Setting up a VPN between two small offices.
September 15, 2011 8:12 AM   Subscribe

Is the IT company I've hired ripping me off? I need to establish a VPN connection from my funeral home in one town to my main office. One computer, one server, one database that needs to be accessed.

After spending 20 minutes trying to convince me that I didn't need a VPN connection (even though the software suggests it) and that I could just use remote desktop, he told me that I would need to replace both of my routers, and my server and that I should be prepared to shell out at least $3000.

My feeling is that he doesn't know how to set up a VPN and that he's trying to price me out of my options. And I don't know enough to argue with him. I'm in rural Louisiana and there aren't many service techs who will come out to where I am to set this up for me. I know almost nothing about networking computers, but I know people, and this guy seemed to be brushing me off.

So:
1. Is $3000 a reasonable amount to replace two routers and a (less than five year old) server?

2. Is this something I could do myself or do I need a professional?
posted by ColdChef to Technology (44 answers total)
 
1) If he's trying to set up a point to point* VPN, well, that's not wildly out of line. Not sure why he'd need to replace your server though.

2) If you have to ask that question, you probably need to hire someone.


If you don't feel comfortable with this guy, get some other quotes. We've had good experiences using All Covered for stuff we don't have expertise for in-house.

*i.e., one that's always on, and doesn't need to be "dialed in" to.
posted by Oktober at 8:15 AM on September 15, 2011


$3000 could be a reasonable price if you need something relatively high performance but it sounds possibly overpriced for what you want.

You do not need anything new or fancy to set up a VPN. Whether you need a VPN or not isn't something I'm prepared to answer but it isn't rocket science, and if you want it, you should have it.
posted by RustyBrooks at 8:16 AM on September 15, 2011


A few questions:

What kind of routers do you have?
Why do you think you need a VPN?
What sort of database?
Specs of the server?

I mean, it sounds to me that you already have the infrastructure in place. Setting up a basic VPN is a pretty simple thing.
posted by Loto at 8:19 AM on September 15, 2011


Consumer-level home routers such as the Buffalo WZR-HP-G300N provide VPN client functionality out of the box. Expect to pay no more than $80.

For the server side, you can run a rock solid OpenVPN server on cheap (< $300) hardware for the price of a little Linux expertise. That expertise bit is always the sticking point, of course, but I don't think it adds up to $3k.
posted by whuppy at 8:31 AM on September 15, 2011


Also, knowing nothing about your application, I doubt you really need a VPN. An ssh tunnel + rdp would more than suffice.
posted by whuppy at 8:34 AM on September 15, 2011


Without knowing the equipment at each endpoint/etc it's hard to say, but my guess is if this is all you need, you can probably get away with Logmein Hamachi, which lives on the client and server machines.

I doubt you need to spend over 500 bucks for a consistent VPN tunnel, but it depends on who will be fiddling with it/etc. Worse comes to worst, you can always buy a used Mac mini, shove 10.7 Server on it and use that as a VPN gateway into the location where the DB is.
posted by iamabot at 8:35 AM on September 15, 2011


I do this for a living, albeit at a more "industrial scale". $3000 wouldn't be insane if he in fact has to replace your routers and your server, and he's trying for reliability that's above consumer-grade.

That said, I can't imagine why he wants to replace your server. I'd quiz him very hard about that. Without knowing what sort of routers you have it's impossible to speak to the need to replace them, but I'd ask him about how he's balancing reliability vs. price. He should be able to describe the hardware he wants to deploy.
posted by tyllwin at 8:35 AM on September 15, 2011


Response by poster: A little more information:

I have a database program to store information about the funerals we handle. It runs on three workstations in OFFICE A. They all save information to a server in that office. I will also run the program in OFFICE B. It will need to connect to the database on that server in OFFICE A.

The software company who makes our program says that a VPN is required to connect OFFICE B to OFFICE A.

The IT guy started suggesting work-arounds to the VPN right off the bat, which struck me as strange. It seemed like he was talking out of his ass. When I insisted that I think we should do what the software suggested, he started throwing the $3000 price at me.

I'm sure a great deal of my trouble is that I don't know what the hell a VPN does or how it is set up. Is a VPN a hardware thing or a software thing? (yes, I'm a dolt.)
posted by ColdChef at 8:36 AM on September 15, 2011


Thanks for the added info.

Is there any reason you couldn't use something like TightVNC to remotely control a preset machine in OFFICE A from OFFICE B, and do all your data entry that way? Seems like a much cheaper alternative.
posted by Sphinx at 8:44 AM on September 15, 2011


There are two classes of VPN, basically: LAN to LAN, and client/server. All the VPN does is take traffic destined to and from one point or part of the network and send it over an encrypted tunnel to another network or another machine/part of the network. VPNs are a very mature technology, mostly standards based and reasonably straightforward to implement; there are also nearly endless solutions available.

You can conceivably implement either a client/server VPN or a LAN to LAN tunnel. LAN to LAN tunnels tend to be more work upfront but expand better and would effectively connect your two offices.

Can you tell us what equipment provides the internet connection or firewalling at each site?
posted by iamabot at 8:45 AM on September 15, 2011


The VPN is a software thing, often running on special hardware. It links your two sites together across the internet as if they had a hard wire connecting them across a hallway. You could do that much without the VPN, but the VPN allows the connection to be secure by encrypting it and making sure that each side of the connection is really one of your offices, and not one of your competitors.
posted by tyllwin at 8:45 AM on September 15, 2011


The way he's describing it, remote control solutions aren't going to fill the bill are they? DB1 needs to talk directly to DB2. No "remote desktop" solution will really help, it doesn't seem. He really does seem to need a LAN-to-LAN link.
posted by tyllwin at 8:49 AM on September 15, 2011


Get a new IT guy. You aren't comfortable with him, there's probably a good reason for that. I don't agree with what he's recommending, either.

You can get a point to point vpn going with a couple of inexpensive sonicwalls (tz180s are $500 each), and you don't need a new server.

You might want to hire somebody to configure the sonicwalls for you (they aren't quite plug-and-play), but they aren't so complicated that you couldn't figure it out yourself and sonicwall phone support is pretty good.

Depending on what routers/firewalls you already have there's a chance they both already support VPN, though I assume your guy is at least competent enough to know whether they do or not.
posted by empath at 8:58 AM on September 15, 2011


Also, remote desktop is a much, much less secure option than VPN, as it's not encrypted traffic. I wouldn't recommend it for anything business critical, and I definitely wouldn't recommend leaving RDP open on your server to the outside world.
posted by empath at 9:00 AM on September 15, 2011


Oh, and to answer your question about what a VPN is: a VPN is basically an encrypted link between two (or more) locations over the internet that lets you treat them as if they were all on the same local network without anyone on the internet being able to snoop on the traffic.

That means you could, if you wanted to, do something like print from one location to a network printer at the other location, without having to set up a bunch of complicated firewall rules to do it. As far as your computer is concerned, the printer might as well be just down the hall.

That goes for file and application servers as well, which is why you need it for the software you're running.

You could also, probably, set up rules on your firewall to accomplish the same goals, but it's much less secure that way -- people could listen in on the traffic, and you would have a port open on the firewall to the outside that people could use to try to break into your network that wouldn't be there if you used the VPN to connect to it.
posted by empath at 9:08 AM on September 15, 2011
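A concrete LAN-to-LAN tunnel of the kind iamabot and empath describe above, written out as an added OpenVPN configuration pair (OpenVPN is the open-source server whuppy mentioned); this is not from the thread or from any vendor. The office names, the subnets 192.168.1.0/24 and 192.168.2.0/24, the tunnel range 10.8.0.0/24, the placeholder address 203.0.113.10 and the file names are all assumptions, and OpenVPN 2.4 or newer is assumed for the cipher line.

```conf
# --- OFFICE A (the site with the database server and the static IP) ---
# office-a.conf  (server side of the tunnel)
port 1194
proto udp
dev tun
# Certificates issued by your own CA (easy-rsa ships with OpenVPN).
# Each office gets its own cert, so a lost Office B box can be revoked
# without touching Office A.
ca ca.crt
cert office-a.crt
key office-a.key
dh dh2048.pem
# Extra HMAC on the handshake: packets without the right key are dropped
# before the TLS stack ever sees them, which blunts scans of UDP/1194.
tls-auth ta.key 0
tls-version-min 1.2
cipher AES-256-GCM
# Tunnel addresses; assumption: neither office LAN already uses 10.8.0.0/24
server 10.8.0.0 255.255.255.0
# Assumed LANs: Office A = 192.168.1.0/24, Office B = 192.168.2.0/24.
# Tell Office B's end that Office A's LAN lives across the tunnel...
push "route 192.168.1.0 255.255.255.0"
# ...and tell the Office A kernel that Office B's LAN is reachable via tun
route 192.168.2.0 255.255.255.0
# Per-client file (ccd/office-b, contents shown below) maps that LAN
# to the client whose certificate CN is "office-b"
client-config-dir ccd
keepalive 10 60
persist-key
persist-tun
# Drop root after startup (group name varies by distro; nogroup is Debian's)
user nobody
group nogroup
verb 3

# --- ccd/office-b (a one-line file on the Office A server) ---
iroute 192.168.2.0 255.255.255.0

# --- OFFICE B (the remote office; a dynamic IP is fine on this side) ---
# office-b.conf  (client side of the tunnel)
client
dev tun
proto udp
# 203.0.113.10 is a documentation-range placeholder for Office A's static IP
remote 203.0.113.10 1194
resolv-retry infinite
nobind
ca ca.crt
cert office-b.crt
key office-b.key
tls-auth ta.key 1
# Refuse to connect unless the far end's cert was issued as a *server* cert:
# a box holding a stolen client cert cannot pose as Office A
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
verb 3
```

On Office A's firewall only UDP/1194 needs to be reachable from the internet, and the database port itself stays closed, which is the point empath makes above. Each office's router must also send the other office's subnet to its OpenVPN host unless that host is itself the router.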


Feel free to memail me if you want some more in depth discussion of this. As the gang has replied upthread there are a ton of ways to go about this, most of which cost under 3k, some of which can conceivably cost more than 3k, but you're probably not in that territory for some basic sql calls between two servers.
posted by iamabot at 9:16 AM on September 15, 2011


Empath has the right of it. Your IT guy is, at best, clueless. You need two firewalls that support point-to-point VPN, and that's it. There's no reason whatsoever to touch the server, from what you've described.

If I were doing this myself, I'd probably build a couple of firewalls from scratch, but the Sonicwall hardware that Empath recommended looks like it will do the job fine.
posted by zjacreman at 9:27 AM on September 15, 2011


Response by poster: I really appreciate all the explanations. This is all starting to make sense to me.

FWIW: my server is a ACPI Multiprocessor PC running Microsoft Windows Server 2003 for Small Business.

One of my routers is a Motorola 2210 and the other one is probably similar.

I don't mind replacing both of the routers. High performance is not a concern. Reliable connection is.
posted by ColdChef at 9:32 AM on September 15, 2011


Sonicwalls might be overkill, tbh. You can probably get away with a couple of cheap linksys routers running dd-wrt, but the problem is that finding someone who knows how to support it if you need it would be a pain in the ass.
posted by empath at 9:34 AM on September 15, 2011


I think that is WAY overpriced. 2 PCs running pfSense and that's it. There is even a walk-through book to show you how to set up the VPN connection.

I use it at work on cablemodem connections with no problems.

$3000 is way overpriced.

It would only be not overpriced if they have to buy hardware. If it's just for setup, that's way more than it should be.

You can even do this with dd-wrt on 2 Linksys routers if you needed to. At most it would cost $300 for the two routers to handle dd-wrt.

On the pfSense route, pfSense itself is free. You would just need 2 PCs; if you have 2 PCs not being used, it's also free.
posted by majortom1981 at 9:42 AM on September 15, 2011


For VPN:

I'd recommend the tz100s (the tz180s are discontinued). Plenty to handle the traffic between two offices without a problem. You don't get nifty load balancing features or other things, but if you are just replacing two linksys routers in both locations, then you wouldn't really notice the difference.

Also, the tz100s come with a single SSLVPN instance as well, which in short means that you can easily establish a remote VPN connection from your Mac by logging in to the web portal on the router from home, and then bring up a remote session on a machine at home.

I would pay for the 8x5 three year support, it would bring the sonicwall cost up to $460 or so per box, but I have had amazing experience with their support team, and worse comes to worse, you can setup a remote session for one of their engineers and they can configure (or reconfigure) everything for you.

As for why he was pushing for Remote Desktop over VPN:

Depending on the application you are using (I remember it being some PITA funeral home management software), it probably hates running over laggy connections between two remote locations; instead of using actual database calls, it might require reading and writing files off of a network share, or performing multiple heavy network calls all at once. All of that does become a problem to troubleshoot remotely. By using Remote Desktop, you are having all the database calls, all the heavy network work happen locally on a workstation or server in the primary office, and then just sending the resulting graphic display back to your computer from where you are actually working.

Also: Someone trying to sell you a new server, with two new VPNs, for under $3k is cutting corners *somewhere*. I would suggest that you look into setting aside at least $3-5k for now for a real server (something not assembled from spare parts) that you might want to plan for replacement in the next 1-2 years. Usually something from Dell or similar that actually has warrantied parts, and not just a whitebox PC leveraged to run as a server.
posted by mrzarquon at 9:45 AM on September 15, 2011


Response by poster: The Motorola 2210 is a modem, not a router. It might perform some routing functions, but it's not going to have VPN capabilities.

Heh. Thanks. Such is the level of my ignorance.
posted by ColdChef at 9:46 AM on September 15, 2011


PS: we use pfSense here for our router/firewall and it's just as good as the really expensive dedicated hardware. We use it on our 100/100 fiber connection with 100+ PCs behind it.

It sounds like the 2003 server at office A might be running as a router. Does office B also have a 2003 server at the other end? If so, it might be as simple as using Microsoft's built-in software to create a VPN between the two.
posted by majortom1981 at 9:46 AM on September 15, 2011


Also, I'd make sure you can get a static IP / business line for your primary office location. For VPN to work (nicely anyway) you want to make sure at least one end always has a static IP address. Otherwise the VPN link can break if your ISP decides to give you a new one. This may be an additional $10-25 a month for your line, but if you are running Windows SBS at your current office (and I guess getting email on it), chances are that space has a static IP.
posted by mrzarquon at 9:47 AM on September 15, 2011


Response by poster: I can confirm that I do have Static IP Addresses at each of the offices.
posted by ColdChef at 9:49 AM on September 15, 2011


Oh yeah, if the Windows SBS 2003 server is doing everything (running as firewall, router, DHCP/DNS, etc.) then it may get more complicated than just putting two VPN routers in both locations. But then it should be possible to set up at least PPTP VPN (which is not the most secure) access for the desktops at the remote office to each have their own VPN links to the main office. Of course, depending on the number of machines, it becomes more efficient to have a dedicated point to point VPN.
posted by mrzarquon at 9:50 AM on September 15, 2011


You need to look at the wire coming out of your Motorola hardware: where does it go? Post what it connects to.
posted by majortom1981 at 9:53 AM on September 15, 2011


Two cheap routers will do this safely, securely, reliably, and easily.

(I also respectfully disagree that you'll ever need to spend $3000 on a server. I've built three thousand dollar servers; they had redundant everything, obscenely high-end Xeon processors, state-of-the-art graphics cards, and enough RAM to never really need a hard drive. That's not funeral home class hardware. $1000 is more like it. If and when you need a new server. Which you don't at the moment.)

(P.S.: Have good backups of all data :) Ask whoever handles the router setup if they can look into setting up a backup system, unless you have those bases covered already.)
posted by krilli at 10:02 AM on September 15, 2011


Definitely see if you can get information on your network layout and setup. If you have your Mac in the office, and can plug it into the ethernet and get online from it, posting the results of the command "ipconfig getpacket en0" in the terminal would give us a quick look at how your network is set up right now.

krilli: it depends mostly on the licensing issues at stake. SBS alone is $890 or so; depending on what is being used, Foundation or Essentials might be adequate, or a Linux box.

And it doesn't matter if the server is for a dot com or a funeral home: if it doesn't work for a week, how much does that cost in exchange? For my line of work, it costs significantly more to ever do emergency hardware replacement on a server than any savings that not being able to do that brings you. There is some value in being able to recover a Windows server from a bad system update, or have Dell overnight a replacement drive that a local receptionist can swap out, compared to billing the customer for four hours of travel time alone. You take chances with any server setup; I just try to spend the extra money up front to minimize chances of emergency or after hours calls later on.
posted by mrzarquon at 10:16 AM on September 15, 2011


mrzarquon, he might already have a real server from Dell or HP. We don't know the equipment yet. For a small business like this, more likely than not it's probably a Dell or HP server that came configured with SBS already.
posted by majortom1981 at 10:21 AM on September 15, 2011


Response by poster: As often happens in my line of work, I have to drop all of this to go pick up a dead body. I'll get the information when I get back and I'll post it here. Thanks for all the help so far.
posted by ColdChef at 10:22 AM on September 15, 2011


A VPN is a good idea since the data should be kept private. It needs to be reliable and easy. There are some open source products, and they're likely good, but I think you'll be happier with something that has vendor support. If you find somebody who knows pfSense and Untangle and can do a setup and then support it, great. What you need first is a reliable network configuration & support company. Not just one guy, but somebody who has backup when they go on vacation. You could certainly learn about this yourself, but I'd keep looking for a pro. Maybe even advertise on jobs.mefi, as this could largely be remotely managed. And, yeah, the current guy doesn't inspire confidence.

I think a small hardware + software solution, well configured, would work. Configuration is critical, so spend on the person who does it.

Microsoft Remote Desktop is an encrypted connection, but it's not a good solution for this. In addition, it has some really dumb setup issues; if it's not set up correctly, it's really not secure enough.

While you're setting up this vpn, ask the network specialist to take a look at your network and computing setup to make sure it's secure enough. Your routers should be providing you with firewall protection.

Some companies near-ish to you, googled, didn't research
http://www.youtube.com/watch?v=ytG_LtkTj_o links to http://www.cncllc.com/
http://www.itmgllc.com/index.html
http://www.aetechnology.net/

VPNs for Small Business
http://ask.slashdot.org/story/06/04/25/007206/VPN-Solutions-for-SmallMedium-Businesses
http://www.techrepublic.com/forum/questions/101-271418
http://www.technewsworld.com/story/59885.html
http://www.technewsworld.com/story/59948.html
http://www.smallnetbuilder.com/

Hardware - netgear and dlink are reliable small network hardware providers, should give you an idea of the starting point for spending.
http://www.netgear.com/service-provider/products/security/SSL-VPN-concentrators/default.aspx
http://www.dlink.com/products/?pid=563
posted by theora55 at 10:28 AM on September 15, 2011


Theora55, you can buy tech support for pfSense right from their website.
posted by majortom1981 at 10:29 AM on September 15, 2011


> I have to drop all of this to go pick up a dead body

If I had a nickel for every time I heard that...
posted by theora55 at 10:29 AM on September 15, 2011


> mrzarquon he might already have a real server from dell or hp.

See above. Dell and HP both have pretty obvious boot / BIOS screens, compared to the generic ACPI message that shows up otherwise.

ColdChef: can you look at the physical server when you have a chance and see if it has any noticeable brand names on it (Dell, HP, etc.)?
posted by mrzarquon at 10:32 AM on September 15, 2011


mrzarquon, that could also be from Device Manager or within Windows itself.
posted by majortom1981 at 10:35 AM on September 15, 2011


Do people think the IT guy is going to work for free here? You can do it yourself for the cost of the hardware, but that's because you aren't paying someone to set it up. Your mechanic bills out at $75 per hour, I'm sure the IT guy does too. So just looking at hardware costs doesn't seem valid.
posted by smackfu at 11:10 AM on September 15, 2011


Assuming the hardware is about a grand (a very high end estimate for a small business), it doesn't take $2000 worth of labor to set up a point to point firewall. A couple of hours at the most.
posted by empath at 11:16 AM on September 15, 2011


> Assuming the hardware is about a grand (a very high end estimate for a small business), it doesn't take $2000 worth of labor to set up a point to point firewall.

That's including a new server as well, in the original $3k quote, and we don't know if that is including any labor to do a SBS2003 -> SBS2011 migration (which takes at least a full day or two of labor for that alone, depending on the state of the 2003 server). At a usual $1k/day rate (cheap by some standards), if hardware was $3k, and a seamless, well maintained migration could happen during normal business hours (vs. after-hours), it could be a $5-6k job, if not way more.

I don't know the state of ColdChef's networks, but I've seen what would be "smaller jobs" spiral more out of control because nothing has been maintained or updated recently.

And empath: the TZ100 SonicWalls (i.e., the currently shipping models, not the discontinued tz180s, which are actually slower in most accounts compared with the tz100) with 5x8 support are $460 a pop MSRP, so $920 for two VPN end points is not a bad price. You could get by with just a firmware/hardware warranty for less, but if you are trying to avoid extended hours being billed by the local IT guy because of troubleshooting the VPN connection, being able to just get the manufacturer on the phone to fix the problem right away is worth the $330, compared to letting the local IT guy poke around with it for two or three hours before then calling support.
posted by mrzarquon at 11:29 AM on September 15, 2011


I was recommending SonicWall more for the support than anything else. They have solid tech support that actually know what they're talking about and will help you configure stuff.
posted by empath at 11:46 AM on September 15, 2011


The solid tech support aspect was also why I was suggesting SonicWall.

Those Mikrotik boxes look cool, and if I were going to deploy my own low cost network, those might be a good solution if I wanted to keep an extra one on the shelf (for that price, it's not a bad idea). But looking at their licensing / support contract (15 days for initial config, email only?), I don't know if I could honestly say they would be a cost effective solution for someone who doesn't have some IT chops of their own, or access to someone who isn't going to charge them out the nose for figuring out how to manage those devices.
posted by mrzarquon at 12:22 PM on September 15, 2011


I would suggest buying a couple of cheap PCs (or using a spare, if you have one) and using Logmein instead of a VPN. Reason being that it's impossible to say without measuring exactly what sort of bandwidth your application will require for acceptable performance. Remote desktop solutions, on the other hand, provide a predictable and acceptable level of performance over even low bandwidth connections.

If you really want to go the VPN route, the Mikrotik routers are a good way to handle it. If you prefer a web interface so you can set it up yourself, the Cisco (Linksys) RV042 works reasonably well also, and can more easily handle multiple Internet connections for redundancy.

If you have even a modicum of understanding of networking, it shouldn't be hard to get a VPN going. These days, it's just a matter of knowing your IP addresses if you have static IPs or setting up dyndns or no-ip if you don't.

Logmein is even simpler, as it's just a matter of installing the software on the PC at your main office and logging on through the website at the other end. If you don't need to print (from the remote application, at least) at the remote location, you don't even have to pay any money. If you do, it's $70/year, so there is some ongoing cost that you don't have with a VPN.
posted by wierdo at 12:59 PM on September 15, 2011


You don't even need an extra PC if one of the ones you already have in your office is at least a little bit grunty; you could just install VirtualBox on that and RDP to it via SSL from anywhere.

But before you even think about messing about with crazy schemes like this or buying new hardware, you really want to put Hamachi on your existing server and on your remote workstation and see if your app works OK that way. Hamachi is free as in beer until you start asking it to do a lot more than you're going to.
posted by flabdablet at 10:25 PM on September 15, 2011


Response by poster: Utilizing the information in this thread, I've been able to cut my cost of implementation in half. They're now going to set up 2 ProSafe Wireless N VPN Wireless routers at each of my locations. The setup, equipment, and maintenance will now be a little less than $1500. More than if I did it myself, but worth it so that I don't have to maintain it. Thank you all for the support and suggestions.
posted by ColdChef at 8:06 AM on September 21, 2011

