PPTP VPN Routers

MarkTTU

Over the last several years we've set up 25 or so VPNs at customer locations.

Initially we used a Netopia ENT-3386 router as a PPTP endpoint and it worked well. Unfortunately that router doesn't support DynDNS and we aren't always able to get a static IP at the customer location so we found a new router.

The next router we used was the NetGear FVS-336G. It was an SSL VPN router and promised no setup on the client computers because everything is just handled in a web page. That was great at first, but the way they were pulling it off was by taking advantage of security holes in Java so once Java got patched in all the browsers things stopped working. We found work-arounds for this so things can still work, but the work-arounds became more of a pain than just setting up a PPTP VPN... oh, and it's a constant battle, find a work-around, Java gets patched, find another work-around, etc.

So now we're using a Cisco/LinkSYS RV-016 PPTP router. It does everything we want, is easy to set up, and so far they've been super reliable (been using them for about a year). The only problem is they only support 10 users and 2 concurrent connections. The latter isn't too big a deal as we typically don't have more than a couple of people logged in at any one time, but the former is becoming a major pain because just adding everyone that needs access from our company burns 6-7 accounts and the customer always wants a few accounts too so they can log in and check things out at their plant when they're at home or on the road.

At this point we've done tons of research into VPNs and the only practical VPN type to support across multiple operating systems (Win 95, 2k, 7, OS-X, etc) and mobile devices (iPhone, Android, Blackberry, etc) seems to be PPTP because PPTP support is built-in to virtually every device we've run across.

So does anyone know of a solid reliable router that supports DynDNS, can act as a PPTP server/end-point with >10 users (50 would be good), and is simple and easy to configure and manage? It might be nice to have support for more than 2 concurrent connections, but 5 or 10 would be plenty. Price is a concern, but not a major one as these VPNs save us hundreds of hours a year in drive time between customer sites.
 
I use m0n0wall. It's a FreeBSD-based firewall with a simple web interface that will run on pretty much any x86 hardware you throw at it. I've run it on a handful of white boxes and bought a stack of old Watchguard FireBox II's to install it on (200 MHz, woo!).

The documentation and community surrounding the project are high quality and you don't have to be a kernel-compiling Linux zealot to install or use it.

After suffering through several similar iterations with consumer-grade firewalls, I installed a m0n0wall at my father's tech-averse small business so I wouldn't have to wait a week to respond to his "the computers are actin' up again" calls. The FireBox hardware survives frequent brownouts and one small water leak (I'm a better controls engineer than plumber).

Although I only use one PPTP user at a time, m0n0wall's standard limit is 16, and it can be expanded.

The cost for the software is zero, so you have to focus on the tradeoff between heat/size/power and price for your hardware. PC Engines and Soekris Engineering boxes are nice, but moderately pricey. If you have a 19" rack available, the two-Ethernet-port Atom-based micro-servers from SuperMicro are lovely. Small white-box PCs are supremely cheap.

I am usually not an open-source advocate. I've installed various Unixes and Linuxes a dozen times and always gone back to Windows for my desktop, laptop, and server needs. But m0n0wall is a fantastic example of what an open-source project can be if it's not ***y enough to attract the geniuses who have to install the nightly build of Ubuntu "Monstrous Manatee" and then abandon it when their mom spills chamomile on the development box.
 
As long as you guys are discussing VPN, I would like to ask what other companies/customers do in this way of remote access.
Below is the last part of a 2-page questionnaire we need to submit to our IT dept when connecting devices to the business LAN.
I am curious as to what size company would allow a VPN. We just reached US$1 billion in sales. So are we too big or not big enough?
Web-ex is the only accepted means of remote access. Although we did have a 3rd party that did use a VPN. Oh, yeah, that 3rd party company had one of our VPs on their board of directors or something.


XXXXX, Inc Standards:
• Windows XP Pro, SP3 min.
• Remote Support Option: Web-ex
• Join to XXXXX domain
• McAfee Anti-Virus
• IP Addresses are assigned by the XXX LAN Administrator.
• IT will determine if the device will or will not be put on a VLAN.
• Wireless connections to our Business Network for Industrial Process Devices are prohibited.
• Back door internet connections to our Business Network for Industrial Process Devices are prohibited.
• VPNs to our Business Network for Industrial Process Devices are prohibited. VPNs are not a proper way to run a business as big as XXXXX.
 
I can only speak for myself and most of my customers are not anywhere near your size and neither are we, but our specs for equipment we sell to our customers specify that we will run our own LAN separate from any other networking. Our requirement for remote access (aka VPN) is a high-speed internet connection dedicated to our LAN. This shouldn't be an issue for any company unless the IT department just has a big ego because it's a network that doesn't touch theirs and only touches products from a single company who (in theory anyway) knows how to make all their products work together safely.

All that said the vast majority of the time it works out where there is only one LAN shared by us, other industrial vendors, and the office PCs. It all comes down to how big are the egos involved and how competent are the people involved. If everyone is competent and everyone checks their ego at the door then documents like what you posted should really just exist to weed out the people who aren't competent.

The "we're too big to use a VPN" is total BS in my mind. There are several multi-billion dollar companies running tens of thousands of VPNs every day; in fact they wouldn't be able to function without them. A VPN is a tool that, when implemented properly, makes everyone's life easier.
 
Ken, thanks for the m0n0wall idea. I'd heard of that project a couple of times years ago, but never heard any stories from someone actually using it in the real world. I take it you've found it to be stable and reliable not needing to be rebooted once a week or anything like that?
 
Every reboot I've done on a m0n0wall was because I had to move the box between outlets, networks, or buildings. It's solid.

TPLCK: That vendor must be on the banned words list here on the Forum.
 
Thanks Ken. We've already tried it out in a VM and it looks to be EXACTLY what we've been looking for. We're going to give one of the Soekris boards (net5501-70) a shot, already got it on order. I'll post back once we get it and try it out in the real world for a bit.
 
