Hacker News new | ask | show | jobs
by LinuxBender 1324 days ago
Every business implementation of a VPN I have seen in my career were self hosted by the business so they could document and audit all of the controls and firmware versions. I do not foresee many businesses trusting 3rd party VPN solutions, though I am sure some do. third party data processor legal controls

Do you have an existing relationship with network gear providers such as Cisco, PaloAlto, Fortinet, etc?

[Edit] Or if your business is very small and just starting out perhaps you could set up an isolated zone with Linux or BSD VPN nodes and use something like Wireguard, Tinc, Strongswan, OpenVPN, whichever suits your needs. Then create firewall rules in your company to permit the VPN nodes to reach the required services.
1 comments
seekingsolution 1324 days ago
Thank you. No, this is for a small business, so there aren't any enterprise equipment relationships.
link
LinuxBender 1324 days ago
In that case another option may be setting up a couple of VM's or physical servers in an edge zone of your network and use an open source VPN. The latest popular solution is Wireguard. There are some github repos that have examples of how to set that up for mobile roaming devices. The downside of these solutions is that they trust keys bound to a device vs having per-person authentication but one could always have additional controls just past the VPN.

Another thing I have seen people pushing here lately is tailscale, though I am not a fan of cloud solutions for remote access. As the company grows that would have to be factored into 3rd party controls and I am personally too lazy and like to keep audits short and sweet.

A smaller and more old school solution is to have a hardened SSH bastion and do port forwarding through it. This is very unpopular among developers though and that machine must be kept up to date and ideally have mandatory access controls such as SELinux or Apparmor enforcing policies.

link
DerekBickerton 1324 days ago
> Another thing I have seen people pushing here lately is tailscale

Came here to mention Tailscale. OP said: 'And most of them appear to be operating outside of my country's legal jurisdiction (the U.S.)'

Tailscale is Canadian though, so is that within OP's scope?

link