Advice on Setting up a VPN on a small business network

I am working with a small business (4 people) and I'm looking into setting up a VPN. The primary need is to be able to connect to an ACT database remotely.

We don’t really need a lot of remote access. I have never set up a VPN before. I know Windows comes with the ability to set up a VPN and then you have to configure the router to forward the appropriate ports. I tried to do research on this, but with VPN for downloading it is hard to find any useful information in this context.

Any experience anyone has with setting up or working with a VPN in this context, I would appreciate any input. Anything to think about. Software I should or should not use. Any settings you feel are important. Any tips or tricks... it would be greatly appreciated.

I will have to configure a Verizon modem/router. The server is Windows 10. It is using the 192.168 IP set.

Thank you in advance.

If your router doesn't do it (being a Verizon, it almost certainly doesn't), then you either invest in some software that does it, or buy a different router that will. There are basically 2 types you have to worry about, either hardware-based VPNs or software-based ones. The hardware-based ones are really just software-based ones in dedicated packaging. There isn't really magic to it. So it depends on what you are after. If your users travel around a lot, then you probably want a software-based VPN. If they generally stick to home/work then a hardware-based VPN might be fine. Linksys and friends make hardware VPN router boxes you can take and plug in, one at the office and one at home, etc., and it just works, for the most part.

Software VPNs are a bit trickier to set up, but they are also a lot more flexible. The OSS big kahuna is OpenVPN; it's a bit tough for newbies to set up, but it's pretty reliable and works fine, once you get it there.

Otherwise you pretty much have to pay for it. Every network and network-adjacent vendor, it seems, sells a VPN, so you have a bajillion choices. I'm not familiar enough with the commercial crowd to know what's decent and what isn't, but you can probably try them all out and see which one seems to work best for you.

Around VPNs being secure, they all are mostly OK-ish at it.

Google’s Security team would probably say don’t use a VPN and just ACL and secure the poop out of your ACT database and proxy/relay traffic to it after authentication and authorization.

Ideally, the boss wants to be able to access ACT from anywhere... like sitting in a cafe doing work. In reality, he'll probably be doing 99% of it at home.

Are you looking to set up a site-to-site VPN where the connection is always on, or more like an on-demand type where you establish the connection when you need it?

What kind of firewalls are you using?

Typically your firewall would handle VPN connections.

Like what /u/HODL43 said, we need to know what kind of firewalls (if any) you’re using.

Deskroll and TeamViewer are good options for remote access.

Untangle. OpenVPN module. Idiot-proofed.

Database connection over VPN, no, no...
Have users remote desktop into their machine to work.

Security issues and the boss:

This can easily be executed through ACT Premium, which sits in the cloud. However, my boss is convinced there is a decent likelihood that the company (Sage, the ACT publisher) will mine his contacts and sell them. I find this crosses the line to counterproductive paranoia.

While I understand how frightening and confusing it all must be for someone who doesn’t understand cybersecurity, I see it as my job to help him make good business decisions that balance risk vs. reward.

Yes, freeware companies like Facebook sell your social media data to monetize their free service. Yes, Home Depot uses an old version of Windows NT on their mission-critical POS systems and doesn't want to take down their systems to apply necessary patches. (Must be very difficult when you are running a 24/7 retail store.) Even companies like Evernote got hacked.

However, that is a far cry from Sage mining and stealing its own customers' data. The irony is, the current security in the office is pretty weak. We are using a standard Verizon modem/router/firewall and Windows 10 computers with the basic firewall and security software and settings. Moreover, he logs into his ACT database internally, and doesn't have a password on his account.

How do I frame a conversation to help him use standard technology with minimal risk, while locking down things for the most likely intrusions?

There is no perfect security. You make security decisions using the same risk/cost benefit calculation as you do in the physical world. Most people don’t have 10 locks on their front door, and leave their back door open. Most people don’t spend $3,000 on a security system for a $2,000 car. Most people are willing to drive a car, when it is probably the most dangerous thing we can do…statistically speaking.

So the goal for me is to figure out how to educate him and help him make good business decisions, while incorporating reasonable best practices for security. Any suggestions, links to information, etc., would be appreciated.

Most likely ACT will run poorly over a VPN. I’d use some sort of remote desktop solution.

Untangle Next Generation Firewall is free, very easy to set up, and has a great implementation of OpenVPN. It will set up its own certs and once it’s set up all you have to do is download the profile.
It also has a lot of other great functionality - even in the free community edition.
It will run on a commodity PC with two NICs. I’ve implemented it in dozens of places.
You can implement the VPN in network mode (always on site to site connection) or in client mode, where the NGFW acts as an OpenVPN server.
I typically use either a used or cheap barebones PC with 2GB of RAM and a 60GB SSD with a Celeron CPU - this provides plenty of power for a home or small business. It doesn't like some of the newer micro ATX mobos, but I've found one that works very well and is inexpensive from AliExpress. Or you can slap an Intel NIC into an old Dell desktop and Bob's your uncle.
The OpenVPN server works very well - I’ve seen it easily handle 10 concurrent user connections with no problems.

How is it safe somewhere when remote access is enabled and available to the internet without a VPN?

Just whatever firewall is built in to Windows and the Verizon Modem/Router.

It sounds like a software VPN is going to be necessary.

Also I would advise against forwarding ports 1433/1434. That’s hanging out a sign that says “MSSQL Server - Hack Here.” Use an alternate port up in the stratosphere if you absolutely must use port forwarding, but even that’s not the best idea. Implement a VPN and make your users connect securely to the network and then make the database connection to the local internal network address. No open ports that way except the one for the VPN.
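An added example (not from the thread) that puts the last point into a check a practitioner can run: it audits a router's port-forward list and judges each rule by the internal destination port, so a forward to 1433 hidden behind a high external port is still flagged, and only the VPN listener passes. The rule format and the sample rules are constructed for the example.

```python
import re
from dataclasses import dataclass

# Internal services that should only be reachable across the VPN.
RISKY_INTERNAL_PORTS = {1433: "MSSQL (TDS)", 1434: "MSSQL Browser",
                        3389: "RDP", 445: "SMB"}
# The one inbound port a VPN-only design needs (OpenVPN default, assumed).
VPN_PORTS = {1194: "OpenVPN"}

# Constructed rule format: 'ext_port/proto -> internal_ip:internal_port'.
RULE_RE = re.compile(
    r"^\s*(?P<ext>\d{1,5})/(?P<proto>tcp|udp)\s*->\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d{1,5})\s*$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "block", "review" or "ok"
    reason: str


def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable forward rule: {line!r}")
    return int(m["ext"]), m["proto"].lower(), m["ip"], int(m["int"])


def audit_forward(line):
    ext, proto, ip, internal = parse_rule(line)
    if internal in RISKY_INTERNAL_PORTS:
        # A non-standard external port only changes what the scanner sees
        # first; the service behind it still answers with its own banner.
        how = ("on its standard port" if ext == internal
               else f"behind non-standard external port {ext}")
        return Finding(line.strip(), "block",
                       f"{RISKY_INTERNAL_PORTS[internal]} on {ip} exposed {how}; "
                       "reach it over the VPN on the internal address instead")
    if internal in VPN_PORTS and ext == internal:
        return Finding(line.strip(), "ok", f"{VPN_PORTS[internal]} listener")
    return Finding(line.strip(), "review",
                   f"unrecognised service {proto}/{internal} on {ip}; justify or remove")


def audit(rules):
    """Findings for every non-blank rule, most severe first."""
    order = {"block": 0, "review": 1, "ok": 2}
    return sorted((audit_forward(r) for r in rules if r.strip()),
                  key=lambda f: order[f.severity])


# Constructed sample export resembling a consumer router's forward list.
SAMPLE_RULES = """
1433/tcp -> 192.168.1.10:1433
1434/udp -> 192.168.1.10:1434
51433/tcp -> 192.168.1.10:1433
1194/udp -> 192.168.1.2:1194
8080/tcp -> 192.168.1.20:80
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f.severity:6}] {f.rule:32} {f.reason}")
```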