Recently at Oppedahl Patent Law Firm LLC we chose to explore possible work-from-home approaches. This blog article and a previous article talk through some of the things that we are working on, in case it may be of interest to some readers. The previous article talks about being able to unplug a phone from a desk in the office, put the phone into a car, take it to an employee’s home, plug it in, and have it work just as it would in the office. This article talks about being able to unplug a desktop computer from a desk in the office, put the computer into a car, take it to an employee’s home, plug it in, and have it work just as it would in the office.
To get a desktop computer from the office to work at home, it is necessary to accomplish several things as I will discuss.
VPN. The first thing that immediately comes to mind for this is the initialism (not acronym) VPN (virtual private network). The idea is that the employee is able to gain access to the resources in the office, but a would-be eavesdropper will be stymied.
When we at Oppedahl Patent Law Firm LLC first started organizing remote access some two decades ago, we used PPTP (point-to-point tunneling protocol, Wikipedia article). In recent years use of this protocol has been deprecated.
Fifteen years or so ago, we started using IPsec encryption for many of our VPNs. If well configured, IPsec offers extremely robust security. But to get IPsec to work, you must typically have complete access to and control over all equipment at both ends of the IPsec tunnel, and you have to be able to gain access to a routable IP address at each end of the tunnel. It turns out that NAT (see previous article) is extremely evil so far as IPsec is concerned. If you are in a hotel or a Starbucks you can simply abandon any hope of setting up an IPsec VPN because the hotel or coffee shop controls the router or routers that provide your connections, and there will always be at least one NAT router somewhere between you and the Internet.
But for connections from one fixed location to another, if you can simply scrap the network equipment that was there before, and bring in your own routers that are optimized for IPsec, this kind of encryption can be extremely stable and extremely robust.
But what about the employee who uses wifi at home that is provided by somebody else? Suppose an employee rents part of a house and the landlord lives in another part of the house, and suppose the Internet connection is provided by the landlord. It might not be a realistic goal to scrap the landlord’s network equipment and to bring in one’s own routers and other equipment.
This brings us to OpenVPN (Wikipedia article). OpenVPN is an open-source VPN solution that is able to traverse NAT routers and many firewalls. It is a very good choice for employee remote access. Because it is open-source, you need not worry that anybody has programmed a backdoor into it. Members of the open-source community would notice it right away if anybody had tried to slip in a backdoor. It is also more bug-free than any commercial proprietary VPN solution, since the members of the open-source community notice bugs if any and fix them. With a proprietary solution, you are at the mercy of the company which might or might not have smart enough people to notice bugs and to fix them.
What we found is that our main router in our office, a Cisco RV320, has built-in support for OpenVPN, and is able to serve as an OpenVPN server. It is able to support as many as five OpenVPN connections at the same time, meaning that five different employees could connect from home using this kind of VPN at the same time. (Some other employees connect using dedicated IPsec tunnels as mentioned above.) The router permits us to set up OpenVPN login credentials for as many as fifty user IDs, and as many as five of the login credentials can be in actual use at any given instant.
One way to connect is to download and install an OpenVPN client in the user’s computer or smart phone. And we use this approach from time to time. For this to work, the user has to know how to launch the client and where to click to ask it to establish a VPN connection.
But in our present effort to explore work-from-home options, we wanted to avoid having to install anything new on the user’s desktop computer. And we wanted to avoid the user having to learn new procedures for launching an OpenVPN client, turning the tunnel on and off, and so on. We wanted to keep it simple. You unplug the desktop computer from the office, you put it into a car, you drive it to the employee’s home, and you plug the desktop computer into … something … at the employee’s home. And the desktop computer hopefully simply starts working just as it did in the office. No installing a VPN client, no clicking to launch it, no clicking “connect”.
It is also true that if you install a VPN client on a user’s computer, and if you use it, the VPN client is using up some of the computational bandwidth of the processor. This could slow down the processor, slowing down the other software running on the computer.
Our favorite router for this purpose these days is the GL-iNet GL-AR750S travel router (photo at right). This travel router costs only $82. With the antennas folded down, it is about the size of a pack of playing cards. It can fit in a shirt pocket with room left over for other stuff in the pocket. This travel router runs open-source router code OpenWRT (Wikipedia article). Here, too, if anybody were to try to slip a backdoor into it, it would get noticed. And bugs get fixed.
The alert reader will guess where I am going with this. This travel router contains an OpenVPN client. You can plug the travel router into any Internet connection (even with NAT or other firewall things over which you have no control) and this router will very likely be able to establish a VPN connection to the RV320 router just mentioned. You can go to a random home of an employee and plug in this router and it will very likely be able to establish the VPN tunnel.
You can then plug the desktop computer into a LAN port on this travel router and it will be as if the desktop computer were physically in the office.
Wifi. We can then turn to another really nice thing about this router. Remember the employee who rents part of a house and whose Internet connection is via the landlord’s wifi access point? And keep in mind the desktop computer does not do wifi and only connects using ethernet. This travel router can, with just a couple of mouse clicks, be configured to be a wifi client, meaning that it can connect to the landlord’s wifi. The router is dual-band (2.4 gigahertz and 5 gigahertz) so you can connect to either kind of wifi. This solves the problem of the desktop computer not being able to do wifi.
Getting the travel router and Cisco router to talk to each other. One thing is to make sure the firmware on the Cisco router is the most recent version. Another thing is to make sure the firmware on the travel router is the most recent version. Then you need to set up the Cisco router to be an OpenVPN server. To that end, I found this article to be very helpful. Basically you configure the router to be an OpenVPN server, and then having done so, you create login credentials for each potential user. To add another user, you do these things:
- In the Cisco router, click on “Certificate Generator” to create a signed certificate for an OpenVPN client.
- In the Cisco router, click on “OpenVPN” and “OpenVPN account” to create a new account. Select the certificate that you created in the previous step. Pick a user name and password.
- Export the OVPN file (user configuration file) from the Cisco router.
- Go into the travel router. Log in to its administration web page. Click on OpenVPN and import the OVPN file that you downloaded in the previous step. Enter the user name and password.
- Click “connect” and confirm that the connection works.
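The OVPN file exported in the steps above is worth reviewing before it is imported into the travel router, since a client profile may carry the client's private key inline and decides how the server is verified. The following is an added example, not code from the original article or from Cisco or GL-iNet: a small Python check run over a constructed sample profile. The host name `vpn.example.com`, the sample directive values and the function names are assumptions, and an actual RV320 export may look different.

```python
import re

# Constructed sample profile, not an actual RV320 export; key material elided.
SAMPLE_OVPN = """\
client
remote vpn.example.com 1194
cipher BF-CBC
auth-user-pass
<key>
(constructed placeholder)
</key>
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "NONE"}

def parse_ovpn(text):
    """Split a client profile into directives and inline <tag> blocks."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                         # inside <tag> ... </tag>
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
        elif line and line[0] not in "#;":  # skip blanks and comments
            m = re.fullmatch(r"<([a-z0-9-]+)>", line)
            if m:
                current = m.group(1)
                blocks[current] = []
            else:
                name, *args = line.split()
                directives.setdefault(name, []).append(args)
    return directives, blocks

def audit_ovpn(text):
    """Return review findings to resolve before importing the profile."""
    d, b = parse_ovpn(text)
    findings = []
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append("server certificate role/name is not checked")
    for args in d.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            findings.append(f"weak cipher {args[0]}")
    if "key" in b:
        findings.append("inline private key: handle the file as a secret")
    return findings

print("\n".join(audit_ovpn(SAMPLE_OVPN)))
```

To check a real export, read the file into a string and pass it to `audit_ovpn`; a profile that embeds a private key should be deleted from download folders and e-mail once it has been imported.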
There is a switch on the side of the travel router. You can configure the router, if you like, so that this switch determines whether the OpenVPN connection is on or off. We did that on all of our travel routers.
The travel router has two LAN ports. One can be used as the way to connect the desktop computer. The other LAN port can, if desired, be the way that the VOIP phone mentioned in the previous article gets its wired ethernet connection to the Internet.
Cost-free. I should emphasize that nothing discussed in this article has any recurring cost. There is no need to pay any money to any service provider for the VPN connections.
Likewise nothing discussed in this article should even present any one-time cost other than spending the $82 for the travel router and maybe migrating your main office router to a model that supports OpenVPN. It should just be a matter of doing a few mouse clicks, and Bob’s your uncle.
Physical portability. It will be appreciated that this travel router approach is very portable. An employee working from home on Monday could use the travel router at one location such as the employee’s home. If it later were to develop that the employee needs to work from a different location (the home of a relative, perhaps) then it is simply a matter of moving the travel router and the computer to the new location and connecting to the new wifi or ethernet connection.
Testing the connectivity. Of course one of the best ways for your employee to test the quality and connectivity of his or her VPN is to make use of the Oppedahl Patent Law Firm LLC speed test.
What is your VPN solution for work-from-home? Please post a comment below.