need help understanding benefit of OpenVPN
-
Hello All!
I really need some help understanding OpenVPN. Here is my issue:
I had been told we are tightening security at work. As most of the folks I service are one- or two-person offices and many are using hotspots (MiFi) via a cell carrier, I cannot afford to build a pfSense box for each, and for many it is not practical.
So, I decided I needed to learn how to install, configure and deploy OpenVPN.
This went well, and I had OpenVPN connections working on 3 remote laptops. I reported this and was chastised, with the statement that OpenVPN does nothing of value. All it does is secure a tunnel from the VPN server to the other location but does nothing for security from the laptop to the VPN server, so it has no value. VPN is only good if you want to watch TV or a movie that you cannot see in the US. Now, I do not believe pfSense would provide software whose only practical use is to watch movies in another country. Not to mention this person has numerous laptops using VPN into the main office for access to printers, file servers etc.
So, here is my question: as far as security goes, what benefit does OpenVPN have? Why should it be used? Does it matter if you are connected to the web via cell phone/hotspot?
Sorry for the rambling, I am a bit frustrated and angered at the whole thing and looking for an outside explanation of why OpenVPN should be used in a business environment. And, I will not mention that "it's OK if you want to play with your experiments (pfSense), I just cannot afford to put Meraki firewalls in your offices at the moment".
Thanks for letting me rant in a safe place. Any rational comments will be appreciated. -
@detox said in need help understanding benefit of OpenVPN:
All it does is secure tunnel from the VPN server to the other location but does nothing for security from the laptop to the VPN server so it has no value
So this secure tunnel to the VPN server: where are the two ends? Isn't one end on the laptop itself and the other end on the VPN server?
Basically, my opinion, whomever made that specific statement really doesn't know what they are talking about, do they?
If your default route is out the VPN, then every single packet leaving the laptop is secured in the VPN, so in theory it can't be cracked. Of course, once it hits the server it's unsecured from then on. A common use is you set up a VPN from "home" to your work; when it's connected (VPN), the work network looks local to your home network. So if the work network is trusted, the home network connected through the VPN is "trusted".
-
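As an added example (not code from any post in this thread): a POSIX shell check that reads a Linux laptop's `ip route` output and reports whether the OpenVPN client really is the default route, i.e. whether any destination still leaves over the cellular uplink in the clear. The two routing tables, the interface name tun0 and the server address 198.51.100.10 are constructed samples.

```shell
#!/bin/sh
# Added example: classify `ip route` output as a full tunnel (everything goes to
# the OpenVPN server first) or a split tunnel. OpenVPN's "redirect-gateway def1"
# installs 0.0.0.0/1 and 128.0.0.0/1 via tun, which beat the original default
# route without deleting it, so both shapes of "full" must be recognised.
# Constructed samples; 198.51.100.10 stands in for the pfSense OpenVPN server.
FULL_TUNNEL='0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
198.51.100.10 via 192.168.1.1 dev wlan0'
SPLIT_TUNNEL='default via 192.168.1.1 dev wlan0 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.10.0.0/24 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
198.51.100.10 via 192.168.1.1 dev wlan0'

# Count routing-table lines matching a regex; prints 0 rather than failing.
count_routes() { printf '%s\n' "$1" | grep -c -- "$2" || true; }

# tunnel_mode ROUTES TUN -> prints "full" or "split"
tunnel_mode() {
  routes=$1; tun=$2
  if [ "$(count_routes "$routes" "^default .*dev $tun")" -ge 1 ]; then
    echo full
  elif [ "$(count_routes "$routes" "^0\.0\.0\.0/1 .*dev $tun")" -ge 1 ] &&
       [ "$(count_routes "$routes" "^128\.0\.0\.0/1 .*dev $tun")" -ge 1 ]; then
    echo full
  else
    echo split
  fi
}

# cleartext_routes ROUTES SERVER TUN -> routes whose traffic bypasses the tunnel.
# Ignored: routes on the tun device, the uplink's link-local subnet, the host
# route to the VPN server (which must bypass the tunnel) and, in full mode, the
# shadowed "default" line that no packet can match any more.
cleartext_routes() {
  routes=$1; server=$2; tun=$3
  out=$(printf '%s\n' "$routes" | grep -v "dev $tun" | grep -v 'scope link' \
        | grep -v "^$server ") || true
  if [ "$(tunnel_mode "$routes" "$tun")" = full ]; then
    out=$(printf '%s\n' "$out" | grep -v '^default ') || true
  fi
  printf '%s\n' "$out" | grep -v '^$' || true
}

for table in "$FULL_TUNNEL" "$SPLIT_TUNNEL"; do
  echo "mode: $(tunnel_mode "$table" tun0)"
  echo "still in the clear: $(cleartext_routes "$table" 198.51.100.10 tun0)"
done
```

On a real laptop, feed it `"$(ip route)"` in place of the sample tables; anything listed as "still in the clear" is a destination the cellular carrier sees unencrypted.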
@mer
Thank you for your reply. Yes, I have the OpenVPN client created by pfSense on the laptop.
The laptop is connected to the web via a Verizon hotspot/cellphone/MiFi.
The VPN server is on my pfSense firewall. All I am attempting to do is provide greater security for our folks who do not have a "home" office to work from.
Thanks again
-
@detox So the OpenVPN client on the laptop connects over the physical medium of the Verizon cellular network to a VPN server that is in front of the rest of the work network (roughly).
To me it sounds like an IP packet generated on the laptop goes into the client end of the OpenVPN tunnel, gets encrypted, hits the outbound physical interface on the laptop, gets chunked into cellular data, at the far end the cellular data gets recombined into IP data in the OpenVPN tunnel, and then it gets to your OpenVPN server.
Well, to me, that path means the data leaving your laptop is secured in the OpenVPN tunnel until it hits the OpenVPN server.
What happens after it hits the server depends on the ultimate destination. If it's going to a public service like say Google DNS, the output of the OpenVPN server end gets routed to the public internet, return comes back to your server, back down the tunnel, back to the laptop.
If the destination is something inside of work on the server side, say some equipment in the lab at $WORK then effectively the "traffic to and from the work resources is secure".
Maybe pictures on a whiteboard will help you get your point across. My father had a saying "managers are often promoted to the level of their ignorance".
-
@mer said in need help understanding benefit of OpenVPN:
My father had a saying "managers are often promoted to the level of their ignorance"
Never tell your boss you are aware of the Peter Principle. There is a nice Wiki on it.
-
@andyrh Another thing my dad said (yes, he is an engineer): "If you want to prove something is fixed, give it to your boss."
-
@detox Just curious, how exactly were your team/users accessing resources at the office before, when not in the office?
-
@johnpoz
The best $30 Belkin routers you can buy at Walmart; Verizon hotspots -
@detox No, I mean how did they access the resources actually in the office? Like file server(s), email, any sort of databases in use, any other software run on servers or resources in the office..
You just opened up service ports for these things to the public internet?
edit: Unless there is some sort of actual resource in the office that they need to access (file server, some business type software, printer even), some sort of local resource in the office, then there probably is little use for a VPN into the office from their remote location if they are not actually accessing any resources there.
Say if your emails and files were all hosted externally on Office 365 or something.. There would be little reason to VPN to the office from their home/laptop if there are no actual resources that need to be accessed in the office. Remote desktop to some server/PC in the office to run some business software, etc.
A VPN is a way to access resources securely over a non-secure network, i.e. how to access the work network from your home over the public internet (non-secure).. But if you don't actually have anything they need/want to access on the business network, then the justification of routing their traffic through the VPN to the work network just to go to, say, Office 365 could be seen as pointless.
Now if they, say, remote desktop to some box sitting in the office and run software XYZ on that PC.. Then YEAH!!! A VPN is a way more secure way to make sure this box in the office is not directly exposed to the public internet for remote desktop.. Only users and devices that have securely authed to the VPN get in, and then all traffic between that laptop and the work network is secured for this remote desktop session.
Vs just setting up a port forward on your router at the office from the public internet for 3389 to this box's work network IP.
-
All a VPN does, in this case, is provide a secure connection between a remote device and the office. This means the traffic cannot be intercepted. It does nothing about security on the device, such as antivirus or attacks coming in from elsewhere. One thing that can reduce the exposure to those attacks is to force all traffic through the VPN, whether work related or not.
However, many companies use VPNs for remote workers. I have installed and supported VPNs, including when I was at IBM, supporting a major corporation.
BTW, I have been using VPNs for around 20 years and never, ever used it to watch TV shows or movies that I couldn't get here. It's always been for remote access, either to my home network or office. While I use OpenVPN and years ago used CIPE, all my work VPNs were IPSec.
Incidentally, if you're using VoLTE on your cell phone (a virtual certainty these days), your calls are encrypted with IPSec so, even there, you're using a VPN.
-
@detox How do you handle vulnerabilities on the cheap routers?
How do you avoid sniffing of traffic without encryption?
How do you get easy updates and renew the system without replacing hardware?
How do you easily manage traffic routing and add rules?
The answer to all of the above is pfSense and OpenVPN. At least that is what I learned from the good guys here.