Setting VPN server without static IP... Is it possible and safe?

Status
Not open for further replies.

pari22

Technical User
Nov 7, 2003
One of my new clients just got a cable connection and wants to set up a VPN.
The ISP did not and does not give a static IP for the service.
I've heard VPN without a static IP is possible, but is it safe and dependable?
If so, how/where/what do you need?

Here is some info:

Server:
Win2k ADV. DC. FSS. Exchange.

Client:
Win2k Pro/WinXP Pro - also has a cable modem connection without a static IP

Cable modem is connected to DLink gateway/router - hosting DHCP.

Thank you very much for your future help.
 
I have done just what you are asking about.

The VPN has been up and running for 5 months and the dynamic IP from Blueyonder has only been changed once. (This is the only downside.)
I sent out 7 e-mails telling the users how to change the IP address on the home machines and all was put right in a few mins.

As for is it safe? I don't know. Personally I have not had any problems.

My setup is the same as yours except for Exchange.
Hope all goes well.
 
Setup is just as safe, as long as you have good security on the gateway/server.

Use to set up an alias, i.e. instead of your client PCs putting your IP address they put yourcompany.dyndns.org and that maps to your dynamic IP address. When the IP of your gateway changes it will update dyndns.org to your new IP and then pass it on to your client PCs.

I use it all the time with clients in similar situations and it works a treat!
 
I agree with PaulGillespie!

I set up my VPN using the same service and it's free up to 5 entries. The IP from the ISP changes randomly, but by using dynamic DNS, your FQDN gets updated as the change occurs. No need to remember an IP address, just an FQDN (i.e. homelan.homeip.net).
 
I will disagree with the others on this one somewhat.

If you use a dynamic DNS service, it's pretty much an advertisement that . . .

A) You have at least one service intentionally open to the internet.

B) You most likely do not have the budget to maintain a fixed IP.

A hacker could reasonably guess that there are more services exposed that you have not properly secured. Not always the case, but certainly more likely given the situation.

Also likely that the firewall is not as robust as you would find at a large corporate site. Hosting companies and companies with large IT budgets generally are not expected to use a dynamic DNS service. Several other factors related to the security of a server belonging to a large company vs security at a smaller company or a home user.

Now, I don't think that any of these are good reasons to abandon the idea altogether. Dynamic DNS is a wonderful service. I use it for several locations.

Do make sure you are properly secured. If you have a router of some sort doing NAT, forward only the ports and protocols that you really need. If you don't have one, find one. I personally like a good Linux box with netfilter, but that is a bit of a learning curve.

Make sure that your VPN server is using authentication, and make sure that plain text passwords are not involved in the process. Passwords should not be short and sweet, and user names and/or passwords should not be similar to or related to the name you use for the dynamic DNS.

On that same note, the name that you use should not be obvious, either about the owner or the services provided -- a company called 'ABC Supply' should not use abcsupplyvpn.dyndns.org.

Again, not trying to discourage dynamic DNS by any means, just cover your bases if you use it.
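
The naming advice in the post above, as an added example that is not part of the original thread: a Python check that flags a dynamic DNS label which reveals the owner or the service, or which resembles a VPN username. The keyword list, the similarity threshold and every sample value other than abcsupplyvpn.dyndns.org are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed keyword list: words that reveal which service the host offers.
SERVICE_WORDS = ("vpn", "pptp", "mail", "exchange", "owa", "rdp", "remote", "ftp")


def _norm(text):
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def audit_ddns_name(fqdn, org_name, usernames, threshold=0.75):
    """Return findings for the left-most label of a dynamic DNS hostname."""
    label = _norm(fqdn.split(".")[0])
    findings = []

    # Owner leak: the full organisation name, or any word of it (3+ chars).
    tokens = [_norm(org_name)] + [_norm(w) for w in org_name.split()]
    hit = next((t for t in tokens if len(t) >= 3 and t in label), None)
    if hit:
        findings.append(f"label reveals owner ({hit!r})")

    # Service leak: the label names what is listening behind it.
    hit = next((w for w in SERVICE_WORDS if w in label), None)
    if hit:
        findings.append(f"label reveals service ({hit!r})")

    # Credential hint: a VPN username that contains, or closely matches, the label.
    for user in usernames:
        u = _norm(user)
        if not u:
            continue
        close = SequenceMatcher(None, u, label).ratio() >= threshold
        if u in label or (label and label in u) or close:
            findings.append(f"username {user!r} resembles label")
    return findings


if __name__ == "__main__":
    # Constructed sample data; only abcsupplyvpn.dyndns.org comes from the thread.
    for name in ("abcsupplyvpn.dyndns.org", "q7-harbor-19.dyndns.org"):
        print(name, audit_ddns_name(name, "ABC Supply", ["abcsupply", "jsmith"]))
```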


 
Thank you all for your help and input.
Tested dynamic DNS, and it is good enough.
mhkwood, thank you for your concerns and input. However, like I noted before, a static IP is not an option here, and all the security settings and precautions are factors even if you use a static IP.
Thank you very much anyway.

-This case is Closed.
 