Software VPN for client/server connections?



Hello!

I am a small ISV that deals with SQL Server. Typically when a user wants a remote connect (i.e. from home to their business) we secure a TCP port and configure their router. This has become a massive headache and realize from a security perspective it's not great. Luckily the database does not contain any critical information, but even so...

What would be the least friction for setting up a VPN for users who do not know much. This way they could just VPN to where their server PC is, and no additional configuration needs to occur on the client software.

Any suggestions? Easy to setup and cost effective are considerations.


Thanks!

If they are dialling into Windows Server, you can enable RRAS and SSTP/L2TP/IKE, but you still need to configure the router, and the idea of VPNing into a SQL Server is a fairly poor one to be honest - you really want a dial-in server and proper intermediate security into the core network.

If you have a standardised WAN router, you might find that they support direct L2TP VPN.

If the remote user has a static IP address, you could lock down their port access to the static IP.

Finally, you could look at a remote access solution like TeamViewer, Chrome Remote Desktop or AnyDesk, which do not require any firewall punch-through as they use rendezvous points.

Thanks for the reply. No, mostly these guys are small businesses just on Windows client machines.

I don't want to VPN to SQL Server specifically, but just the PC that hosts it. This seems more secure to me than the current method of direct SQL connections? They are starting to have issues with things like credit card compliance because their network has that port open, even though we have nothing to do with credit cards. So I'm looking at ways to eliminate those types of things.

I guess L2TP is maybe the way to suggest. I was hoping one of these ExpressVPN-like things or something had some software installed on one end that created that VPN server, so to speak, so they could establish the connection to that network and do what they needed to do.

Unless you are saying that the 'host PC' is just running a copy of SSMS, that would be a direct connection to the SQL Server. You don't want other things running on SQL Servers. It isn't great design or security posture. It really doesn't matter what VPN service you use, be it built-in, RRAS, OpenVPN etc. Unless the VPN server is on the WAN router, you still have to configure it and then reconfigure the router, port forwards and monitor it. One compromised password, one weak account on the VPN system. Someone has to police it.

Yes, I get all of that... but this is SQL Server Express for very small businesses. They don't have the resources to build out dedicated SQL servers. It's a fat client that's being sunset more or less. Looking for ways to bridge some gaps for me on the support side and make things a little tighter/easier on this end of things. It seems to not exist like I was hoping.

For small offices, when I'm working with a shoestring budget, I usually get an ASUS router that's compatible with third-party firmware like Merlin WRT and run a VPN server on it.

On 24/04/2023 at 22:06, scumdogmillionaire said:

Yes, I get all of that... but this is SQL Server Express for very small businesses. They don't have the resources to build out dedicated SQL servers. It's a fat client that's being sunset more or less. Looking for ways to bridge some gaps for me on the support side and make things a little tighter/easier on this end of things. It seems to not exist like I was hoping.

Then I would use something like TeamViewer and forget about port forwarding entirely. It'll give you a console connection without the massive security implications.

Perhaps ZeroTier would work in this situation, you can essentially build a virtual network over the internet that consists of any device with the ZeroTier client installed.

You'd install the ZeroTier client on the SQL server, along with any client PC you wish to remotely connect from. Essentially all these devices are then on the same virtual local area network, so they can talk to each other.

Ideally you want to lock the SQL server PC down so only remote connections are allowed on the SQL server port, nothing else like RDP. From what you have said you can't really trust the devices that are going to be sat on the same ZeroTier network and have the ability to connect to this SQL server.

The end result is you have limited the people who can connect to the SQL server to just the people with the ZeroTier client installed who are members of the virtual network you created, not the whole internet.

The more proper way to do this would be to run a VPN on premises. You'd have the SQL server in its own VLAN, have the users VPN in and be isolated in another VLAN. Finally, a firewall rule to only allow connections from the VPN VLAN to the SQL VLAN on port 1433, for example. However, from what you have said, the hardware is probably not in place to support this.
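One way to do the host lock-down described in this post (SQL port reachable only from the ZeroTier network, RDP not reachable from it) using Windows Defender Firewall. This is an added example, not code from the thread or from ZeroTier; the 10.147.17.0/24 range, the fixed port 1433 and the rule names are constructed assumptions, so substitute the managed route shown for your own ZeroTier network.

```powershell
# Added example: restrict SQL Server on the host PC to ZeroTier peers only.
# Assumptions (constructed, not from the thread):
#   - ZeroTier network's managed route is 10.147.17.0/24
#   - SQL Server listens on a fixed TCP port 1433 (no dynamic port / SQL Browser needed)
# Run from an elevated PowerShell on the SQL server PC.

$ZtSubnet    = '10.147.17.0/24'          # your ZeroTier managed route
$SqlPort     = 1433
$AllowName   = 'SQL Server (ZeroTier only)'
$BlockRdp    = 'Block RDP from ZeroTier'

# 1. Make sure inbound traffic is denied by default on every profile.
#    The ZeroTier adapter is usually classified as Public, so cover all three.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable any existing broad inbound allow rule for the SQL port
#    (e.g. one created during the SQL Server install), otherwise it would
#    still expose 1433 to the LAN/WAN regardless of the scoped rule below.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$SqlPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.DisplayName -ne $AllowName } |
    Disable-NetFirewallRule

# 3. Allow the SQL port only when the source address is inside the ZeroTier range.
if (-not (Get-NetFirewallRule -DisplayName $AllowName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $AllowName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $SqlPort -RemoteAddress $ZtSubnet -Profile Any
}

# 4. Explicitly block RDP from ZeroTier peers. Block rules win over allow rules,
#    so this holds even if a generic "Remote Desktop" allow rule is enabled.
if (-not (Get-NetFirewallRule -DisplayName $BlockRdp -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $BlockRdp -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $ZtSubnet -Profile Any
}

# 5. Check what is actually exposed: every enabled inbound allow rule for 1433
#    should now list only the ZeroTier range as its remote address.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$SqlPort" } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-35} {1,-6} remote={2}' -f $_.DisplayName, $_.Action, ($addr -join ',')
    }
```

Step 5 is the check worth repeating after any SQL Server update or reinstall, since installers tend to re-add an unscoped allow rule; the same allow-list idea is what the VLAN firewall rule in the post above enforces at the network edge instead of on the host.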

On 25/04/2023 at 05:33, InsaneNutter said:

Perhaps ZeroTier would work in this situation, you can essentially build a virtual network over the internet that consists of any device with the ZeroTier client installed.

You'd install the ZeroTier client on the SQL server, along with any client PC you wish to remotely connect from. Essentially all these devices are then on the same virtual local area network, so they can talk to each other.

Ideally you want to lock the SQL server PC down so only remote connections are allowed on the SQL server port, nothing else like RDP. From what you have said you can't really trust the devices that are going to be sat on the same ZeroTier network and have the ability to connect to this SQL server.

The end result is you have limited the people who can connect to the SQL server to just the people with the ZeroTier client installed who are members of the virtual network you created, not the whole internet.

The more proper way to do this would be to run a VPN on premises. You'd have the SQL server in its own VLAN, have the users VPN in and be isolated in another VLAN. Finally, a firewall rule to only allow connections from the VPN VLAN to the SQL VLAN on port 1433, for example. However, from what you have said, the hardware is probably not in place to support this.

Ah! This is closer to what I was looking for! Thank you!

I need some network tunneling that I don't have to manage/maintain so this looks like it may fit the bill!
