As stated in this article about considerations for external VPN access for EVO, it's often possible to add a VPN server to the environment without purchasing additional hardware or software.
While configuring a VPN may seem like a daunting task at first, the rewards are great, and when taken one step at a time, it's not terribly difficult. There are too many possible implementations to create one definitive guide, so this article serves as a foundation to help you keep going in the right direction.
In fact, the hardest part is likely the planning. When it comes to actually configuring the VPN, the steps are surprisingly short and painless, and often happen (mostly) automatically. Essentially, it's going to consist of generating certificates, keys, configuration files, and starting the service.
Brief explanation of terms
Since some terms are relative, a bit of clarification:
- In this article, "local" means the workplace (VPN server), and "remote" refers to the outside users (VPN clients) wishing to connect to the workplace.
- Local Network (LAN): For this article, this refers to the workplace network environment used by all machines in-house (for simplicity's sake, we'll assume there's only one local network). An example of using a LAN would be entering a new Wi-Fi password on a device -- that device joins the local network, and a router on that LAN typically assigns the device an IP address in a compatible subnet, which allows it to see other devices on the same network, and typically to also have access to the internet.
- Router: This may be a standalone component, or it may be integrated with a switch. Many switches provide routing options, and many routers offer additional ports, acting as a switch as well. Since there's overlap of the roles, it's possible there's more than one device in the environment that offers these capabilities, and you'll need to determine which one to configure -- generally, the VPN server will be added to the same device that's providing the gateway to the internet.
VPN Server Configuration
Choosing the host device
While it is possible to designate a Windows machine, Mac server, or any Linux/Unix-like device (even a Raspberry Pi) to serve the role of VPN server, it's best to use the router as the VPN server, since all clients connecting to the local network will be connecting through this device.
If a dedicated appliance elsewhere on the network will act as the VPN server, it should be understood that the VPN-designated device's link to the local network is the link that all remote clients will use to share access to the local network.
If your firewall/router doesn't offer VPN options, then the best and simplest option is to get a router that does offer this functionality. Routing traffic, whether local or VPN, is what a router is designed to do.
Reaching the VPN server
One important consideration is that the public IP address used to reach your VPN server may change at some point, unless you've purchased a static IP for your business. The internet service provider (ISP) assigns its subscribers dynamic addresses from a pool, and while your workplace address may not change frequently, this is an important detail to keep in mind. If this address does ever change after configuring VPN, all clients will need to update accordingly in order to reconnect to the local network.
Side note: it is possible to work around the dynamic nature of ISP-provided addresses, without purchase of a static IP address, by setting up a dynamic DNS service. There are free and paid options for these services, which can allow for uninterrupted connectivity by ensuring the hostname for your network is updated even if the IP address changes.
Method used to reach the VPN
Configuring a VPN server will require opening a port, regardless of implementation choice. Security is therefore an important consideration, since this adds exposure to the LAN, so care needs to be taken that only the intended clients can connect, and that they do so in a secure manner.
The authentication method chosen for a secure connection is important, and there are a few choices available, so this decision should be made carefully. As an example, it's possible to quickly configure any Windows 10 machine to act as a VPN server, but this is strongly discouraged, since it will expect clients to use PPTP to connect, which is an obsolete and vulnerable VPN protocol. It is however possible to configure a more secure L2TP/IPSec VPN using Windows Server, or to add OpenVPN to a standard Windows workstation.
The most commonly used solution
If your router is not already running OpenVPN-compatible firmware, it may even be possible to flash an alternative firmware to the hardware without the need to replace it (with the understanding that this may brick the device and/or void the manufacturer support!) -- for example, here's DD-WRT's router database to check compatibility and find install instructions.
Once installed, instructions for configuring the router VPN should be provided by the router manufacturer, and instructions for configuring an alternative firmware (DD-WRT, OpenWRT, Tomato) are found at their respective sites.
OpenVPN is included by default with DD-WRT. If it's not already installed on your router, refer to the router or OpenVPN documentation to install it.
Public Key Infrastructure (PKI)
Once you've got a device running OpenVPN, the next step is to generate certificates and keys. This is the part that ensures security for your connections.
Many devices offer wizards and/or guides for configuration to simplify the creation of the required certificates and keys.
If no wizard is available, some decisions will need to be made about key strength, expiration times, revocation policies, and so on.
There are three main components to consider here:
1. CA (certificate authority)
2. The server
3. The client
The CA is most important, as it's what issues the digital certificates required for the server and client to agree.
For OpenVPN, the server must authenticate the client, and the client must authenticate the server. This bidirectional authentication ensures trust between the systems.
A workstation can be used to generate the required certificates and keys, which can then be copied to the router and client machines.
EasyRSA 2 is included with the Windows OpenVPN installer. For UNIX-like (Mac, Linux) systems, EasyRSA 3 can be used.
Follow the instructions at this page to create the required files.
VPN Client Configuration
While both Mac and Windows provide built-in options for connecting to a VPN server, these are not compatible with OpenVPN, so a third-party VPN client may be required to connect.
The client workstation will need to have the server-provided files in the same directory as the .ovpn or .conf file (the extensions are generally interchangeable), so check the client applications to see where it keeps its configuration files. The .ovpn or .conf file will need to have the VPN server address in place, and will need to be edited if that address changes.
If L2TP/IPSec, or IKEv2 will be used instead of OpenVPN, it should be possible to use native OS connectivity options (Windows also provides support for SSTP).