• Hey

    I want to set up a remote desktop so that when I am out on the road I can RD into my home computer/server and work on it.

    I want to do this as then I don't have to install all my stuff on my local machine which I have with me.

    My question basically is, what is the best way of doing it? I guess first setting up a VPN connection (if so, which one of the three? I have read things in the documentation of each, but am a little confused over which is best. Like, is there a page where there is a comparison, or is that just a silly newbie idea because they are so very different and I have just missed the plot completely…) and then forwarding the RD port to the computer I have running at home...?


  • PPTP would be the simplest to implement as it won't require installation of any software on the remote machines.

    You won't need any port forwarding, just a handful of rules (eg. ping, DNS, RDP) applicable on the PPTP interface.

    1. VPN - Depends ;)  IPsec is the most complicated to get right, OpenVPN a bit complicated if you don't read the documentation, PPTP probably the easiest for Windows, but known to have security concerns (search the forum)

    2. No need to port forward, but you'll need to ensure that your pfSense/VPN gateway is the default gateway

  • Hey

    Thanks for the replies.

    Yeah, I forgot that no port forwarding is required, cos like they're on the same network then (depending on firewall rules).

    Just wondering what is meant by PPTP is less secure…

    I searched the forums and read different people's views. Would it be correct to say that OpenVPN would be the most secure? To be honest, from what I read I didn't think that security was such a big problem on PPTP. Is there a specific example of a problem that you could give/point me to on the forum? I mean, the connection is encrypted and once on, the firewall only allows access to the machine I want, with it having a 16 character password....


  • More that you'll be able to route or bridge traffic at that point, NAT won't necessarily be involved.

    PPTP doesn't have encryption as part of the standard, though it looks like the Microsoft implementation does.  All I know is that I've seen many posts (here and elsewhere) suggesting that the implementation has problems.

    IPsec or OpenVPN would, IMO, be your better choices.  OpenVPN is pretty easy to secure effectively if you read the documentation on the OpenVPN site.

  • pfSense, Linux, Mac OS X and Windows all support 128-bit PPTP encryption.

    Everything you do in the world of security is a compromise. RDP is encrypted anyway (RC4) so you're really looking at a VPN to avoid replay or brute-force attacks.

    PPTP: All modern operating systems have PPTP, with 128-bit encryption, out-of-the box. NO software installs at the client = major convenience. Easy to configure and use on all clients. Using a dedicated username + password for the connection (and a different one at the RDP) = 2-factor authentication. On pfSense, PPTP connections have their own rules, so you can limit the services over the tunnel to ping, DNS, RDP (as I mentioned initially).

    OpenVPN: Only Unix-style operating systems have it installed out-of-the box. May be difficult/impossible to install on the client system (eg. locked-down client PC). Can be difficult to set up because of choices of tunnelled or bridged modes, certificates, DH etc. Tunnelled mode doesn't have any firewall rules and is "allow all" = bad for server, bad for client.

    IPSec: I'd say it's very difficult to get configured on a random client PC and is best suited for long-term tunnelling between sites. I have four IPSec tunnels configured to various places and I'd be very reluctant to recommend it to any end-user for road-warrior use. If you get it working on the client PC, the pfSense implementation has interface-based rules (as per ethernet & PPTP), so can be locked down nicely.


  • Hey

    Thanks for the replies.

    I think I will use the PPTP for the road warrior, just for ease of use, and will use the IPsec for my server to server tunnel for backups.


  • I have to agree with most of Bern's assessment, except that I think he gives PPTP too much credit security wise. PPTP encryption uses RC4 as well, which has some known weaknesses. It also exposes a lot of information in the unencrypted side channel which makes it even less secure. See this article for some more in-depth analysis of a couple other potential issues. With all of these potential attack vectors it might be worth using for the ease of use factor, but IMO the security concerns merit serious consideration. Personally I'd never use it for anything, and I'm not much of a security nazi.

    As far as IPsec is concerned, I agree that it can be a bit tricky to set up a working roadwarrior configuration with PKI, but the ShrewSoft VPN client is pretty straightforward and much easier to get working than MS's built-in client (which has never worked for me - I think it relies on L2TP). Once you get the server side configured properly and learn how to administer the PKI it's really not difficult to get going - but it's still not really something you can just hand to a lay person and expect them to be able to use. With NAT-T in 1.2.3 I'm now using IPsec exclusively whenever I don't need Layer 2 tunneling (where I use OpenVPN). OpenVPN is easier to package in a user-friendly way though if you don't have control of the client PCs as well.