VPN Solutions for Distributed Installations?

merreborn asks: "I work for a very small software company (10 employees) that's developing a Point of Sale solution for a small retail chain (~20 stores in several states) on the other side of the country. We're going to be shipping Debian systems with our software installed to these locations -- all of which are connected to the Internet via consumer-grade DSL, and inevitably behind some sort of NAT box. Our office is similarly connected, and we've got a couple of dedicated, co-located servers off-site with static IPs. We'd like to be able to access these systems remotely for maintenance from the office -- what would that entail? Which VPN solutions are best suited to this situation these days (IPSec, PPTP, vtun, ssh, ssl/OpenVPN)? Are there any detailed, current books on the subject? (O'reilly's VPN book is 6 years old now)"

Yes.

[numbski]

Next question? :D

Seriously, OpenVPN would do the trick, and I do it right now. The only thing that bugs me about OpenVPN is that you either have to set up a key signing authority, or use pre-shared keys. The key signing authority process is well documented, it's just that I've never actually been able to make it work. Pre-shared keys works just fine though. The protection isn't as good however.

Once I get key signed OpenVPN working then this solution is a no-brainer.

Re:Yes.

[kotj.mf]

What the parent said. Actually, OpenVPN will really only work if you can garuntee that you're the only people who will ever be using the link. If you're ever going to have to interoperate with any outside trading partners, though, you're stuck with an IPSec solution. If you decide to go that route, feel free to futz around with OpenS/WAN, or just buy a bunch of PIX 500's on ebay.

Re:Yes.

[kotj.mf]

Also, I found this sentance in TFA a little disturbing:

Our office is similarly connected, and we've got a couple of dedicated, co-located servers off-site with static IPs.

It implies that the remote sites, and maybe even home base, don't have static IPs.

Dude, seriosly. Pay the phone company the extra five bucks a month for an IP at each site. You'll thank me later.

Re:Yes.

[HotNeedleOfInquiry]

What he said. Don't even fsking think about VPN without fixed IP's everywhere.

Re:Yes.

[TCM]

OpenVPN to the rescue again. It has options to specify the peer by name instead of IP address. Together with options to periodically ping the peer and re-resolve its name upon timeout, you can even establish VPN connections between two peers with dynamic addresses, as long as they both have a fixed name, e.g. *.dyndns.org.

Re:Yes.

[walt-sjc]

Pay the phone company the extra five bucks a month for an IP at each site.

In Verizon land, it's $30 / month nearly doubling the cost of a business line. Still worth it IMHO.

Re:Yes.

[AmericanInKiev]

My understanding is the OpenVPN will navigate dynamic IP pretty well - provided at least one link is static - but that it also supports dual dynamic ip (so long as you are not the unhappy victim of simultaneous changes.

As it was explained to me, by my good friend Jim (who wrote the thing) Both connections will attempt to reconnect and rebroadcast the return IP. (presumably this is configurable).

AIK

Re:Yes.

[Christopher Cashell]

You don't understand OpenVPN. ;-)

OpenVPN operates very much in a Client-Server style, similar to many commercial VPN Concentrators. The server has a fixed IP address, and the clients connect to the server. After authenticating and establishing a connection, the server gives the client a DHCP-style assigned VPN IP address. Any communication done through the VPN is done between that IP and a tunnel-specific IP on the OpenVPN Server.

If you have fixed Peer-to-Peer tunnels, IPSec is the standard, and it works

Re:Yes.

[caluml]

Yep, it's used on Anonet [fshell.org] in varying numbers, and works very well.

Re:Yes.

[arivanov]

If you are doing it yourself the choice is between OpenVPN and OpenVPN.

Advantages:

• Ease of setup. Once you have an SSL CA setup the OpenVPN part is a piece of cake
• Possibility to use multiple links, load balance, failover, hang yourself by any means necessary. See Caveats though...
• Possibility to use QoS and run VOIP on top with no worries. While IPSEC security is considerably better studied than OpenVPN (this does not mean it is better, it is just a devil we know), IPSEC has a major failing. In its most common VPN use which is tunnel mode it is utter piece of horrid shite as far as QoS is concerned. Shameless plug: you can lift off QoS setup for OpenVPN off my website [sigsegv.cx]
• Possibility to get hardware acceleration on the cheap. It is trivial to get OpenVPN to work with an SSL library which has via padlock support. A padlock capable motherboard is around 120$. This theoretically gives you 50Mbit hardware accelerated AES. Practically - see caveats
• Ease of debug and understanding. It provides you with the notion of interface. You can tcpdump it, collect stats, check its status, you name it. You do not get any of that with IPSEC.

What you need to keep in mind are a list of

Caveats:

• OpenVPN will copy from userland to kernel and back to perform its task. As a result it has a speed limit per client which cannot be worked around. It is a fundamental limitation and is around 5MBit per client (multiple clients bandwidth grows as a log of the number to a total of around 15-20MBit). For a distributed installation or road warriors this may prove to your advantage, because no single client can eat all the resources. There is always some resource to go around. If you want higher speeds on a single encrypted point to point link you are better off with IPSEC transport mode overlay of IP-in-IP or IPSEC overlay of PPTP.
• OpenVPN route mechanism has minimal error checks and will bugger up your routing table majestically of you decide to do something really fancy. If you want to run a large distributed infrastructure you have to run quagga and use OSPF or RIP for routing. Either works fine provided that you can do them and you use peer-to-peer mode of OpenVPN. This also allows you to interoperate nicely with any failover within your network and this is something you never get out of IPSEC.
• You cannot use the Server mode of OpenVPN along with routing protocols. Actually I think that there are some fixes in the Quagga CVS head that will allow this but I will advise against this. This is a mode for road warriors. If you want infrastructure you better set your tunnels properly as peer mode ones.

If you are doing it vs someone else, especially someone with an overgrown IT department full of certification waving droids you have to use IPSEC. I have had some bad experience with SWAN varieties and personally I would suggest using Racoon and the KAME stack. Anything else aside they have some good debugging and so far I have managed to make them interop versus every implementation I have tried.

Re:Yes.

[nmos]

I'm not sure why you keep comparing OpenVPN VS. IPSEC. Openvpn is a product and IPsec is a protocol (actually a set of protocols) and in fact OpenVPN USES IPsec.

Re:Yes.

[arivanov]

Under IPSEC I mean any standards compliant implementation floating around. I am speaking based on some experience with Checkpoint, Cisco, Nortel, KAME, FreeSwan and a few others. When used in tunnel mode they all suck by design because they do not offer an interface notion to the OS so there is no way to run a routing protocol on the tunnel. They similarly suck QoS-wise. I am using IPSEC because the suckiness is actually a natural result of the RFC definitions of the protocol.

If you use transport mode IPSEC

Re:Yes.

[Christopher Cashell]

As far as OpenVPN you are deeply mistaken. It has nothing to do with IPSEC. It uses TLS over TCP or TLS over UDP. The second case requires some sequencing. None of the packet formats has anything to do with the IPSEC RFCs, the OS level abstractions have nothing to do with the RFCs and the keying is not anywhere near the madness specified in the IKE RFC.

"OpenVPN uses an industrial-strength security model designed to protect against both passive and active attacks. OpenVPN's security model is based on using S

Re:Yes.

[arivanov]

Nope. Whoever wrote it is a dolt (though it is on the OpenVPN pages).

ESP per its RFC definition is a protocol in its own right. It is not over UDP.

Granted, OpenVPN UDP frame format closely resembles the payload part of ESP in uncompressed mode (no point to reinvent the wheel). IIRC the source correctly, once you start using compression the format differs from for both compressed and uncompressed frames (lzo versus deflate compression). In addition to that keying and keepalive are inband on the same UDP conn

Re:Yes.

[Christopher Cashell]

You are correct, ESP is a separate IP protocol (Protocol 50), and from that standpoint, has nothing to do with UDP. However, there is also RFC 3948 [rfc-archive.org], which specifies tunneling ESP over UDP.

Now, I've been using OpenVPN for a long time, but I will readily grant that I've never dug into the nitty gritty details of it's protocol, so I don't know for sure if this is what OpenVPN is doing. When I saw the comment on the OpenVPN page, I assumed they were using ESP over UDP for the transport protocol, though.

Re:Yes.

[Jacco de Leeuw]

Many vendors support L2TP/IPsec.

(By the way, it's IPsec, not IPSEC).

Re:Yes.

[Christopher Cashell]

OpenVPN will copy from userland to kernel and back to perform its task. As a result it has a speed limit per client which cannot be worked around. It is a fundamental limitation and is around 5MBit per client (multiple clients bandwidth grows as a log of the number to a total of around 15-20MBit). For a distributed installation or road warriors this may prove to your advantage, because no single client can eat all the resources. There is always some resource to go around. If you want higher speeds on a sing

Re:Yes.

[arivanov]

My fault. Numbers quoted are for TCP encaps tested over an uncongested 100MB link. UDP goes higher several times. Possibly in the 10s of MBit so 40Mbit you have seen is achievable. Hardware in my deployments has been P4 on one side and Via with hardware AES acceleration on the other. P4 on the other makes no difference. Dropping to Via on both sides also makes no difference.

As far as the CPU it is not the limitation by any means. At least with TCP the client gets to its max throughput long before the CPU ha

Re:Yes.

[Deagol]

The company I work for right now is rolling out OpenVPN. Our 2 main offices are connected via the shared static key method, our employees and vendors are issues certificates to log into another server. It works really well and is *much* faster than the MPD solution we used before.

I love how you can customize each client connection's routes and stuff, but this only works if you use the certificate method. Our vendors are allowed only to the 2 subnets they need, while us employees and admins get full run

Re:Yes.

[Christopher Cashell]

Did you use the OpenVPN provided scripts for managing the keys?

Because I managed to setup a new OpenVPN server from scratch, using certificates for authentication, in less than an hour this afternoon. Admittedly, I've used OpenVPN quite a bit in the past, but I did this setup from scratch, using the provided scripts, and it was *really* easy. Everything "just worked".

Additionally, OpenVPN also supports making use of PAM for authentication, giving you lots of other options. You can even setup OpenVPN to a

Re:Yes.

[thegrassyknowl]

Another vote for OpenVPN. Its flaws aside, it is the most reliable VPN software to use through a NAT device. I tried PPTP and IPSEC and both needed extensive configuration to make them even useable. OpenVPN was a matter of forwarding a single UDP port into the VPN server and it just works (TM).

Debian... and PPTP

[strredwolf]

You may be stuck, unless you're willing to switch to Ubuntu. I've tried them all, and only PPTP on a Ubuntu server or a recompiled Debian kernel w/the MPPE patches (or the latest 2.6.15+ kernel) works very well. I'm not sure how Debian is reacting that 2.6.x is standard now, but it's slow to change away from 2.4. Ubuntu is better in that reguard (it's base is 2.6 with patches).

Re:Debian... and PPTP

[Rekolitus]

Or you could install Debian with boot: linux26.

Re:Debian... and PPTP

[merreborn]

Due to hardware issues, we're using the Testing branch (which is obviously less than ideal) which ships with 2.6.15.

Re:Debian... and PPTP

[nmos]

I've got several Debian Sarge boxes running OpenVPN with 2.4 series kernels and it works fine. In fact some of these were Woody boxes until fairly recently.

IPCOP Works Well

[Anonymous Coward]

In a similar fashion we provide support for an application base that we are growing. If they want "Premium" support then we provide an IPCOP firewall for the location and turn the VPN tunnels on only when we need to support them. IPCOP is free and very reliable and we then deploy it on a low profile microATX desktop case not much larger than a Cisco PIX. Works well.

Re:IPCOP Works Well

[Rob_Bryerton]

I second the IPCop suggestion. We have deployed several, and setting up a net-to-net VPN is a snap.

To the parent (or anyone else): any suggestions or links for suitable diskless/alternative hardware for IPCop other than a standard PC? I don't like the idea of a hard drive in the box running for years, being reset occasionally by people used to unplugging linksys 'routers' etc

Re:IPCOP Works Well

[oops.sgw]

WRAPcop: A guy that calls himself xpapa provides images for the WRAP-platform from PCengines (already mentioned in this thread by the guy running m0n0wall on that hardware).

IPCOP then runs from CF-cards (>=128 MB), the whole box pulls about 5 W max and is QUIET. I run a few of those for clients, and one for my own office.

WRAP-hardware:
www.pcengines.ch

Xpapa's IPCOP-images:
http://www.xpapa.de/modules.php?name=Downloads&d_o p=viewdownload&cid=1 [xpapa.de]

Re:IPCOP Works Well

[oops.sgw]

following up myself:

IPCOP brings IPSEC-based VPN, but is also able to do OpenVPN (even in parallel with IPSEC-VPN) by using the Zerina-Addon.

Re:IPCOP Works Well

[nmos]

I don't know how much space IPcop takes up but you can get cf -> ide adapters and cf cards pretty cheap these days. I just picked up a couple of extra 256MB CF cards from Newegg for $12 each and I think the CF -> IDE adapters were in the $20 range.

Tinc

[rdejean]

Someone already mentioned OpenVPN, i would also look at tinc (http://www.tinc-vpn.org/ [tinc-vpn.org]). It supports full mesh routing between all your sites, which would be a pain with OpenVPN. Of course if everyone is connecting back to a hub, then not a big deal.

Also for your NAT boxes, if you want to do it cost effectively, get some Linksys WRT54GL's and install OpenWRT. You can then run your VPN (openvpn or tinc) on those routers, which would make a much cleaner VPN network.

Re:Tinc

[TCM]

DON'T use tinc, CIPE, vtun or PPTP!

http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_v pn.txt [auckland.ac.nz]

Really, OpenVPN must be the best thing since sliced bread. Runnable as non-user, chrootable, interfacing with standard tun/tap devices, certs. None of the complexity of IPsec. I love it.

My 266MHz Geode WRAP [pcengines.ch] can handle 6Mbps which is enough to connect a LAN wirelessly. Faster boxes should handle more than that, despite someone else saying 5Mbps would be a limit.

Re:Tinc

[gsliepen]

Disclaimer: I am currently the main author of tinc.

Please read http://www.tinc-vpn.org/security [tinc-vpn.org]. I agree that OpenVPN has better security, but it is focussed on a centralised client-server model, while tinc is focussed on a decentralised peer-to-peer model. So if the latter fits better, and you can live with a protocol that is not as secure as the current SSL protocol, then you should definitely give tinc a try. It is unfortunate that OpenVPN hasn't copied tinc's distinctive features (yet), and personally

ssh could be good enough

[georgewilliamherbert]

If you know what the remote IP addresses are going to be (consumer grade but fixed IP addresses at remote ends) then ssh would be an adequate solution by itself, and a lot simpler than most of the alternatives. With its ability to forward ports and X windows displays, it can handle pretty much anything.

If you need constant monitoring and interaction a real VPN may make more sense, but ... think carefully about how much complexity you add in the management layer here. Does that overall improve or degrade the total environment's reliability and managability?

Re:ssh could be good enough

[Homology]

If you know what the remote IP addresses are going to be (consumer grade but fixed IP addresses at remote ends) then ssh would be an adequate solution by itself, and a lot simpler than most of the alternatives. With its ability to forward ports and X windows displays, it can handle pretty much anything.

It's peculiar that this is the only post that recommends ssh for remote administration. It is very easy to setup and make work, in contrast to VPN in general.

Re:ssh could be good enough

[homer_ca]

For connecting to single hosts like the co-located servers, you're better off with ssh. Use RSA authentication instead of passwords to be safe. A VPN is still useful for connecting a client to a network or a network to another network.

one word... Hamachi

[pagebt]

http://www.hamachi.cc/ [hamachi.cc] Hamachi is a very easy to use and extreemly hard to block VPN that looks to your system as if it was another network device. these days I leave my laptop at home and access all of my daily needed data + VNC as if it was sitting right next to me

Re:one word... Hamachi

[TCM]

Right, isn't Hamachi using a central point which you don't control? I wouldn't want to send any data - let alone sensitive data - over such a "VPN".

This might be adequate for gamers and equally "sophisticated" user groups. Using it for a company? Bad idea.

Re:one word... Hamachi

[TCM]

I was wrong. Indeed, Hamachi only serves to bring peers together which then establish a connection among themselves. But how is this better than using OpenVPN with static hostnames? DynDNS should be common enough.

Re:one word... Hamachi

[tweek]

As much as I think it's a bad idea, how is this any different from outsourcing your VPN solution to a third party such as Netifice or someone else?

compartmentalize!

[TheSHAD0W]

I'd have to disrecommend running a VPN between these sites simply for your convenience; it would mean that a security failure at any point on the network could jeopardize all of the machines in the network. I recommend you stick with ssh/scp for access to those machines.

Re:compartmentalize!

[gregmac]

I'd have to disrecommend running a VPN between these sites simply for your convenience; it would mean that a security failure at any point on the network could jeopardize all of the machines in the network. I recommend you stick with ssh/scp for access to those machines.

Actually the way the OpenVPN server is configured by default, each machine is put onto its own network basically (ie, you get a 10.8.0.9, with netmask 255.255.255.252), and the server will not route between clients. If you're running the VPN

Re:compartmentalize!

[AmericanInKiev]

I believe OpenVPN is written using OpenSSH - so cake and eat it too?

AIK

Re:compartmentalize!

[Homology]

I believe OpenVPN is written using OpenSSH

You are wrong in that belief. OpenVPN uses OpenSSL.

Re:compartmentalize!

[TheSHAD0W]

No matter what crypto method used, I was warning against leaving a network between a large number of distant computers open.

Try SSH

[dantal]

I've has a very simmilar situation last year and we found that ssh was much easier to work with and any vpn solution. The only potenial issue is since you are using consumper grade DSL ip address may change. But that is very easy to get arround by having the remote systems cheching there ip address every so often and when is changes sending it to you either by email or posted to a web server.

Re:Try SSH

[walt-sjc]

... Or by using one of the many dyndns services, or even running your own dyndns service.

"Some sort of NAT box"

[Gothmolly]

Its called a commercial firewall. Its tempting to roll your own using a $45 Linksys and CIPE/OpenVPN/IPSEC/PPTP/Freeswan, but seriously, do you want to spend your time watching messages like "Processing a NONCE.." ?

Buy some small, even older, used, Netscreen firewalls for a few hundred each. If you do the preshared keys trick, and put them in aggressive mode, they'll all connect back to the central hub firewall, a Netscreen 10, or whatever model replaced it.

It just works, no dicking around with /etc/ubuntu/foo.key or chintzy NAT boxes that can't pass protocol 50, etc. etc.

Re:"Some sort of NAT box"

[walt-sjc]

A linksys RV082 works quite well for VPN's like this, and are reasonably priced.

Re:"Some sort of NAT box"

[tweek]

I second this. We do this for our retail locations. We have two ns-208 models running in Active/Passive mode and install either Netopia 3386 or Netscreen-5gt models in our stores.

The total cost on the concentrator side was 30K but it's redundant and the cost of the remote routers are $250/$400 respectively.

Re:"Some sort of NAT box"

[Jacco de Leeuw]

Aggressive mode isn't very safe (read why [www.ernw.de]).

OpenVPN rocks for this

[pavera]

We currently use openvpn for a remote management service that my company offers have been using it for over a year now, more than 50 customers up, works from behind nat, with dynamic IPs, through all sorts of nasty things, and as long as the internet is up, the VPN is up and we have connectivity. Ive used alot of different VPNs (openswan, cisco, PPTP) nothing comes close to the stability of openvpn tunnels, especially when dealing with adverse network conditions (NAT of any sort, multiple NATs, poor link quality, etc) even if the internet link is pretty spotty, openvpn does a very good job of automatically renegotiating the tunnels as soon as it has connectivity.

Quick breakdown of obvious options

[Anonymous Coward]

Basically there are three groups of VPN "solutions" these days: IPSec, PPTP, and everything else.

I use IPSec pretty extensively. If you're dealing with inter-Linux-server communications where each end has a static IP address, IPSec is hard to beat. It's simple and pretty easy.

PPTP is mainly a Microsoft thing. Not applicable here obviously.

"Everything else" breaks down into application-specific protocols for specific applications. This is what I would recommend. Go take a look at OpenVPN. When you don't know

ZyWalls

[beavis88]

We're using ZyWall 2 boxes [zyxel.com] for NAT/routing/IPsec VPN. At ~US$200 each they are pretty economical, and very easy to setup via http config. Even has support for being a DynDNS client, which is just fantastic for DSL without static IP. You would need a beefier model as the concentrator, but they arent much more expensive - eg Zywall 35 supports 35 sessions @ around US$600. They also can be configured to play nice with just about any other hardware (Sonicwall, etc) with proper IPsec support.

Oh, and...

[beavis88]

I hate replying to myself, but FWIW, the ZyWall 2s I have also support a serial modem connection that will auto-dialup if the broadband fails. Pretty slick, especially for something like a retail environment.

Easier

[ratboy666]

Create a web site that echoes back the requesters IP address. Put it on the "dark web" so it isn't spidered, and you don't get hit with traffic.

On your client box, run a script that hits the web site (wget) and fetches the IP address. If that has changed, post the new IP address, and installation name.

Now you have the clients and the assigned IP addresses. You can then use SSH to build whatever infrastructure you need to the client box, securely. No need to worry about the brand of router used, etc. About the only problem is if the client uses a dialup on demand connection. To accomodate this, the "poll for IP" can be modified to always submit information, and ask if the connection should be retained.

If the connection should be retained, the remote operator can be notified.

I used this approach to securely administer remote Linux machines over direct connection and dialup for years. Now I find none of my users use dialup anymore (finally).

Ratboy

Re:Easier

[corbettw]

Wouldn't it be easier to have this cron job?

#!/bin/bash

[[ ! -f /tmp/last_ip ]] && touch /tmp/last_ip
ifconfig eth0|grep inet |awk -F: '{print $2}'|awk '{print $1}' > /tmp/curr_ip
diff /tmp/curr_ip /tmp/last_ip 2>&1 > /dev/null
[[ $? -eq "1" ]] &&
cat /tmp/curr_ip | mailx -s "$HOSTNAME current IP" reports@yourcompany.com
mv /tmp/curr_ip /tmp/last_ip

Set it to run every minute, and you'll always know what the IP address of your remote site is. On the receiving end, you co

Re:Easier

[TCM]

I disagree, it's quite a hack. Personally, I use a script that gets invoked whenever a new PPPoE connection is established. From there, I do an update to a DNS server.

Voila, DNS is my "db", I don't run a script every minute and still get better time granularity, because the update is only done when a state change on the interface occurs.

Re:Easier

[corbettw]

Personally, I use a script that gets invoked whenever a new PPPoE connection is established.

That is cleverer, I'll have to go that route next time something like this comes up.

Re:Easier

[ratboy666]

This won't work. Behind a NAT router, the local ip address will be (say) 192.168.1.120. Not routeable. Giving this IP to the remote site is useless.

What you want is the IP address assigned to the router. To get that: use SNMP to the router. Yes, but SMC Barricades (and others) don't do SNMP. Hit the configuration web page for the router, and figure out how to get its status. Different for every NAT router. Hit an external computer: easy!

The reason to make it a web page: ease of local debugging.

Once the IP a

Groove

[CrosbieFitch]

http://www.groove.net/ [groove.net] is what you need. Supported by Microsoft too.

OpenVPN

[dimss]

I would recommend OpenVPN because I have some experience with it. OpenVPN is very reliable solution when you have to connect several remote sites to single L2 (ethernet) segment.

We use Intel-based Linux server at our datacenter as VPN server. It runs several instances of OpenVPN on different UDP ports (OpenVPN can use TCP as well) for different customers. Endpoints are Asus WL-500g Deluxe routers with OpenWRT Linux and OpenVPN installed. Maximum throughput is 3Mbps with blowfish encryption and authentication (limited by 200 MHz CPU). These devices are small, silent, inexpensive and reliable enough. Endpoints are connected using various types of Internet access -- DSL, Cable, LAN, WiFi etc. Some customers have ~70 endpoints without problems.

If you insist on using Debian computers as VPN endpoints, do not use harddisks!!! They will die. Use IDE flash, for example. Use fanless CPU and PSU if possible.

Re:OpenVPN

[Rekolitus]

If you insist on using Debian computers as VPN endpoints, do not use harddisks!!! They will die.

Wait, what? Why?

(I always thought those "don't blame us if it blows up your computer" disclaimers were exaggerating!)

Made in Japan - The Teriyaki Experience

[viewtouch]

This Canadian customer of ours has about 80 restaurants and has fully deployed our Linux & X Window System POS solution in all of its restaurants all across Canada. HQ enjoys an open VPN link with each of them and all data from the restaurants, including credit/debit cards is remotely synchronized with the storage system at their Toronto HQ. The company's IT staff is actually just one person, Doug deLeeuw. The company is increasing its units by about 25% this year. When you have the kind of control that this company has you find something like that much easier to undertake and you're much more likely to succeed. I doubt that there's another restaurant organization in the world with this kind of advanced POS deployment, not to mention that one person did it all by himself. Perhaps in another five to ten years you'll be able to read about it in a book.

Re:Made in Japan - The Teriyaki Experience

[janic]

Okay, what do they use for the VPN link?

For that matter, which company do you work for? I am terribly curious.

Very tasty food, BTW.

Thanks.
John

Re:Made in Japan - The Teriyaki Experience

[viewtouch]

Their using openVPN. When Doug first set openVPN up there was something not quite right with it so he brought the problem to the attention of the person behind openVPN and paid him for several hours of work to address the issue and make it all work just fine. He also makes use of rsync and dynamic DNS. The neat thing, in my opinion, is that none of these components have to either be aware of the POS app and the POS app doesn't have to be aware of them, yet, from the user viewpoint the overall effect of al

Re:Made in Japan - The Teriyaki Experience

[nmos]

Do you have a link to more info on your POS solutions? Also, do you have solutions for other markets or just restaurants?

Feel free to email me if you prefer. ray AT sonictech DOT net

Re:Made in Japan - The Teriyaki Experience

[viewtouch]

Our web site is viewtouch.

Hardware

[bomonguny]

If you really want a trouble free setup, I recommend using some sort of hardware VPN. Firewall/VPN boxes can be purchased for less than $400 and are great (Juniper Netscreens, Sonicwall, Watchgaurd). If setup correctly, the boxes will almost never fail. You can also use the firewalls/vpns in a situation where the client networks have dynamic routable IP's. This assumes that your office has a static.

This approch can even be taken to the open source "fanboys" Just download a firewall distro like smooth

m0n0 baby!!!

[jcims]

We use m0n0wall ( http://www.m0n0.ch/wall [m0n0.ch]) for this exact thing...it supports a number of different hardware platforms, including PC, but my favorite is the pcengines WRAP boards (pictured in silver with antennas here)

http://img.m0n0.ch/gallery/brandon_kahler/01_19_06 _WRAP_Wireless_DSL_Large_Text.jpg [m0n0.ch]

They run off of compact flash and the WRAP boards + case are ~$200. They will act as your NAT firewall behind the commodity broadband interface (dsl/cable) and have a great number of features, including a capti

OpenVPN all the way!

[forsetti]

OpenVPN [openvpn.net] all the way! My server and client config files are each < 10 lines long. I manage my certificates with TinyCA [sm-zone.net]. I think all of this is readily available via apt. Also has Windows and OSX clients.

Router-based (Cisco 800)

[dago]

I guess that if you're asking this question, you don't have any experience with linux-based VPN. I also think that if you are have to do troubleshooting, the last thing you want to debug is your VPN.

For my part, I also started with linux-based VPN (openvpn, ipsec) for private use (3 sites), but then, I come to the conclusion it wasn't worth the effort & time spent. I switched to the Cisco SoHo routers (the 800 series [cisco.com]) who are just working. I have automatic tunnels between all sites, and can to VPN connection directly to any of the sites, plus many other funny things (IPv6). All this with just simple configurations, mostly through the wizard (SDM [cisco.com]) or by copy, adaptation & paste of sample configs.

Of course, these routers may be a little bit too much (of configuration or price) for you, so you may also want to try consumer-grade solutions (e.g. Linksys BEFSX41, Netgear FR114P, ...).

Disclaimer : I wish I could get a percentage of Cisco sales ;)

PS : oh, and port tunneling with SSH is, from my experience, an awful solution for VPN.

Openvpn & hardware solution

[Abstract]

hi, everone already has given their opinion about openvpn. so here's mine:

i've run an openvpn solution between corporate LAN and datacenter, and it worked okay but i'll take a look at some dedicated hardware box for the next implementation. maybe netscreen or so.

why?

Well first off, when one doesnt yet have a linux router/fw available one has to buy that. this'll probably cost as much as a cheap netscreen box.

second, when running openvpn on a nondedicated box openvpn has to fight over resources with other

vtun devices

[RobiOne]

Check out http://vtun.sourceforge.net/ [sourceforge.net]. I know of at least one VoIP appliance company that uses vtun links to their home base for updates and managment.

FreeSwan

[camrocks]

Having used FreeSwan on a few linux clarkconnect systems, I have found it to be a most reliable package when installed under debian, however, if you are a newb, and are feeling a bit out of your depth here, clarkconnect can offer a really cheap easy to set up solution that is well maintained software wise.