VPN Solutions for Distributed Installations? (85 comments)

merreborn asks: "I work for a very small software company (10 employees) that's developing a Point of Sale solution for a small retail chain (~20 stores in several states) on the other side of the country. We're going to be shipping Debian systems with our software installed to these locations -- all of which are connected to the Internet via consumer-grade DSL, and inevitably behind some sort of NAT box. Our office is similarly connected, and we've got a couple of dedicated, co-located servers off-site with static IPs. We'd like to be able to access these systems remotely for maintenance from the office -- what would that entail? Which VPN solutions are best suited to this situation these days (IPSec, PPTP, vtun, ssh, ssl/OpenVPN)? Are there any detailed, current books on the subject? (O'Reilly's VPN book is 6 years old now)"
This discussion has been archived. No new comments can be posted.
  • by Gothmolly ( 148874 ) on Thursday April 13, 2006 @03:07PM (#15123480)
    It's called a commercial firewall. It's tempting to roll your own using a $45 Linksys and CIPE/OpenVPN/IPSEC/PPTP/Freeswan, but seriously, do you want to spend your time watching messages like "Processing a NONCE.." ?

    Buy some small, even older, used, Netscreen firewalls for a few hundred each. If you do the preshared keys trick, and put them in aggressive mode, they'll all connect back to the central hub firewall, a Netscreen 10, or whatever model replaced it.

    It just works, no dicking around with /etc/ubuntu/foo.key or chintzy NAT boxes that can't pass protocol 50, etc. etc.
  • by gregmac ( 629064 ) on Thursday April 13, 2006 @03:51PM (#15124026) Homepage
    I'd have to disrecommend running a VPN between these sites simply for your convenience; it would mean that a security failure at any point on the network could jeopardize all of the machines in the network. I recommend you stick with ssh/scp for access to those machines.

    Actually the way the OpenVPN server is configured by default, each machine is put onto its own network basically (ie, you get a 10.8.0.9, with netmask 255.255.255.252), and the server will not route between clients. If you're running the VPN network in a different subnet from your regular network, you can tightly control the routing between the two. A security failure at one endpoint will only compromise that endpoint and provide access to what it can normally access on the server - not the whole network. You still need to provide other protection on the client (eg, tripwire) to protect it separately.

    Compromising the server is still going to get you access to everything, and this is true with pretty much any setup.
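The isolation gregmac describes, written out as an added example (not code from any poster in this thread): an OpenVPN hub configuration that keeps the default per-client /30 addressing, omits `client-to-client` so that traffic between clients leaves the daemon and passes through the kernel's FORWARD chain, and a set of iptables rules that allow only one fixed office address to open SSH to the store clients. The interface name tun0, the 10.8.0.0/24 pool, the office client's pinned address 10.8.0.6, the certificate CN "office" and the key file paths are all assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: an OpenVPN hub
# config that keeps each store client on its own /30 and leaves inter-client
# routing to the kernel, plus FORWARD rules that only let one office address
# open SSH to the stores. Assumed values: tun0, pool 10.8.0.0/24, office
# client pinned to 10.8.0.6, key material under the directory given as $1.
set -eu

# Write server.conf and the office ccd entry into directory $1
# (normally /etc/openvpn). Deliberately absent: "client-to-client", so
# traffic between clients leaves the daemon and is subject to the FORWARD
# chain, and any "push route" for the office LAN, so stores see only the
# tunnel endpoint.
write_server_conf() {
    dir=$1
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun0
topology net30
server 10.8.0.0 255.255.255.0
ca $dir/ca.crt
cert $dir/hub.crt
key $dir/hub.key
dh $dir/dh.pem
tls-auth $dir/ta.key 0
client-config-dir $dir/ccd
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
    # Pin the client whose certificate CN is "office" to a fixed /30 so the
    # firewall can name it; 10.8.0.5 is the server-side end of that /30.
    printf 'ifconfig-push 10.8.0.6 10.8.0.5\n' > "$dir/ccd/office"
}

# Print (not apply) the hub's FORWARD rules. Anything entering tun0 that
# wants to be forwarded is dropped unless it is the office address opening
# SSH to a store, or a reply to such a connection.
forward_rules() {
    vpn_net=${1:-10.8.0.0/24}
    office=${2:-10.8.0.6}
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o tun0 -s $office -d $vpn_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i tun0 -j DROP
EOF
}

# Usage: sh hub-setup.sh /etc/openvpn
# Writes the config and prints the rules; review them, then pipe the
# printed lines to sh as root to apply.
if [ $# -gt 0 ]; then
    write_server_conf "$1"
    forward_rules
fi
```

The rules are printed rather than applied so they can be reviewed first; with this layout a compromised store box can reach the hub's tunnel endpoint and nothing else, and the stores never learn a route to the office LAN.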
  • Re:Easier (Score:3, Insightful)

    by TCM ( 130219 ) on Thursday April 13, 2006 @08:19PM (#15126365)
    I disagree, it's quite a hack. Personally, I use a script that gets invoked whenever a new PPPoE connection is established. From there, I do an update to a DNS server.

    Voila, DNS is my "db", I don't run a script every minute and still get better time granularity, because the update is only done when a state change on the interface occurs.
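The hook TCM describes, as an added example that is not the poster's own script: a pppd ip-up hook that pushes the link's new address to DNS with a TSIG-signed nsupdate. It goes one step beyond the comment by also remembering the last address it published and skipping the update when a re-dial came back with the same one. The Debian-style ip-up.d environment (PPP_IFACE, PPP_LOCAL), the zone example.net, the server ns.example.net, the key file /etc/ppp/ddns.key and the state file /var/run/ddns-last-ip are all assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own script: a pppd ip-up hook that pushes
# the new public address of the DSL link to a DNS zone with a TSIG-signed
# nsupdate, and skips the update when the address has not changed. Assumed:
# Debian-style /etc/ppp/ip-up.d environment (PPP_IFACE, PPP_LOCAL), zone
# example.net with server ns.example.net, key file /etc/ppp/ddns.key and
# state file /var/run/ddns-last-ip (all placeholders).
set -eu

FQDN=${FQDN:-store01.example.net}
ZONE=${ZONE:-example.net}
NS=${NS:-ns.example.net}
KEYFILE=${KEYFILE:-/etc/ppp/ddns.key}
STATE=${STATE:-/var/run/ddns-last-ip}

# Return 0 if the address differs from the one recorded last time
# (or nothing has been recorded yet).
needs_update() {
    state=$1 ip=$2
    [ ! -r "$state" ] || [ "$(cat "$state")" != "$ip" ]
}

# Print the nsupdate batch: drop any old A record, add the new one with a
# short TTL so stale addresses age out quickly after a re-dial.
build_update() {
    name=$1 ip=$2 ttl=${3:-300}
    cat <<EOF
server $NS
zone $ZONE
update delete $name A
update add $name $ttl A $ip
send
EOF
}

# Hook entry point: pppd runs ip-up.d scripts after the link comes up.
# Runs only when PPP_LOCAL is set, so the file can be sourced for testing.
if [ -n "${PPP_LOCAL:-}" ]; then
    if needs_update "$STATE" "$PPP_LOCAL"; then
        build_update "$FQDN" "$PPP_LOCAL" | nsupdate -k "$KEYFILE"
        printf '%s\n' "$PPP_LOCAL" > "$STATE"
        logger -t ddns "$PPP_IFACE: $FQDN -> $PPP_LOCAL"
    fi
fi
```

Signing with a TSIG key scoped to this one name keeps a compromised store box from rewriting anything else in the zone, and the state file means a flapping link does not hammer the name server.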
