[SOLVED] Shared drives over VPN

Kirby

I have a customer who just had me redo their shared drives to give each person individual access rights and they asked about a VPN. I was under the impression that they could access shared drives when they connected to the VPN, but that didn't seem to work. I'm not really familiar with VPN. I'm in a small town and there is not much call for it. I've dealt with it only rarely.

The VPN server is on a Windows 7 Pro machine. The laptops connecting to it are Windows 10. I'm just using the built-in Windows software to host and connect to the VPN. My questions are 2: Can I set it up so that they can access the shared drives over the VPN while still accessing the Internet over their local connection and can I allow 2 or more people to connect to the VPN at the same time? I probably don't want 2 people connected. It's DSL and with shared drives full of PDFs it's going to be slow enough upload the way it is. But I'm curious.
 
You're running a VPN server on a W7 machine? Why? How?

I have a number of clients, plus myself, that use VPN and have complete access to the remote LAN(s) while maintaining connection to the local LAN (and internet).
 
The question of still accessing the internet while connected to a VPN is controlled by several methods, depending on the VPN service. For native Windows, there's a checkbox in the VPN dial up adapter properties for using the remote gateway, or not. That's the split tunnel yes or no.

As for browsing a mapped drive, lots of stuff comes into play here. NetBIOS broadcasts don't pass through a VPN tunnel by default (and if it's allowed to, it REALLY clogs up the pipe), so no network browsing will occur in a VPN tunnel without internal DNS handling it, or doing the poor man's WINS approach..lmhosts files, or...going access via IP instead of host names \\192.168.10.10\stuff for example.

Much better doing a file share program like Dropbox, or SharePoint, or OwnCloud, or Datto Drive, stuff like that.
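
The client-side settings described in the post above, as an added PowerShell example for a Windows 10 laptop using the built-in VPN client (not part of the original thread). The connection name `OfficeVPN` and drive letter `Z:` are assumptions; the address and share name are the example values from the post.

```powershell
# Added example. Run on the Windows 10 laptop after the VPN connection has been created.
$VpnName    = 'OfficeVPN'            # assumption: name of the existing built-in VPN connection
$FileServer = '192.168.10.10'        # example address from the post above
$Share      = "\\$FileServer\stuff"  # example share from the post above

# 1. Split tunnel: do not use the remote network as the default gateway.
#    This is the same setting as the "use default gateway on remote network" checkbox.
Set-VpnConnection -Name $VpnName -SplitTunneling $true

# 2. Route only the file server through the tunnel. A /32 host route keeps the
#    rest of the office LAN out of reach of the home PC.
Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix "$FileServer/32"

# 3. Connect using the credentials saved with the connection.
rasdial $VpnName
if ($LASTEXITCODE -ne 0) { throw "VPN connection failed (rasdial exit code $LASTEXITCODE)" }

# 4. Internet traffic should still leave through the local adapter:
#    the default route must not point at the VPN interface.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric |
    Select-Object InterfaceAlias, NextHop, RouteMetric

# 5. Check that SMB (TCP 445) on the file server answers through the tunnel
#    before trying to map anything.
$probe = Test-NetConnection -ComputerName $FileServer -Port 445
if (-not $probe.TcpTestSucceeded) { throw "Cannot reach $FileServer on TCP 445 over the VPN" }

# 6. Map the share by IP address, so no NetBIOS browsing or name resolution is
#    needed, and sign in with the user's own file-server account.
$cred = Get-Credential -Message "File server login for $Share"
New-PSDrive -Name 'Z' -PSProvider FileSystem -Root $Share -Credential $cred -Persist -Scope Global

# 7. Confirm which account the SMB session is using.
Get-SmbConnection -ServerName $FileServer |
    Select-Object ServerName, ShareName, UserName, Dialect
```

Because each person signs in with their own account in step 6, the per-user read and read/write permissions set on the share apply over the VPN exactly as they do in the office.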
 
I did get the Internet working the way you said, I just wanted to double-check that was right. I am as good as they get at fixing problems with computers, but anything that isn't directly problem related tends to vex me because I don't run into it very often.

I really can't do a dropbox-type solution here. This is for an insurance company and the reason I was just over there was that their higher-ups wanted them to have access to their stuff set up on a per-user basis rather than just, "These people have the password for read access, those have the password for read/write access". Each person had to have their own, personalized login with permissions set up specifically for them. They have dozens, maybe hundreds of folders for their customers with each customer's documents separated into the folders and being updated regularly. It's just too much data, and they always have to have access to the most up-to-date data. And anything I do to duplicate the data may be a security concern. I would have to talk to whomever told them to change their security before I could even consider a cloud-based option, and I'm betting the answer would be no.
 
That's where the more proper business grade solutions like OwnCloud...and Datto Drive, step in. Permissions, and logging, as granular as a domain controller/file server.

DattoDrive is based off of OwnCloud. Free for the first year, unlimited users, up to 5TB data, and 10 bucks a month after that for the basic version.
 
I wish these companies would just say this. I cannot find pricing or even what the different packages ARE on their website. TONS of information and flash and dazzle, but no actual content.

I am interested, but only from your post, not their website.
 
Yeah, they want your contact information so that, instead of pricing, they can give you more marketing. It's annoying as hell. If I can't find pricing for a product I simply won't consider the product. Had to start doing that so that I didn't spend the entire day on the phone with some jackass or another trying to sell me something for weeks after a casual inquiry. I either know I want to buy before I contact them or I don't want to buy.
 
A synology would also work very well for this.

You can have users connect to it from outside the network, and it's as granular as it gets with logins and permissions. Not to mention, the added bonus of being a major part of a proper backup solution and no monthly fee. You buy the unit, buy your hard drives, set it all up and no additional costs!

I have one set up at my first job, and for the unit and 4x2TB drives I think we are in around $1200 to $1400 ? I don't remember 100% but that's a ton of data in RAID 10 and a good solution. Some companies can be wary about things like dropbox because of "privacy".... usually makes them feel a lot better if the box is sitting inside their own office.
 
I wish these companies would just say this. I cannot find pricing or even what the different packages ARE on their website. TONS of information and flash and dazzle, but no actual content.

I am interested, but only from your post, not their website.
Takes about a whopping 3.5 seconds to Google it...and find answers. Datto is channel based, and as with pretty much all the other channel based products...prices are hidden, and flexible. Clearly MSPs/VARs don't want the "actual prices" of services they offer to be easily seen by the public. When Datto launched DattoDrive...their prices were right up front because their original plan was to bring the public to MSPs with such disruptively low prices, but us MSPs asked them to tuck 'em away more so we could resell and make some more bus fare on it.

They have a couple of other tiers of DattoDrive..with more features (such as LDAP integration), higher levels of support, and higher costs.
 
Takes about a whopping 3.5 seconds to Google it...and find answers.

And find answers that are non-official from over a year ago amidst buyouts and acquisitions. No thanks.

I want real values and real comparisons between plans.

I do not have the time to poke around endlessly trying to find answers when there are so many possible solutions out there. And I am certainly not going to recommend this to a client based on such an approach.
 
And find answers that are non-official from over a year ago amidst buyouts and acquisitions. No thanks.

I do not have the time to poke around endlessly.

First hit from my non-endlessly search is right from their own site...I would call that "official"..since it's right from the horse's mouth, and still active....not a buyout or acquisition, they purchased the rights to use/modify OwnCloud code to make their own platform.
https://www.datto.com/blog/Datto-Launches-Datto-Drive

But anyways, de-derailing the train, getting off the topic of effort (or none) info finding solutions, a good file sync/sharing/portal program "such as" Datto Drive, or the original source...OwnCloud (for those that can't climb on board channel only products), or similar robust business grade file sync/access products such as eFolder (Anchor), AutoTask (Soonr), FileCloud....there are tons of other ones to choose from.
 
A synology would also work very well for this.

You can have users connect to it from outside the network, and it's as granular as it gets with logins and permissions. Not to mention, the added bonus of being a major part of a proper backup solution and no monthly fee. You buy the unit, buy your hard drives, set it all up and no additional costs!

I have one set up at my first job, and for the unit and 4x2TB drives I think we are in around $1200 to $1400 ? I don't remember 100% but that's a ton of data in RAID 10 and a good solution. Some companies can be wary about things like dropbox because of "privacy".... usually makes them feel a lot better if the box is sitting inside their own office.
Physically connected drives are being targeted by encryption viruses now, so I don't trust them as much as I once did for backups. For network drives, I suppose it depends how they work. If they show up as a drive letter I wouldn't consider it a "safe" solution, but there are NAS systems which do real-time backup of files as they change and allow the customer to go back to a certain date, which is really cool.

Still, when the data matters you can't beat an encrypted, cloud-based solution for backup. Yes, it costs money, but if the data is important you spend what you have to in order to protect it from loss. It's like insurance. Yeah, it sucks if you're paying for it and never need it, but that's better than finding out you needed it after the fact, if the data is important.

Back to the original topic, I believe what I'm hearing here is that there is no way to use shared drives over a VPN directly? All the solutions I'm seeing seem to be third party middle-men where the data is in 3 places instead of 1 (on the server, on the 3rd party server, on the laptop when it's being worked on). Normally they pull it up directly from the server to work on it and it's saved there automatically when they save. I'm pretty sure there's some built-in protection there to keep a file from being saved when another employee has it open as well, not that it's a huge issue. It's a small, family owned business.

So, if the VPN won't work and they don't want a 3rd party involved, what's the best solution you guys can think of? They have a static IP, so I know FTP will work, but it's entirely inelegant. Not to mention it's a port scanned by every hacker ever. Is there, maybe, a software solution which would allow them to see and work on files from certain directories, using their login for permissions? Could I maybe do Remote Desktop over the VPN instead? It's not exactly what they're looking for, but it would work for them, if it works over VPN. Thanks.
 
what I'm hearing here is that there is no way to use shared drives over a VPN directly

No - you can access and map a drive over VPN. For the best blend of internet performance, you just need to modify your metrics to ensure you have split tunnel enabled.

Could I maybe do Remote Desktop over the VPN instead?

If they need more than just files, i.e., they need to access QuickBooks files, which should not be accessed over a VPN, then yes, this is where an RDP connection comes in. VPN into network, secure the connection, then RDP into a target machine to use software installed on target machine which can then access files in the target machines network. MUCH faster for files like QB and SAGE and AutoCAD.

If you want to host multiple remote connections simultaneously on a nice workstation you could look into this: http://www.thinsoftinc.com/product_thin_client_winconnect_server_vs64.aspx
 
They don't do QuickBooks or anything remotely like that. It's mostly PDF files. Insurance policies, I think. They're an insurance company. I've never opened their files, so I guess I don't know what's in them for sure, but it's all PDFs and DOC/DOCXs. To be honest, I don't even know how they use the files. I think they scan the signed documents into the shared drive as PDFs mostly. What they want to be able to do, if I'm understanding how they work, is pull these up from home when customers call with questions. It's pretty straightforward.

So here's another scenario. The machine which is hosting the files is also the machine which is hosting the VPN. Is that something I can work with?

Let me lay out how it works. I guess I should have started with that.

1) They have one shared folder which everyone can access. Most people can write to it, a couple can only read.

2) A very few of them have access to their own personal directory nobody else can read or write.

3) Just because it's convenient if they ever start using it, I set up one of these "personal directories" that everyone can read and write to so they can share things back and forth, but they've never used it.

Nothing but that first directory and all its sub-directories and files are important, as far as remote access is concerned. The computer hosting these files and the VPN is just Windows 7 Pro and it doesn't have Office or any other software on it except antivirus. It sits in a tiny little closet where they store their holiday decorations. It is literally never used for anything but the shared drive and, if I get this working, the remote connection. I have to move a bunch of things out of the closet every time I go work on it so I can get to it.

Any solution where they could access this single shared directory, directly from the computer it is on, not a third party, would be fine, so long as it's secure. They each have their own login to the file server which decides whether they have read-only or read-write access, but remotely nobody would need write access, only read, if that makes it simpler.
 
Sounds similar to a real estate office I recently took over....lots of remote/home workers (agents)...need to access the server.
I'll never expose the VPN services of a Windows box to the internet anymore. Especially a desktop operating system. I'd be formatting and rebuilding that thing on a weekly basis. If you're going to VPN...use a 3rd party hardware appliance, like a good biz grade VPN router..or if a high number of concurrent VPN users...a dedicated VPN appliance sitting behind the router.

But what you describe is a textbook perfect scenario for a cloud hosting service. The real estate office I did...around 15 users, grouped into independent agents, team agents, office staff, and owners. And I have the cloud file access groups that match the user groups within the network...for who can get what level of access to certain folders.

Works very well. No clunky VPN needed, nor the incredible support overhead of supporting various home users with various operating systems of mixed health, and various home grade routers...and mix matched security software...all things that affect VPNs.
 
The problem with a cloud-based system is insurance agents have the type of information about customers that can lead to identity theft and insurance fraud. Being the end-user insurance guys it is literally not their choice. They are beholden to the higher-up companies that decide what security they need to continue doing business with them. I could have them ask if there are any allowable cloud-based solutions, but I couldn't just implement one on my own. In fact, the VPN thing was a request they made while I was doing required security upgrades. This is a small town and the business is fewer than a dozen employees. They've been to each other's houses. They know and trust each other completely. But some company they do business with insisted that each person had to have individual access to the files. They can all read them and, I think, there are only 2 who can't write them. But the security change was required, out of their hands, do it or go out of business. So it's not just them I'm dealing with and the information MUST be absolutely, 100% secured, encrypted before it leaves the premises, etc.
 
OpenVPN on a Mikrotik router (or whatever) secures the connection.

Direct file share over the VPN with user authentication and I think you are golden.

Ensure you have secured offsite backups that are compliant with your rules and regs.

Our users scan directly from their local scanners at home to their shared network drive at the main office. Users can then sort and work with those files collaboratively.
 
Okay, I just talked to the client about what type of information is on the server and realized that there are cancelled checks and medical information and all kinds of things on there, so it has to be HIPAA compliant as well. At this point, I don't have a choice what to do. I wouldn't have even tried the VPN had I realized the nature of their data. My one choice is to contact the people they do business with and see if a) they will allow this and b) how they would like it implemented. That way it's their asses on the line, not mine.
 
Which is why sticking to good biz grade cloud file storage can help comply with this, and still keep things incredibly easy to use for end users. You have those encryption options with many of them. Logged for proof.
 