Recently at Oppedahl Patent Law Firm LLC we chose to explore possible work-from-home approaches. This blog article and a previous article talk though some of the things that we are working on, in case it may be of interest to some readers. The previous article talks about being able to unplug a phone from a desk in the office, and put the phone into car, and take it to an employee’s home, and plugging it in, and having it work just as it would in the office. This article talks about being able to unplug a desktop computer from a desk in the office, and put the computer into car, and take it to an employee’s home, and plugging it in, and having it work just as it would in the office.
To get a desktop computer from the office to work at home, it is necessary to accomplish several things as I will discuss.
VPN. The first thing that immediately comes to mind for this is the initialism (not acronym) VPN (virtual private network). The idea is that the employee is able to gain access to the resources in the office, but a would-be eavesdropper will be stymied.
When we at Oppedahl Patent Law Firm LLC first started organizing remote access some two decades ago, we used PPTP (point-to-point tunneling protocol, Wikipedia article). In recent years use of this protocol is deprecated.
Fifteen years or so ago, we started using IPsec encryption for many of our VPNs. If well configured, IPsec offers extremely robust security. But to get IPsec to work, you must typically have complete access to and control over all equipment at both ends of the IPsec tunnel, and you have to be able to gain access to a routable IP address at each end of the tunnel. It turns out that NAT (see previous article) is extremely evil so far as IPsec is concerned. If you are in a hotel or a Starbucks you can simply abandon any hope of setting up an IPsec VPN because the hotel or coffee shop controls the router or routers that provide your connections, and there will always be at least one NAT router somewhere between you and the Internet.
But for connections from one fixed location to another, if you can simply scrap the network equipment that was there before, and bring in your own routers that are optimized for IPsec, this kind of encryption can be extremely stable and extremely robust.
But what about the employee who uses wifi at home that is provided by somebody else? Suppose an employee rents part of a house and the landlord lives in another part of the house, and suppose the Internet connection is provided by the landlord. It might not be a realistic goal to scrap the landlord’s network equipment and to bring in one’s own routers and other equipment.
This brings us to OpenVPN (Wikipedia article). OpenVPN is an open-source VPN solution that is able to traverse NAT routers and many firewalls. It is a very good choice for employee remote access. Because it is open-source, you need not worry that anybody has programmed a backdoor into it. Members of the open-source community would notice it right away if anybody had tried to slip in a backdoor. It is also more bug-free than any commercial proprietary VPN solution, since the members of the open-source community notice bugs if any and fix them. With a proprietary solution, you are at the mercy of the company which might or might not have smart enough people to notice bugs and to fix them.
What we found is that our main router in our office, a Cisco RV320, has built-in support for OpenVPN, and is able to serve as an OpenVPN server. It is able to support as many as five OpenVPN connections at the same time, meaning that five different employees could connect from home using this kind of VPN at the same time. (Some other employees connect using dedicated IPsec tunnels as mentioned above.) The router permits us to set up OpenVPN login credentials for as many as fifty user IDs, and as many five of the login credentials can be in actual use at any given instant.
One way to connect is to download and install an OpenVPN client in the user’s computer or smart phone. And we use this approach from time to time. For this to work, the user has to know how to launch the client where to click to ask it to establish a VPN connection.
But in our present effort to explore work-from-home options, we wanted to avoid having to install anything new on the user’s desktop computer. And we wanted to avoid the user having to learn new procedures for launching an OpenVPN client, turning the tunnel on and off, and so on. We wanted to keep it simple. You unplug the desktop computer from the office, you put it into a car, you drive it to the employee’s home, and you plug the desktop computer into … something … at the employee’s home. And the desktop computer hopefully simply starts working just as it did in the office. No installing a VPN client, no clicking to launch it, no clicking “connect”.
It is also true that if you install a VPN client on a user’s computer, and if you use it, the VPN client is using up some of the computational bandwidth of the processor. This could slow down the processor, slowing down the other software running on the computer.
Our favorite router for this purpose these days is the GL-iNet GL-AR750S travel router (photo at right). This travel router costs only $82. With the antennas folded down, it is about the size of a pack of playing cards. It can fit in a shirt pocket with room left over for other stuff in the pocket. This travel router runs open-source router code OpenWRT (Wikipedia article). Here, too, if anybody were to try to slip a backdoor into it, it would get noticed. And bugs get fixed.
The alert reader will guess where I am going with this. This travel router contains an OpenVPN client. You can plug the travel router into any Internet connection (even with NAT or other firewall things over which you have no control) and this router will very likely be able to establish a VPN connection to the RV320 router just mentioned. You can go to a random home of an employee and plug in this router and it will very likely be able to establish the VPN tunnel.
You can then plug the desktop computer into a LAN port on this travel router and it will be as if the desktop computer were physically in the office.
Wifi. We can then turn to another really nice thing about this router. Remember the employee who rents part of a house and whose Internet connection is via the landlord’s wifi access point? And keep in mind the desktop computer does not do wifi and only connects using ethernet. This travel router can, with just a couple of mouse clicks, be configured to be a wifi client, meaning that it can connect to the landlord’s wifi. The router is dual-band (2.4 gigahertz and 5 gigahertz) so you can connect to either kind of wifi. This solves the problem of the desktop computer not being able to do wifi.
Getting the travel router and Cisco router to talk to each other. One thing is to make sure the firmware on the Cisco router is the most recent version. Another thing is to make sure the firmware on the travel router is the most recent version. Then you need to set up the Cisco router to be an OpenVPN server. To that end, I found this article to be very helpful. Basically you configure the router to be an OpenVPN server, and then having done so, you create login credentials for each potential user. To add another user, you do these things:
- In the Cisco router, click on “Certificate Generator” to create a signed certificate for an OpenVPN client.
- In the Cisco router, click on “OpenVPN” and “OpenVPN account” to create a new account. Select the certificate that you created in the previous step. Pick a user name and password.
- Export the OVPN file (user configuration file) from the Cisco router.
- Go into the travel router. Log in to its administration web page. Click on OpenVPN and import the OVPN file that you downloaded in the previous step. Enter the user name and password.
- Click “connect” and confirm that the connection works.
There is a switch on the side of the travel router. You can configure the router, if you like, so that this switch determines whether the OpenVPN connection is on or off. We did that on all of our travel routers.
The travel router has two LAN ports. One can be used as the way to connect the desktop computer. The other LAN port can, if desired, be the way that the VOIP phone mentioned in the previous article gets its wired ethernet connection to the Internet.
Cost-free. I should emphasize that nothing discussed in this article has any recurring cost. There is no need to pay any money to any service provider for the VPN connections.
Likewise nothing discussed in this article should even present any one-time cost other than spending the $82 for the travel router and maybe migrating your main office router to a model that supports OpenVPN. It should just be a matter of doing a few mouse clicks, and Bob’s your uncle.
Physical portability. It will be appreciated that this travel router approach is very portable. An employee working from home on Monday could use the travel router at one location such as the employee’s home. If it later were to develop that the employee needs to work from a different location (the home of a relative, perhaps) then it is simply a matter of moving the travel router and the computer to the new location and to connect to the new wifi or ethernet connection.
Testing the connectivity. Of course one of the best ways for your employee to test the quality and connectivity of his or her VPN is to make use of the Oppedahl Patent Law Firm LLC speed test.
What is your VPN solution for work-from-home? Please post a comment below.
Thanks a lot! We are considering TeamViewer or AnyDesk, but are not happy about our data going through someone else’s server. We shall be looking into OpenVPN for our office.
I am on board with openVPN, and with travel routers, but not with the Cisco RV320. I do not see that the Cisco RV320 runs opensource software, and therefore I cannot tell whether it has a backdoor. I also do not see the processor or memory in specs for the Cisco RV320, so it may be underpowered for business level use.
I suggest considering, instead, running Pfsense on a PC with a quad NIC card installed. That is what I am doing, with an old Dell T3400 box. Pfsense is open source, has lots of support, and feature rich, including openVPN, and a package for preconfiguring opeVPN client deployments.
Sorry but is PFSense on your PC running on Windows? If so, then your VPN solution is nost definitely not open-source.
I think Rick was pointing to pfSense installed on a PC – it is a BSD-based system.
Yes as soon as I posted my question, I realized that Rick was probably not using a Windows box at all. I bet you are right about what Rick is running on that PC. I have heard him mention “pfSense” in the past.
One option that is worth of considering when looking for a VPN server is just replacing a firmware in your routers for an opensource alternative that is provided with openVPN server. You can easily generate your own certificates with easyRSA to keep everything under your encryption at the level you choose.
We are using FreshTomato on our ASUS router and openVPN clients on laptops (Windows, iOS, Linux). There is no limit to the number of connections on VPN – we have 7 connections up and running, but it is a just a matter of generating certificates and bandwidth you have. Multi-WAN up to 4 WAN ports – we use 1Gbit ethernet + LTE dongle as a backup.
And yet If you do not want to or cannot replace firmware your current router, and yet you have an old spare PC buy some NICs (ethernet card is 10EUR max) and just install OpenWRT or OPNsense Linux router distro with decent GUI (no shell experience needed) and make it your gateway/router to the world. Check this page for recommendations https://teklager.se/en/best-free-linux-router-firewall-software-2019/
Thank you for posting, Jarek. I have wondered whether perhaps I should try out https://www.gl-inet.com/products/gl-mv1000/ as an open-source OpenVPN server solution.
Jarek is correct that Pfsense runs under BSD. The downloadable install package installs BSD and then Pfsense, so you don’t need to know anything about BSD. So assuming you can get to your PC’s bios or UEFI, you can install Pfsense. For the install package, see https://www.pfsense.org/download/. While not for the faint of heart, there is a ton of documentation on Pfsense on the web, it is heavily supported, its opensource, and its code was audited to confirm the lack of any backdoors.
Jarek – Why did you not choose Pfsense and put that on some conventional PC? I see that PFsense supports Siproxd and can act as a PPPoE server, but FreshTomato cannot. Am I missing anything, other than that Pfsense is not compatible with your router’s hardware? Thanks, RICK
Rick, it goes without saying that having a dedicated PC running system like pfSense gives much more flexibility – we are with FreshTomato as ASUS router we have is small but still a gigabit router with WiFi in 2.4 and 5GHz and good coverage, plus it allows me to configure easily some isolated virtual WiFi networks for mobile phones, tablets, guests and cleaning robot, etc. And Polish guys are developing the FreshTomato software now – so I support local initiatives 😊
I will consider going into dedicated PC as router, when we implement full scale VoIP network.