Small & Medium Business Cost Effective Virtual Private Network (VPN) Tunnel

Warning: This article was published many years ago (more than two), on May 1, 2016. Some information may be outdated.

[su_tabs]

[su_tab title=”VPN”]

While consulting for a business with about 20+ Cr INR (3M USD) in revenue, it was a challenge to have a full-fledged IT team to manage the network and other IT-related matters.

The primary issue was the accounting package “Tally ERP9”, a popular package licensed as a multi-user server, which lacks remote connectivity except through “tally.net”, a DDNS service hosted by Tally. Tally now provides a sync facility, but expects each branch to buy its own licence, which must be renewed every year.

There are many hardware suppliers, like Cisco and Netgear, which provide VPN routers such as the RV80 or the VPN firewall from Netgear; again, these are licensed per connection. They are worth the money but involve issues beyond a small business person. Finding a person skilled in VPN tunnels is also quite a challenge.

With the necessity of WiFi at every location, one piece of IT hardware that is a must is a WiFi router. While evaluating the available routers against the cheap stuff, the ASUS routers ranked number one. I have personally used these and Linksys routers; the difference was that ASUS was using custom-built DD-WRT firmware, while on the Linksys we had to load the community DD-WRT firmware. Although on a personal level I prefer to customise the solution, with the cyber security threat it is better to use stock firmware, which is monitored by the OEM for any leaks or threats.

Cyber theft may not be a major concern for a small business, but with the Digital India drive from the Govt. of India most transactions are now online, so an unprotected private network will be misused; hence some level of protection is required. One such OEM is Cyberoam.

The higher-end ASUS routers provide security features along with VPN, hence for this project I have chosen the ASUS AC68U (20K INR; the ASUS AC88U with dual LAN at 24K is a better alternative). One other aspect is the weak SLA of the ISP service providers, and there is no easy solution for this: in large cities the ISPs are reasonably fast to attend to issues, but in rural or semi-urban areas it is a pain, hence 3G or 4G dongles which can be plugged into the WiFi router are the best solution.

In the other tabs I explain the configuration and setup details, and how the system addresses a small office's requirements:

  • Configuration of “VPN on ASUS”
  • Configuration of “OpenVPN” for TAP or TUN operation
  • Configuration of the ADSL router for OpenVPN to work
  • “Conclusions”, where the WiFi router is used for data backup, 3G, firewall and other configuration

[/su_tab]

[su_tab title=”VPN on ASUS”]

A VPN is a secure tunnel (connection) between your branches, so that all resources can be shared between the branches and the head office: printers, Tally, applications, storage backup, etc.


Let's take a look at the configuration available on the ASUS router.

VPN_Router Landing Page

Select VPN and then OpenVPN.


Enable the VPN server at the head office.


Now we have to enter the username and password for the clients to connect.

We have completed the minimum configuration for this setup. Follow the next tab for “TAP” or “TUN” and the other configuration.

[/su_tab]

[su_tab title=”OpenVPN Setup”]

A VPN tunnel is basically TUN or TAP (click for details):

  • TUN is a VPN on layer 3 (one more hop between subnets)
  • TAP bridges two Ethernet segments in two different locations

[su_box title=”Warning” style=”glass” radius=”10″]In a TAP setup you can have computers in the same IP subnet (e.g. 192.168.1.0/24) on both ends of the VPN, and they will be able to ‘talk’ to each other directly without any changes to their routing tables. Using TAP you will have slightly more overhead: besides the IP headers, 38 B or more of Ethernet headers are sent through the tunnel per packet (depending on the type of your traffic, this may introduce more fragmentation).

A TAP VPN acts like an Ethernet switch. This might sound cool and is useful in some cases, but I would advise not going for it unless you really need it. If you choose such a layer 2 bridging setup (TAP), there will be a bit of ‘garbage’ (that is, broadcast packets) going across your VPN.

Your data consumption will be higher, but if you want to use Tally then this is the only option, because “Tally ERP9” is still not a fully developed multi-site application.
[/su_box]

We are setting up a TAP (bridged) VPN because of the “Tally ERP9” limitation.


Let's download the configuration file, which we will need to configure the VPN clients at the branches and on laptops/desktops. Save the downloaded file and rename it “XXX Client OpenVPN”, where XXX is your company name.


How to configure desktops/laptops etc. is detailed in the links provided. Please go through them and implement the setup using the client file downloaded above.


[su_box title=”Warning” style=”glass” radius=”10″]The ADSL or cable modem must forward port 1194 for OpenVPN to work.
Please also note that a static IP is the other requirement; if you do not have a static IP, a dynamic DNS service takes care of it: dyn.org provides this service for 20 USD per year (1500 INR) for 32 sites.
If you have a static IP from your ISP, then dynu.com is a free service; log in and configure it. I use their service for my VPS servers and also to get around the domain name NS restriction, i.e. ask the domain registrar to point to the Dynu name servers (NS1.DYNU.COM) and configure Dynu to point to the VPS.[/su_box]
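As an added example (not part of the original post or of ASUS's firmware), a small Python checker for the exported client profile: it parses the `.ovpn` directives described above and lists what a branch administrator should verify before distributing the file, including the TAP mode and the port that the ADSL router must forward. The hostname and certificate body in the sample are constructed placeholders.

```python
import re

# Constructed sample client profile in the shape this page describes (TAP mode,
# UDP port 1194, a DDNS hostname). Hostname and CA body are placeholders.
SAMPLE_OVPN = """\
client
dev tap
proto udp
remote hq.example-ddns.net 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    """Return {directive: [args, ...]}; inline <ca>/<tls-auth> blocks become {tag: [body]}."""
    profile, block, body = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # collecting the body of an inline block until its closing tag
            if line == f"</{block}>":
                profile.setdefault(block, []).append("\n".join(body))
                block, body = None, []
            else:
                body.append(line)
        elif not line or line.startswith(("#", ";")):
            pass  # blank line or comment
        elif re.fullmatch(r"<[a-z-]+>", line):
            block = line[1:-1]
        else:
            name, *args = line.split()
            profile.setdefault(name, []).append(args)
    return profile

def check_profile(profile):
    """Findings a defender wants before handing the profile to branch routers."""
    findings = []
    if (profile.get("dev", [["tun"]])[0] or ["tun"])[0].startswith("tap"):
        findings.append("TAP: layer-2 bridge, broadcasts cross the tunnel, higher data use")
    for args in profile.get("remote", []):
        port = args[1] if len(args) > 1 else "1194"  # OpenVPN default port
        proto = profile.get("proto", [["udp"]])[0][0]
        findings.append(f"remote {args[0]}:{port}/{proto} must be forwarded to the VPN server")
    if "remote-cert-tls" not in profile:
        findings.append("remote-cert-tls server missing: client accepts any cert signed by the CA")
    if "tls-auth" not in profile and "tls-crypt" not in profile:
        findings.append("no tls-auth/tls-crypt: port 1194 answers unauthenticated handshakes")
    return findings
```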

[/su_tab]

[su_tab title=”ADSL Setup”]

1. We have to ensure that the ADSL router forwards port 1194 to the ASUS router.
[su_box title=”What are Virtual Servers” style=”glass” radius=”10″]A virtual server is defined as a service port, and all requests to this port will be redirected to the computer specified by the server IP. For example, if you have an FTP server (port 21) at 192.168.0.5, a web server (port 80) at 192.168.0.6, and a PPTP VPN server at 192.168.0.7, then you need to specify the following virtual server mapping table:[/su_box]
Screen Shot 2016-05-01 at 10.21.06 PM

2. Now configure the DDNS to ensure we can reach our HQ router.
Screen Shot 2016-05-01 at 10.25.04 PM
Note: Please subscribe to the service from dyn.org (paid service) or use www.dynu.com (free for now).

[/su_tab]

[su_tab title=”VPN Client Setup”]

At the branches we select the Client.

Screen Shot 2016-05-01 at 8.39.13 PM

Let's add the profile to connect to HQ.

Screen Shot 2016-05-01 at 8.39.45 PM

[/su_tab]
[su_tab title=”WRT Extra”]

Some other features which are useful for a SOHO or SME:

1. 3G or 4G dongle: dual WAN, for ISP redundancy

Enable VPN Client

2. AiProtection: we can enable the following:

Screen Shot 2016-05-01 at 8.59.53 PM

  • Parental Control (to allow staff “mobile phones” to access the Internet during breaks, or for 5 min once every two hours)
    I personally do not subscribe to this, but while analysing bandwidth consumption it was clear that many employees just do not understand the concept of self-control. Most are downloading videos and crap from “WhatsApp”.
  • Network Protection: I am sure this is an essential feature that needs to be enabled, but most of the scheduled bank and Govt. sites will not work.
    [su_box title=”Warning” style=”glass” radius=”10″]I can confirm the “Karnataka VAT” & “Karnataka Bank” sites are shit and will not work if Network Protection is enabled.
    So much for Digital India.
    [/su_box]

3. Adaptive QoS: we can use this feature to check what is hogging the bandwidth and ensure that we have some control.

3.1 Enable the control

Screen Shot 2016-05-01 at 9.01.19 PM

Screen Shot 2016-05-01 at 9.23.59 PM

A few screenshots from “Bandwidth Monitor”:

Screen Shot 2016-05-01 at 9.03.23 PM

Screen Shot 2016-05-01 at 9.01.46 PM

We can drill down:

Screen Shot 2016-05-01 at 9.02.13 PM

4. Under “Advanced Settings” click “Wireless” and then filter on MAC address. I recommend the blacklist, i.e. “Reject”: whenever any staff member's personal device is seen on the network, we can reject it from connecting to the WiFi.

Screen Shot 2016-05-01 at 9.33.29 PM

[/su_tab]

[su_tab title=”Conclusions”]

DD-WRT started off as a community mod for the Linksys WRT54 routers and has now developed into a firmware supplier for most router OEMs (click to check the list). I suggest that you check here.

It's great to be a geek and stumble along, but when the setup is for “production” then I strongly suggest using stock firmware. If the feature you require is not available, then search for a device which provides that feature in its stock firmware (Google is a useful tool for the search).

For 20,000 INR the ASUS router RT-AC68U is worth it, of course only if you are going to use many of its features and at the same time expect a reliable and strong WiFi zone.

Please feel free to PM or email me using the comment or contact form if you require more details or clarifications.

[/su_tab]

[/su_tabs]
