
I have about 5 clients who are all running some iteration of Microsoft Windows Server, be it Server 2003, Server 2008, Server 2013.
I will commonly connect to their networks/machines in a few different ways depending on if I'm in the same building or not in the building.

  • When I'm in the building I can simply connect to the WiFi and start a remote session using Microsoft Remote Desktop and enter the IP.
  • When I'm not in the building one of the clients has a LogMeIn account which I connect to and then eventually make my way to the server.

What I'm looking for is advice or a set of instructions to allow me to connect to each of my clients' servers with as little extra software as possible (i.e. by using existing services already installed in Windows Server or settings/software already available on their in-house routers being simple Linksys, SonicWall or even Cisco).

And then once I've set up this VPN connection I'd like to be able to connect to it, independent of what system I'm on. If I'm on OSX or Windows 7 I'd like to have VPN connections for each of my client locations, and then be able to RDP into their server or any machine on that network.

I've tried setting up VPNs on a few of their servers, but I wasn't sure I was going through the process correctly. Do I need to forward ports? Do I need to forward ports to their router? Their server? Isn't there a VPN service already available on Windows Server? How do I configure it to allow connections from wherever I might be? What if I'm on the road traveling and I need to remote into their machine, so I tether from my cell phone and do a quick fix? How can I have the connection accepted independent of what the connecting IP is?

gh0st

2 Answers


There's no magic here. VPN is a complex ecosystem, with many different vendors, many different technologies, and many different configurations. There is no "VPN Master Software" or the like that will let you do what you want.

About the closest configuration I can conceive of is to configure persistent site-to-site tunnels from each client location back to your network, or back to a single server under your control. With that in place along with proper routing rules, you'll be able to, yourself, VPN to that single point, and then route traffic to each client.

This will not be a simple thing to set up, though, and you should keep in mind the following items:

  • If any of your clients have overlapping subnets, the above scenario will not work. You'll need to re-number their network.
  • For the above to work, you'll likely need hardware or software that supports IPSec on both ends of each VPN association.
  • You'll need to ensure that clients on one client's network cannot route traffic to other clients' networks.
  • Protect your "bastion" host very well, as that server or network has the keys for each and every one of your clients' networks.

If I were to offer a piece of advice? Forget your plan. Instead, work to migrate your clients to a consistent router/firewall/VPN platform so that you have a consistent means of connecting to their networks. OpenVPN is a good option here, as there are well-maintained OpenVPN clients for every OS and mobile platform out there.

EEAA
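
An added example, not part of EEAA's answer: a pre-flight check for the hub design described above. It flags client LANs whose ranges overlap and models the hub's default-deny rule that only the admin's own VPN pool may open connections into a client LAN. Site names, address ranges and function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory: site names and LAN ranges are hypothetical.
CLIENT_LANS = {
    "client-a": "192.168.1.0/24",
    "client-b": "10.10.0.0/16",
    "client-c": "192.168.1.0/24",  # same default range as client-a
    "client-d": "10.10.20.0/24",   # sits inside client-b's /16
    "client-e": "172.16.5.0/24",
}
ADMIN_POOL = "10.99.0.0/24"  # hypothetical pool handed to the admin's own VPN login


def find_overlaps(lans):
    """Return sorted (site, site) pairs whose address ranges overlap.

    Any pair returned here cannot be routed unambiguously from the hub,
    so one of the two sites has to be renumbered first.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in lans.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def may_initiate(src_ip, dst_ip, lans=CLIENT_LANS, admin_pool=ADMIN_POOL):
    """Default-deny policy for NEW connections forwarded by the hub.

    Only the admin pool may open a connection, and only into a known
    client LAN. Client-to-client and client-to-admin initiation is denied.
    Return traffic is assumed to be handled by connection tracking.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src not in ipaddress.ip_network(admin_pool):
        return False
    return any(dst in ipaddress.ip_network(cidr) for cidr in lans.values())


if __name__ == "__main__":
    # Include the admin pool so a clash between it and a client LAN is caught too.
    for a, b in find_overlaps({**CLIENT_LANS, "admin-pool": ADMIN_POOL}):
        print(f"renumber needed: {a} overlaps {b}")
    print("admin -> client-e:", may_initiate("10.99.0.5", "172.16.5.10"))
    print("client-e -> client-b:", may_initiate("172.16.5.10", "10.10.0.1"))
```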

Honestly, you're asking a lot here. EEAA points out many of the potential issues and stumbling blocks you'll face in getting something implemented based on your desires.

Personally, my suggestion would be to use something like GoToAssist, TeamViewer or LogMeIn. You already have a client using LogMeIn. Each of these requires only that you install the software on your client machines and your workstation/laptop. I can't speak to TeamViewer and LogMeIn, but GoToAssist has both a Windows and a Mac client/application. IMO, you'll find this to be the easiest way to remotely connect to and manage your client systems.

Trying to find a common VPN solution that fits into every client scenario sounds like an exercise in frustration. You'd need to manage firewall/router settings (and quite possibly might need to purchase hardware), configure VPN client software/settings, etc., etc.

joeqwerty