VPN Solutions for Distributed Installations?
merreborn asks: "I work for a very small software company (10 employees) that's developing a Point of Sale solution for a small retail chain (~20 stores in several states) on the other side of the country. We're going to be shipping Debian systems with our software installed to these locations -- all of which are connected to the Internet via consumer-grade DSL, and inevitably behind some sort of NAT box. Our office is similarly connected, and we've got a couple of dedicated, co-located servers off-site with static IPs. We'd like to be able to access these systems remotely for maintenance from the office -- what would that entail? Which VPN solutions are best suited to this situation these days (IPSec, PPTP, vtun, ssh, ssl/OpenVPN)? Are there any detailed, current books on the subject? (O'Reilly's VPN book is 6 years old now)"
"Some sort of NAT box" (Score:3, Insightful)
Buy some small, even older, used, Netscreen firewalls for a few hundred each. If you do the preshared keys trick, and put them in aggressive mode, they'll all connect back to the central hub firewall, a Netscreen 10, or whatever model replaced it.
It just works, no dicking around with
Re:compartmentalize! (Score:3, Insightful)
Actually the way the OpenVPN server is configured by default, each machine is put onto its own network basically (i.e., you get a 10.8.0.9, with netmask 255.255.255.252), and the server will not route between clients. If you're running the VPN network in a different subnet from your regular network, you can tightly control the routing between the two. A security failure at one endpoint will only compromise that endpoint and provide access to what it can normally access on the server - not the whole network. You still need to provide other protection on the client (e.g., tripwire) to protect it separately.
Compromising the server is still going to get you access to everything, and this is true with pretty much any setup.
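The defaults this comment relies on (a separate /30 per client, no forwarding between clients, a VPN subnet distinct from the LAN), written out as a server-side OpenVPN configuration for the co-located hub. This is an added example, not code from the thread or from the OpenVPN project; the certificate file names, the 10.8.0.0/24 pool, the `ccd/office` file and the office's fixed address are assumptions.

```conf
# Added example: server.conf for the static-IP hub that the NATed store boxes
# and the office both dial in to. File names and addresses are assumptions.
port 1194
proto udp
dev tun

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/hub.crt
key  /etc/openvpn/hub.key
dh   /etc/openvpn/dh2048.pem

# 'server' hands each connecting client a private /30 out of this pool
# (netmask 255.255.255.252, as the comment describes). The pool is kept
# outside the office LAN range so LAN<->VPN traffic has to be routed, and
# can therefore be filtered, rather than being bridged.
server 10.8.0.0 255.255.255.0
topology net30

# 'client-to-client' is deliberately NOT present: with it absent OpenVPN does
# not switch packets between clients internally. Any store-to-store or
# office-to-store packet has to pass through the kernel's FORWARD chain on
# this host, where it can be restricted to the maintenance flows you want.

# Per-client overrides. The office gets a fixed /30 so firewall rules can
# name it; ccd/office (assumed) contains:
#   ifconfig-push 10.8.0.250 10.8.0.249
client-config-dir /etc/openvpn/ccd

# Nothing is pushed to the stores: they need no route to the office LAN,
# so a compromised store box sees only this server and whatever the
# FORWARD chain explicitly allows.

keepalive 10 120
persist-key
persist-tun
user  nobody
group nogroup
verb 3
```

With this in place the store boxes connect outbound through their DSL NAT (no port forwarding needed at the stores), and the hub decides what is reachable. On the hub, enable IPv4 forwarding, set the FORWARD chain's default policy to DROP, and add only the rules you need (e.g. from the office's 10.8.0.250 to the store range on tcp/22, plus the matching ESTABLISHED,RELATED return rule); with those rules a compromised store endpoint can initiate nothing towards the office or the other stores, which is the compartmentalisation the comment is describing.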
Re:Easier (Score:3, Insightful)
Voila, DNS is my "db", I don't run a script every minute and still get better time granularity, because the update is only done when a state change on the interface occurs.