By John Connelly
JC Computer Services
I’ve tinkered with many open source products over the past couple of years, but I’ve never installed any for a client. For a friend, I installed Mepis on his son’s desktop to stop the torrent of malware, and I’ve played with Ubuntu on my laptop and struggled with wireless driver work-arounds. I never made a dime on it until I was inspired by a frequent forum poster here at The Forcefield. Then, with my inner salesman awakened, I scored BIG.
The Scenario: An important client has employees who work from home, and some travel across the country. Their current solution is to RDP directly into their 2008 Server. They are forwarding port 3389 to the server and logging in with very weak passwords. Given the nature of their work, HIPAA laws apply to them. Obviously, exposing RDP to the Internet this way is a major security breach waiting to happen.
I suggested a VPN solution. I explained what it was and how it worked, and showed them various solutions from Sonicwall, Firebox, and Cisco. Given the number of VPN connections they needed, all of these solutions were rather pricey and had subscription-based licensing fees. They would have agreed to one of them; they had to do something soon. Now that they had a ballpark dollar amount in mind, I told them I could build a VPN appliance for less, with no recurring fees. I chose OpenVPN, and here is how I did it.
First, I had to choose between the free community version and the paid version. The free one has the benefit of being… free. The paid version has GUI menus, simple installers, and more extensive tech support. Being new to OpenVPN, and with a big client at stake, I chose the paid version. So I shelled out $50.00 for 10 licenses, which gave me 12 licenses total (2 are free). Given the huge licensing fees that others charge every year, I had no qualms about the amount. The free community-based version can do everything the paid version can do, but I needed to implement this fast and needed some hand-holding.
Based on another forum poster’s recommendation, I chose a simple 1U server to run it on. They already have a rack, and it gave my product the shiny high-tech feel it needed to help justify the big markup. It would have run much the same on a beat-up old Dell I had, but I needed it to look cool.
My next choice was the OS to install it on. Many Linux distributions are supported, including Ubuntu, which I almost went with. In the end I chickened out and went with XP Pro. When I have more time to test and become more familiar with how OpenVPN and Ubuntu work together, I will have it ready for my next client. I downloaded VMware Player and an OpenVPN VM image, and installed both. The setup was very straightforward. You have to choose between routed and bridged mode; I chose bridged. I gave my box an IP on the network and port forwarded 443 to it. I also changed the default admin password.
Now I had to decide how to authenticate users. They are running AD on the server, and OpenVPN supports connections to AD via LDAP. Installing LDAP on the server was simple; I had it replicate the AD directory. In OpenVPN, I entered my admin username and password on the server, along with its computer and domain name. It connected and found my users. Alternatively, I could have entered usernames and passwords directly into OpenVPN, or set up a RADIUS server.
Setup on the client was the easiest part. Open a browser and go to https://yourcustomerdomain.com. OpenVPN will present you with a login screen. Enter your user’s AD username and password, and you will see a customized link to download the client software. The link is generated dynamically when you first log in. For my Windows clients, I used the Windows installer. I had one Mac client, and the OpenVPN site recommended I use Tunnelblick (a free VPN client). I could not get it to DHCP properly. A bit of research brought me to Viscosity. For $9.00, I bought one license and had it working in 5 min. It recognized the client.ovpn file that OpenVPN generates and imported it without any issues.
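As an added example (not part of the article, and not an OpenVPN tool), here is a small check a consultant could run over the generated client.ovpn before handing it to a remote worker; it confirms the profile connects over the forwarded port, verifies the server certificate, and does not store the user’s AD password in the file. The sample profile and the vpn.yourcustomerdomain.com hostname are constructed placeholders.

```python
"""Audit a client .ovpn profile for weak settings (hypothetical helper)."""

# Constructed sample resembling a generated client.ovpn; hostname and cert are placeholders.
SAMPLE_PROFILE = """\
client
dev tap
proto tcp
remote vpn.yourcustomerdomain.com 443
remote-cert-tls server
auth-user-pass
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""


def parse_directives(text):
    """Return {directive: [args]} for top-level lines; inline <tag> blocks are noted by name only."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if in_block:                      # skip certificate/key payload lines
            in_block = not line.startswith("</")
            continue
        if line.startswith("<"):          # start of an inline block such as <ca>
            in_block = True
            directives.setdefault(line.strip("<>"), [])
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def audit_profile(text, expected_port="443"):
    """Return a list of findings; an empty list means the profile passes the checks."""
    d = parse_directives(text)
    findings = []
    if len(d.get("remote", [])) < 2 or d["remote"][1] != expected_port:
        findings.append(f"remote does not use forwarded port {expected_port}")
    if "remote-cert-tls" not in d:
        findings.append("missing remote-cert-tls server: client would accept a non-server cert")
    if d.get("auth-user-pass"):           # an argument means credentials are read from a file
        findings.append("auth-user-pass names a file: AD password stored on disk")
    if "ca" not in d:
        findings.append("no inline <ca> block: server certificate cannot be verified")
    if d.get("cipher", [""])[0].lower() == "none":
        findings.append("cipher none: tunnel traffic would be unencrypted")
    return findings
```

Because the profile prompts for the AD username and password at connect time, a password change in AD takes effect for the VPN immediately, which is what the LDAP setup above relies on.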
Finally, I had my users select new passwords that did NOT have the word “password” in them. Because OpenVPN was connected to AD via LDAP, it picked up the new passwords too. RDP now uses the internal IP of the server, and I stopped forwarding port 3339 on the router. Done.
The technical part of this job was fun. Setting up an open-source VPN was a great learning experience for me, and it gives me a great new product. Salesmanship played a big part in this, though, and it does not come naturally to me. In the end, it was an easy sell. I charged the same price for the box as the other commercial guys do, but made the licensing fees my main selling point. Others charge per year; I charge a one-time fee. Perhaps for new clients I will offer a smaller yearly maintenance fee. Still learning.
About the author:
John Connelly owns and operates a home-based computer business serving homes, non-profits, and small to mid-sized businesses with their IT needs, including repair, networking, planning, and more. JC Computer Services has been in operation for 9 years, six of them in Plymouth, MA. His primary interest is problem solving, which keeps him getting up in the morning despite the fact that his boss is a workaholic.