VPN - How Complicated

BostonDan

Regular Contributor
Hi Everyone - I am considering setting up a VPN between two small offices, both of which obtain their IP address from Comcast using DHCP. My end goal is to locate a Synology NAS at each office location and have the NASes back up to each other. The offices don't share data but are part of the same company.

I have set up NASes within LANs in the past, but I have never played with VPN. The process of setting this up appears straightforward, but I'm being cautioned by a contracted IT firm that it is complex and creates reliability concerns.

Do I need a VPN router or can I simply use the Comcast router and open up a port address to the NAS?
If obtaining a VPN router is recommended, any model recommendations?
Pitfalls/Guidance?


Appreciate the help - Dan
 
If all you would be using the VPN for is the Synology-Synology backup, you could just use the SSH option in the Synology backup utility.

The main potential hassle is that the Comcast IPs can change, which will break your connection. Fortunately, Synology has a Dynamic DNS service embedded in the NASes.
 
Thanks very much Tim. Using the SSH option and dynamic DNS, do you see any reason an IT manager wouldn't want to do this? To me it seems straightforward, but I'm looking for that extra confirmation or someone to tell me I'm not opening a can of trouble if I push this path.

Any words of caution?
 
I have nothing else to add. Provided you use a strong passphrase, SSH will be plenty secure.
 
Though I use DynDNS, my cable modem (TimeWarner) public IP address hasn't changed in 5 or more years. Even after they upgraded the cable modem about 4 times.
 
Thanks Guy

Thanks very much Tim & Steve for the vote of confidence.
I have a BS in computer engineering, but I don't provide IT services for a living. I was hesitant going against the recommendation of the outsourced IT guy, who does networking for a living, he tells me for many multi-office businesses. He advised against it due to the complexities of setting up VPN and security. The current solution is costing over $1000/yr to back up 50GB and covers only 1 office. Currently, there is only 1 revision of data being maintained. My plan is to push much harder to make the NAS solution happen; in my opinion it is the best, most cost-effective path and will handle both offices.

Thanks for the help
 
You will lose your job when it is discovered after a disaster that a working backup hadn't taken place in 3 months. Be careful when choosing what responsibilities to assume.

A major part of my day job is setting up IPSEC VPNs. The reputation for complexity stems from a large number of parameters and no "standard" VPN configuration. Get two of the same model device and set them up identically, and things will be fairly straightforward (though routing/NAT might still take some fiddling with). Get two different models though, and you're in for an ordeal. Many techs are ill-equipped to troubleshoot VPNs, and even if they have the theory down pat, lousy small business routers won't put enough information in the logs to diagnose the cause.
 
Thanks for jumping in Jdabbs.
Kinda funny you put it that way. The current backup system hasn't been working properly, failing to back up consistently for at least somewhere around 8 months. Failures far outnumber the successes. I started looking at alternatives initially because of the failures, but additionally because $1200/year for 50GB seems expensive, especially when looking at other hosted solutions like Carbonite Business - $229/yr for 250GB or Carbonite Business Premier - $599/yr for 500GB.

If I ditch suggesting a full VPN solution and suggest using SSH with dynamic DNS as Tim suggests, do you see any concerns/complexities if the same model NAS and router on both sides will be utilized?

Thanks everyone for the feedback, really appreciate the ideas and gaining knowledge of the pitfalls.
 
If your IT consultant can't set up a simple point to point VPN, and if he is the guy who has set up the dysfunctional backup system, maybe it's time to find a new consultant.

Jdabbs has a good point. Even if it is not a firing risk, there is always the "you touch it you own it" risk. Just go in with your eyes open.
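
An added example, not part of any post in this thread: a cron-style script for the approach discussed above (backup over SSH to a dynamic-DNS name), with a freshness check so that a backup which silently stops working is flagged within days rather than months. It assumes plain rsync over ssh rather than the Synology backup utility; the hostname, account, paths and stamp file are placeholders.

```shell
#!/bin/sh
# Added example. All names below are hypothetical placeholders.
REMOTE_HOST="office-b.example.net"        # dynamic-DNS name of the other NAS
REMOTE_USER="backup"                      # unprivileged, key-only account
SRC="/volume1/shared/"                    # local share to protect
DEST="/volume1/backup/office-a/"          # target directory on the remote NAS
STAMP="${STAMP:-/var/tmp/last_backup_ok}" # epoch seconds of the last success
MAX_AGE_DAYS=2

# Push the data over SSH. StrictHostKeyChecking=yes makes ssh refuse any host
# whose key is not already in known_hosts, so a dynamic-DNS name that ends up
# pointing at the wrong machine fails closed. BatchMode=yes prevents password
# prompts, so an unattended run fails loudly instead of hanging.
run_backup() {
    rsync -a \
        -e "ssh -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        "$SRC" "$REMOTE_USER@$REMOTE_HOST:$DEST" \
    && date +%s > "$STAMP"   # stamp is written only when rsync succeeded
}

# Print whole days since the last successful run.
# $1 = stamp file, $2 = current time in epoch seconds.
# Returns 1 if the stamp is missing or empty (no success ever recorded).
backup_age_days() {
    [ -s "$1" ] || return 1
    last=$(cat "$1")
    echo $(( ($2 - $last) / 86400 ))
}

# $1 = stamp file, $2 = maximum age in days, $3 = current epoch seconds.
# Exit status: 0 = fresh, 1 = stale, 2 = no successful backup recorded.
check_backup() {
    age=$(backup_age_days "$1" "$3") || return 2
    [ "$age" -le "$2" ]
}

# Schedule "run" nightly and "check" daily; a failed check goes to stderr,
# which cron mails to the job owner.
case "${1:-}" in
    run)   run_backup ;;
    check) check_backup "$STAMP" "$MAX_AGE_DAYS" "$(date +%s)" \
               || echo "ALERT: no good backup in over $MAX_AGE_DAYS days" >&2 ;;
esac
```

Connect once by hand first so the remote host key is recorded in known_hosts, and run the check from a job separate from the backup itself so it still fires when the backup job never starts.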
 
