How to encrypt the Internet channel?
Good evening, comrades. There is a need to encrypt the communication channel from the office to the server and back.
Let's say there is a server with corporate software installed, located in a data center, and several offices with a staff of roughly ~50. I would like to make access to the remote server private, available only to the offices and their workstations, by means of channel encryption. If a workstation is not configured to work with the remote server, then the server should not be reachable from it at all, so that it cannot even be pinged.
I know one scheme that I came across and worked with for a long time (CryptoPro CSP + Zastava + cryptographic keys + VPN). I will say that the option is interesting, but very labour-intensive, and there is practically no stability.
I'm just not particularly familiar with such tasks, but I'm sure there are analogues of the scheme described above.
Thank you!
There are a lot of VPN solutions that may be suitable for this, depending, for example, on the operating system of the server, the budget, the equipment, etc.
We need more data to advise something concrete.
Well, depending on the OS of the server and the OS of the clients, there are a number of options.
The simplest is PPTP; it is built into Windows.
There are more interesting options, but their configuration is more complicated, such as IPsec, L2TP over IPsec, OpenVPN, Tinc.
If you write in more detail about the OS of the server and clients, about the required level of security, then perhaps I can suggest something in more detail.
I used to work with the ViPNet hardware and software package. They have HW100 / HW1000 boxes. In fact, these are routers, only with advanced VPN support, and they are certified to Russian standards. This box allows you to create half-tunnels, i.e. your LAN => "open traffic" => HW100 => "encrypted traffic" => server in the DC.
Plus, there is no need to deploy VPN clients on local PCs in the offices, which, as I understand it, you want to avoid.
I won't give you the implementation details, since I worked with these solutions 3-4 years ago, but the keyword for talking to technical support / Google is "Polutunel" (half-tunnel).
Evgeniy Lavrentiev: OpenVPN can implement both password and certificate authentication. You do not need to contact a CA; you can issue certificates yourself, using easy-rsa, for example.
PPTP has security issues, plus difficulties passing through NAT, so using it now is strongly discouraged.
If you want to get a VPN without installing additional software on clients, then look towards L2TP + IPsec.
Any inexpensive VPS/VDS hosting + the instructions at habrahabr.ru/company/infopulse/blog/183628, adjusted for L2TP/IPsec.
---
Or OpenVPN:
x64:
1. wget swupdate.openvpn.org/as/openvpn-as-1.8.4-Ubuntu10....
2. dpkg -i openvpn-as-1.8.4-Ubuntu10.amd_64.deb
3. passwd openvpn
x32:
1. wget swupdate.openvpn.org/as/openvpn-as-1.8.4-Ubuntu10....
2. dpkg -i openvpn-as-1.8.4-Ubuntu10.i386.deb
3. passwd openvpn
I am using OpenVPN.
On the server side, OpenVPN runs in server mode. It pushes to the clients all the necessary routes into the network where the servers are. Naturally, a client has no access without the VPN. Only one UDP port is open to the outside.
On the client side, in the offices, I put OpenVPN on routers such as MikroTik or TP-Link with OpenWRT firmware. On mobile computers that need to work with the server outside the office, the OpenVPN client is used.
The solution has worked stably for years on end (more than 5 years).
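An added example, not code from any of the replies above, of the setup the last answer describes (OpenVPN in server mode, routes pushed to clients, a single UDP port exposed) combined with the questioner's requirement that the server not even answer ping outside the tunnel, and with the certificate-only authentication the earlier comment recommends. It is a POSIX shell script that generates an OpenVPN server.conf and an nftables ruleset. The interface name eth0, the tunnel subnet 10.8.0.0/24, the server-side LAN 192.168.100.0/24, port 1194 and the PKI paths under /etc/openvpn/pki are assumed values; the certificate and CRL files themselves would come from a PKI such as the easy-rsa one mentioned in the comment.

```shell
#!/bin/sh
# Added example (not from the thread). Generates:
#   1. an OpenVPN server.conf that authenticates clients by certificate only and
#      pushes the server-side LAN routes to them;
#   2. an nftables ruleset whose input policy is "drop", so the only thing the
#      public side can reach is the VPN UDP port; ICMP echo (ping) from outside
#      is dropped, and the LAN behind the server is reachable only through tun0.
# All interface names, subnets, ports and file paths below are assumptions.

# Convert a CIDR prefix length (0-32) to a dotted netmask, as "push route" expects.
cidr_to_mask() {
  bits=$1; mask=""
  for _ in 1 2 3 4; do
    if [ "$bits" -ge 8 ]; then o=255; bits=$((bits - 8))
    elif [ "$bits" -le 0 ]; then o=0
    else o=$((256 - (1 << (8 - bits)))); bits=0
    fi
    mask="$mask${mask:+.}$o"
  done
  echo "$mask"
}

# $1 = UDP port, $2 = tunnel subnet (CIDR), $3.. = LAN subnets (CIDR) to push to clients
gen_openvpn_server_conf() {
  port="$1"; tun_net="$2"; shift 2
  cat <<EOF
port $port
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key
dh /etc/openvpn/pki/dh.pem
tls-crypt /etc/openvpn/pki/ta.key
server ${tun_net%/*} $(cidr_to_mask "${tun_net#*/}")
topology subnet
# every client must present a certificate signed by our own CA; revoked ones are
# rejected through the CRL, and the peer certificate must carry the client role
crl-verify /etc/openvpn/pki/crl.pem
remote-cert-tls client
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
EOF
  # one route per server-side LAN, so clients only learn the networks we choose
  for net in "$@"; do
    echo "push \"route ${net%/*} $(cidr_to_mask "${net#*/}")\""
  done
}

# $1 = public interface, $2 = VPN UDP port, $3 = tunnel subnet, $4 = server-side LAN
gen_nft_ruleset() {
  cat <<EOF
table inet vpn_edge {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # the only service reachable from the Internet: the OpenVPN UDP port
    iifname "$1" udp dport $2 accept
    # anything else from the public side, ICMP echo included, hits the drop policy;
    # hosts inside the tunnel may talk to the server itself
    iifname "tun0" ip saddr $3 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # tunnel clients may reach the server-side LAN, nothing else is forwarded
    iifname "tun0" ip saddr $3 ip daddr $4 accept
  }
}
EOF
}

# Demo run: print both generated files. On a real host server.conf goes under
# /etc/openvpn and the ruleset is loaded with "nft -f".
gen_openvpn_server_conf 1194 10.8.0.0/24 192.168.100.0/24
echo "--- nftables ---"
gen_nft_ruleset eth0 1194 10.8.0.0/24 192.168.100.0/24
```

Because the input chain's default policy is drop and no rule accepts ICMP on the public interface, an unconfigured workstation gets no ping reply and sees no open port other than UDP 1194, which itself only answers peers holding a valid certificate (tls-crypt additionally hides the handshake from port scanners). The forward chain is what keeps the server-side LAN private: only traffic arriving from the tunnel subnet over tun0 is forwarded into it.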