Emergency 'Temporary' VPN for remote users.

Discussion in 'Business & Enterprise Computing' started by KonMan, Apr 9, 2020.

  1. JumpingJack

    JumpingJack Member

    Joined:
    Jun 16, 2002
    Messages:
    289
    Last edited: Apr 13, 2020
  2. Beanz

    Beanz Member

    Joined:
    Sep 11, 2002
    Messages:
    1,185
    Location:
    Melbourne, Vic
    Just run OpenVPN on your CentOS box.

    1. It's free
    2. It's temporary
     
  3. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,643
    Location:
    NSW
    All good, better to spend your Easter weekend with family rather than thinking about work!

    Is it possible to disable on the draytek side rather than client side, just in case some users haven't bothered?

    It would surprise me if you couldn't; I'd expect most VPN solutions would have a setting for whether you can access the admin portal via the web, via a VPN-connected machine, or only from the corporate LAN. Just remember that if you're all working offsite, you probably still want to allow admin from a VPN-connected machine.

    You can; in fact, last I looked there were pre-made scripts that allowed you to import a list of IP ranges to allow/block based on countries for most popular firewalls (at least the ones that allow bulk imports). Consider with this, though, that they're not always 100% reliable and up to date, so you may end up accidentally blocking legitimate traffic/users.
    Also look at what you're trying to protect/prevent, and whether it is better achieved another way. Port scanning isn't likely to be a big issue if it's running on 443: it's the HTTPS port, so it is incredibly common on the web and not generally scanned for VPN access. Sure, a targeted scan may happen for SoftEther running on 443, but unless there is a known vulnerability I'd say it's less likely to happen. The key safety measures I'd take with something like this are making all passwords a decent strength and using something like fail2ban to block IPs if multiple login attempts are made. A lot of the time bots will try common usernames such as admin/administrator/root etc., so blocking the IP based on multiple incorrect attempts is generally more worthwhile than just a temporary account lockout.

    The other thing to consider with suggesting this to your IT provider vs. doing it yourself is support. If you put this together you'll likely end up supporting it too, and it's generally a PITA to support users remotely (especially if they can use their own computers, not company-provided ones), and I can almost guarantee people will expect you to help them with this out of hours too.
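    The "block the IP after multiple incorrect attempts" logic wazza describes, as an added example that is not part of the thread: a fail2ban-style ban decision (maxretry within findtime, with the corporate LAN exempted so admins are never locked out) run over constructed log lines written in the style of OpenVPN's server log. The log format and the addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenVPN server-log style (format assumed for this
# example, not taken from a real deployment); addresses are documentation ranges.
SAMPLE_LOG = """\
Thu Apr  9 09:00:01 2020 203.0.113.7:51001 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Apr  9 09:00:03 2020 203.0.113.7:51002 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Apr  9 09:00:05 2020 198.51.100.4:40001 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Apr  9 09:00:07 2020 203.0.113.7:51003 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Apr  9 09:00:09 2020 192.168.10.20:50010 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Apr  9 09:00:10 2020 192.168.10.20:50011 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Apr  9 09:00:11 2020 192.168.10.20:50012 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Apr  9 09:20:00 2020 198.51.100.4:40002 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Apr  9 09:20:01 2020 198.51.100.4:40003 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# Matches only failed username/password checks; every other line is ignored.
FAIL_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
                     r"(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ TLS Auth Error: "
                     r"Auth Username/Password verification failed")

def parse_failures(log_text):
    """Yield (timestamp, source_ip) for each failed-auth line in the log."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"]

def find_bans(log_text, maxretry=3, findtime_s=600, ignore_nets=("192.168.10.0/24",)):
    """fail2ban-style decision: ban a source after `maxretry` failures inside a
    sliding `findtime_s`-second window. Sources inside `ignore_nets` (the
    corporate LAN / admin range, like fail2ban's ignoreip) are never banned.
    Returns {ip: time_of_ban}."""
    exempt = [ipaddress.ip_network(n) for n in ignore_nets]
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned or any(ipaddress.ip_address(ip) in net for net in exempt):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime_s:   # expire old hits
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

    With the defaults only 203.0.113.7 is banned: 198.51.100.4's first failure falls outside the 10-minute window, and the LAN host is exempt.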
     
  4. Opticon

    Opticon Member

    Joined:
    Apr 12, 2009
    Messages:
    270
    Location:
    Perth, WA
    karnophage likes this.
  5. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,813
    Location:
    Brisbane
    Takes me about an hour to set up OpenVPN from scratch, including a Certificate Authority, AD integration, and combined config/certificate export.

    Less if it's bundled into something like pfSense.

    In the time this thread has been alive, I've set up VPN access for two different sites. Not even kidding. Just get it done.
     
  6. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,511
    Location:
    Adelaide
    Do this. Also, since you've purchased a FortiGate anyway, get your supplier to ask Fortinet to cut you a VM licence for the number of months required until the appliance arrives.
     
