Home Network, VPN & Security

3

At the moment, my home network is comprised of 5 computers (3 laptops and 2 desktops), one of which is running Windows Server 2008 and works as a home repository for some of our files. We access the Internet through a Thomson TG784 router which receives two wireless connections and three wired ones, one of them passing through a switch. That said, we are not using a firewall anywhere and are thus relying 100% on the router's firewall capabilities. We have never had any problems so far, but now I would like to set up a VPN (maybe using RRAS or OpenVPN) so that I can access computers here from outside. The problem is that I am really unsure if I should do this since it means forwarding at least one port to one computer (which would be the Windows Server 2008 one), thus opening, as far as I understand, all the network to the outside. So, my questions are indeed three:

1) Is the current setup we have adequate in terms of security, or should we be using a firewall on each computer (even without any VPN or port forwarding)?

2) Will it be safe to set up a VPN on such a network or am I risking unwanted access to the network?

3) In case I really decide to set up the VPN, how should I configure it and the machines in the network for security?

User

Posted 2011-07-30T11:49:39.070

Reputation: 131

Answers

2

To answer your questions:

  1. The current setup is adequate. Your router can act as a decent, albeit not full-featured, firewall (clearly a professional firewall is better, and will offer many more options, and deep packet inspection). If you really wish to have added security, you can certainly enable the software firewalls; however, having port 3389 open for your firewall, forwarded to your server only, they are not going to be able to get to the other computers anyway, unless they somehow guess your VPN username and password.
  2. Any open ports or access from the outside is a risk: Heck, being connected to the Internet is a risk. That said, you have to weigh the risks against the benefits, and only you can really do that. I would say the risk is low, and that I have done this exact thing for years for businesses.
  3. There is not much to configure unless you want to add a certificate server, and issue your laptops certificates so only they can access the VPN. Be warned, that will secure you a lot more, but it is a lot more involved to set up, and would be a separate question, probably on Server Fault. Once you set up the VPN, and they connect to the network, it is like you virtually plugged your computer into the switch. You can access drives on the server, or if you are in a situation with a laptop remotely, and a desktop system running a Pro version of Windows, you can use the laptop to RDP to the desktop. In this scenario, you are doing all the work on the LAN, so there is very little latency with large files, only the screen paints and mouse/keyboard clicks with RDP.

One last thing: your laptop may suffer performance issues if you have drive mappings to the server, and the server is not there (not connected locally or via the VPN). You might want to use scripts to map and unmap drives as necessary.

KCotreau

Posted 2011-07-30T11:49:39.070

Reputation: 24 985

0

Use Hamachi. You can easily create VPN tunnels and never need to open a port on your router. I use it since I travel with my laptop but need to access files on my home servers or I may need to update settings/VMs on my private cloud.

kobaltz

Posted 2011-07-30T11:49:39.070

Reputation: 14 361