In message <(E-Mail Removed)>, peak man wrote:
> Can anybody help me sort out a VPN solution? I administrate a small
> network of around 30 computers. Half the machines are behind a NAT
> firewall and half have static IPs assigned to us by our ISP (for various
> reasons I won't go into).
>
> The main SMB fileserver is behind the firewall but I need a way for people
> to access it from home. So far I've figured a number of solutions:
>
> 1) FreeSwan/OpenSwan. Too complicated and involved for what is a very
> small network. For example, it seems to require DNS registration for our
> subnet before it can be used. I also struggle to understand much of the
> terminology.
>
> 2) PPTP via PopTop. I set this up successfully today but to encrypt data
> transfer with Windows clients, you need a special mppe kernel module. This
> has to be built against your current kernel so an automatic kernel update
> will break it (i.e. via yum). I don't fancy having to rebuild the module
> each time a new kernel is released (I use RPM package management on
> RH9/FC1 machines for my servers).
>
> 3) Simply putting the Samba server onto the Internet with a static IP. The
> data transfers won't be encrypted but the user authentication is. Trouble
> is that this could mean the entire fileserver is compromised should there
> be a bug in Samba.
>
> 4) A special machine that mounts the SMB server and provides outside
> access via its own SMB server. This means that if it gets compromised, all
> they can do is trash an otherwise empty machine (although I suppose
> they'll still be able to wipe files on the SMB mount).
>
I'm sure somewhere I've seen how to do Samba over ssl. There's a Windows ssl
proxy that can be used if they need to handle things. Or you could just use
ssh, I'm sure that could be used to port-forward the relevant ports. Just
have a machine with a static IP that accepts incoming ssh from the outside
world.
--
Dave
mail da
(E-Mail Removed) (without the space)
http://www.llondel.org/
So many gadgets, so little time...
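
The ssh port-forwarding suggestion in the reply above, sketched as an added example that is not part of either post: an `sshd_config` fragment for the static-IP gateway that lets remote users forward only to the SMB server and nothing else. The group name `smbtunnel`, the file server address `192.168.1.10` and the host name `gateway.example.org` are assumptions, and the `Match` options shown need a reasonably recent OpenSSH.

```sshconfig
# /etc/ssh/sshd_config on the machine with the static IP (constructed example).
# Assumed names: group "smbtunnel", file server 192.168.1.10 behind the NAT firewall.

# Global hardening: keys only, no root logins from the outside world.
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no

# Accounts in this group exist only to carry the SMB tunnel.
Match Group smbtunnel
    # Allow client-side (-L) forwards only; no remote (-R) forwards.
    AllowTcpForwarding local
    # The only destinations a forward may reach: SMB on the file server.
    PermitOpen 192.168.1.10:445 192.168.1.10:139
    # No shell, terminal, agent or X11 for tunnel-only accounts.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false

# Client side, run from home (-N requests no remote command, so the
# ForceCommand above never gets in the way of the forward):
#   ssh -N -L 127.0.0.1:1445:192.168.1.10:445 user@gateway.example.org
# The SMB client then connects to 127.0.0.1 port 1445, e.g.
#   smbclient -p 1445 //127.0.0.1/share -U user
```

With this in place a stolen tunnel key gives access to the SMB ports on the file server only, and the file server itself never needs a public address. Run `sshd -t` after editing to check the syntax before reloading the daemon.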