on their Windows boxes and set the screensaver to lock after a few minutes.
      3) Set up a cron script to turn off internet access for all IPs except the grandparents' machines at a certain time, then turn it back on in the morning.
      4) Disable the cron script and disable internet access altogether if the kids are grounded.
      5) Use the firewall logs to see what the kids are doing. A little scripting can generate reports for you, if you want.

      If only one kid is grounded, it's a bit trickier, but still doable. A kid could unplug the cable or turn off one of the grandparents' machines and take the IP, but that would be best dealt with as a social issue (i.e. beat the kid's ass if he does).

      I use a similar setup here and it works like a charm. I use OpenBSD for the firewall, but Linux and pfSense have the same capability.

      --
      Those who can't do, teach. Those who can't teach either, do tech support.
    2. Re:Keep it simple by kosmosik · · Score: 1

      > that's all he needs

      No it is not. You have contradicted yourself in your post. You have described a solution which from the beginning is flawed. Then you described that flaw (the kid could just change his IP to the grandparents' machine or even MAC if you would go for MAC based filtering). So you have basically posted a solution that is not a solution at all if you wish to make things working without beating the child.
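      Steps 3 and 5 of spauldo's list and kosmosik's objection above together say what a log review on that firewall should look for: traffic from a non-exempt host inside the curfew window (the rule failed or was bypassed), and a statically assigned IP showing up behind a different MAC. The following is an added example, not spauldo's script; it parses constructed iptables LOG lines in Linux's standard KEY=VALUE format, and the hosts, MACs, curfew window and log prefix are assumed.

```python
"""Review a home gateway's firewall log for curfew violations and IP takeover.

Added example, not spauldo's script. Input is constructed iptables LOG output
(syslog timestamp plus KEY=VALUE fields); a pf log would need a different
parse_line() but the same audit() logic.
"""
import re
from collections import defaultdict

SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d+)\s+(\d{2}):(\d{2}):(\d{2})")
KV = re.compile(r"\b([A-Z]+)=(\S+)")

# Constructed log lines: 172.16.1.10 is grandpa's PC, 172.16.1.20 the kid's laptop.
SAMPLE_LOG = [
    "Jun 14 21:05:11 gw kernel: FW-FWD IN=br-lan OUT=eth0 "
    "MAC=00:11:22:33:44:55:02:ca:fe:00:00:10:08:00 SRC=172.16.1.10 DST=93.184.216.34 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=50000 DPT=443 SYN",
    "Jun 14 23:40:02 gw kernel: FW-FWD IN=br-lan OUT=eth0 "
    "MAC=00:11:22:33:44:55:02:ca:fe:00:00:20:08:00 SRC=172.16.1.20 DST=198.51.100.7 "
    "LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=17 PROTO=UDP SPT=40000 DPT=53 LEN=44",
    # grandpa's IP, but the frame came from the laptop's MAC (address takeover)
    "Jun 14 23:41:30 gw kernel: FW-FWD IN=br-lan OUT=eth0 "
    "MAC=00:11:22:33:44:55:02:ca:fe:00:00:20:08:00 SRC=172.16.1.10 DST=203.0.113.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=TCP SPT=50001 DPT=443 SYN",
]
# Static assignments the cron rules rely on (IP -> MAC) and hosts exempt from curfew.
STATIC_HOSTS = {"172.16.1.10": "02:ca:fe:00:00:10"}
EXEMPT = {"172.16.1.10"}


def parse_line(line):
    """Extract time, addresses, protocol/port and source MAC from one LOG line."""
    m = SYSLOG_TS.match(line)
    if not m or "SRC=" not in line:
        return None
    fields = dict(KV.findall(line))
    src_mac = None
    mac = fields.get("MAC")
    if mac:
        parts = mac.split(":")
        # iptables logs the raw Ethernet header: dst MAC (6), src MAC (6), ethertype (2)
        if len(parts) >= 12:
            src_mac = ":".join(parts[6:12]).lower()
    return {"hour": int(m.group(3)), "minute": int(m.group(4)),
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": fields.get("DPT"),
            "src_mac": src_mac}


def in_curfew(hour, minute, start=(22, 0), end=(6, 0)):
    """True if hh:mm falls inside the nightly window, which may wrap midnight."""
    t = hour * 60 + minute
    s = start[0] * 60 + start[1]
    e = end[0] * 60 + end[1]
    if s > e:                       # window wraps past midnight
        return t >= s or t < e
    return s <= t < e


def audit(lines, static_hosts, exempt, curfew=((22, 0), (6, 0))):
    """Return (per-host activity summary, findings).

    Findings are (line number, kind, source IP, detail). 'curfew-traffic': a
    non-exempt host got out during the window. 'mac-mismatch': a statically
    assigned IP was used from a MAC other than the one assigned to it.
    """
    per_host = defaultdict(lambda: {"flows": 0, "dst_ports": set()})
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        host = per_host[rec["src"]]
        host["flows"] += 1
        if rec["dpt"]:
            host["dst_ports"].add(f"{rec['proto']}/{rec['dpt']}")
        expected = static_hosts.get(rec["src"])
        if expected and rec["src_mac"] and rec["src_mac"] != expected.lower():
            findings.append((n, "mac-mismatch", rec["src"], rec["src_mac"]))
        if rec["src"] not in exempt and in_curfew(rec["hour"], rec["minute"], *curfew):
            findings.append((n, "curfew-traffic", rec["src"], rec["dst"]))
    return per_host, findings


if __name__ == "__main__":
    summary, findings = audit(SAMPLE_LOG, STATIC_HOSTS, EXEMPT)
    for ip, info in sorted(summary.items()):
        print(f"{ip}: {info['flows']} flows to {sorted(info['dst_ports'])}")
    for n, kind, ip, detail in findings:
        print(f"line {n}: {kind} src={ip} ({detail})")
```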

    3. Re:Keep it simple by spauldo · · Score: 1

      I assume you don't have kids. Or work in security, for that matter.

      This is standard industry practice. You weigh your security needs (very little, based on the original question) and base your policy on those. If you catch someone circumventing your policy, you take action (for parents, you punish the child; for companies, you discipline the employee).

      What this setup does is make it non-trivial for the children to circumvent the basic security setup. It also makes it dead easy to find someone who is circumventing the security setup - the child's internet usage will look different than their grandparents'. There will be no accidental circumvention of the security policy. The real problem, from a parental point of view, is that the child is deliberately disobeying - and that's a parent issue, not a technical one.

      Think about it; if you really want to secure your house, you'll build it out of steel deep underground. Locks can be easily circumvented; I could probably break into the average house in less than ten minutes, and I'm no locksmith (or burglar, for that matter). But for some reason, you don't find people living in buried steel vaults. Banks, on the other hand, do use buried steel vaults; their security need is greater than the average household.

      --
      Those who can't do, teach. Those who can't teach either, do tech support.
    4. Re:Keep it simple by kosmosik · · Score: 1

      > I assume you don't have kids. Or work in security, for that matter.

      So you have lots of kids and work in security and it didn't occur to you that it would be easier and more effective to just take the kid's laptop and lock it up somewhere?

  56. Hardware VPN device by musicon · · Score: 1
    You could do all of this through software (openVPN, etc.), but honestly life is too short to go through all the effort required as well as making sure it all works and stays updated. I'm getting too old for this crap and just need something that works in the least amount of time and effort required.

    I'd recommend you look at something like the Meraki MX64/MX64W at all three locations, it will do all of the necessary tunneling and filtering you need (with the advanced security license), as well as allow you to monitor what is happening on the network.

    Additionally, it's all cloud managed so you can view and configure the device from anywhere.

    I deploy these at work for our remote offices, and just purchased a similar setup at home (an MX64 and two MR18). I can filter what my kids get to as well as easily support remote backups and administration at my parents home.

    1. Re:Hardware VPN device by kosmosik · · Score: 1

      So in hardware VPN device VPN related stuff is being done in their ROM or maybe there are physical gears doing the VPN stuff...?

    2. Re:Hardware VPN device by DavidRawling · · Score: 1

      Is this like the other Meraki stuff where you have to pay Cisco licensing each year to be able to continue to use and manage the hardware (without paying the license it's a brick)? If so it may not be the best solution (also consider - to manage the device you have to have it connected to the cloud, so if that connection goes away or gets flakey, you're SOL).

      Plus you have the delightful experience of buying new hardware rather than continuing to use existing stuff if you don't want to pay the danegeld any more.

      For those reasons I can't recommend Meraki kit (unless I'm wrong and it's changed) - try the Ubiquiti or MikroTik kit instead, or Sophos Home Edition, or frankly anything else that doesn't have continuing payment requirements.

    3. Re:Hardware VPN device by Anonymous Coward · · Score: 0

      I would agree, based on what he is describing, Meraki would be a budget breaker for the tasks that he wants to do, you're talking about over $1000 in hardware and then Cisco Licensing fees every year....

    4. Re:Hardware VPN device by musicon · · Score: 1

      Yes, there is an annual cost for support on the device. However, it's minimal (~$70/year) and the ability to manage and monitor from anywhere is nice. I'm actually not sure what functionality is lost without maintenance, but I assume it's like most of their other products in that you stop receiving updates but it continues working fine with the last installed version.

  57. Or...TeamViewer ? by obarthelemy · · Score: 1

    TeamViewer is similar to remote desktop, and quite good. It's free for personal use. You might want to try that, or simply changing Remote Desktop's ports, before launching into complicated stuff, mister Network Admin.

    --
    The Cloud - because you don't care if your apps and data are up in the air.
  58. Sophos UTM Home License. by PishiGorbeh · · Score: 0

    I'm not sure if anyone has posted this option, sorry didn't read all of the comments. Sophos UTM with a home license. All you need is some low end dedicated hardware at each location and it's super easy to set up, Site to site, routing and all.

  59. Is VPN the right solution or is it overkill.... by David_Hart · · Score: 1

    Yes, you could go through the trouble of setting up VPN, etc. and it would work. But VPN connections can be tricky if you don't know what you are doing.

    Personally, I've been using Teamviewer (Free for private use) for remote control. They have Windows, MAC, UNIX, and mobile clients. You do have to know the password on the client that you are connecting to and I believe that you can set it to a permanent one, but I've never needed to. I just get my Dad to read the 4 or 5 digit random number back to me. I believe that you can set it up to be always-on if you buy a license.

    https://www.teamviewer.com/en/...

    As for monitoring your kid's Internet access, it isn't going to work. He'll quickly find out that Grandpa's computer has access to everything... (grin)

    The easiest thing to do is install a monitoring program on his computer and buy a 802.11ac router for home and a router for grandpa that has built-in Parental Controls. You could then check the program logs on your kid's computer and the logs on the router.

    Unless you really have your heart set on learning how to configure VPNs and understand IP networking, it's just not worth it for Remote Control and Parental Monitoring.

    However, if you also plan to use the link for backups between their home and yours then it might make sense as backup services like Carbonite can be costly. In that case, the Meraki solution proposed by a previous commenter would be a good place to start.

  60. Softether by Youssef+Adnan · · Score: 1

    I'm surprised no one mentioned Softether https://www.softether.org/ - with multi-protocol support and site-to-site capability, it should be able to cover all your needs. Set up a server in the cloud - DigitalOcean is a cheap and excellent host - with Softether. Set up another softether client in your household on an old machine and set the two to do a site-to-site. From the digital ocean installation, ensure that the gateway is whatever you like to be (another VPN to work, perhaps?) and you're all set.

  61. Zerotier FTW by Anonymous Coward · · Score: 0

    Since I've tried https://www.zerotier.com I don't even want to look at anything else. Works everywhere, on any configuration, don't need to configure anything other than the virtual networks you want to make. It's really impressive how easy it works and how well it works behind companies' firewalls (without their tech support actually knowing I'm using it).

  62. Simplest to maintain by davidwr · · Score: 1

    It will cost you some bucks, but the simplest-to-maintain connection would be a dedicated machine at the far end to act as a firewall that forces all traffic through a VPN, and some box at your end to receive the VPN's traffic and route it wherever it needs to go.

    Doing it this way means there is no special software to install on the clients and nothing will "break" when Windows 10 or Raspberry Pi's next OS revision comes out.

    For appliances like these, I would recommend you consider one of the specialized distributions that are built with this kind of thing - and the security that goes with them - in mind. A decade ago I would've said OpenBSD but there may be something better out there now.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  63. Wrong solution by Harlequin80 · · Score: 1

    You don't need to route the traffic from their network to yours. You are making this way way way more difficult than it needs to be. Set up a router at the grandparents' end which has everything running through it. Set it up with a squid proxy and all the traffic will be loggable there.

    Next configure that router to be a vpn server and you connect into it whenever you want. Once connected you can read the logs and check your son's internet habits and you can access the rest of the network to fix their machines.

    Unless I am missing something there is nothing in your spec that actually requires a site to site connection. Christ you could probably get away with a few non standard port forwards and just ssh directly into your sons laptop.

  64. Two ways... by PhunkySchtuff · · Score: 1

    There are two ways of doing this.

    One is to look for alternative remote desktop software that does work. I've had success with TeamViewer - YMMV.

    Two is to put in a lan-to-lan VPN at each site and configure your routing appropriately - either go with something like DD-WRT or get something that will do it out of the box like a Ubiquiti EdgeRouter Lite ($100 and it has 3x gigabit ports and enough horsepower to route at an appreciable fraction of that rate)

    https://www.ubnt.com/edgemax/e...

  65. OpenWRT routers by Anonymous Coward · · Score: 0

    Use OpenWRT routers at each end and use IPSEC tunnels. As long as one end has a static IP, that can be the one that the others always 'dial in' to.

  66. PFSense all the way by Anonymous Coward · · Score: 0

    I think it's the best open source firewall platform with the added value of packages. HassSeattle

  67. NetBSD IPsec by manu0601 · · Score: 1

    This is a job for IPsec tunnels. OpenVPN could also do the job. Linux, FreeBSD and OpenBSD have been cited. NetBSD can do it too. IMO NetBSD may have the path of least resistance but that is personal opinion.

  68. Networking 101? by darkonc · · Score: 1
    You can pay a couple hundred bucks for a pre-built solution, or you can build a pair of OpenBSD routers to do the job. You can either use a pair of old machines that you've been too lazy to send for recycling, or you can buy a pair of Raspberry PIs with a second (USB) ethernet connector, for a low power solution. VPN them together, and set the default route for the router at network 'A' to be through network 'B'. Problem solved. People have suggested both IPsec and OpenVPN to build the tunnel. Just make sure that both networks don't use the ubiquitous 192.168.1.0/24 network, or you'll be in routing hell trying to talk back and forth.

    My question is: If you know what you're doing, why wasn't this the obvious solution for you before you posted?

    As for needing enough CPU power, don't worry... Back in the '90s, UBC Comp Sci was using a bunch of 30MHz Pentiums to route between 10Megabit networks (mostly thicknet, with some thinnet). The reason why they used 30MHz machines??? The supplier ran out of 25MHz machines... So I figure that just about anything that runs over 300MHz would be overkill for your particular problem -- and anything less is probably no longer supported in many of the current distros.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  69. Site to Site VPN ? by nehumanuscrede · · Score: 1

    Easily achieved with Cisco hardware ( read that enterprise class ) but can't swear to it via PfSense. Talking a beefy and / or $$$ router though for the speeds you quoted in the Cisco world.

    PfSense will do a few flavors of VPN, but I've never tried to get it working with any sort of logic to flag which traffic should bring the tunnel up and which should go out unencrypted.

    However this link is informational:

    https://doc.pfsense.org/index....

    Since it's a mixed environment, it would probably be best to do it at the router level.

  70. OpenSSH + PortForwarding + RemoteDesktop by Anonymous Coward · · Score: 0

    To manage my Mom's computer at Location MOM from Location ME:

    1. WRT54G router at location MOM running Linux and OpenSSH server
    2. On each computer at Location MOM: RealVNC installed or a login with Remote Desktop access
    3. From location ME, use SSH to port-forward port 3389 (RDC) or 5900 (VNC) to my computer
    4. Remote Desktop into localhost:XXXX

    Example:
    >> ssh routerlogin@myMomsRouterIpAddress -L 10000:momscomputername:3389
    Remote desktop to localhost:10000

    I use Cygwin for the SSH stuff on my desktop at location ME.

    I could also just statically expose the ports for each computer at location MOM via the router UI and skip all the SSH forwarding but I don't think exposing Remote Desktop to the entire internet is smart/secure for a generally unmonitored network.

    1. Re:OpenSSH + PortForwarding + RemoteDesktop by Anonymous Coward · · Score: 0

      I've also got a dynamic IP address service setup on the WRT54G so that I can type something like 'mymom.dyndns.org' instead of having to know my mom's specific IP address.

    2. Re:OpenSSH + PortForwarding + RemoteDesktop by dahlellama · · Score: 1

      X2go would be another option. It will do the X forwarding to a very nice client. I use it to remote into my Linux systems at home then RDP from there. http://wiki.x2go.org/

  71. How I did it for my parents by Anonymous Coward · · Score: 0

    I used OpenWRT with OpenVPN on TP-Link Archer C7s, which are an AC1750 (2.4GHz and 5GHz) WiFi Router available for less than $100 on Amazon.

    The only thing that does not appear to work on OpenWRT is the hardware NAT which is not likely to be any problem for a home network connected to current Cable Modem speeds under 100Mb/s.

    This allowed us to create dedicated virtual links and to map access so that only those networks accessing across OpenVPN had local network privileges. Use DDNS (like on Afraid.org) to connect the OpenWRT routers to each other so even if the ISP changes the DHCP IP addresses on reboot you are good to go.

    There are also lots of resources free on the routers after the OpenWRT install to add lots of added OpenWRT packages.

  72. Site to Site by Anonymous Coward · · Score: 0

    Site to site VPN.

    As to how you do this there are very very many ways to do it. Take your pick.

  73. VPN Managed Solutions by Sitxu · · Score: 0
    --
    Whatever happens, play dead.
  74. Seriously? Come on this isn't even a hard one by mlwmohawk · · Score: 1

    You need two raspberry PI2B computers, dynamic dns, and openvpn.

    Dynamic DNS service to track B side IP addresses
    OpenVPN to create the VPN
    Leave the VPN on all the time using the raspberryPIs
    ip route add 192.168.2.0/24 via 192.168.1.100

    (assumes your A side raspberrypi is .100, and your net is 192.168.1.0 and their net is .2.0)

    If you can't port-forward VPN through your ISP, you can fool it by "router hole punching"

  75. Sophos UTM Home Edition by icuk · · Score: 1

    Go download: https://www.sophos.com/en-us/p... You'll have a free licence for 50 ip addresses per side. Beauty is.. it's Linux; supports more hardware options than pfsense. I use this to do exactly what you're wanting to do. I built small cheap computers ($250 a pop from newegg, tri nic'd) to be the "FW", installed the UTM box to every family household that needed one and set up site-to-site VPN between them. Works perfectly and it's easy to manage.

  76. Teamviewer by Anonymous Coward · · Score: 0

    /thread

    Sheesh.

  77. Re:Tor and VNC/SSH/RDP/whatever service on the cli by Anonymous Coward · · Score: 0

    Many ISPs block ports that are abused by default, protecting idiots from themselves. Most ISPs allow unblocking on request.

  78. Cisco SOHO routers will do it by Drewdad · · Score: 1

    Cisco devices have a feature called VTI - virtual tunnel interface. Basically it's an IPSec-protected GRE tunnel, but it looks like just another interface on the router.

    Then you just set up your routing rules. Policy-based routing will allow you to make decisions based on the source IP.

    This stuff works great in a SOHO environment. Doesn't scale well, though.

  79. Get a NAS ... by nbvb · · Score: 2

    Get a small NAS, such as a QNAP or Synology.

    They both have OpenVPN built in, so use that. Then you have a NAS for centralized backups (because if you're managing remotely you want to make sure they're stuff is backed up, right?) and your VPN connectivity.

    Win win situation. If you get creative, you can even cross-replicate the NAS's so you have a true offsite backup.

    1. Re:Get a NAS ... by nbvb · · Score: 1

      THEIR, not they're. Stupid autocorrect.

  80. softether or pertino by Anonymous Coward · · Score: 0

    SoftEther can be run on Windows and Linux, and one server can provide OpenVPN, L2TP, SSTP, and has a nice GUI server manager you can run on a Windows machine you have access to.
    Pertino is another idea; this is a software-defined network that can link all those locations together. It might not have enough admin options for the whole family to keep chill.
    Softether.net and pertino.com

  81. Screen Connect by dahlellama · · Score: 1

    From what I understand of your requirements, you want to be able to remote into mixed-OS systems to do technical support more than the need for a VPN. In that case I would recommend ScreenConnect. It works like it uses SSL and has client-initiated connections and persistent clients. Since it is a piece of installed software it can be installed anywhere you need it. It is a little pricey at $375 for a single persistent self-hosted solution. The licence includes one year of software updates and support. On top of it, if you do not want to renew after the year is up you can continue to use it without additional cost. https://www.screenconnect.com/

  82. Re:AutoSSH - alternate ports by Anonymous Coward · · Score: 0

    Agreed - you'll also want to take it a step further by changing the port you're using. Per the OP:

        "The ISP for Location B also seems to be blocking the Desktop Sharing ports as this method has completely stopped working for us without notice"

    I've encountered this myself with SSH - if I funnel too much traffic through my suckcast connection, they start blocking port 22. Calling their support line ends in frustration due to their support reps having 0 knowledge of what the network engineering teams do there. I've found that turning off my modem overnight, to obtain a new IP address the next morning seems to clear it up. On a side note, I wonder if it affects the next customer who leases that IP? ;)

    I've been experimenting with SSLH to mask my ssh traffic over port 443 and it seems to be working well for me. This may be an option for you.
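
Editor's added example, not code from the commenter and not the sslh or autossh projects' own files: the sslh-on-443 trick described above, combined with the client-initiated persistence the OP's blocked-inbound-ports problem calls for. Site B dials out to A on 443 (which looks like HTTPS to B's ISP) and publishes the parents' RDP port on A's loopback through a reverse tunnel, so nothing has to be forwarded inbound at B. Names, ports and the tunnel account are assumptions: A is site-a.example.org with sshd on 127.0.0.1:22, A's real HTTPS service moved to 127.0.0.1:4443, an unprivileged key-only account "tunnel" on A, a Pi at B running autossh as user "pi", and the parents' Windows box at 192.168.2.10.

```shell
#!/bin/sh
# Added example (not from the thread): sslh muxing SSH and TLS on A's
# port 443, plus a persistent reverse tunnel from B so that B's ISP
# blocking inbound ports does not matter.  Assumed values:
#   A: site-a.example.org (DDNS), sshd on 127.0.0.1:22, HTTPS on
#      127.0.0.1:4443, sslh on 0.0.0.0:443, key-only account "tunnel"
#   B: Pi running autossh, RDP target 192.168.2.10:3389
A_DDNS=site-a.example.org
TUNNEL_USER=tunnel          # unprivileged account on A, key-only
RDP_TARGET=192.168.2.10     # parents' Windows box at B
RDP_LOCAL_PORT=3390         # where it appears on A's loopback

# /etc/sslh.cfg on A: one listener on 443 that sniffs the first bytes of
# each connection.  An SSH client banner goes to sshd; anything that
# starts with a TLS ClientHello goes to the HTTPS service on 4443.
gen_sslh_cfg() {
  cat <<'EOF'
verbose: false;
foreground: false;
user: "sslh";
listen:
(
    { host: "0.0.0.0"; port: "443"; }
);
protocols:
(
    { name: "ssh"; service: "ssh"; host: "127.0.0.1"; port: "22"; },
    { name: "tls"; host: "127.0.0.1"; port: "4443"; }
);
EOF
}

# authorized_keys line on A for the tunnel account: "restrict" turns off
# pty, agent, X11 and all forwarding; "port-forwarding" re-enables only
# forwarding; "permitlisten" limits the -R side to one loopback port, so
# a compromised B Pi cannot open arbitrary listeners on A.
gen_authorized_key() {
  pubkey=$1
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
    "$RDP_LOCAL_PORT" "$pubkey"
}

# systemd unit for the B Pi.  autossh keeps an outbound SSH session to
# A:443 alive and publishes the parents' RDP port on A's loopback.
# -M 0 relies on ServerAlive* instead of autossh's own monitor port;
# ExitOnForwardFailure makes a stale listener on A restart the session
# instead of running silently without the tunnel.
gen_autossh_unit() {
  cat <<EOF
[Unit]
Description=Reverse SSH tunnel to site A over 443
After=network-online.target
Wants=network-online.target

[Service]
User=pi
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N \\
  -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \\
  -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes \\
  -p 443 -R 127.0.0.1:$RDP_LOCAL_PORT:$RDP_TARGET:3389 \\
  $TUNNEL_USER@$A_DDNS
Restart=always
RestartSec=15

[Install]
WantedBy=multi-user.target
EOF
}

# Write the three pieces out:  sh tunnel443.sh write /tmp/t443 "ssh-ed25519 AAAA..."
write_all() {
  d=$1; key=$2
  mkdir -p "$d"
  gen_sslh_cfg            > "$d/sslh.cfg"
  gen_authorized_key "$key" > "$d/authorized_keys.tunnel"
  gen_autossh_unit        > "$d/reverse-tunnel.service"
}

case "${1:-}" in
  write) write_all "${2:?usage: $0 write DIR PUBKEY}" "${3:?usage: $0 write DIR PUBKEY}" ;;
esac
```

From A, the parents' desktop is then reachable at 127.0.0.1:3390 on the machine running sshd (or from another A host via `ssh -L 3390:127.0.0.1:3390 that-host`), and B's ISP only ever sees an outbound TLS-looking connection to 443. StrictHostKeyChecking=yes means A's host key has to be in the Pi's known_hosts before the unit is enabled; pin it deliberately rather than accepting it on first connect. Older sslh releases spell the TLS protocol name "ssl" instead of "tls", so check `sslh -V` before copying the config.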

  83. OpenVPN IMO by Anonymous Coward · · Score: 0

    Come on, OpenVPN isn't all that hard! There's like a billion issues around IPsec and OpenVPN sidesteps them all. It's also multi-platform so IMO it seems to be exactly fitting into your environment. Just give it a try.

  84. Business class broadband service with static IP by Anonymous Coward · · Score: 0

    Pay a little more for business class broadband service with at least one assignable static IP per site. That will make all of the difference and the ISP will be obligated to support your needs. They won't block ports, throttle you, or change terms of service on a whim.

    Everything you are trying to do would be MUCH easier with static IPs. Once that is done, look into old Cisco 1800 series routers (like 1841 for $99 on eBay) or ASA 5500 series firewalls. There is a lot of documentation for VPNs with Cisco on YouTube. For free, pfSense could work nicely also.

    If you want to monitor your son's internet habits, enable NetFlow on the Cisco router and get free software from ManageEngine or SolarWinds to collect flow data from the router.

  85. You're Overthinking by Thumper_SVX · · Score: 1

    I know this is old now, but honestly you're overthinking this.

    First, as others have mentioned here you can use TeamViewer to do remote desktop support, and it's free. No need to upgrade to Windows 7 Ultimate or anything else for that matter. I've used it on OSX, Windows and Linux and it works like a champ. I've supported family and friends... and even had a commercial license for TeamViewer for a while because it really is so easy to use and maintain that I found it invaluable. I don't do that job any more, but I still maintain TeamViewer on my computers in my house so I can get into them and manage/maintain them while I'm on a business trip. Same on my son's laptop so if he has a problem I can support him remotely.

    Now of course we come to your son. Don't. Seriously... kids are going to be kids, and they're going to work around any controls you put on a computer. The only thing you are LEGALLY required to do is to control what he has access to at YOUR home. Once he's off your network, anything he does is the responsibility of the party that owns the network he's using. Yes, he should be held responsible by you as a parent, but legally there's nothing forcing you to do this. Plus, kids are going to find workarounds regardless; my son is 15 so you can imagine the battles I've had with him over the years. As it stands now, I manage his Internet access at home using a Sonicwall TZ-215 firewall that has Gateway Anti-Virus and some content controls turned on. Honestly, I don't block porn... he's 15... but I do block some categories I personally find distasteful; hate speech and the like. If he needs something for a particular essay he's doing for school that's blocked, he can ask me to unblock it and he does. This way there's mutual trust going on, which to be honest is the RIGHT way to parent.

    I also don't check the logs to see where he's going on the web. Just so long as he's not doing anything illegal (and yes, I do block bittorrent for that reason) that could get me in legal hot water I don't particularly concern myself with it. I check his laptop for malware and to make sure updates are in place periodically, but beyond that I don't see the need to get overly stressed about it. Besides, we have an understanding that if he does anything bad that gets his computer malware that's going to be too much trouble to clean up (like more than 30 minutes of work on my part) then his machine gets re-imaged and he gets to reinstall everything, restore his own files etc. I make him responsible for his backups as well.

    Is my system perfect? No, but it works. And right now I have a 15 year old boy who may or may not go on porn sites occasionally (I really don't care), plays games occasionally... but generally is a well-behaved kid when it comes to technology.

    I guess what I don't get about your requirements; if your primary reason for the site B connection is supporting your parents, then why backhaul all the Internet traffic across your own network? With a decent managed firewall you can do all the controls you like, and there are web-managed options as well. Some of them even support OpenVPN natively or some IPSec variant that you can create a virtual private network for managing stuff. If you really want content controls on your parents network then you really need to review what you're trying to accomplish here. You don't have to get something as fancy as a Sonicwall, there are plenty of other cheaper options but that is certainly one.

    I do have a VPN as well as my TeamViewer connections... honestly SSH is easier to manage my Linux boxes than TeamViewer most of the time because I don't need a GUI. As a result, all my Linux boxes partake in an OpenVPN network against a hub system hosted on Linode (where my web server is also hosted). I have the OpenVPN client on my laptops so when I'm out and about I can join the network and SSH to any of the systems no matter where I am (I keep a HOSTS file with all the IP's). Bonus; I can host my own mail server on my home box without using the storage on the L