Creating and configuring a VPN server/router for remote access

Started by gdgross, March 27, 2024, 11:46:05 AM


gdgross

Hi all - tech-y fellow here but not much in the way of IT things, although I'm learning.

I'd like to set up a way to access and log into my mac-mini from anywhere on the internet.  Currently I can do this via the splashtop app, but for various reasons, I would like to set up my own system.  I understand that this will require creating a VPN server for my LAN, and maybe some additional hardware purchases.  (specifically a dedicated VPN router?)

I'd like to be able to log in from a windows machine on a different wired network miles away from the mac mini and its LAN, using sonic wall or the windows built in VPN client, and control the mac mini via microsoft remote desktop or similar software.  I'd also like to be able to log in from my macbook pro using the same tools from any old wireless network at starbucks or wherever.

My current network looks like this:


As I understand it, hardware-wise, I will need to do something like this:


First, is my understanding of the hardware correct?

Second, what steps will I need to go through to set this up properly?  I assume the VPN router will have some software that I'll need to configure once I connect it all.  And I'll need an ip or domain or something for the VPN, and a name for the mac mini itself to connect remotely?

Thanks for your help all - I'm slowly becoming IT fluent lol.

Geoff

deanwebb

Do you need full access on all ports or do you only need access for a specific function? For example, is this Mac Mini performing a wide range of functions, or do you only need to use it as a file share?

This can provide an additional layer of security if you lock off access on areas you don't need to use.

The diagram looks good, assuming it's home use, so you won't need commercial-grade gear for the setup. With that in mind, will the manufacturer keep the gear up to date with updates? That will be important for the sake of security.

You'll also need the ability to set up a VPN to the VPN router, which means opening up inbound ports on the modem - and that means the ports are open for the entire world. If there is an ability to authenticate with multiple factor authentication in order to open up the ports, that would be preferable.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

gdgross

Quote from: deanwebb on March 27, 2024, 02:12:30 PM
Do you need full access on all ports or do you only need access for a specific function? For example, is this Mac Mini performing a wide range of functions, or do you only need to use it as a file share?

This can provide an additional layer of security if you lock off access on areas you don't need to use.


Thanks Dean - yeah, I will indeed want full access to the mac mini; I'd like to log into the computer and use apps/etc just as if I was sitting at the keyboard. 



Quote from: deanwebb on March 27, 2024, 02:12:30 PM
The diagram looks good, assuming it's home use, so you won't need commercial-grade gear for the setup. With that in mind, will the manufacturer keep the gear up to date with updates? That will be important for the sake of security.

I was thinking of this as my router: https://www.amazon.com/dp/B08QTXNWZ1?psc=1&ref_=cm_sw_r_apin_ct_9R7YHFK9VWAJCZT370XF&language=en_US shows up more than once when I google "good wired VPN routers", and it's not too pricey :-D  Hopefully they'll keep current with future firmware updates!


Quote from: deanwebb on March 27, 2024, 02:12:30 PM
You'll also need the ability to set up a VPN to the VPN router, which means opening up inbound ports on the modem - and that means the ports are open for the entire world. If there is an ability to authenticate with multiple factor authentication in order to open up the ports, that would be preferable.

As far as opening up ports on the modem, perhaps Frontier would have to help me with that?  Or is that something I could do on my own?  Also, it might be useful to restrict the allowed ports by IP address, or location, etc, since I'd be logging in remotely from a finite number of offsite locations.  I wonder if that can be done?  (Although MFA is acceptable too, I guess.)

Do you know of any guides for dummies on doing this?

deanwebb

If you know the external IP address ranges you'll use for your logins, that makes it much more secure if they're the only ones you permit to make a VPN connection from.

Setting up the Frontier router should be something in the user guide for the equipment, would likely be in the user interface under "security" or "networking". May also be a help file on their website on how to do it, as it's a common ask for things like gaming and media servers.
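
The advice in the thread (forward only the VPN port, and accept connections to it only from known external IP ranges) can be modelled as a default-deny check. This is an added example, not part of the original posts; the address ranges, the UDP 1194 port and the log format are assumptions, since the thread names no VPN protocol, port or offsite addresses.

```python
import ipaddress

# Assumptions (not from the thread): the offsite networks and the forwarded
# VPN port. Addresses come from the RFC 5737 documentation ranges.
ALLOWED_SOURCES = ["198.51.100.0/24", "203.0.113.17/32"]
VPN_PORT = ("udp", 1194)

# Constructed sample of inbound attempts seen at the modem: "src proto dport"
SAMPLE_LOG = """\
198.51.100.42 udp 1194
203.0.113.17 udp 1194
203.0.113.18 udp 1194
192.0.2.200 udp 1194
198.51.100.42 tcp 3389
not-an-ip udp 1194
"""

def build_allowlist(cidrs):
    """Parse CIDR strings once; strict=True rejects ranges with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def decide(src, proto, dport, allowlist, vpn_port=VPN_PORT):
    """Default deny: only the VPN port, and only from an allowlisted source."""
    if (proto, dport) != vpn_port:
        return "drop:port-not-forwarded"
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:unparseable-source"
    if any(addr in net for net in allowlist):
        return "accept"
    return "drop:source-not-allowlisted"

def audit(log_text, allowlist):
    """Return (line, decision) pairs for every log line."""
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            results.append((line, "drop:malformed-line"))
            continue
        src, proto, dport = parts[0], parts[1].lower(), int(parts[2])
        results.append((line, decide(src, proto, dport, allowlist)))
    return results

if __name__ == "__main__":
    for line, decision in audit(SAMPLE_LOG, build_allowlist(ALLOWED_SOURCES)):
        print(f"{decision:30} {line}")
```

Note that a remote desktop port reached directly from the internet is dropped even from an allowlisted address: in this layout only the VPN port is forwarded, and remote desktop traffic travels inside the tunnel.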