Accessing LAMP application behind VPN 1

Status
Not open for further replies.

giovanni4000

Programmer
May 15, 2013
Hello,

I need your help...
Our office has a web-based application (using LAMP - Linux, Apache, MySQL, PHP) on a Slackware Linux server at our office. We have 3 branches located in other cities. We want to access the application from each branch using a simple browser, but the application MAY NOT be accessed by the public. The cost must be as cheap as possible.

*) Is there any other solution cheaper than VPN?

*) Is it possible to access the webserver via VPN?

*) Planning: client browser (Windows) with dynamic IP => internet => Router + Firewall (Slackware Linux) => webserver (Slackware)

Where is the best position for the VPN: on the same server as the webserver, or on the Router+Firewall server?

Any suggestion is very helpful.
Thank you very much.
Best Regards,
= gio =
 
With dynamic clients you will need some form of VPN. You could use a VPN router, e.g. a Cisco, to give your clients a LAN address that can access the web server, which will cost about $300 for a small Cisco with up to 10 concurrent users (IPSec VPN). Alternatively, you could use SSH (on Windows use PuTTY) and create a tunnel that sends browser traffic to the server. This is how I connect remotely when I want to do things like adjust the router(s) that aren't accessible from the public side. In either case, make sure the Apache host is not listening for connections on the public IP or is otherwise blocked.
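One way to check the last point in the post above (Apache not listening on the public IP), as an added example that is not part of the original thread. It parses `ss -ltn` output and reports web ports bound to a wildcard or non-internal address; the sample output, the addresses in it and the function names are constructed for illustration, and it checks bindings only, not firewall rules.

```python
import ipaddress

# Ranges treated as "internal": loopback plus RFC 1918 / IPv6 ULA space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]
WEB_PORTS = {80, 443}

# Constructed sample of `ss -ltn` output; 203.0.113.5 stands in for the public IP.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    192.168.1.10:80     0.0.0.0:*
LISTEN 0      511    203.0.113.5:443     0.0.0.0:*
LISTEN 0      511    [::]:80             [::]:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
"""

def classify(host):
    """Return 'wildcard', 'internal' or 'external' for a listen address."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"
    ip = ipaddress.ip_address(host)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def exposed_web_listeners(ss_output, ports=WEB_PORTS):
    """List (address, port, kind) for web ports not bound to an internal address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header row and any non-listening sockets
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        kind = classify(host)
        if kind != "internal":
            findings.append((host, int(port), kind))
    return findings

if __name__ == "__main__":
    for host, port, kind in exposed_web_listeners(SAMPLE_SS):
        print(f"port {port} listening on {host} ({kind}): "
              "bind it to the LAN/VPN address or block it at the firewall")
```

On the server itself, feed the function the real output of `ss -ltn` instead of the sample.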
 
OpenSSL can be used to create a VPN & should be available for your Linux server. How much cheaper do you need? :)

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
Hallo Noway2 & IPGuru,

Thank you for your information. I got some other information about this:

a) Using the D-Link DFL family, which is cheaper than Cisco (actually Cisco is OK at $300 USD :), and D-Link has almost the same result as Cisco. But I still don't know; maybe I must also use 1 hardware unit (VPN+Firewall+router with IPsec) for each client. So, I need 1 for the server side and 3 for the clients (each branch needs 1 hardware unit). This solution has no problem with dynamic IP.

b) A friend told me to use OpenVPN (still learning it), which uses SSL VPN (more secure than IPsec or PPTP). I need 1 Linux box for VPN+firewall+router at the server side, and just use the OpenVPN GUI client at the client side (Windows). So I just need 1 hardware unit & 3 software installs. The hardware need not be expensive (a PC with a Celeron processor is enough, with Slackware OS inside). I still don't know whether dynamic IP will work or not with OpenVPN AS (server side) & OpenVPN GUI (client side).

Any ideas?

Thanks
Gio
 
> Using the D-Link DFL family, which is cheaper than Cisco (actually Cisco is OK at $300 USD :), and D-Link has almost the same result as Cisco. But I still don't know; maybe I must also use 1 hardware unit (VPN+Firewall+router with IPsec) for each client. So, I need 1 for the server side and 3 for the clients (each branch needs 1 hardware unit). This solution has no problem with dynamic IP.

I would stay with the Cisco over D-Link, given that the Cisco client software is in such wide use and availability. You only need one firewall/router at the server; the clients only use the client software.

> A friend told me to use OpenVPN (still learning it), which uses SSL VPN (more secure than IPsec or PPTP). I need 1 Linux box for VPN+firewall+router at the server side, and just use the OpenVPN GUI client at the client side (Windows). So I just need 1 hardware unit & 3 software installs. The hardware need not be expensive (a PC with a Celeron processor is enough, with Slackware OS inside). I still don't know whether dynamic IP will work or not with OpenVPN AS (server side) & OpenVPN GUI (client side).

This is another option and it is inexpensive. The hardware you describe should be more than sufficient. This approach will likely take more effort than the hardware approach.

Either approach will work fine with CLIENTS with dynamic IP addresses. If your SERVER uses dynamic IP, you will need a service such as DynDNS to map your domain to your changing IP address.

In either approach, one of the biggest challenges I have seen is getting the NAT or routing rules to properly access LAN-based machines behind the server/VPN gateway.

Lastly, in terms of security, you need to implement in layers. Do not rely upon your VPN for system security, and implement proper authentication and other mechanisms on all of the machines. If you take a proper layered approach, the differences between IPsec and SSL for your VPN should be moot.
 
Thank you, Noway2. You are fully right. In the case of a dynamic server IP (using DynDNS), is it available on the Cisco VPN router? Or is there another solution? (I have never installed or set up DynDNS for Slackware :)

Thanks
Gio
 
> In the case of a dynamic server IP (using DynDNS), is it available on the Cisco VPN router?

There are two ways to approach it. The first is to configure the service in the router. I am not certain about the dynamic DNS with the Cisco, and my instinct, which seems to be confirmed by some searching, is to say no. Caution is required here because there are multiple meanings to the term dynamic DNS. One is like we're discussing: a service that points a domain to a changing IP. The other is one that updates the A and PTR records when hosts dynamically connect and disconnect (e.g. with Bind and DHCP), and the Cisco does support this. The second approach is to use a software client which looks at your public IP and updates the configuration as the IP changes. DynDNS has one for free. This should work independently of the hardware.

One alternative you might consider is Sonicwall, which I know for certain does support DynDNS and NoIP. I can't speak for new unit price, but I picked up a used Sonicwall for $100. The up (and down) side to Sonicwall is that they are very Windows-centric. If you have Windows clients only, connecting via VPN is VERY easy.

I've never heard of the Open Kiosk before. While I like Slackware and think it is a fine distribution, if you find you are looking for software packages like that, you may find a more mainstream distribution to be easier to support.

 
The Linux box being used for the VPN server should be able to run the DynDNS client without any issues.

In fact, that is pretty much the setup I have for my home network.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 