VPNs – why so difficult?

After years of having technology allowing encryption and authentication to remote networks, why is it still so damn complicated?

I am the first to admit that I am not all-knowing about firewalls, encryption, and the like, but I use these devices (and software) regularly, and as an end user, it is just too damn complicated!

I have been trying to set up 2 Fortigate firewalls to allow me the ability to set up a VPN tunnel (with encryption of course) and allow full web browsing (though I do not want to limit it to that). I.e.: I want to have one firewall in my datacenter and the other will connect to it when required for service, and I can route a netblock down to the remote firewall, and have my systems behind the remote firewall online, firewalled, and able to reach the global internet.

This doesn’t seem like rocket science, but for the life of me, I can *not* make it work with any of the technical documents I have found online.

It just should *not* be this difficult. (I will expound on OpenVPN soon enough in this article.)

Setting up tunnels is pretty easy and it is what I have working already, tunneling from a Cisco 831 to a Cisco 7200VXR. I can set up GRE and IPIP tunnels without hassle (except for a problem where there are MTU issues and I need to reduce the MTU of my workstations behind my 831). This works, but it isn’t dynamic enough for my long term needs.

My goal is to be able to haul around (give to friends, go on vacation with) a hardware based firewall that is small enough to travel with, and when at my destination, connect up to my central hub and be online, encrypted, sourcing out my known IP block for my connection. This would allow me to go on vacation and bring my firewall with me, connect to the hub, and do everything I would need to do to get work done, all without being blocked by:

  • the temporary ISP’s blocking of port 25
  • the temporary ISP’s web filtering
  • the temporary ISP’s blocking of SIP traffic

Does that not sound cool? Would it not be great to be able to always know your IP address?

Would this not make it easier to set up corporate firewalls and filters since you could have a remote employee always coming from the same, known, IP address or range? I mean, don’t just assume the firewall is doing its job, implement authentication (XAUTH or something) to make sure that the hardware can’t just be stolen.

Would this not make it easier for geeks like me who are sick and tired of the constant filtering being done by so many ISPs providing so called service?

Sure, this puts more burden onto me and my network as I need to make sure that everything is happening correctly, my systems are up to date, and that any breach/virus/worm that happened to cause me hassles would be directly attributable to the IP address I just traveled with. But so be it, I’ll take that responsibility.

Cue in… OpenVPN.

Now this was easy to set up, even adding in routing and static routes. Then, with just a little more work, I had it doing exactly what I was trying to accomplish – I can route my network (or host) through the OpenVPN server without hassle or problem, and having the ability to use SSL certificates is pretty handy. With a little more work, I should be able to also add a layer of username and password on top of the already working certificate authentication.

To turn off a customer, I can issue a certificate revocation, effectively preventing the remote client from authenticating and routing traffic.
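As an added example (not the author’s actual configuration), here are the OpenVPN pieces that produce the setup described above: the hub routes a netblock down to the remote firewall with `route`/`iroute`, pushes a default route so everything behind the remote firewall sources from the known block, authenticates with certificates checked against a CRL, and optionally layers username/password on top. The hostname, file names, the 192.0.2.0/24 block and the verify-script path are placeholders.

```conf
# --- server.conf on the hub (datacenter) firewall ---
port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert hub.crt
key hub.key
dh dh.pem
tls-crypt ta.key
# Tunnel endpoint addresses for connecting clients (constructed example).
server 10.8.0.0 255.255.255.0
# Hub-side route for the travelling netblock (192.0.2.0/24 is an RFC 5737
# placeholder) into the tunnel; the ccd entry below says which client owns it.
# The hub must also have IP forwarding enabled.
route 192.0.2.0 255.255.255.0
client-config-dir ccd
ccd-exclusive
# Push a default route so hosts behind the remote firewall reach the internet
# through the hub, sourcing from the known block.
push "redirect-gateway def1"
# Certificate authentication plus a CRL: revoking a client certificate and
# regenerating crl.pem locks that client out at its next handshake.
verify-client-cert require
remote-cert-tls client
crl-verify crl.pem
# Optional username/password layer on top of the certificates; the verify
# script path is an assumption, and it reads the credentials from a temp file.
script-security 2
auth-user-pass-verify /etc/openvpn/check-user.sh via-file
cipher AES-256-GCM
auth SHA256

# --- ccd/remote-fw on the hub (file name = client certificate CN) ---
# Fixed tunnel address for this client, and the internal route telling OpenVPN
# that 192.0.2.0/24 sits behind this particular client.
ifconfig-push 10.8.0.10 255.255.255.0
iroute 192.0.2.0 255.255.255.0

# --- client.conf on the travelling firewall ---
client
dev tun
proto udp
remote hub.example.com 1194
ca ca.crt
cert remote-fw.crt
key remote-fw.key
tls-crypt ta.key
remote-cert-tls server
# Prompt for the username/password that the hub's verify script checks.
auth-user-pass
```

Revoking `remote-fw` and regenerating `crl.pem` on the hub is all it takes to cut that client off; without `crl-verify` the revoked certificate would still be accepted.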

Number of hours burned trying to get hardware firewalls going: more than 30

Number of hours burned getting OpenVPN to do what I wanted: 2

Winner so far: OpenVPN (and me)

I would still rather have the hardware firewalls doing this work – it would make my implementation easier for my needs, and allow me to give friends on those filtering ISPs real network accessibility.

One Reply to “VPNs – why so difficult?”

  • I have spent hours, upon hours, (upon more hours) trying to get Goofy Windows ISAKMP/OAKLEY setups to talk to OpenBSD. It was a pain, and it never fully worked, e.g.: IKECFG should push DNS/Virtual IPs/WINS to the client, but that never worked across installs.

    Long story short: I developed a process to create PKCS12 files for SafeNet and OpenBSD with ISAKMPD, abandoned that, and moved to OpenVPN and PKCS12 files, and it just works!

    Hours burned on trying to get Windows and ISAKMPD to work: 120 (yes, it was that bad)
    Hours burned setting up OpenVPN: 2-4, and it just worked!

    Mind you, site-to-site VPNs using OpenBSD just work as well, and they work great!