Remote Desktop and VPN
-
Already answered. There is no invisible VPN (route print, ipconfig /all), there is no way to ensure the VPN will work (reasons stated), there is nothing preventing people from merely reformatting the drive. There are good reasons laptop vendors are offering encryption and remote tracking/wipe solutions independent of the running OS. And finally, yeah, there is a major security concern in giving automated access to (at least part of) your company infrastructure via the VPN.
You seem to misunderstand the scope of what I am trying to achieve. I don't expect anything to be completely invisible to an educated computer user. I also don't expect anything to work in unusual situations such as the few you mentioned.
To me, "invisible" to the user just means an average or uneducated computer user would not see anything running in the taskbar and would not see any error messages about not being able to connect. It just needs to connect when it can and not let the user know what is happening. OpenVPN does not do this, as far as I can tell.
The typical situation I expect is for the laptop to be behind a single NAT at a hotel, or connected to a mobile (cell phone) data network. Neither situation has posed a problem for me with OpenVPN or VLC (separately), so I would expect any form of VPN to be able to connect to the firewall as long as the port isn't blocked on the laptop's side.
As far as security goes, I think the VPN firewall (in pfSense) can easily limit the access to a single IP address on the internal network, or prevent all access to the internal network.
Again, I would like to have my original questions answered. Most importantly, I would like to know if Windows VPN can connect to pfSense's IPsec VPN. That would be the only technical hurdle I have to deal with.
-
Most importantly, I would like to know if Windows VPN can connect to pfSense's IPsec VPN.
Yeah, of course it can. It's documented. Such as using the Shrew Soft VPN client. There is absolutely no guarantee it's gonna work in a random hotel, or over a mobile network. Not to mention that it still is an extremely bad idea to connect to a VPN without any sort of authentication required from the user. Well, this clearly is heading nowhere. Final advice here: invest time in user education, instead of trying to invent whacky "solutions" because your company is "cheap". Is the company data cheap as well? ::)
-
Windows has a built-in VPN client, which is what I have been asking about. I would prefer not to use a program which runs in the taskbar. Does ShrewSoft's client leave an icon in the taskbar?
I would love to use commercial products, but as I said, my company won't pay for anything. That's why I have to try to implement something "whacky," as you put it. The size of our business is fairly small, so our internet connection is as well. With around 20 people in the office, we are fine with a 50/10Mbps connection from the cable company. You might consider that "cheap" but it is all we need for now.
Not everyone has the computer knowledge it takes to troubleshoot everything. That's why companies have IT departments. The people I'm supporting have to focus on their jobs, and using a computer is just a tiny part of their work. If I told their manager that they all need computer training, he would laugh in my face and call it a waste of time and money. Doktornotor, you seem like you know a lot about networking, but you don't seem to be very good at understanding others or the situations they present. Instead of answering the questions, you are giving me situations and suggestions which are not practical, don't apply to me, or I have already considered.
-
There is no L2TP IPsec support on pfSense, so… NO. You are stuck with OpenVPN or third-party IPsec clients.
If people cannot be taught to type in their password, if people get confused by taskbar icons, well... lost cause, fire and hire someone capable of using a computer as computer, not as a typewriter. Also not my fault your manager is an idiot who considers education of employees to be "waste of time and money", to put it absolutely honestly.
-
There is no L2TP IPsec support on pfSense, so… NO.
I don't understand your statement. I am using 2.1-RC0 due to the driver support for my NICs and I can clearly see L2TP and IPsec as VPN options. Are you saying those aren't working, or they don't work with Windows VPN client?
-
Oh well. I wasn't trying to be contradictory myself. I was just thinking how to get to a laptop in the least obtrusive way possible. Actually, this is not the first time someone asked about having a VPN client be used this way. VPN client has to be accessed as if it's a server…
Anyway, it's certainly possible to load a VPN client on the laptop, have it use DNS to find a pfsense/openvpn server, dial in without a password using a cert and maintain a connection whenever possible. However, that little icon will be right there to see, and it's quite a heavy process to hide.
My brother's laptop does this by the way - Every time he turns it on.
I have a few computers out there running as clients to my VPN - I'll see if I can remote into one that way, but I doubt it.
-
I don't understand your statement. I am using 2.1-RC0 due to the driver support for my NICs and I can clearly see L2TP and IPsec as VPN options. Are you saying those aren't working, or they don't work with Windows VPN client?
The native Windows "client" requires L2TP/IPsec. This is NOT implemented. IPsec alone is not usable with native Windows client. L2TP alone is useless since it offers no encryption whatsoever.
-
I have a few computers out there running as clients to my VPN - I'll see if I can remote into one that way, but I doubt it.
As far as I can tell, you just have to make sure Terminal Services (Windows 7/8) is running and accepting connections on the VPN interface. If you want to use the PsTool program, that requires a registry tweak to allow it to work if they are not on a domain. See this page: http://www.brandonmartinez.com/2013/04/24/resolve-access-is-denied-using-psexec-with-a-local-admin-account/
I haven't tested it on a VPN, but it should be the same as being on a local network as long as the firewall is set up to allow connections between the VPN client and the computer inside the network.
After reading about this more, it looks like it might be possible to hide the OpenVPN taskbar icon and notification balloons. I might be able to set up scheduled tasks to start up the VPN connection.
-
NAT is very transparent in one direction - and very non-transparent in the other. I doubt it's as easy as you think, but I'm going to check it shortly.
-
OK - You will be happy to know that if I lower my firewall rules and allow communication between clients, my Windows 7 VM and my Ubuntu machine CAN browse the shares of the remote client. I can also ping the virtual IP assigned to the distant Windows 7 client. Communications seem completely open in both directions as long as I deactivate my firewall rules that are in place to prevent such things.
That distant computer is a Windows home machine and did not support RDP out of the box, but every other service on that laptop, which is 2000 miles away, was open to any computer on my LAN.
So, assuming you load a VPN client on the laptop, and only load 1 configuration and put a link to the openvpn client file in the startup folder as I have done, you should be in business. I'll give it a shot with a Vista Ultimate machine in California. If the communication is open and 2-way like the Win7 machine, I don't expect any issues.
HAHA - Actually that machine is Home Premium… Anyway - Try it. (My fault - I have taken as many people off Windows as possible)
I can't imagine that RDP is the only service running that wouldn't be accessible when everything else is.
-
For anyone who comes across this in the future, my solution requires me to set the OpenVPN service to automatic in services.msc. After doing so, the OpenVPN service attempts to connect to any configuration in the folder specified by the affiliated registry entry, and it does not need the use of the GUI. Adding "auth-user-pass passwordfile.txt" to the configuration, and creating passwordfile.txt with the user name on the first line and password on the second line allows it to connect. This can be a security vulnerability if you do not restrict what the VPN clients are allowed to access and is not suggested for most applications of VPN.
I haven't tried it, but I'm fairly sure the GUI won't work after setting the service to automatic. It doesn't bother me much, and it just means we will have to use IPsec on the computers which need a VPN connection to access our internal network.
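The unattended setup described in the last post (OpenVPN service set to Automatic, credentials read from a file via `auth-user-pass passwordfile.txt`) is exactly the kind of profile worth catching during a config review, since the stored password lets anyone who obtains the laptop's files connect as that user. The script below is an added example and not code from the thread or from the OpenVPN/pfSense projects: it parses a client profile (including the inline `<ca>`/`<cert>` blocks that pfSense's client export writes) and reports the weak spots. The two profiles, the hostname `vpn.example.com` and the file names are constructed placeholders.

```python
"""Audit an OpenVPN client profile for unattended-logon weaknesses.

Added example (not from the thread). Flags: a plaintext credentials file
(auth-user-pass <file>), no client certificate, no server-certificate check
(remote-cert-tls server), and no control-channel key (tls-auth/tls-crypt).
"""
import shlex

# Constructed sample: the profile the thread describes, where the service starts
# on its own and reads the username/password from passwordfile.txt.
UNATTENDED_CFG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
auth-user-pass passwordfile.txt
verb 3
"""

# Constructed sample: a certificate-based profile with inline blocks, which needs
# no stored password and verifies the server before any credentials flow.
HARDENED_CFG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
tls-auth ta.key 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
<cert>
(constructed placeholder)
</cert>
<key>
(constructed placeholder)
</key>
"""


def parse_ovpn(text):
    """Return a list of (directive, args) tuples.

    Comment lines (# or ;) and blank lines are skipped. Inline blocks such as
    <ca> ... </ca> are collapsed to a single (name, ["<inline>"]) entry so their
    PEM contents are never treated as directives.
    """
    directives = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                directives.append((in_block, ["<inline>"]))
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def audit(text):
    """Return the list of finding codes for a client profile (empty = clean)."""
    directives = parse_ovpn(text)
    names = {name for name, _ in directives}
    findings = []
    # auth-user-pass with a file argument means the password sits on disk.
    if any(name == "auth-user-pass" and args for name, args in directives):
        findings.append("PLAINTEXT_CREDENTIALS_FILE")
    # Without cert+key (or a pkcs12 bundle) the only proof of identity is the password.
    if not {"cert", "key"} <= names and "pkcs12" not in names:
        findings.append("NO_CLIENT_CERTIFICATE")
    # Without remote-cert-tls the client will hand credentials to any cert signed by the CA.
    if "remote-cert-tls" not in names:
        findings.append("NO_SERVER_CERT_CHECK")
    # tls-auth/tls-crypt keeps unauthenticated packets off the TLS handshake.
    if not {"tls-auth", "tls-crypt"} & names:
        findings.append("NO_TLS_CHANNEL_KEY")
    return findings


if __name__ == "__main__":
    for label, cfg in (("unattended", UNATTENDED_CFG), ("hardened", HARDENED_CFG)):
        print(label, audit(cfg) or "clean")
```

Run against a real exported profile by reading the file into `audit()`. Even a clean result only covers the client side; the firewall rules on the pfSense OpenVPN interface still decide what an auto-connected laptop can reach, which is the restriction the last post already calls out.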