Many businesses considering a Virtual Private Network (VPN) to cover their internet and database applications share the same setup concerns. You want to know the most efficient and cost-effective approach to get “from here to there”. You'll also want to evaluate whether to go with a site-to-site connection or a per-user client connection approach. Plus, you'll want some idea of the best options for appropriate hardware.
To help this learning opportunity along, let's set up a realistic practical example, and then address each of the concerns around this scenario.
You have 10 satellite offices spread some distance apart, each with multiple users, that you want to connect to a central headquarters location.
For this scenario, here are my suggestions to address the most common setup concerns.
First, a site-to-site connection is best: by having two VPN endpoint routers talk to each other, every computer behind each router is connected, as opposed to paying (say) $35 or more per computer to have a client loaded. Depending upon what router you buy, some come with PPTP and IPsec VPN clients already installed, so you're all set.
Next, the type of network connection you are going to be using (cable, xDSL, T1, or DS3) is a critical element. Depending on the size of your usage base (the number of users and the load each places on your network), you should consider a T1 line as your backbone. You can always scale up as the need arises (to a bonded T1 or DS3) or scale down if warranted (fractional T1). This level of dedicated bandwidth circuit also affords more reliability, stability, and scalability, not to mention a QoS (Quality of Service) and SLA (Service Level Agreement) from providers who offer these levels of circuits. That makes business sense.
Remember to gauge your budget for hardware, and also determine whether you expect to have any folks traveling who'll need remote access. The former I'll address next. The latter bears on the circuit size decision discussed above.
For the guts of the network, your common choices run the gamut of Linksys, SMC and Netgear; Zywall is another option; and so is OpenVPN, which is script based. The deciding factors will always be “cost” and “ease of configuration.” Then again, if you're one who doesn't mind a little work (and you shouldn't be, if you're in the network game), a little overtime is necessary and worth it with some solutions.
Alright, for hardware, here are some ideas.
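The site-to-site approach from earlier (one VPN endpoint per office, every machine behind it carried by the tunnel) expressed with the script-based option just named, as an added example that is not from the original post or from any vendor: it generates hub-and-spoke OpenVPN configuration for the 10-office scenario, with headquarters as the server and each office router as a certificate-authenticated client. Everything concrete is an assumption: HQ LAN 10.0.0.0/24, office i LAN 10.i.0.0/24, tunnel network 10.8.0.0/24, HQ reachable at the placeholder name hq.example.invalid, and certificates already issued with common names `hq` and `office<i>`. Syntax is OpenVPN 2.4 or later.

```python
"""Hub-and-spoke OpenVPN site-to-site configs for N satellite offices.

Added example. Addressing plan, hostnames and file names are constructed
assumptions, not values from the original post.
"""
import ipaddress

HQ_LAN = ipaddress.ip_network("10.0.0.0/24")        # assumption
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")    # assumption
HQ_PUBLIC_NAME = "hq.example.invalid"               # placeholder public endpoint
PORT = 1194


def office_lan(i):
    """Constructed plan: office i sits behind 10.<i>.0.0/24."""
    return ipaddress.ip_network(f"10.{i}.0.0/24")


def server_conf(n_offices):
    """HQ endpoint. A kernel route per office LAN sends packets into the tun
    device; the HQ LAN is pushed to every office. Office LANs are deliberately
    not pushed here, because a client must never receive a route to its own
    LAN; those pushes live in each office's ccd file."""
    lines = [
        "dev tun", "proto udp", f"port {PORT}", "topology subnet",
        f"server {TUNNEL_NET.network_address} {TUNNEL_NET.netmask}",
        "ca ca.crt", "cert hq.crt", "key hq.key", "dh dh.pem",
        "tls-auth ta.key 0",        # HMAC on the control channel: unsigned packets are dropped early
        "remote-cert-tls client",   # only certificates issued for client use may connect
        "cipher AES-256-GCM",
        "client-config-dir ccd",    # per-office iroute/push files
        "client-to-client",         # office LANs may reach each other through HQ
        f'push "route {HQ_LAN.network_address} {HQ_LAN.netmask}"',
        "keepalive 10 60", "persist-key", "persist-tun",
    ]
    for i in range(1, n_offices + 1):
        lan = office_lan(i)
        lines.append(f"route {lan.network_address} {lan.netmask}")
    return "\n".join(lines) + "\n"


def ccd_entry(i, n_offices):
    """ccd/office<i>: iroute tells the server which connected client owns
    10.<i>.0.0/24 (the kernel route alone only reaches the tun device).
    Every other office's LAN is pushed so spokes can talk to each other."""
    own = office_lan(i)
    lines = [f"iroute {own.network_address} {own.netmask}"]
    for j in range(1, n_offices + 1):
        if j != i:
            other = office_lan(j)
            lines.append(f'push "route {other.network_address} {other.netmask}"')
    return "\n".join(lines) + "\n"


def client_conf(i):
    """Office router config; it dials HQ and accepts the pushed routes."""
    lines = [
        "client", "dev tun", "proto udp", f"remote {HQ_PUBLIC_NAME} {PORT}",
        "nobind", "resolv-retry infinite",
        "ca ca.crt", f"cert office{i}.crt", f"key office{i}.key",
        "tls-auth ta.key 1", "remote-cert-tls server",
        "cipher AES-256-GCM", "keepalive 10 60", "persist-key", "persist-tun",
    ]
    return "\n".join(lines) + "\n"


def generate(n_offices):
    """All files for the deployment, keyed by relative path."""
    files = {"server.conf": server_conf(n_offices)}
    for i in range(1, n_offices + 1):
        files[f"ccd/office{i}"] = ccd_entry(i, n_offices)
        files[f"office{i}.conf"] = client_conf(i)
    return files


def routes_in(conf):
    """Networks named by route, iroute and push "route ..." lines, so a generated
    file can be checked before it is copied onto a router."""
    nets = []
    for line in conf.splitlines():
        words = line.replace('"', "").split()
        if words and words[0] == "push":
            words = words[1:]
        if len(words) == 3 and words[0] in ("route", "iroute"):
            nets.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
    return nets


if __name__ == "__main__":
    for path, body in generate(10).items():
        print(f"# {path}\n{body}")
```

Once the per-site LANs and the server's `route`/`iroute` pairs line up, adding an eleventh office is one more ccd file and one more `route` line at HQ; the `routes_in` check catches a spoke that was pushed its own subnet, which otherwise shows up as a black-holed LAN rather than an obvious error.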
From the Linksys SOHO/SMB turnkey solution department, I submit the following hardware devices. Many IT managers use Newegg.com for a source because they have good prices (in my opinion).
1) WRV54G – “Severely” underrated. Supports 50 IPsec VPN tunnels and 5 onboard QuickVPN IPsec VPN clients; you can upgrade the client count from 5 to 50 (yes, it's real VPN). Does not support NAT-T/GRE, so you cannot configure a Microsoft VPN server connection with this unit.
2) WRT54GL routers using DD-WRT 24B VPN edition firmware. It supports both client and server OpenVPN. This is very secure and stable, and far less expensive, while keeping with the hardware VPN direction, than anything else I have found.
3) RV016/042/082 – All support a minimum of 5 IPsec VPN tunnels (or more) and a minimum of 5 QuickVPN clients (with the same upgrade option as the WRV54G). The units support NAT-T/GRE, have an onboard PPTP server with 5 clients, and allow you to configure a Microsoft VPN server behind them for additional PPTP/L2TP clients (128 in total).
4) WRVS4400N – Supports 5 IPsec VPN tunnels and 5 QuickVPN clients (no upgrade option as of yet), and supports NAT-T/GRE. Additionally, you have port-based VLANs, IDS/IPS services including email alerts, user-definable access control lists, definable services, IPv4/IPv6 support for LAN connections, and WMM for improved QoS for video/audio. Yes, I'm showing favoritism on this one. I have friends currently testing it, and it's looking like the Linksys products of old.