Thought I would share a recent project where I utilized Nethserver as an integral service for a client's recent need to work remotely with minimal fuss. This client is traveling to a remote state for an extended period of time but requires access to large database files at the office. With ~5 users on site, they have business-class internet using a common cable modem/router and a mix of Win 10 Home/Pro machines.
Putting this all together I needed to target the following needs for this project:
Simple remote access to Windows device
Central account provider for identity management
VPN access
Reasonable security enforcement
Scalable user/resource needs
I chose to go with @mrmarkuz's work with Guacamole for remote access, using the SAMBA account provider backend for user identity management. Accessing Guacamole over the web required a valid SSL certificate, and this company had their own domain name. Instead of using the automated ACME-DNS Let's Encrypt script, I chose to go with a PfSense VM for the job to manage my certificates, firewall/networking, VPN and proxy connections. Cloudflare is used to proxy and separate the desired HTTPS traffic, 2FA is enabled for Guacamole users, and Fail2Ban remediates and notifies on multiple login failures. This project request came last Friday and had to be live today, so I chose to virtualize NethServer and PfSense and configured Guacamole within 3 hours on an HP ProDesk 600 G3 i3-6100T/16GB RAM mini desktop.
Finally, and probably the most important thing I did, was to go over and purchase a subscription because Nethserver needs to eat too. In the future I may demo some of this via video, but most would be repetitive. I'm still waiting for Threat Shield to become a more stable/developed product with reliable lists. It easily has the potential to replace PfSense as my edge service. Fun note: I was able to use LDAP authentication against Nethserver with my OpenVPN PfSense service.
Why do you use Pfsense instead of the Nethserver built-in firewall? Nethserver with Suricata/Ntop/fail2ban/ThreatShield is a very good solution with easy management.
This came down to a couple of things for me. Firstly, I knew I was going to virtualize this project for the scalability, so having multiple VMs and not putting Nethserver on bare metal was justified in my head. Beyond that, I have had previous experience with PfSense and chose to use it because it was built for the job.
I agree that you can get NS with all the other services working well for an easy to manage solution. I tend to use Nethserver more as a software vehicle (especially with recent Docker work) rather than a gateway device.
I have OpenVPN set up and ready to go as a backup like you are suggesting, but the above is so much simpler and, in my opinion, more elegant. I have been finding that small businesses tend to want to use their own personal equipment to remote into their office equipment, causing me headaches worrying about configuring their end devices, making sure their OpenVPN software is up to date, and teaching them how to use said software ALONG with 2FA and additional security problems. For me, I point anyone to a URL and provide login credentials, walking them through their first-time usage and what to expect. From a sysadmin point of view I have just 1 port at the edge to worry about, and I set a firewall rule to drop all traffic except those on a Cloudflare whitelist.
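As an added illustration of the "one port, Cloudflare allowlist only" edge rule described in the post above (this is example code, not royceb's configuration or anything from the NethServer/pfSense projects): the script below embeds a constructed snapshot of Cloudflare's published IPv4 edge ranges, checks whether a peer address belongs to Cloudflare, emits a generic pf.conf fragment equivalent to a pfSense alias plus a pass/block pair on the HTTPS port, and shows the companion rule a practitioner wants once Guacamole sits behind a proxy: trust the `CF-Connecting-IP` header only when the TCP peer really is a Cloudflare edge, otherwise Fail2Ban would ban Cloudflare (or a forged address) instead of the attacker. The interface name `em0`, the port and the IP list are assumptions; the live list must be fetched from Cloudflare and re-applied when it changes.

```python
"""Cloudflare-only edge allowlist for a proxied Guacamole port (added example)."""
import ipaddress

# Constructed snapshot of Cloudflare's published IPv4 ranges (assumption: fetch
# the live list from https://www.cloudflare.com/ips-v4 and refresh it regularly).
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_V4]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of the embedded Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def client_ip(peer: str, headers: dict) -> str:
    """Address to log / feed to Fail2Ban.

    Only honour CF-Connecting-IP when the TCP peer is a Cloudflare edge; any
    direct client could otherwise forge the header and get someone else banned.
    """
    if is_cloudflare(peer):
        forwarded = headers.get("CF-Connecting-IP")
        if forwarded:
            ipaddress.ip_address(forwarded)  # raises ValueError on garbage
            return forwarded
    return peer


def pf_rules(ext_if: str = "em0", port: int = 443) -> str:
    """Generic pf.conf text: allow the port from the Cloudflare table, drop the rest.

    Both rules use 'quick', so first match wins: the pass rule must precede the
    block rule. pfSense generates the same shape from an alias plus two rules.
    """
    table = "table <cloudflare> persist { " + ", ".join(CLOUDFLARE_V4) + " }"
    allow = (f"pass in quick on {ext_if} proto tcp from <cloudflare> "
             f"to any port {port} keep state")
    deny = f"block in quick on {ext_if} proto tcp from any to any port {port}"
    return "\n".join([table, allow, deny]) + "\n"


if __name__ == "__main__":
    print(pf_rules())
    # Constructed requests: one arriving via Cloudflare, one hitting the port directly.
    print(client_ip("104.16.1.1", {"CF-Connecting-IP": "203.0.113.5"}))   # 203.0.113.5
    print(client_ip("203.0.113.9", {"CF-Connecting-IP": "10.0.0.1"}))     # 203.0.113.9
```

Run it as-is to print the pf fragment; the second and third lines of output show that the forwarded header is honoured only behind a Cloudflare peer. Note that the allowlist only prevents direct hits on the origin; it does nothing against a client that reaches the site through Cloudflare, which is exactly why the 2FA and Fail2Ban layers the post mentions still matter, and why Fail2Ban must be pointed at the real client address rather than the proxy's.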
I also have Nethserver virtualized (with Proxmox) and use two Nethservers, one for applications like Samba, WebTop, etc. and one as the gateway. At another place, I use just one server for everything.
The gateway, firewall and IPS features of Nethserver are really very good, especially the integration of EveBox, Suricata and ntopng, which is much easier than in pfSense. So you should really consider NS here too (I also switched from pfSense to NS).
I love to see such a testimonial. Thank you for sharing this @royceb
Showing that setting up all services in more or less one weekend is impressive. And part of that is because NethServer is that intuitive and modular.
I can see your choice for pfSense. Despite the objections of a part of the open-source community, pfSense is still doing a great job as a firewall/gateway. If you make sure your external interface is exclusively available to pfSense, all traffic has to go through pfSense.
Since you went the virtualization route (which I would strongly recommend too), you could choose to have a separate instance of NethServer as the Samba4 account provider and a second NethServer for all other services. But that's about all I would do differently.
Can you give some info in a few weeks about your client’s feedback regarding guacamole and other NethServer services?