VPNs for dummies

glennd

I have a medical client. LOB software is client/server. The server is at the practice. She wants to take her laptop off site to another practice or the hospital etc and have remote access to the medical software and patient records etc. I think the modem is a Telstra business modem like this:
https://exchange.telstra.com.au/telstra-gateway-pro-world-class-wi-fi-for-our-business-customers/
Here is the VPN guide:
https://www.telstra.com.au/content/...tra-gateway-pro-v7610-configuration-guide.pdf

Windows 10 all around.

This sets up a VPN in the modem and uses standard Windows VPN networking to gain access. Is this the preferred method, or is there a better way?
 
The first thing that comes to mind is meeting any statutory requirements. Over here you would need to have a BAA for vendors/suppliers. But I have not run into that for things like edge devices and VPN clients. Personally I'd want to have logging enabled, so the server and VPN gateway would need to be able to log those activities.

I would never use an ISP modem for a VPN gateway even if it is supported. The main reason, based on past experience, is they rarely update the firmware. Same for retail grade routers. Devices like Edgemax are regularly updated by the OEM so one can be confident that potential issues are being addressed.
 
As Mark said, the better way is a business grade Firewall/VPN Router. I use L2TP/IPSec on the router and the built-in Windows 10 client. Then RDP over the VPN to a local machine with the LOB app.
 
> The first thing that comes to mind is meeting any statutory requirements. Over here you would need to have a BAA for vendors/suppliers. But I have not run into that for things like edge devices and VPN clients. Personally I'd want to have logging enabled, so the server and VPN gateway would need to be able to log those activities.
>
> I would never use an ISP modem for a VPN gateway even if it is supported. The main reason, based on past experience, is they rarely update the firmware. Same for retail grade routers. Devices like Edgemax are regularly updated by the OEM so one can be confident that potential issues are being addressed.
I've had a scout around and I can't find any statutory requirements for this sort of thing. When I asked the customer the response was not instructive.

Agree about the ISP modem. Nothing about Telstra modems could be called professional. It's actually a Netgear with watered down firmware. It grates on me that we have to use it at all.

I just discovered the modem has no bridge mode. Given the modem is not doing anything other than regular DSL work, I'm wondering if I should get a different modem that is capable of proper bridge mode to avoid NAT issues and the like. Or should I just hook it up and not worry about it? There seem to be two schools of thought about that.

EdgeRouter looks good.
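As an added example that is not part of any post in this thread, this is how the Windows 10 side of the "L2TP/IPsec on the router, built-in Windows client" setup would be scripted, together with the registry change that the double-NAT situation (laptop behind another site's NAT, server behind the Telstra modem's NAT) needs. The server name, PSK, LAN prefix, LOB server address and port, and user name are placeholders I have assumed, not values from the thread.

```powershell
# Added example, not from the thread: configure the Windows 10 built-in client for
# the L2TP/IPsec server on the practice router, and apply the NAT-T fix that
# double NAT needs. Run once, in an elevated Windows PowerShell 5.1 session.
# Placeholders (assumed, replace for a real deployment):
$Name      = 'Practice VPN'
$Server    = 'vpn.practice.example'    # router's public DNS name or IP
$Psk       = 'REPLACE-WITH-LONG-RANDOM-PSK'
$VpnUser   = 'drsmith'                 # local user defined on the router
$LanPrefix = '192.168.1.0/24'          # practice LAN behind the router
$LobServer = '192.168.1.10'            # LOB database server on that LAN
$LobPort   = 1433                      # LOB listener port (SQL Server assumed)

# 1. Create the connection for all users on the laptop. -EncryptionLevel Required
#    refuses to fall back to an unencrypted PPP link; MSChapv2 is the
#    username/password method used with an L2TP local-user setup.
Add-VpnConnection -Name $Name -ServerAddress $Server -AllUserConnection `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling -Force

# 2. Split tunnel: only the practice LAN goes through the tunnel; the laptop's
#    other traffic stays on the hospital / other-practice network.
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $LanPrefix -AllUserConnection

# 3. NAT-T fix (Microsoft KB 926179): by default Windows drops an L2TP/IPsec
#    connection when the server is also behind NAT. Takes effect after a reboot.
$PolicyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $PolicyAgent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 4. Connect ('*' makes rasdial prompt for the password) and verify the tunnel
#    actually carries traffic to the LOB server, not just that it came up.
rasdial $Name $VpnUser *
Get-VpnConnection -Name $Name -AllUserConnection |
    Select-Object Name, ConnectionStatus, TunnelType, EncryptionLevel, SplitTunneling
Test-NetConnection -ComputerName $LobServer -Port $LobPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Reboot after step 3 before testing. The PSK only authenticates the IPsec transport and is the same on every laptop, so the user password is what really gates access; keep both long and random. Whether the LOB client itself is then run over the tunnel, or RDP to a machine on the practice LAN as the post above suggests, depends on how the application copes with WAN latency, which is worth confirming with the vendor before relying on it for patient records.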
 
> As Mark said, the better way is a business grade Firewall/VPN Router. I use L2TP/IPSec on the router and the built-in Windows 10 client. Then RDP over the VPN to a local machine with the LOB app.
All of that up to the Windows 10 client. We won't be doing RDP that I know of, although I suppose that could be useful for me.
 
Does the LOB app support being used over WAN? It might react weirdly if it expects a solid LAN link.
Personally, I think having a VPN on a beefier system is beneficial, a router's limited hardware can limit VPN performance, but for one user an edgerouter should be fine.
 
> Does the LOB app support being used over WAN? It might react weirdly if it expects a solid LAN link.
> Personally, I think having a VPN on a beefier system is beneficial, a router's limited hardware can limit VPN performance, but for one user an edgerouter should be fine.

This is also very important. Many database type apps, like QB, don't like latency. The net result is that there can be DB corruption. Make sure to check with the app OEM to see if they support VPN connections.
 
> I've had a scout around and I can't find any statutory requirements for this sort of thing. When I asked the customer the response was not instructive.
>
> Agree about the ISP modem. Nothing about Telstra modems could be called professional. It's actually a Netgear with watered down firmware. It grates on me that we have to use it at all.
>
> I just discovered the modem has no bridge mode. Given the modem is not doing anything other than regular DSL work, I'm wondering if I should get a different modem that is capable of proper bridge mode to avoid NAT issues and the like. Or should I just hook it up and not worry about it? There seem to be two schools of thought about that.
>
> EdgeRouter looks good.

Did you dig around here - https://oaic.gov.au/privacy-law/privacy-act/
 
> Does the LOB app support being used over WAN? It might react weirdly if it expects a solid LAN link.
> Personally, I think having a VPN on a beefier system is beneficial, a router's limited hardware can limit VPN performance, but for one user an edgerouter should be fine.
That's a good question and one I will pass on to the software support. I'm not hopeful of a response though, their support is not good. They were unable to answer the question of why the client doesn't work under a standard windows user.
> Personally, I think having a VPN on a beefier system is beneficial, a router's limited hardware can limit VPN performance, but for one user an edgerouter should be fine.
I'm not sure what you mean here. What's next up from an edgerouter?
 
> That's a good question and one I will pass on to the software support. I'm not hopeful of a response though, their support is not good. They were unable to answer the question of why the client doesn't work under a standard windows user.

> I'm not sure what you mean here. What's next up from an edgerouter?

A full server rather than an appliance. Install VyOS and away you go.
 
Google, Google ...... hrm, I can't see us going that route. It's not full-on use by many people, it's occasional use by one person.

VyOS and Edgemax are both forks of Vyatta. Which was purchased by Brocade and has subsequently been sold to AT&T. I have no problem rolling my own stuff for my own use and/or testing. But, unless it provides some really special function, I'd never use FOSS for someone's business unless they understood that support is purely T&M. Even then I'd work very hard to discourage them.

The last time I used FOSS in a business as a part of the core was some 15 years ago. Set up a RedHat server to provide Samba services at a dental practice. That was before app OEMs started probing file hosts for a running M$ OS. So I was able to put QB and Practiceworks DBs on the Samba server. Used mdadm to set up mirroring. Worked perfectly for some 5 years. Then they wanted to upgrade and by then the M$ tax came into play.

http://about.att.com/story/att_to_acquire_vyatta_software_technology_from_brocade.html

 
Yes, it's hard to make the case when comparing with Ubiquiti products. The hardware cost is so minimal that you do get what you pay for and it's easy enough to have a spare around.

If it was expensive proprietary hardware, a business case could be made for using OSS that can be virtualized and run on any hardware, but Ubiquiti has made it so that it doesn't make sense to go that route vs FOSS. And if you did need a beefier VPN, rather than rolling out a whole different router you could just forward to another device on the edge specifically for VPN.
 
Has anyone set up the VPN on a TP-Link Archer AC1200 or similar?

https://www.tp-link.com/au/products/details/cat-5030_Archer-C1200.html#overview

I've installed these with other business clients and I quite like them. I'm thinking if the VPN on those is ok, that might be a better option than replacing the Telstra modem with a modem that can bridge *and* an EdgeRouter.

The Telstra modem is Netgear and I'm not a fan of Netgear these days. It's dropped the adsl twice in the last week and failed to reconnect so it needs to go anyway.
 
> Has anyone set up the VPN on a TP-Link Archer AC1200 or similar?
>
> https://www.tp-link.com/au/products/details/cat-5030_Archer-C1200.html#overview
>
> I've installed these with other business clients and I quite like them. I'm thinking if the VPN on those is ok, that might be a better option than replacing the Telstra modem with a modem that can bridge *and* an EdgeRouter.
>
> The Telstra modem is Netgear and I'm not a fan of Netgear these days. It's dropped the adsl twice in the last week and failed to reconnect so it needs to go anyway.
I tried setting this up for a client, was actually on an AC1750 IIRC, and it didn't work. Tried a bunch of different settings and nothing worked. Gave up and set him up with an Edgerouter X in half the time it took me to play around with the TP-Link. I kept the TP-Link in place as a Wifi AP.
 
> I tried setting this up for a client, was actually on an AC1750 IIRC, and it didn't work. Tried a bunch of different settings and nothing worked. Gave up and set him up with an Edgerouter X in half the time it took me to play around with the TP-Link. I kept the TP-Link in place as a Wifi AP.
Oh. Did you set the AC1750 to bridge mode?
 
> Oh. Did you set the AC1750 to bridge mode?
They don't call it bridge mode. They have a setting somewhere, I forget exactly where, but you have the option to choose Router mode or AP mode.
 