Ask Slashdot: VPN Solution To Connect Mixed-Environment Households?

New submitter RavenLrD20k writes: I am a programmer by trade with a significant amount of training as a Network Administrator (AAS in Computer Networking). I have no problem with how to build three or four separate networks in each location and make them route over the internet. My weakness is in trying to setup a VPN for a secured two-way connection between location A and location B, both mixed OS environments, with the requirement that all of the internet traffic on B gets routed through A first. I've already looked at some boxed solutions, such as LogMeIn Hamachi, but there hasn't been much in the way of mixed environment support. This is a complicated one, so keep reading for more on what RavenLrD20k is trying to accomplish.

Some background: Due to recent events it's become necessary for me to have remote access to all of my Parents' computers which are about 4 hours away (location B) from my home location (location A). This is to facilitate me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites (I'm already going to be upgrading their 2 systems to Windows 7 Ultimate on my dime for this purpose). The ISP for Location B also seems to be blocking the Desktop Sharing ports as this method has completely stopped working for us without notice, and router configs have been verified as forwarding the necessary ports. Location B also has 2 grandchildren that will have a Windows 7 Home Edition Laptop (for MS Office based classwork), a Linux Mint Machine (to start, he has full rein to do whatever he wants to this machine after initial setup with the understanding that if he "breaks" it, he fixes it), and several BeagleBone or R-Pi machines for my Son's experiments while he's visiting for the summer.

Location A has two networks. First is the one with the public IP that I run my Linux servers and physically connected Desktop on. This network also has a wireless interface that allows gaming machines and phones on the North side of the house to connect to. Network two is behind the NAT and runs a dual-band wireless connection for devices on the south side. I would rather not have this second network get internet access through the VPN but through the traditional means.

Location A has a 150/30 cable connection with a 2TB cap. Location B has a 20Mb/s symmetrical uncapped Fiber connection. I also have a VPS "in the cloud" running CentOS which has a 1Gbps Inbound 20Mbps (1Gbps burstable) Outbound connection which may be repurposed for this if necessary. I figure this to be common sense but I would prefer that the connection between the locations be routed as opposed to bridged so as to avoid the issues that come with sending broadcast packets over the internet.

As I said, I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry. On top of this I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default. I want everyone to have complete open access to the full internet (this too is to help educate my son in smart browsing/chatting and encourage "you break it, you fix it").


  1. Open VPN or use SSH with the Linux Machine by CajunArson · · Score: 3, Insightful

    I recommend either an OpenVPN tunnel with appropriate routing (multi-OS capable) or just use the Linux machines already at the site as tunnel servers using SSH as a VPN (relatively recent versions of SSH required).

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Open VPN or use SSH with the Linux Machine by szy · · Score: 1

      OpenVPN +1.

      Set up the OpenVPN server on any machine in location A, the client on the router in location B, make the gateway push the routes for your son's computer (and his phone and the raspberry pi's and whatever else is desired) via the VPN. Leave the rest of the traffic alone in order to avoid the additional latency. You might want to put your son's devices into a separate subnet.

      Once all is set up, it's easy to maintain.

    2. Re:Open VPN or use SSH with the Linux Machine by Spazmania · · Score: 1

      Clearly a job for openvpn. Split tunnel when you don't want to control Internet access. No split tunnel when you do.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
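    The setup szy and Spazmania describe (OpenVPN server at location A, the router at location B as client, only the son's subnet routed through A while the rest of B keeps its own ISP path) worked through as an added example. This is not code from the thread or from the OpenVPN project; every hostname, subnet, file name and interface name in it is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN routed (tun) site-to-site link
# with selective routing. Location A runs the server; the router at location B
# is the client. Only SON_CIDR at B is sent out through A's internet
# connection; the grandparents' LAN keeps B's own ISP path.
# All names, addresses and paths are assumptions for illustration.

VPN_SERVER_HOST="${VPN_SERVER_HOST:-vpn-a.example.invalid}"  # assumed DNS name of A
VPN_NET="10.8.0.0 255.255.255.0"          # tunnel subnet (server gets 10.8.0.1)
A_LAN="192.168.10.0 255.255.255.0"        # A's LAN behind the public IP
B_LAN="192.168.20.0 255.255.255.0"        # B's general LAN (grandparents' PCs)
SON_LAN="192.168.50.0 255.255.255.0"      # B's separate subnet for the son's devices
SON_CIDR="192.168.50.0/24"
A_WAN_IF="${A_WAN_IF:-eth0}"              # A's internet-facing interface

# server.conf for A. No "push redirect-gateway": B decides per subnet what
# goes through the tunnel, so the default for everything else stays local.
server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
topology subnet
server $VPN_NET
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
client-config-dir ccd
# kernel routes back to B's subnets via the tun device
route $B_LAN
route $SON_LAN
# let B reach A's LAN over the tunnel
push "route $A_LAN"
EOF
}

# ccd/<client certificate common name>: tells OpenVPN which client owns
# B's subnets, otherwise return traffic is dropped as "no such client".
ccd_entry() {
    cat <<EOF
iroute $B_LAN
iroute $SON_LAN
EOF
}

# client.conf for the router at B
client_conf() {
    cat <<EOF
client
dev tun
proto udp
remote $VPN_SERVER_HOST 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert router-b.crt
key router-b.key
tls-crypt ta.key
remote-cert-tls server
cipher AES-256-GCM
EOF
}

# Commands for A: forward the son's subnet and masquerade it out A's WAN.
site_a_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $SON_CIDR -o $A_WAN_IF -j MASQUERADE
iptables -A FORWARD -i tun0 -s $SON_CIDR -o $A_WAN_IF -j ACCEPT
iptables -A FORWARD -i $A_WAN_IF -o tun0 -d $SON_CIDR -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Commands for B's router: policy routing so only SON_CIDR defaults to the
# tunnel (run after tun0 is up, e.g. from an OpenVPN route-up script).
# Priority 1000 sorts before the main table (32766), so it wins for that source.
site_b_policy_routing() {
    cat <<EOF
ip route add default via 10.8.0.1 dev tun0 table 100
ip rule add from $SON_CIDR lookup 100 priority 1000
EOF
}

# Usage: server_conf > server.conf; ccd_entry > ccd/router-b;
#        client_conf > client.conf; review the emitted commands before running them.
```

    The firewall and policy-routing commands are printed rather than executed so they can be reviewed first. Certificate issuance (easy-rsa or similar) and the tls-crypt key are out of scope here; what the example adds to the thread is the pairing of route/iroute on the server with a source-based rule on B, which is what makes "only his traffic goes through A" work without a full-tunnel redirect.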
    3. Re:Open VPN or use SSH with the Linux Machine by MeNeXT · · Score: 1

      OpenVPN. +1

      Mac, Windows, Linux, FreeBSD...

      Look at bridging using TAP. Works with same subnet. Set server to push IPs to the secondary network. Leave all other traffic to go out on the respective ISPs network. You can also setup remote TUN connect which will allow you to connect remotely on either side and see both. You can run as many instances and/or subnets as you wish as long as you map the routes.

      --
      DRM? No thanks, I'll just get it somewhere else...
    4. Re:Open VPN or use SSH with the Linux Machine by Hoban+Washburne · · Score: 1

      Agree completely, I did the exact same thing with my parents home network: was going to set up OpenVPN for my parents home network for exactly the same reason as the OP - found OpenSSH was more than sufficient via tunneling and ssh keypairs, works with everything and the only requirements are having a router that can do port-forwarding to an alternate (not default) ssh port, your choice of dynamic dns and whatever old desktop or r-pi as a linux server to do the ssh-server and local logging. My only wish is for a KVM over IP device that is actually affordable, then I would never need to be there at all unless the network is completely dark. One thing I would not do, is route anything from one net to the other - best to leave them independent and have everything local.

  2. Openvpn by JonathanP.Bennett · · Score: 4, Informative

    If I'm understanding the requirements, you will want to use openvpn. It has support for Windows and anything running Linux, all sorts of routing options to play with, etc.

    1. Re:Openvpn by swb · · Score: 2

      Understanding the requirements is the hard part.

      I find so many people overexplain their weird irrelevant details that it's hard to make out just what they're trying to do.

    2. Re:Openvpn by whitelabrat · · Score: 1

      ^ That

    3. Re:Openvpn by jisom · · Score: 1

      I 2nd Openvpn. Though I don't think it is something you'd have to have on all the time. Set up the router at Loc. B with Openvpn so you can log in. Set up static DHCP addresses for all devices. You can then connect from A or work or wherever to check logs or allow/block a specific device. I'd personally use OpenWRT for the router's OS. Set it up so that your son's devices are routed through a log of some sort before leaving to the outside.

    4. Re:Openvpn by davidshewitt · · Score: 1

      I second this recommendation. I use OpenVPN for this purpose as well. You can either configure each individual client at location A to connect to your OpenVPN network or you can set it up on the router at location A (assuming you can run OpenWRT/DD-WRT, etc. firmware on it).

  3. Associate of Science in Networking... by __aaclcg7560 · · Score: 1

    If he can't figure out how to set up VPN in a mixed environment, he should go back to school to get his bachelor's degree. A BS in networking is always valuable, especially in doing consultant work.

    1. Re:Associate of Science in Networking... by MachineShedFred · · Score: 1

      I could see this being an Ask Slashdot 15 years ago when IPSec was a new idea, but c'mon - there are devices you can buy for $100 that have a fucking web wizard to set up IPSec tunnels between them.

      No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    2. Re:Associate of Science in Networking... by i.r.id10t · · Score: 1

      Our networking track here at the college I work for is focused on Cisco and Windows AD stuff... and people who really don't care to *get into it* and learn on their own come out with a bare minimum of knowledge...

      That said, I still don't know why a VPN is needed... set up a simple linux box at the parents' house, have a non-standard port on their router forward to said linux box. Add something so that you can grab the current public IP - a wget on a webpage fired by a cron job, one of the free subdomain dynamic dns services, whatever. When you need to do a remote desktop session, just use a SSH tunnel with port forwarding.

      --
      Don't blame me, I voted for Kodos
    3. Re:Associate of Science in Networking... by drinkypoo · · Score: 1

      Maybe he's just trying to be cheap. Last time I messed with Linux IPSEC I got mad because the documentation was ugh. It's a PITA to even figure out which implementation of what you're supposed to use because of all the outdated docs people left lying around on the web.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Associate of Science in Networking... by i.r.id10t · · Score: 1

      It really comes down to the course work, the individual instructors, and what the student makes of it. I've had very curious students do all sorts of very high level things... while their classmates struggle with basic concepts.

      --
      Don't blame me, I voted for Kodos
    5. Re:Associate of Science in Networking... by bill_mcgonigle · · Score: 5, Insightful

      No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.

      Both of those sources will mislead you into thinking IPSec is a good solution that's not a giant pain in the ass in the real world and appropriate for this kind of install.

      pfSense and OpenVPN, as everybody has been saying, is appropriate, solid, and on the easier end of the scale.

      His requirements are 99% like mine, and that solution works great. My parents' pfSense box is in their basement, nailed up next to the FiOS demarc, and it works great.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:Associate of Science in Networking... by JamesTRexx · · Score: 1

      First thing I was wondering about is what constitutes a "significant amount of training as network administrator" if you have to ask a question like this.
      Or is an AAS so basic they don't even teach that port forwarding has an option to use alternative ports? (don't ever use the standard remote desktop ports in the first place)
      Having had to teach basic network troubleshooting skills to guys fresh out of school already made me doubt the level of education nowadays.

      --
      home
    7. Re:Associate of Science in Networking... by I4ko · · Score: 1

      There were Linksys models in 2003 doing that for less than 150 bucks in 2003 money.. BEFSX41, some guys are still selling them on Amazon. They suffered from stability problems due to insentient power supply bricks - some were 6 volts, some were 9, 12, or 19 volts. I've built a 30+ point VPN to a central location with a Cisco 17xx, don't remember in the central location, but even if it was a 26xx it is dirt cheap as overstock second-hand hardware these days. What I would do these days is get a good router that can run DD-WRT and use OpenVPN, a small box to run Pfsense again with OpenVPN or IPsec, or get a Mikrotik router and use their proprietary solutions. Heck, even two IPv6 tunnels from your place and from their place to HE and proper firewalls and you are in business.

    8. Re:Associate of Science in Networking... by I4ko · · Score: 1

      Cisco had wonderful IPsec support in 2003. If you had access to it, you can't complain.

    9. Re:Associate of Science in Networking... by __aaclcg7560 · · Score: 1

      I went back to school after the dot com crash to learn computer programming.* The networking track was still the money major at the time (i.e., if you want to make boatloads of money, take this major). You know it's getting absurd when a Vietnamese couple in their 70's who can barely speak English think they can get high paying job after graduation. When health care became the new money major, the network classes got cancelled due to a lack of demand.

      * Yes, I got an A.S. in computer programming; no, I'm not a programmer because I went into I.T. support. But I do have a Network+ certification and studied for the CCNA on-and-off.

    10. Re:Associate of Science in Networking... by pnutjam · · Score: 1

      bingo, don't screw around with the ipsec garbage that's out there. Use openVPN and call it done. Monitoring / usage control is a different beast and can be easily handled on an appropriate router, which can be virtualized on an appropriate setup if necessary, or run on dedicated hardware. Something like pfsense supports logging and all sorts of filtering.

    11. Re:Associate of Science in Networking... by RavenLrD20k · · Score: 1

      If I wanted an enterprise level overkill solution, I'd have grabbed a couple of Cisco 1800's for <$200 off eBay with the necessary modules and configured the proprietary VPN through IOS like I learned in college (this route is still not off the table either, just not preferred). Your SSG5's are going for about the same price on ebay and would require me to learn a system I'm not immediately familiar with, which wouldn't be a problem if I needed this to work in my own lab only. Just because I'm not current on consumer and open source options doesn't mean I don't know my shit on the enterprise level. I specifically asked this question because I'm trying to AVOID enterprise equipment in a home environment, retard (to show you the same courtesy as you have shown me)!

      I want a solution that I can either use my equipment on hand, or be able to buy/build for less than $200 that my dad would be able to troubleshoot through a web interface and know WTF he's looking at in the event something goes south when I'm not immediately available. Any solution I go with I am going to have to take a vacation week to walk him through troubleshooting and he doesn't do well with command line.

  4. Routers with VPN by DogDude · · Score: 3, Informative

    Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.

    http://www.cisco.com/c/en/us/p...

    --
    I don't respond to AC's.
    1. Re:Routers with VPN by harr2969 · · Score: 4, Informative

      I agree - site to site VPN at the router level seems ideal for this challenge.

      Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.

      And yes, you could spend a lot of money for small business routers, or you could buy routers compatible with (or pre-installed with) firmware such as DD-WRT which will allow you almost all the same functions for much cheaper, but require a little more elbow grease to get working.

      http://www.dd-wrt.com/wiki/ind...

    2. Re:Routers with VPN by iamgnat · · Score: 3, Insightful

      Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each. http://www.cisco.com/c/en/us/p...

      Ubiquiti has a small router with enterprise level features for less than $100. A site to site VPN and VLAN support are just a few of its features and all you need to solve this problem.

      I'm still running a Juniper SRX-210 at home, but I've been happy with the UniFi APs and EdgeSwitches I have from Ubiquiti so this little router is definitely on the short list when the time comes.

    3. Re:Routers with VPN by ahodgson · · Score: 1

      Mikrotik has cheap ones too, that work great.

      http://routerboard.com/RB750GL.

    4. Re:Routers with VPN by scsirob · · Score: 1

      Can't agree more. Ubiquiti has some nice and easy, open gear available. To make matters more interesting, they have added deep(ish) packet inspection which allows you to see general traffic per client. So if you want to see what your son is doing without actually wiretapping his traffic, Ubiquiti will tell you he spent GB on Youtube, GB on Facebook etc.

      The router supports both site-to-site as well as single client VPN, so no problem dialling in from remote and get access to any and all networks in your cloud.

      --
      To Terminate, or not to Terminate, that's the question - SCSIROB
    5. Re:Routers with VPN by pnutjam · · Score: 1

      I always counsel people to stay away from SOHO equipment. It's not worth the hassle when you can get mikrotik, ubiquiti, or pfsense for the same or less. If you do go with a big name consumer router, at least make sure it supports openwrt.

    6. Re:Routers with VPN by sribe · · Score: 1

      Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.

      Yes. But stay away from the Cisco/Linksys small business routers.

    7. Re:Routers with VPN by Anonymous Coward · · Score: 1

      I just read this: OpenVPN Firmware implementations

      It says the Mikrotik OpenVPN implementation doesn't support UDP, and tunneling via TCP incurs a huge performance penalty so I would advise against it.

      Try to look for any cheap router that supports VPN via IPSec (IKEv1/IKEv2). People complain about IPSec because they don't know it but it's actually extremely easy to setup, it might be a bit more time-consuming than OpenVPN but if you value performance above all this should be the way to go. If you go with OpenVPN instead at least make sure the implementation you go with actually supports tunneling via UDP.

  5. Re:Capped cable? by RavenLrD20k · · Score: 1

    It's Cox. Top tier used to be soft-capped at 400 Gigs which my household alone was pegging every month until they decided to raise all their caps. Now it's a 2TB cap that we barely use a quarter of. Until this situation arose, I had been considering dropping service down a tier and saving about $50 a month. Unfortunately the only other option I have for broadband (besides satellite) is 6Mbps DSL hard-capped @ 200 Gigs... though they can't tell me if I'm close enough to the CO or not.

  6. OpenVPN by JeremyR · · Score: 1

    If "mixed environment" only means that there are hosts running various OS's at both locations, it's fairly irrelevant.

    Anyway, I am using OpenVPN for what appears to be a similar scenario--routing traffic between a relative's and my house. I don't have Internet traffic from one site being routed through the other, although the VPN certainly could be configured that way.

    I will also echo the previous recommendation for PFSense, which I am using on one side of the VPN (running on a fairly inexpensive ALIX board). On the other side, I'm using an Ubiquiti EdgeRouter Lite. I can heartily recommend either one, but particularly the EdgeRouter which can't be beat for its ~$100 street price.

  7. TeamViewer or LogMeIn? by mlts · · Score: 1

    I might be totally off base, but I wonder about a program like TeamViewer or LogMeIn. If the security trade-off is acceptable, that might be an alternative to trying to create VPNs.

    1. Re:TeamViewer or LogMeIn? by leonbev · · Score: 1

      Yeah... if all he needs is remote desktop access to (primarily) a few Windows systems for patching things and snooping on his kid, just installing TeamViewer on them would be a lot easier than setting up a VPN. Once you have that, you could just put PuTTY on one of the remote Windows boxes to log into the Raspberry Pi project boxes if needed.

      Of course, I guess that you could always do something fancier like running VNC servers on different ports for each system and port forward those through the firewall for remote access, and use something like NoIP to give them a fixed hostname to access. That's kind of old school at this point, though.

    2. Re:TeamViewer or LogMeIn? by postbigbang · · Score: 1

      I find it interesting that the L2/L3 responses are so much different than the potential LogMeIn or GoToMyPC/etc ideas.

      The software person's visage of new hardware is that it potentially opens up too many ports. The hardware people will look at the software VNC-like ideas as potentially untrustworthy.

      VNC/RDC/RDP are super-simple for civilians to install and maintain, and all can be removed from memory when not in use, so as to reduce attack profile.

      Just my 2c worth.

      --
      ---- Teach Peace. It's Cheaper Than War.
  8. If your goal is to make things simple, this isn't by klubar · · Score: 1

    If your goal is to make things simple, this isn't the answer. You're going to end up with lots of "sort of works together" software, all of which will need patching and will occasionally just stop working.

    For not many dollars, and a lot less time investment you can use something like logmein remote which will give you nearly always reliable, and secure remote access to the machines. You can even set it up so no one needs to be at the remote machines for you to log in. As long as the machine is booted, you'll be set.

    I've used logmein (paid) and it's nearly flawless.

    As for monitoring all the URLs your son accesses, you could probably set up a proxy server on the local machine that emails you the URLs daily. But the option of routing the traffic back to your machine via a VPN is just a solution looking for a problem. If^h^hwhen something goes down, you'll be busy rebooting every bit of hardware along the way.

    Good (or just practical) engineers remember... keep it simple stupid.

  9. Have you tried TeamViewer? by Chirs · · Score: 2

    For your main goal of being able to log into your parents' machines, have you tried TeamViewer?

    As for setting up VPN, I think you should be able to do it relatively inexpensively with something like a couple of consumer-grade routers running DD-WRT. The one at location B is set up as a VPN client, and the one at location A is set up as a VPN server. You might want to set up address ranges for DHCP at location B such that they're part of the network at location A but not assigned at location A. That way you can avoid needing to do NAT at location B as well as location A.

  10. Re:Networking is hard by Anonymous Coward · · Score: 1

    I love these "Ask Slashdot" questions because everyone insults the OP for not knowing how to do something with computers.

  11. old solution... by IT.luddite · · Score: 1

    Haven't had to do this in years (approximately 15 yrs actually) but when I did, I used FreeS/WAN to hook up a bunch of networks over the internet running on smoothwall. Everything else is routing tables. Man, what a trip down memory lane.

  12. TeamView FTW by Anonymous Coward · · Score: 1

    I do almost all my friend/family support with TeamViewer. Mac and Windows without any issues at all. And since TeamViewer can use port 80 and 443 your ISP won't be blocking it. I just set their computer for unattended access and set up an account to log them in through.

    Now for the issue of watching your son's internet traffic. Be prepared for him to learn how to bypass things...that's what kids do ya know.

    1. Re:TeamView FTW by RavenLrD20k · · Score: 1

      Be prepared for him to learn how to bypass things...that's what kids do ya know.

      Fully prepared and expecting it. He likes to figure out how things work like I used to. If he takes interest in trying to bypass the security it'll escalate like a chess game. So far he's more interested in building and programming electronic projects than getting online much. It can often be a battle of wills to even get him to use the internet to find his own answers when he's stuck.

    2. Re:TeamView FTW by ashpool7 · · Score: 1

      Easiest solution for your son: plug directly into the modem while you're not there...

    3. Re:TeamView FTW by RavenLrD20k · · Score: 1

      Not quite so easy.

      Modem with 4 connect points is outside the house next to the Power Meter which is double locked, one for the service key and a padlock for our access to the connect points which my dad has the key for. There's an ethernet line on one of the connect points that comes out of there and goes into the basement where it goes into a locked closet with a thick metal door and deadbolt. Inside this room the cable comes into a large locked metal breaker box flush mounted in the wall just for this purpose; again, only my dad and I have the keys to this box. Inside this box is where we set up the wireless router, with the antennae removed from the unit itself and connected outside the room using extension cables with BNC connectors. All the physical connections in the house have to come into this box.

      Diverting the outside connection to a server locked in the room and another line going back into the box to the router would be trivial to set up. I also have a lockable metal box with powered ventilation that a desktop workstation could fit in nicely with plenty of room to breathe (acquired from the local RadioShack when they were selling off their fixtures after the bankruptcy). Though based on most of the responses here I'm probably going to find some cheap routers (sub $100) that can run DD-WRT and OpenVPN to replace the one there and keep it inside the locked box. As far as wireless, I'll likely set up an AP or 2 on the main floor instead of the current setup that's not working very well outside the basement (for obvious reasons). Now that it's my dime going into this, my dad is more willing to let me have reign on the network and how things are set up.

    4. Re:TeamView FTW by dave420 · · Score: 1

      You are assuming he won't be able to get past your security without you noticing, which judging by your "Ask Slashdot" question, seems a poor assumption. My money is on him getting past your security and you not even realising.

  13. tinc by taoboy · · Score: 1

    I use tinc for precisely this. One tinc on a public-facing server, then any computer in any location connects to it to form a network with the others. A bit tedious to configure, but it works well with both Linux and Windows hosts.

  14. MikroTik RouterOS by Binky+The+Oracle · · Score: 1

    I'm not super-network talented, but I recently used two Mikrotik RB951s to set up a permanent VPN tunnel between two houses for much the same reason. I didn't need the additional routing to make all traffic send through point A, but I know we use that setup at work for our remote workers. My arrangement ended up being traffic from each house going out its own connection, but with a permanent IPSEC tunnel between the two for server synchronization and tech support purposes. The Mikrotiks are fantastic little boxes and an amazing value. There are multiple 951 models, and you may prefer one of the non-wifi Mikrotik products if you don't need the radio (though having a 1w radio has been nice also!)

    --

    Slashdot comments... splitting hairs since 1997.

  15. Re:Capped cable? by McGruber · · Score: 1, Informative

    I've noticed that AT&T has started capping their DSL service. The bastards have very misleading advertising -- their tv advertisements say things like connect your mobile devices to DSL at home to "Save on Mobile Data".... but then the same advertisement says, in very fine print, that "Data overage and other charges apply".

  16. pfsense by powerlord · · Score: 1

    pfsense routers using OpenVPN connection between the two locations (probably location B acting as a Client to location A server, with it set up to route all traffic through the tunnel to A).

    Likewise you could also just set up an OpenVPN server at location B and use an OpenVPN client to connect from a machine on "A" to the "B" network for when you need to work on things there (but then you won't have the traffic routing from "B" through "A" before it hits the Internet).

    Personally I used a small fanless box from NetGate (that came pre-installed w/pfSense and 6 NICs) to run our SoHo office of ~10 devices on the computer network + another 15 phones on a second network feeding into a second NIC. Load balanced WAN connections from two different providers, and OpenVPN server for remote connections for fixing things at home, and all the usual bells and whistles (for me at least).

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  17. LAN to LAN VLAN by maz2331 · · Score: 1

    I second many of the above suggestions. pfSense isn't a bad solution, OpenVPN will work, and little Cisco VPN routers are good too. I'd personally just put a Juniper SSG-5 on each end, for the simple reason that they are available on eBay for around 50 bucks each and are relatively easy to configure.

  18. AutoSSH by fwarren · · Score: 2

    If you have one Linux system there with an account you have access to AND a server on your end that you can SSH into, you're set. On your server you need an account for them to log into which has their autossh user's public key in the authorized_hosts file.

    You want an executable file named /etc/network/if-up.d/reverse-ssh

    #!/bin/sh
    # Ensures that autossh keeps trying to connect (must be exported so autossh sees it)
    export AUTOSSH_GATETIME=0
    # Reverse forwards: myserver:8000 -> this box's sshd, myserver:8001 -> this box's VNC
    su -c "autossh -f -N -R *:8000:localhost:22 -R *:8001:localhost:5900 pozer@myserver.com -oLogLevel=error -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no" root

    I have autossh run as root and log into the account pozer on myserver.com. At that point you have a computer on your network with port 8000 opened to their Linux box and 8001 available for VNC. I set the logged-in user's X desktop to autorun "x11vnc -shared -forever" to export their desktop over VNC. I also install UltraVNC on the Windows PCs.

    If you had a Windows PC at 192.168.1.50 you could add "-R *:8002:192.168.1.50:5900" to the above autossh command so you can reach it with "vncviewer myserver:8002".

    If you don't know the IP address till later you can set up a forward tunnel by remoting into their server over ssh: "ssh remote@myserver -p 8000 -L *:8002:192.168.1.50:5900"

    As long as there is a reverse tunnel you can use to create a connection back to their Linux machine, you can open up and access any port on their network. You can use vncserver to run a headless desktop in the background on their Linux Mint PC.

    --
    vi + /etc over regedit any day of the week.
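    The server side of fwarren's reverse tunnel (and of the plain SSH-tunnel approach i.r.id10t suggests) as an added example, not code from either post: the account on myserver that accepts the autossh connection is limited to opening exactly the listeners it needs, gets no PTY, and sshd is told that this one user may bind remote forwards on all interfaces (a client-side "-R *:port" only takes effect if GatewayPorts allows it; the default binds to loopback). The helper that assembles the -R arguments also refuses a listen port that is not purely numeric, since a stray "$" in front of a port number is silently expanded by the shell. The user name and ports follow the post; the public key, server name and known_hosts path are constructed placeholders. permitlisten needs OpenSSH 7.8 or newer.

```shell
#!/bin/sh
# Added example (not from the thread): restricting the account that receives
# an autossh reverse tunnel. Key, server name and file paths are placeholders.

TUNNEL_USER="${TUNNEL_USER:-pozer}"
TUNNEL_SERVER="${TUNNEL_SERVER:-myserver.example.invalid}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/ssh/tunnel_known_hosts}"   # assumed path holding myserver's host key
# constructed placeholder public key (not a real key)
TUNNEL_PUBKEY="${TUNNEL_PUBKEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA autossh@parents-box}"

# authorized_keys line for the tunnel user. "restrict" disables pty, agent and
# X11 forwarding and more; "port-forwarding" turns forwarding back on, and each
# permitlisten limits -R to that listener only ("*:PORT" matches "-R *:PORT").
restricted_authorized_key() {
    opts="restrict,port-forwarding"
    for p in "$@"; do
        opts="$opts,permitlisten=\"*:$p\""
    done
    printf '%s %s\n' "$opts" "$TUNNEL_PUBKEY"
}

# sshd_config Match block for the tunnel user only: remote forwards allowed,
# client may pick the bind address, no local forwards, no TTY.
sshd_match_block() {
    cat <<EOF
Match User $TUNNEL_USER
    AllowTcpForwarding remote
    GatewayPorts clientspecified
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Build the -R arguments from "listenport:host:port" specs. A listen port that
# is not all digits is rejected, so an unexpanded "$8000" cannot slip through.
remote_forward_args() {
    args=""
    for spec in "$@"; do
        lp=${spec%%:*}
        case "$lp" in
            ''|*[!0-9]*) echo "bad listen port in '$spec'" >&2; return 1 ;;
        esac
        args="$args -R *:$spec"
    done
    printf '%s\n' "${args# }"
}

# Print (not run) the autossh command line for review. -M 0 disables autossh's
# own monitor port and relies on ServerAlive* to detect a dead link; the host
# key is pinned in KNOWN_HOSTS instead of being ignored.
autossh_command() {
    fwd=$(remote_forward_args "$@") || return 1
    printf 'AUTOSSH_GATETIME=0 autossh -f -N -M 0 %s -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s %s@%s\n' \
        "$fwd" "$KNOWN_HOSTS" "$TUNNEL_USER" "$TUNNEL_SERVER"
}

# Usage: restricted_authorized_key 8000 8001 >> ~pozer/.ssh/authorized_keys
#        sshd_match_block >> /etc/ssh/sshd_config   (then reload sshd)
#        autossh_command 8000:localhost:22 8001:localhost:5900
```

    With this in place a compromised client key can only stand up the two listed listeners on myserver; it cannot open a shell there, forward to other hosts, or bind arbitrary ports. Populate the known_hosts file once (for example by copying the server's host key over a trusted channel) so the client can verify it instead of disabling the check.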
  19. I use NeoRouter for that by ebbe11 · · Score: 1

    Works on Windows, Linux (that's where I run my NeoRouter server) and Android. They have a free (beer) version that I used for a couple of years. I'm on the paid version now. http://neorouter.com/

    --

    My opinion? See above.
  20. Re:Consider TeamViewer instead. by pfleming · · Score: 1

    I had trouble getting TeamViewer running on a Debian box. It wasn't worth the time to figure out what was wrong as it worked on a Windows machine.

  21. Splashtop and Sophos UTM by TheCow · · Score: 1

    I have a similar situation for remote access, but my parents are 12 hours away.

    I use Splashtop with the remote access feature (paid feature). No approval to access the machine is required.

    I use Sophos UTM(next gen firewall, formerly Astaros(sp?)) for Web filtering, spam and anti-virus protection in my home as I was tired of trying to tie solutions together to make them work and SPAM was really starting to get bad. As you are doing this for personal use, you can get their Home use virtual license for free and run it on an old computer with esxi. Since it is a full fledged firewall you can also setup VPN connections if you want to. As you are covering multiple households you will need a user in each household to get a separate license for home use. Or you could purchase their appliances. With this you can create web filter rules with time based restriction, user based restrictions, ip address restrictions etc...

    Splashtop Remote desktop solution:
    http://www.splashtop.com/

    Sophos UTM home use:
    https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

  22. Re:Mikrotik by AaronW · · Score: 1

    I agree that the MicroTik routers are powerful. I have been using one for several years. My biggest complaint with it is the confusing documentation or documentation that's out of date. I had a hard time figuring out things like traffic management (QoS and shaping) though now that it's working it's quite powerful. I also have had a lot of confusion on how to set up the firewall so I can VPN in with various operating systems. The only one I've gotten to work from Android is PPTP, though I would love to use IPSec instead due to all the weaknesses in PPTP. Windows is even worse, following all the suggestions I have yet to be able to connect via Windows.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  23. Re:Chrome Remote Destkop by RavenLrD20k · · Score: 2

    If he's going to be using my or my Parents' network resources and the government says I'm responsible for what he does until he's 18, you bet your ass I'm going to do checks to make sure he isn't doing anything that will warrant a visit from the Feds. Beyond that, he has a pretty good amount of freedom and leeway on the web.

    That said, I'll have to look into CRD to see if it'll work given the apparent constraints that my Parents' ISP has placed on the connection. Windows Remote Assistance was working for a while and that is primarily what we used whenever they needed some quick work or a tutorial on something they wanted to do with the computer... Unfortunately it just stopped working all of a sudden. We figured out that their ISP had started blocking ports; upon contact the ISP made it clear they weren't going to be helpful in opening them up for us. This is the reason for the desire of a VPN where every machine on my Parents' network will look like they exist on my local NAT so I can easily just point the RDP Client or SSH session to a known IP address and have the full access I need. Using RDP would also eliminate the need for someone to actually have to be at a desktop while I did maintenance. To facilitate this more, I plan on setting my parents' computers to respond to WoL packets as well.

  24. Re:Networking is hard by Anonymous Coward · · Score: 5, Insightful

    The only reason why I found the OP funny is, in his own words "significant amount of training as a Network Administrator".

    Even network admins without significant amounts of training know the simplest fix for this is 2 cheap routers running openvpn with the second one set to route all outbound traffic through the tunnel. This has NOTHING to do with the operating systems.

    Or, just use something that lets you support your parents, like teamviewer, that works across platforms, and can install as a service, and access anytime remotely. Many products out there that work on linux/mac/windows.

    Tracking your kid's internet while he is away seems something better accomplished with something on his device. If you are that worried about his internet habits, while he is at Grandma's you should be worried when he is off wifi, at friends, etc.

  25. IPv6 by nyet · · Score: 2

    Get some IPv6 endpoints (and subnets) from he tunnelbroken and set up some basic ipv6 linux firewalls at both ends. Ditch all the crazy NAT/VPN crap and just go 100% peer to peer.

    1. Re:IPv6 by nyet · · Score: 1

      err tunnelbroker

      http://tunnelbroker.net/

  26. Re:Maintenance server by Nimloth · · Score: 1

    This ^
    This is much smarter than routing traffic from your son's computer at B through A to get to the internet. Save the extra latency and fault point.

  27. PFsense could do all of what you want by interestingthoughts · · Score: 1

    Using pfSense with multiple NICs you could set up numerous networks and control routing between the networks at that point. Also pfSense can fully integrate OpenVPN into the scheme and has a firewall and filtering to be able to tell where everyone in the network is going. It also allows for port forwarding for your Linux box. Did I mention all of this is done through a GUI interface? Software can be downloaded at: https://www.pfsense.org/

  28. OpenVPN by MoZ-RedShirt · · Score: 1

    OpenVPN does exactly what you need. You can link your locations with a site-to-site tunnel and include the nets on both sides.

    https://openvpn.net/index.php/...

    You can set one of the VPN gateways as the default gateway for the other net and OpenVPN runs on all sorts of hardware including WLAN routers and iOS devices.

    --
    Microsft spel chekar vor sail, worgs grate !!!
  29. Re:Mikrotik by ahodgson · · Score: 1

    Use OpenVPN; the Mikrotiks support it although setup is easier from the command-line than their gui.

    The client for Windows works well.

  30. one thing at a time by nine-times · · Score: 1

    In your description, you have lots of different random things you're trying to do, and it'd take me some time to parse it out, and then I'd have questions.

    But you say, "I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry." Ok, so my first question would be, do you really want VPN for that? It might be easier to go with some kind of remote-control service or MDM. LogMeIn comes to mind as something that does not require someone to send an invitation, though it's not free anymore. Speaking of LogMeIn, you could also look into their Hamachi service as a VPN. (For the record, I have no affiliation with LogMeIn).

    You could set up routers on each site that are capable of creating a VPN tunnel, and then just create a VPN tunnel between them. I think DD-WRT supports this, if you can't find anything else to do the job, and Buffalo makes routers with it pre-installed. I haven't used them, but I'd bet I could get something working with that. On the other hand, the reason I've never done that is that site-to-site VPN tunnels can be just finicky enough that I wouldn't bother with them unless I need a constant ongoing connection between two locations for a serious purpose, and when I do need that, I get professional gear. As a result, I can't verify the reliability of VPN for any consumer level gear.

    I would also wonder, if the ISP is blocking "desktop sharing ports", might they also be blocking common VPN ports? Can you just change the "desktop sharing ports"? Maybe you can do a NAT on the firewall to redirect the ports, and then you don't need to reconfigure the desktops to use different ports.

  31. OpenVPN by bleh-of-the-huns · · Score: 1

    I have 3 VPS and 2 mixed networks. All of them can communicate with each other over different subnets

    Make one of the VPS servers your master OpenVPN server
    Connect all the other VPS, or network gateways to the Master as clients.

    Make sure you advertise the routes using server side client config directives (usually in $path/openvpn/ccd/$name_of_certificate)

    Problem solved.

    Can even go a little more advanced, setup a vps in another country, and use static routes to make it appear like you are local when you hit certain websites (say BBC iplayer..)....

    --
    I came, I conquered, I coredumped
  32. Alternative remote desktop solution by swillden · · Score: 3, Interesting

    It sounds like the motivation for the change isn't that remote desktop didn't work well, but that it has stopped working, so you don't have a good way to remotely administer their machines. If so, rather than setting up a VPN, a remote desktop that does work would do the job.

    Chrome Remote Desktop (a Chrome browser extension from Google) does this quite handily. You can set up one-time remote sessions, where someone on the other end has to give you an invitation for each connection, or you can set up persistent connections which you can use any time. It's cross-platform (Windows, Mac, Linux).

    I haven't looked into the underlying network protocols in detail, but I understand it uses libjingle, which implements ICE for NAT traversal (https://tools.ietf.org/html/rfc5245). What I do know is that I've used it in many bizarre network configurations and it's been flawless... if both hosts can reach the net, they can reach one another.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Alternative remote desktop solution by SirSpammenot · · Score: 1

      "Chrome Remote Desktop (a Chrome browser extension from Google) ... you can set up persistent connections which you can use any time."

      Where the hell is THAT documented? Seriously: I would look at it once.... Having Chrome always running might sound like a great idea until you NEED it, but unless it also works on Chrome Desktop (ie: Chrome books, Chrome Boxes, etc) it is of questionable use for supporting grandpa and 8yr old Susie.

      --
      1 Dachshund + 1 Dachshunds = A Paradox.
    2. Re:Alternative remote desktop solution by swillden · · Score: 1

      At least for Linux there's a command-line tool that keeps the server always running. That's what I use. Not sure about Windows or Mac. As for Chrome Desktop, Chrome is always running; works fine.

      In any case, the questioner indicated that he's previously used a RD solution that required some action on the remote end to initiate it, and that worked (though perhaps less than ideal). So even if you have to have someone at the remote end start Chrome, or even initiate a per-connection invitation, I expect it's still workable for his use case.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  33. Re:Chrome Remote Destkop by Teun · · Score: 1

    If you can't trust the little runt, get a different son.
    Seriously!

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  34. Re:Networking is hard by pnutjam · · Score: 1

    Instead of 2 cheap routers, I would use pfsense. It will do everything he is asking for. It will do captive portal, so I can cap bandwidth per user or device. It will give him logs and show per device usage. If he configures it, he can filter with several different plug-ins.

    It will also act as an openvpn client or server.

  35. Keep it simple by kosmosik · · Score: 1

    In my opinion you are making this issue more complicated than it really is. You really don't need site-to-site VPNs and custom routing to accomplish your goals.

    If I understand you correctly your goals are:

    1) To have remote access to machines (Linux, Windows, others) in a few remote networks.

    Just set up a VPN server in each of these remote networks. OpenVPN is probably a good way to go. It would run on any Linux machine, Windows machine (if you dare), even on some routers (e.g. DD-WRT compatible). If these networks are behind dynamic IPs you will also need some kind of dynamic DNS service.

    Having VPN server running in all locations you just login to it and access whatever machine in that network remotely. For Windows machines DameWare is probably not a bad idea. It is commercial software but you only need to pay for one license - the license is for an operator (you), not for client machines. You could also use VNC - why not? For Linux machines SSH is a no brainer. And other devices (like printers, networking gear, etc.) probably have HTTP interface anyway.

    Also you wrote: "me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites". Well are you aware that you DO NOT need to log in to Windows systems to apply patches and security updates? It just happens automatically. Just turn on Windows Update.

    And since it looks like you are required to take 4hr trips to fix your parents' computers that makes you basically their administrator - DO NOT give them administrator rights on their machines. Set them up with quite secure configuration - no admin rights, antivirus software running and set to automatic, backup running and set to automatic, updates running and set to automatic. If you do so I hardly see a need to physically access their machines (modulo hardware failures).

    2) You have described your second goal in such a convoluted way with buts/ifs and so on that I need to cite this mess: "I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default.".

    So basically you want to:
    * monitor your son's network usage
    * enforce policies on your son (like no Internet after eight since you were bad)
    * enforce password usage (or other form of authentication) on your users since you don't want to allow your son to use their grandpas computers while they are not around physically guarding the machines

    Well what you basically wish for is a corporate-like network with authentication to local systems and to network usage. It can't be done without enterprise class systems - you will need an internet access proxy/gateway for accounting and enforcing access policies for network, user directory to enforce password usage and restrict access to certain machines for certain users (namely your son), network access protection system (and network hardware supporting it) so your son can't just use his Linux machine to access network however he likes.

    That means that you are contradicting yourself by saying that you don't want to have any firewall or blocking - you do.

    How you are claiming that you have any training in network administration is beyond my understanding.

    1. Re:Keep it simple by spauldo · · Score: 1

      > Well what you basically wish for is a corporate-like network with authentication to local systems and to network usage. It can't be done without enterprise class systems - you will need an internet access proxy/gateway for accounting and enforcing access policies for network, user directory to enforce password usage and restrict access to certain machines for certain users (namely your son), network access protection system (and network hardware supporting it) so your son can't just use his Linux machine to access network however he likes.

      Um, what?

      He's not setting up a corporate network, and he's not protecting vital data. Hardcore security isn't required (and can still be had, at some inconvenience to the users, using things like this, for instance). If he's got a UNIX-based firewall that can run cron scripts, that's all he needs.

      Try this:
      1) Put grandparents' machines on static IPs (or set their IPs on the DHCP server, if whatever's serving DHCP supports it).
      2) Have grandparents put a password on their Windows boxes and set the screensaver to lock after a few minutes.
      3) Set up a cron script to turn off internet access for all IPs except the grandparents' machines at a certain time, then turn it back on in the morning.
      4) Disable the cron script and disable internet access altogether if the kids are grounded.
      5) Use the firewall logs to see what the kids are doing. A little scripting can generate reports for you, if you want.

      If only one kid is grounded, it's a bit trickier, but still doable. A kid could unplug the cable or turn off one of the grandparents' machines and take the IP, but that would be best dealt with as a social issue (i.e. beat the kid's ass if he does).

      I use a similar setup here and it works like a charm. I use OpenBSD for the firewall, but Linux and pfSense have the same capability.

      --
      Those who can't do, teach. Those who can't teach either, do tech support.
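
The five steps above, as an added example that is not spauldo's own OpenBSD setup: a curfew script for a Linux router using iptables, driven from cron, with the grandparents' statically assigned addresses exempted, an always-on LOG rule for step 5, and a small report over the router's kernel log. The interface name, the addresses, the chain name, the script path /usr/local/sbin/curfew and the sample log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not spauldo's own setup: "internet off at night except for the
# grandparents' machines" rules for a Linux router, switched by cron, plus a
# report over the router's own firewall LOG lines. Interface, addresses and the
# sample log lines are constructed placeholders.

LAN_IF="eth1"                           # interface facing the grandparents' LAN
ALLOWED="192.168.2.10 192.168.2.11"     # the grandparents' PCs (static / DHCP-reserved)
CHAIN="CURFEW"

# Emit (rather than run) the rules so they can be reviewed first. Traffic from
# the allowed hosts leaves the chain untouched; everything else from the LAN is
# logged and dropped. The allow-list is by IP only, which is exactly the
# weakness the comment above accepts as a social rather than technical issue.
curfew_rules() {
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$CHAIN" "$CHAIN"
    for ip in $ALLOWED; do
        printf 'iptables -A %s -s %s -j RETURN\n' "$CHAIN" "$ip"
    done
    printf 'iptables -A %s -j LOG --log-prefix "curfew-drop: " --log-level 4\n' "$CHAIN"
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
    printf 'iptables -I FORWARD -i %s -j %s\n' "$LAN_IF" "$CHAIN"
}

curfew_lift_rules() {
    printf 'iptables -D FORWARD -i %s -j %s\n' "$LAN_IF" "$CHAIN"
    printf 'iptables -F %s\niptables -X %s\n' "$CHAIN" "$CHAIN"
}

# Always-on accounting for step 5: log every new outbound connection from the LAN.
accounting_rules() {
    printf 'iptables -I FORWARD -i %s -m conntrack --ctstate NEW -j LOG --log-prefix "fwd-new: " --log-level 6\n' "$LAN_IF"
}

# crontab entries: curfew on at 22:00, off at 07:00. For step 4 (grounded),
# remove the "off" line and run "curfew on" once; the block then stays.
crontab_lines() {
    printf '0 22 * * * /usr/local/sbin/curfew on\n0 7 * * * /usr/local/sbin/curfew off\n'
}

# Constructed kernel log lines in the shape the LOG target produces.
SAMPLE_LOG='Jun 14 23:02:11 gw kernel: fwd-new: IN=eth1 OUT=eth0 SRC=192.168.2.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51234 DPT=443
Jun 14 23:02:15 gw kernel: fwd-new: IN=eth1 OUT=eth0 SRC=192.168.2.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51235 DPT=443
Jun 14 23:05:40 gw kernel: fwd-new: IN=eth1 OUT=eth0 SRC=192.168.2.10 DST=198.51.100.9 LEN=60 PROTO=UDP SPT=40000 DPT=53
Jun 14 23:30:02 gw kernel: curfew-drop: IN=eth1 OUT=eth0 SRC=192.168.2.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51240 DPT=443'

# Count connections per (verdict, source, destination:port). Drops are listed
# separately, so an attempt to get out during lights-out stands out at once.
usage_report() {
    printf '%s\n' "$1" | awk '
        /fwd-new:|curfew-drop:/ {
            kind = ($0 ~ /curfew-drop:/) ? "DROP" : "NEW"
            src = dst = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[kind " " src " " dst ":" dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -k2,2 -k3,3 -k1,1nr
}

case "${1:-}" in
    on)     curfew_rules | sh ;;
    off)    curfew_lift_rules | sh ;;
    report) usage_report "$(cat "${2:-/var/log/kern.log}")" ;;
    *)      curfew_rules; accounting_rules; crontab_lines; usage_report "$SAMPLE_LOG" ;;
esac
```

Installed as /usr/local/sbin/curfew, the two crontab lines do steps 3 and 4; `curfew report` run over the kernel log does step 5. On the sample lines above the report shows two new connections and one curfew-time drop from 192.168.2.20, and a single DNS lookup from the grandparents' 192.168.2.10, which is the "usage looks different" signal the follow-up comment relies on.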
    2. Re:Keep it simple by kosmosik · · Score: 1

      > that's all he needs

      No it is not. You have contradicted yourself in your post. You have described a solution which from the beginning is flawed. Then you described that flaw (the kid could just change his IP to the grandparents' machine or even MAC if you would go for MAC based filtering). So you have basically posted a solution that is not a solution at all if you wish to make things working without beating the child.

    3. Re:Keep it simple by spauldo · · Score: 1

      I assume you don't have kids. Or work in security, for that matter.

      This is standard industry practice. You weigh your security needs (very little, based on the original question) and base your policy on those. If you catch someone circumventing your policy, you take action (for parents, you punish the child; for companies, you discipline the employee).

      What this setup does is make it non-trivial for the children to circumvent the basic security setup. It also makes it dead easy to find someone who is circumventing the security setup - the child's internet usage will look different than their grandparents'. There will be no accidental circumvention of the security policy. The real problem, from a parental point of view, is that the child is deliberately disobeying - and that's a parent issue, not a technical one.

      Think about it; if you really want to secure your house, you'll build it out of steel deep underground. Locks can be easily circumvented; I could probably break into the average house in less than ten minutes, and I'm no locksmith (or burglar, for that matter). But for some reason, you don't find people living in buried steel vaults. Banks, on the other hand, do use buried steel vaults; their security need is greater than the average household.

      --
      Those who can't do, teach. Those who can't teach either, do tech support.
    4. Re:Keep it simple by kosmosik · · Score: 1

      > I assume you don't have kids. Or work in security, for that matter.

      So you have lots of kids and work in security and it didn't occur to you that it would be easier and more effective to just take the kid's laptop and lock it up somewhere?

  36. Re:Chrome Remote Destkop by pnutjam · · Score: 1

    I did some extensive pfsense openVPN work awhile back. It has since been replaced by a "managed" solution and I was gifted the old gear. If you want some inexpensive Alix equipment, hit me up. They handle pfsense and openvpn very well.

  37. Hardware VPN device by musicon · · Score: 1
    You could do all of this through software (openVPN, etc.), but honestly life is too short to go through all the effort required as well as making sure it all works and stays updated. I'm getting too old for this crap and just need something that works in the least amount of time and effort required.

    I'd recommend you look at something like the Meraki MX64/MX64W at all three locations, it will do all of the necessary tunneling and filtering you need (with the advanced security license), as well as allow you to monitor what is happening on the network.

    Additionally, it's all cloud managed so you can view and configure the device from anywhere.

    I deploy these at work for our remote offices, and just purchased a similar setup at home (an MX64 and two MR18). I can filter what my kids get to as well as easily support remote backups and administration at my parents home.

    1. Re:Hardware VPN device by kosmosik · · Score: 1

      So in hardware VPN device VPN related stuff is being done in their ROM or maybe there are physical gears doing the VPN stuff...?

    2. Re:Hardware VPN device by DavidRawling · · Score: 1

      Is this like the other Meraki stuff where you have to pay Cisco licensing each year to be able to continue to use and manage the hardware (without paying the license it's a brick)? If so it may not be the best solution (also consider - to manage the device you have to have it connected to the cloud, so if that connection goes away or gets flakey, you're SOL).

      Plus you have the delightful experience of buying new hardware rather than continuing to use existing stuff if you don't want to pay the danegeld any more.

      For those reasons I can't recommend Meraki kit (unless I'm wrong and it's changed) - try the Ubiquiti or Microtik kit instead, or Sophos Home Edition, or frankly anything else that doesn't have continuing payment requirements.

    3. Re:Hardware VPN device by musicon · · Score: 1

      Yes, there is an annual cost for support on the device. However, it's minimal (~$70/year) and the ability to manage and monitor from anywhere is nice. I'm actually not sure what functionality is lost without maintenance, but I assume it's like most of their other products in that you stop receiving updates but it continues working fine with the last installed version.

  38. Re:Chrome Remote Destkop by ashpool7 · · Score: 1

    The suggestion in here to use OpenVPN or use a site-to-site router connection with DD-WRT using OpenVPN is the best bet. You could configure a small APU/ALIX machine to do this work if you didn't want to use DD-WRT.

  39. Or...TeamViewer ? by obarthelemy · · Score: 1

    TeamViewer is similar to remote desktop, and quite good. It's free for personal use. You might want to try that, or simply changing Remote Desktop's ports, before launching into complicated stuff, mister Network Admin.

    --
    The Cloud - because you don't care if your apps and data are up in the air.
  40. Is VPN the right solution or is it overkill.... by David_Hart · · Score: 1

    Yes, you could go through the trouble of setting up VPN, etc. and it would work. But VPN connections can be tricky if you don't know what you are doing.

    Personally, I've been using Teamviewer (Free for private use) for remote control. They have Windows, MAC, UNIX, and mobile clients. You do have to know the password on the client that you are connecting to and I believe that you can set it to a permanent one, but I've never needed to. I just get my Dad to read the 4 or 5 digit random number back to me. I believe that you can set it up to be always-on if you buy a license.

    https://www.teamviewer.com/en/...

    As for monitoring your kid's Internet access, it isn't going to work. He'll quickly find out that Grandpa's computer has access to everything... (grin)

    The easiest thing to do is install a monitoring program on his computer and buy a 802.11ac router for home and a router for grandpa that has built-in Parental Controls. You could then check the program logs on your kid's computer and the logs on the router.

    Unless you really have your heart set on learning how to configure VPNs and understand IP networking, it's just not worth it for Remote Control and Parental Monitoring.

    However, if you also plan to use the link for backups between their home and yours then it might make sense as backup services like Carbonite can be costly. In that case, the Meraki solution proposed by a previous commenter would be a good place to start.

  41. Softether by Youssef+Adnan · · Score: 1

    I'm surprised no one mentioned Softether https://www.softether.org/ - with multi-protocol support and site-to-site capability, it should be able to cover all your needs. Set up a server in the cloud - DigitalOcean is a cheap and excellent host - with Softether. Set up another softether client in your household on an old machine and set the two to do a site-to-site. From the digital ocean installation, ensure that the gateway is whatever you like to be (another VPN to work, perhaps?) and you're all set.

  42. Simplest to maintain by davidwr · · Score: 1

    It will cost you some bucks, but the simplest-to-maintain connection would be a dedicated machine at the far end to act as a firewall that forces all traffic through a VPN, and some box at your end to receive the VPN's traffic and route it wherever it needs to go.

    Doing it this way means there is no special software to install on the clients and nothing will "break" when Windows 10 or Raspberry Pi's next OS revision comes out.

    For appliances like these, I would recommend you consider one of the specialized distributions that are built with this kind of thing - and the security that goes with them - in mind. A decade ago I would've said OpenBSD but there may be something better out there now.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  43. Wrong solution by Harlequin80 · · Score: 1

    You don't need to route the traffic from their network to yours. You are making this way way way more difficult than it needs to be. Set up a router at the grandparents' end which has everything running through it. Set it up with a squid proxy and all the traffic will be loggable there.

    Next configure that router to be a VPN server and you connect into it whenever you want. Once connected you can read the logs and check your son's internet habits and you can access the rest of the network to fix their machines.

    Unless I am missing something there is nothing in your spec that actually requires a site to site connection. Christ you could probably get away with a few non standard port forwards and just ssh directly into your sons laptop.

  44. Two ways... by PhunkySchtuff · · Score: 1

    There are two ways of doing this.

    One is to look for alternative remote desktop software that does work. I've had success with TeamViewer - YMMV.

    Two is to put in a lan-to-lan VPN at each site and configure your routing appropriately - either go with something like DD-WRT or get something that will do it out of the box like a Ubiquiti EdgeRouter Lite ($100 and it has 3x gigabit ports and enough horsepower to route at an appreciable fraction of that rate)

    https://www.ubnt.com/edgemax/e...

  45. Re:VPN by pnutjam · · Score: 1

    pfsense, properly configured, can stand against any commercial product. For dynamic IPs, openVPN works great. I have used both mikrotik and pfsense and configured them such that you plug them into any network and they immediately tunnel home with OpenVPN. Don't bother with swan or the other ipsec or pptp solutions.

  46. Re:Networking is hard by Anonymous Coward · · Score: 1

    Dear Slashdot, How do I fix my car? I have knowledge of cars because I drive one everyday. I know there are volumes of text dealing my specific repair, even an actual factory manual. However, I'm a self entitled Gen-X'er and want you to walk me through the entire process, holding my hand. I am too proud to pay a mechanic to fix the car, even though he can do it one day. I'd rather waste even more money, time and resources doing it myself. Except I don't know how to do it myself. I know that people have gone through years of training to do these types of repairs, but I feel like I can do it myself because I AM SO SMRT.

  47. Re:Networking is hard by ArcadeMan · · Score: 1

    +1 Funny.

  48. NetBSD IPsec by manu0601 · · Score: 1

    This is a job for IPsec tunnels. OpenVPN could also do the job. Linux, FreeBSD and OpenBSD have been cited. NetBSD can do it too. IMO NetBSD may have the path of least resistance but that is personal opinion.

  49. Networking 101? by darkonc · · Score: 1
    You can pay a couple hundred bucks for a pre-built solution, or you can build a pair of OpenBSD routers to do the job. You can either use a pair of old machines that you've been too lazy to send for recycling, or you can buy a pair of Raspberry Pis with a second (USB) ethernet connector, for a low power solution. VPN them together, and set the default route for the router at network 'A' to be through network 'B'. Problem solved. People have suggested both IPsec and OpenVPN to build the tunnel. Just make sure that both networks don't use the ubiquitous 192.168.1.0/24 network, or you'll be in routing hell trying to talk back and forth.

    My question is: If you know what you're doing, why wasn't this the obvious solution for you before you posted?

    As for needing enough CPU power, don't worry. Back in the '90s, UBC Comp Sci was using a bunch of 30 MHz Pentiums to route between 10 Megabit networks (mostly thicknet, with some thinnet). The reason why they used 30 MHz machines??? The supplier ran out of 25 MHz machines. So I figure that just about anything that runs over 300 MHz would be overkill for your particular problem -- and anything less is probably no longer supported in many of the current distros.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  50. Site to Site VPN ? by nehumanuscrede · · Score: 1

    Easily achieved with Cisco hardware ( read that enterprise class ) but can't swear to it via PfSense. Talking a beefy and / or $$$ router though for the speeds you quoted in the Cisco world.

    PfSense will do a few flavors of VPN, but I've never tried to get it working with any sort of logic to flag which traffic should bring the tunnel up and which should go out unencrypted.

    However this link is informational:

    https://doc.pfsense.org/index....

    Since it's a mixed environment, it would probably be best to do it at the router level.

  51. Re:Networking is hard by pnutjam · · Score: 1

    I've done pfsense and routerOS, pfsense is way easier and the documentation is clearer. If you do it right, with an embedded box, electricity is a wash. If you throw it on a virtual server you are already running, you probably come out ahead.

  52. Seriously? Come on this isn't even a hard one by mlwmohawk · · Score: 1

    You need two raspberry PI2B computers, dynamic dns, and openvpn.

    Dynamic DNS service to track B side IP addresses
    OpenVPN to create the VPN
    Leave the VPN on all the time using the raspberryPIs
    ip route add 192.168.2.0/24 via 192.168.1.100

    (assumes your A side raspberrypi is .100, and your net is 192.168.1.0 and their net is .2.0)

    If you can't port-forward VPN through your ISP, you can fool it by "router hole punching"
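
The OpenVPN site-to-site setup that comments 28, 31, 49 and 52 sketch, as an added example that is not from any of those commenters: site A (home) runs the server, the site B (parents) router connects as a client, the per-client ccd file carries the `iroute` for B's LAN, the server pushes `redirect-gateway` so that all of B's internet traffic leaves through A, and the generator refuses to continue when both LANs are numbered identically (darkonc's routing-hell warning). It also emits the kernel-side pieces at A, including the `ip route add` line from comment 52. The subnets 192.168.1.0/24, 192.168.2.0/24 and 10.8.0.0/24, the gateway address 192.168.1.100, the interface eth0, the name home.example.net, the certificate CN siteB-gw and the file names are assumptions, constructed for the example.

```shell
#!/bin/sh
# Added example, not from any commenter: generate an OpenVPN site-to-site
# configuration. Site A (home) runs the server, site B (parents) is a client
# router, and site B's default route is sent through A. Subnets, names,
# interface and file names are constructed placeholders.

SITE_A_CIDR="192.168.1.0/24"       # home LAN, behind the OpenVPN server
SITE_B_CIDR="192.168.2.0/24"       # parents' LAN, behind the client router
VPN_CIDR="10.8.0.0/24"             # tunnel addresses
SITE_A_VPN_GW="192.168.1.100"      # LAN address of the OpenVPN box at site A
SITE_A_WAN_IF="eth0"               # internet-facing interface at site A
SITE_A_DNS_NAME="home.example.net" # dynamic DNS name of site A
CLIENT_CN="siteB-gw"               # CN in the site B router's certificate

# "192.168.2.0/24" -> "192.168.2.0 255.255.255.0" (OpenVPN's network/netmask form)
cidr_to_ovpn() {
    net=${1%/*}; prefix=${1#*/}
    m=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    printf '%s %d.%d.%d.%d\n' "$net" $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Two LANs with the same numbering cannot be routed to each other over a
# tunnel (the "routing hell" warned about above).
check_subnets() { [ "$1" != "$2" ]; }

server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server $(cidr_to_ovpn "$VPN_CIDR")
# site B's LAN is reachable through the tunnel (kernel route on the server)
route $(cidr_to_ovpn "$SITE_B_CIDR")
# per-client file, named after the certificate CN, says which client owns that LAN
client-config-dir ccd
# site B learns the way to site A's LAN ...
push "route $(cidr_to_ovpn "$SITE_A_CIDR")"
# ... and sends all of its internet traffic through site A
push "redirect-gateway def1"
keepalive 10 60
persist-key
persist-tun
EOF
}

ccd_entry() { printf 'iroute %s\n' "$(cidr_to_ovpn "$SITE_B_CIDR")"; }

client_conf() {
    cat <<EOF
client
dev tun
proto udp
remote $SITE_A_DNS_NAME 1194
nobind
ca ca.crt
cert $CLIENT_CN.crt
key $CLIENT_CN.key
tls-auth ta.key 1
# accept only a certificate our CA issued for server use
remote-cert-tls server
persist-key
persist-tun
EOF
}

# Kernel side at site A: forward, masquerade the tunnelled networks out the WAN,
# and (on site A's LAN router or hosts) route site B's LAN via the OpenVPN box.
site_a_kernel_setup() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$SITE_B_CIDR" "$SITE_A_WAN_IF"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$VPN_CIDR" "$SITE_A_WAN_IF"
    printf 'ip route add %s via %s\n' "$SITE_B_CIDR" "$SITE_A_VPN_GW"
}

write_site_configs() {
    check_subnets "$SITE_A_CIDR" "$SITE_B_CIDR" || {
        echo "both sites use $SITE_A_CIDR; renumber one of them first" >&2; return 1; }
    mkdir -p "$1/ccd"
    server_conf > "$1/server.conf"
    ccd_entry   > "$1/ccd/$CLIENT_CN"
    client_conf > "$1/client.conf"
}

case "${1:-show}" in
    write)  write_site_configs "${2:-./ovpn-site-to-site}" ;;
    kernel) site_a_kernel_setup ;;
    *)      server_conf; printf '# ccd/%s:\n' "$CLIENT_CN"; ccd_entry; client_conf ;;
esac
```

`write <dir>` produces server.conf, ccd/siteB-gw and client.conf; `kernel` prints the commands for the A-side box. The site B router additionally needs `net.ipv4.ip_forward=1` and must be the default gateway of B's LAN; no NAT is needed at B, because the `route`/`iroute` pair makes A route 192.168.2.0/24 back through the tunnel and A masquerades it on the way out.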

  53. Sophos UTM Home Edition by icuk · · Score: 1

    Go download: https://www.sophos.com/en-us/p... You'll have a free licence for 50 IP addresses per side. Beauty is.. it's Linux; supports more hardware options than pfsense. I use this to do exactly what you're wanting to do. I built small cheap computers ($250 a pop from newegg, tri-NIC'd) to be the "FW", installed the UTM box to every family household that needed one and set up site-to-site VPN between them. Works perfectly and it's easy to manage.

  54. Cisco SOHO routers will do it by Drewdad · · Score: 1

    Cisco devices have a feature called VTI - virtual tunnel interface. Basically it's an IPSec-protected GRE tunnel, but it looks like just another interface on the router.

    Then you just set up your routing rules. Policy-based routing will allow you to make decisions based on the source IP.

    This stuff works great in a SOHO environment. Doesn't scale well, though.

  55. Get a NAS ... by nbvb · · Score: 2

    Get a small NAS, such as a QNAP or Synology.

    They both have OpenVPN built in, so use that. Then you have a NAS for centralized backups (because if you're managing remotely you want to make sure they're stuff is backed up, right?) and your VPN connectivity.

    Win win situation. If you get creative, you can even cross-replicate the NAS's so you have a true offsite backup.

    1. Re:Get a NAS ... by nbvb · · Score: 1

      THEIR, not they're. Stupid autocorrect.

  56. Re:Networking is hard by fieldstone · · Score: 1

    If you're after filtering rather than tracking, OpenDNS has worked well for me in the past, can be installed on the router at location B, and has built-in filtering categories. Also, it's free (but you'll need to make an account to use the filtering). I concur on TeamViewer. I use it to support several hundred clients and it's very reliable, as long as your parents don't close it or uninstall it because they don't know what it is.

  57. Screen Connect by dahlellama · · Score: 1

    From what I understand of your requirements, you want to be able to remote into mixed-OS systems to do technical support more than you need a VPN. In that case I would recommend Screen Connect. It works like it uses SSL and has client-initiated connections and persistent clients. Since it is a piece of installed software it can be installed anywhere you need it. It is a little pricey at $375 for a single persistent self-hosted solution. The licence includes one year of software updates and support. On top of it, if you do not want to renew after the year is up you can continue to use it without additional cost. https://www.screenconnect.com/

  58. Re:OpenSSH + PortForwarding + RemoteDesktop by dahlellama · · Score: 1

    X2go would be another option. It will do the X forwarding to a very nice client. I use it to remote into my Linux systems at home then RDP from there. http://wiki.x2go.org/

  59. You're Overthinking by Thumper_SVX · · Score: 1

    I know this is old now, but honestly you're overthinking this.

    First, as others have mentioned here you can use TeamViewer to do remote desktop support, and it's free. No need to upgrade to Windows 7 Ultimate or anything else for that matter. I've used it on OSX, Windows and Linux and it works like a champ. I've supported family and friends... and even had a commercial license for TeamViewer for a while because it really is so easy to use and maintain that I found it invaluable. I don't do that job any more, but I still maintain TeamViewer on my computers in my house so I can get into them and manage/maintain them while I'm on a business trip. Same on my son's laptop so if he has a problem I can support him remotely.

    Now of course comes to your son. Don't. Seriously... kids are going to be kids, and they're going to work around any controls you put on a computer. The only thing you are LEGALLY required to do is to control what he has access to at YOUR home. Once he's off your network, anything he does is the responsibility of the party that owns the network he's using. Yes, he should be held responsible by you as a parent, but legally there's nothing forcing you to do this. Plus, kids are going to find workarounds regardless; my son is 15 so you can imagine the battles I've had with him over the years. As it stands now, I manage his Internet access at home using a Sonicwall TZ-215 firewall that has Gateway Anti-Virus and some content controls turned on. Honestly, I don't block porn... he's 15... but I do block some categories I personally find distasteful; hate speech and the like. If he needs something for a particular essay he's doing for school that's blocked, he can ask me to unblock it and he does. This way there's mutual trust going on, which to be honest is the RIGHT way to parent.

    I also don't check the logs to see where he's going on the web. Just so long as he's not doing anything illegal (and yes, I do block bittorrent for that reason) that could get me in legal hot water I don't particularly concern myself with it. I check his laptop for malware and to make sure updates are in place periodically, but beyond that I don't see the need to get overly stressed about it. Besides, we have an understanding that if he does anything bad that gets his computer malware that's going to be too much trouble to clean up (like more than 30 minutes of work on my part) then his machine gets re-imaged and he gets to reinstall everything, restore his own files etc. I make him responsible for his backups as well.

    Is my system perfect? No, but it works. And right now I have a 15 year old boy who may or may not go on porn sites occasionally (I really don't care), plays games occasionally... but generally is a well-behaved kid when it comes to technology.

    I guess what I don't get about your requirements is this: if your primary reason for the site B connection is supporting your parents, then why backhaul all the Internet traffic across your own network? With a decent managed firewall you can do all the controls you like, and there are web-managed options as well. Some of them even support OpenVPN natively or some IPSec variant with which you can create a virtual private network for managing stuff. If you really want content controls on your parents' network then you really need to review what you're trying to accomplish here. You don't have to get something as fancy as a Sonicwall, there are plenty of other cheaper options but that is certainly one.

    I do have a VPN as well as my TeamViewer connections... honestly SSH is easier to manage my Linux boxes than TeamViewer most of the time because I don't need a GUI. As a result, all my Linux boxes partake in an OpenVPN network against a hub system hosted on Linode (where my web server is also hosted). I have the OpenVPN client on my laptops so when I'm out and about I can join the network and SSH to any of the systems no matter where I am (I keep a HOSTS file with all the IP's). Bonus; I can host my own mail server on my home box without using the storage on the L