Hey guys. I’ve recently come on board with an MSP that primarily manages small-medium size businesses (I believe most of our clients are dental practices) that have maybe three or four sites at absolute max. My work experience in the field has primarily been inside the LAN so far and as I get trained for our operations and build my skills one of the things I want to get more familiar with is site-to-site networking so I can recommend solutions to our clients according to their needs and budget. Most of our operation is vendor support for practice management software but we do manage core networking infrastructure as well.
If our company has administered network equipment for a client then it will be Unifi switches and Sonicwall firewalls, both of which I’ll get up to speed with hopefully shortly, but some have very basic ISP-provided hardware. I believe that we do not administer to home offices.
I’m familiar with the overall concept of site-to-site networking, but as far as the execution goes I was looking for some pointers: are there pure software solutions in the FOSS domain that can feasibly be utilized here, possibly with improvised hardware like a spare computer to act as a server? If not, what would be a good budget hardware solution for a small-medium business, and what would the limitations be (e.g. number of concurrent users and/or licenses, etc.)? Also, particulars of different VPN clients/protocols, any HIPAA-related caveats, and so on and so forth. A brief explanation of the overall logic of each solution would be helpful as well; if I need to do some research/reading, that’s perfectly fine too.
Site-to-site is done between the firewalls, in your case the SonicWalls. You have what you need already. I wouldn’t recommend site-to-home, use a client VPN for that purpose.
It does sound like you are asking more about client VPN here. Again, SonicWall can license for concurrent sessions, others will do similar. Get a firewall and leverage bridge mode for those just using ISP hardware like the Comcast Business Gateway.
As for client VPN… I would advise limiting access to client hardware and not home PCs. That’s where policy and regs come into play. Similarly, resource access on a VPN session should be limited in nature, meaning access rules should be in play.
Check /r/networking for more info.
As you have a policy of SonicWall, I would read up on what that can do first and see if it fits the requirements.
If you’re already buying in on the Unifi, the Unifi Security Gateways do site-to-site VPN very easily, albeit with some caveats. The USGs need the public IP on their WAN interface, no double NAT. They need to be adopted to the same controller, so the controller needs to be visible on the internet and “layer 3 adoption” done, and last I checked the “dream machines” don’t work for this.
But once the requirements are met you just tell Unifi to do site-to-site VPN between two selected sites and it does it, no detailed manual setup needed.
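As an added illustration of the “public IP on the WAN interface, no double NAT” requirement (this is not from the thread or from Ubiquiti’s tooling), here is a small Python check that classifies a gateway’s configured WAN address and compares it with the address seen from outside; the site names and addresses are constructed sample data.

```python
import ipaddress

# Address ranges that never appear as a genuine public WAN address. A WAN
# interface holding one of these sits behind another NAT device (an ISP
# gateway in router mode, or carrier-grade NAT), i.e. double NAT.
_NON_PUBLIC = {
    "rfc1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
}


def classify_wan_address(addr: str) -> str:
    """Return 'public' or the name of the non-routable range addr falls in."""
    ip = ipaddress.ip_address(addr)
    for label, nets in _NON_PUBLIC.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def check_site(name: str, wan_addr: str, observed_addr: str) -> tuple:
    """Compare the address configured on the WAN interface with the address
    an outside service reports for the site. Returns (name, verdict, detail)."""
    kind = classify_wan_address(wan_addr)
    if kind != "public":
        return (name, "double-nat",
                f"WAN interface holds a {kind} address ({wan_addr}); "
                f"outside world sees {observed_addr}")
    if wan_addr != observed_addr:
        return (name, "mismatch",
                f"WAN address {wan_addr} is public but outside sees "
                f"{observed_addr}; check upstream NAT or a stale DDNS record")
    return (name, "ok", f"WAN address {wan_addr} is public and matches")


def audit_sites(sites) -> list:
    """Run check_site over (name, wan_addr, observed_addr) triples."""
    return [check_site(*site) for site in sites]


# Constructed sample data (documentation address ranges, not real sites).
SAMPLE_SITES = [
    ("main-office", "203.0.113.10", "203.0.113.10"),   # fine
    ("branch-1", "192.168.100.2", "198.51.100.7"),     # ISP gateway in router mode
    ("branch-2", "100.70.3.9", "198.51.100.44"),       # carrier-grade NAT
    ("branch-3", "198.51.100.80", "198.51.100.81"),    # public but not what outside sees
]

if __name__ == "__main__":
    for name, verdict, detail in audit_sites(SAMPLE_SITES):
        print(f"{name:12} {verdict:11} {detail}")
```

Sites reported as double-nat need the ISP device put into bridge mode (as suggested elsewhere in this thread) before the gateway can hold the public address itself.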
Your Sonicwalls can handle that role nicely.
Client VPN is a consideration as some of our customers do have remote needs but I figured I’d get site-to-site under my wing and then I could easily fold client VPN into that knowledge (since presumably it’s just as simple as installing OpenVPN on a hardened mobile device).
I’ve been told by my superiors that SonicWall charges by number of licenses, which is a big motivator in my posting this, as I’d like to offer our clients the cheapest solutions possible given their size, regardless of how convoluted the process (for me, not for them).
Any considerations regarding dynamic WAN addresses?
The USGs need the public IP on their WAN interface, no double NAT
It’s possible, but it required writing some absolutely horrible custom JSON…
The controller needs to be reachable by domain name or IP address; dynamic DNS services can handle that. Besides that, to my knowledge dynamic IP addresses aren’t a problem, but then our IPs don’t change often. Maybe if it’s changing every hour or something silly like that it’d be an issue.
Are public addresses pretty reliably stable? I have no idea what a typical lease time is for a public address, so I don’t know if they’re semi-permanent until some kind of outage event occurs or whatnot, or if they regularly do automatic cycling, and so on.
Either way I’ll review some dynamic DNS providers.
Generally (for Comcast in my region, at least) dynamic IP addresses don’t change often, even if you tell your device to release and renew. I would still recommend a dyndns because I have seen it change after a maintenance window or after I alter something billing-related on my account.