To keep this short, the seniors at the company I work at have set up a private VPN, to which you must connect in order to access different company resources. Everyone has their own profile and a secret PIN they have to enter in order to connect to their VPN profile. The private company resources deny ALL IPs except for the VPN IP.
I really liked this setup from day 1 and I wanted to get to know how to set up a VPN like this on my own just to learn how to do it, maybe to use it on a side-project someday. Any resources you could point me to?
Thank you for your time!
Setting up a VPN manually on Linux can be a bit of a faff, especially if you’re not clued up on the command line. Personally, I reckon FreeBSD is much more straightforward for this sort of job.
If you fancy doing it properly, why not set up a pfSense or OPNSense firewall appliance at home? Both are based on FreeBSD and come with a tidy web-based graphical interface, so you can dodge the grief of fiddling about with the underlying OS. The hardware (or virtual machine) requirements are laughably low—nothing fancy needed, really.
They’re cracking tools—versatile and completely free. Loads of small businesses, universities, ISPs, and cloud providers use them as firewalls or VPN servers to keep their networks and users secure.
Give OPNSense a look.
Check out the concept of “Zero Trust VPN”. We use Perimeter 81 and it’s great.
For a “research” solution, you could use Tailscale since it is free. Using their ACLs you can create zero trust policies by saying “user X has access to IP xxx.xxx.xxx.xxx/32 (or a specific device)”.
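The per-user, per-host rule the comment above describes, written out as a Tailscale ACL policy file. This is an added illustration, not the commenter's own configuration; the user names, group, tag and the 100.64.0.12 address are assumed placeholders.

```jsonc
{
  // Tailscale ships with a single allow-all rule. If it stays in the policy,
  // every member can reach every node and the per-user rules below add nothing.
  // "acls": [{ "action": "accept", "src": ["*"], "dst": ["*:*"] }],

  // Hypothetical tag marking the internal server; only admins may apply it.
  "tagOwners": {
    "tag:intranet": ["group:admins"]
  },
  "groups": {
    "group:admins": ["alice@example.com"]
  },
  "acls": [
    // bob may reach exactly one host (assumed Tailscale IP 100.64.0.12), and
    // only on port 443. No other user can reach it by this rule.
    { "action": "accept", "src": ["bob@example.com"], "dst": ["100.64.0.12:443"] },

    // Admins may SSH to anything carrying tag:intranet.
    { "action": "accept", "src": ["group:admins"], "dst": ["tag:intranet:22"] }
  ],
  // Anything not matched above is denied; there is no allow-all fallback.

  // Policy tests run when the file is saved and reject it if an assertion fails,
  // so a later edit cannot silently widen access.
  "tests": [
    {
      "src": "bob@example.com",
      "accept": ["100.64.0.12:443"],
      "deny": ["100.64.0.12:22", "100.64.0.13:443"]
    }
  ]
}
```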
If your company is whitelisting only the VPN IP, then they probably are using a tunnel where everyone connects to and enters the infrastructure from the same path.
Just read the docs and man pages of WireGuard VPN, it’s a damn good VPN solution which uses modern cryptography, has a small codebase and is actually included in the Linux kernel (don’t remember, but I think starting from 5.x kernels).
To play around with the concept and keep it simple you may like Pritunl.
- Install pritunl-server on a machine in your DMZ.
- Delegate access, accounts, network mapping to your needs, within the pritunl admin dashboard.
- Connect in with pritunl-client, using your account's downloaded .tar profile, and use your PIN if you set that up.
- ping/curl network resources to confirm your connection.
Check out GitHub - trailofbits/algo: Set up a personal VPN in the cloud
Super easy to deploy a VM that is your own configurable VPN that you can tinker with.
OpenVPN has this, you can use SSO or private key profiles to connect. AWS’s VPN service is essentially this. There are other solutions on the market too like Pulse VPN or Microsoft’s solution, I think it’s built into Defender.