Help this old dinosaur get on track with simple vpn setup

My apologies in advance if this is the wrong area for this kind of problem or if it’s too simple.

I’m an old dinosaur who used to set up office VPNs about 15 or 20 years ago. These were simple VPNs which allowed remote users to access their documents at their office.

The method back then was to set up a vpn connector on the laptop, point it to the public IP, and set up forwarding for a couple of ports in the router. Then IIRC I’d set up permissions in their account on the server.

I’ve been called upon to set up a VPN for someone, and it looks like things have changed remarkably. When I search in order to bone up, most returns are for commercial VPN companies who are focused on providing anonymity on the web.

Has my method of creating simple VPNs become completely outdated? I assume that security issues and methods are very different nowadays.

Are there any good resources out there to re-learn basic VPN principles and best practices? Perhaps as I’ve gotten older my search capabilities have dwindled, or else I’m so hopelessly out of the loop that I don’t even know what to search for within the context of small office VPNs. If anyone can steer this old coot in the right direction I’d greatly appreciate it. Again, I apologize if this question is not appropriate for this group.

Am I missing something or did you just do port forwarding? Forwarding ports on a router will allow external access to internal stuff, but it is very different than, and worse than, a VPN.

There are plenty of free SSL VPN solutions. WireGuard has been mentioned, OpenVPN is another. You may be confusing remote access VPNs with VPN services meant to protect your Internet browsing.

Any remote access VPN that allows connections between two private networks across the Internet requires client and server VPN software and configuration on both ends.

I recommend looking into WireGuard. I set it up for the first time a couple of days ago.

The “site” needs to have an IPv4 or IPv6 address that is reachable by the client. Dynamic Public IP address is OK if you setup dynamic DNS. CGNAT (Carrier Grade Network Address Translation) is not.

You need to learn zero trust network access. Set this up wrong and you’ll get them ransomwared. Client-based SSL VPNs authenticating are getting compromised left and right lately; you don’t have the security background to be doing this safely.

Just go with Tailscale. It’s built on Wireguard, but with some stuff added to make it mindlessly easy. Install an app on every unit you want to connect to and it sets up a separate encrypted network on top of the Internet, basically. No port openings in the firewall required at all. Assuming this is a simpler smaller solution. Exceedingly easy to set up in its most basic form.

Otherwise you can still just set up an OpenVPN implementation on-prem; many firewalls have it as a built-in.

Mostly people are looking for VPN solutions to hide their tracks on the Internet now. Thus they rent one in the cloud so they’re not connecting from their own IP to web sites and the like; that doesn’t facilitate access into their own environments though, it’s a different thing.

What are you looking to achieve? VPNs to company resources are still 100% a thing (although reducing in popularity to ZTNA, which establishes secure sessions to internal resources with posture checks).
Googling for VPN will give lots of results for public VPN companies who give anyone access to internet resources that might be geo-restricted, or just want to anonymise their web browsing. This is the same technology that you previously set up, just used for internet access rather than internal application access.
If you have a manufacturer in mind then they will have some good documentation on how to set up their firewall/router to set up a VPN.

A simple corporate-network VPN is still the same as ever. We’ve gotten better protocols (like Wireguard) but there’s still lots of IPSec or TLS-based VPNs around, similar to what you’ve had in 15-20 years past.

The commercial VPN companies are technically similar, but serve a very different purpose. For your needs, you can largely ignore them.

The biggest thing that’s changed is what Google called beyondcorp, and what others have called Zero-Trust (architecture or networking), though the terms have become bloated in crappy vendor spam by now to mean whatever somebody’s selling. In your classic corporate-network VPN, you’d let somebody into the network, and that’s often about it. The beyondcorp paper is https://research.google/pubs/pub43231/, and NIST has a decent intro to ZT at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

First of all google your firewall and see what it supports. Then google some more to see if any of the supported options have had any security problems in the past. Then just configure it; there should be plenty of guides available, either public or in the manual for the firewall. Do not use PPTP, and use as high encryption as possible. For a few users that might be enough. Do not make it more complicated than it needs to be.

I’m an old dinosaur who used to set up office VPNs about 15 or 20 years ago

Out of curiosity, was that the whole job?

If you got a Windows Server, use RRAS, Routing And Remote Assistance.

Thank you guys. Every search return seems to be a commercial enterprise trying to sell something. That’s what got me a bit confused.

Can anyone tell me the two ports that need to be forwarded in the router? I forget them.

I’ve been using OpenVPN for many years but recently switched to WireGuard which is simpler and performs better. There are free servers and clients either built in or available for every major platform. If you run a WireGuard server in your router you don’t need to port forward any ports, but if you run it on a host behind your firewall you only need to forward a single UDP port.

This. We need to know what you are using to connect, and what you are connecting to. Each have their own specific configuration.

It’s a Verizon FIOS business-class router, though I don’t see any specific VPN settings in there. Back in the day I simply set it up on any router by using port forwarding.

I’ll look into wireguard. I want to keep it simple, though. He has a static IP.

WireGuard is the way. Don’t get locked into vendor specific nonsense.

WireGuard can be a bit annoying due to how it’s stateless. The client thinks it’s always connected, irrespective of whether it can reach the VPN server. It also requires static IP allocation to each end point.

While it may not be in vogue these days, openvpn is still a solid choice. There are also VPNs built on top of wireguard that are more user friendly (stateful, dynamic IP allocation, good UI) though off hand I don’t know a good example.
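To make the two WireGuard points above concrete (the single forwarded UDP port when the server sits behind the firewall, and the static tunnel address assigned to every peer), here is an added example of a minimal server/client config pair. It is not from any poster in this thread or from the WireGuard project; the keys, the office LAN 192.168.1.0/24, the tunnel subnet 10.0.0.0/24 and the public address are placeholders to be replaced, and UDP 51820 is WireGuard’s usual default port.

```ini
# ---- Server: /etc/wireguard/wg0.conf on the office host behind the router ----
# The router forwards UDP 51820 from the static public IP to this host. Nothing else.
[Interface]
# Static tunnel address for the server (WireGuard has no DHCP; each peer is assigned one).
Address = 10.0.0.1/24
ListenPort = 51820
# Placeholder: output of `wg genkey` on the server. Never reuse this value.
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# The laptop. Placeholder: its `wg pubkey` output.
PublicKey = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
# Optional extra symmetric secret; `wg genpsk`, shared out of band with this one peer.
PresharedKey = <PRESHARED_KEY_PLACEHOLDER>
# Only packets from the laptop's own tunnel address are accepted from this peer.
AllowedIPs = 10.0.0.2/32


# ---- Client: wg0.conf on the laptop ----
[Interface]
Address = 10.0.0.2/32
PrivateKey = <LAPTOP_PRIVATE_KEY_PLACEHOLDER>
# Resolve office hostnames through the office DNS server while connected (placeholder address).
DNS = 192.168.1.10

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
PresharedKey = <PRESHARED_KEY_PLACEHOLDER>
# Static public IP (or dynamic-DNS name) of the office plus the one forwarded port.
Endpoint = <OFFICE_PUBLIC_IP_PLACEHOLDER>:51820
# Split tunnel: route only the tunnel subnet and the office LAN through the VPN.
# Using 0.0.0.0/0 here would instead send all of the laptop's Internet traffic to the office.
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
# Laptops are usually behind NAT; a periodic keepalive keeps the NAT mapping open so the
# server can reach back. Omit it if the laptop initiates everything and you prefer silence.
PersistentKeepalive = 25
```

Bring it up with `wg-quick up wg0` on both ends and check `wg show wg0` on the server: a “latest handshake” line for the laptop’s peer is the only reliable sign the tunnel is working, since (as noted above) the client side looks “connected” whether or not the server is reachable. Restricting AllowedIPs to the office LAN, rather than the whole Internet, keeps the laptop’s web browsing off the office connection and limits what the tunnel exposes to the file server the user actually needs.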

Tailscale for the win. It looks like the simplest solution. Thanks to everyone for your great replies. I appreciate each one.

Looking to allow this guy’s laptop to connect to his office via vpn to simply open a few Word and Excel docs from time to time. Ultra-simple stuff. I used to set these up all the time, as I recall the router didn’t matter. I would just use port forwarding. I forget the two port numbers to use, though.

Thanks for the info and the links. My intent is to keep this real simple, because the scenario is this: I’ll set him up, he’ll open a document or two and then not even connect again until he’s out sick. Super-low utilization.