I am looking for some advice.
I have a relatively small office Active Directory setup. We have pfSense with openVPN & WireGuard. I am the only remote user so far and can easily turn the VPN on and off on the laptop as required.
We are now looking to add some users who will be working from home. I would like them to be able to access their mapped drives and other resources with as little user input as possible.
In my mind it would be as simple as joining the laptop to the AD, setting up the VPN connection and that would be it. I decided to look at getting an external IT person to do it for us as I wanted to make sure it was done properly and securely. Any of the people I have spoke to have said it is likely to take days to understand the exact requirements and understand the current environment and operation model. In my mind it is a much simpler task. Our whole network is only about 20 machines. In my mind the proposed timeline seems overly drawn out, an I wrong? I would love to hear thought from people who are involved with this stuff on a day to day basis.
It’s just a matter of setting up OpenVPN on pfsense and then the users will have access to their resources. The only more involved part would be if you wanted to tie together OpenVPN and have it use the AD server for user auth. Companies hire us for this work all the time.
Do they have computers at the office? Just wondering if you could set up Apache Guacamole to have them connect to their office machine from “any” web browser. Either RDP or VNC from Guac to the office PC. You could maybe do the same with VDI, but I have no VDI licenses, and have not tried it. But I did try RDP with video editing and it worked surprisingly well over my connection from home (70mbps down and 6mbps up) as long as the video files were already on the office storage. The only issue I had was that I could not “record” audio from the remote mic, that was something to do with Chrome and not using a proper certificate for HTTPS There are published fixes for HTTPS and maybe already integrated into Guac.
If planning Guac, figure one core/thread per user for best performance. Normal office type of work could be a lot less processor. Also if planning, a physical computer for the server is best, but it can be run in a hypervisor.
Alternative running this on a local server would be to set up the server in the cloud, and then VPN back into your company. But the largest bandwidth is going to then be over the VPN. This is something you don’t normally care about when the server is running locally.
Since you are running pfSense I think Tom’s recommendation is the way I would go too, OpenVPN with AD auth integrated.
Don’t over complicate doing so only creates more problems. Hire Tom if unsure.
This is what I have used: 1. Open VPN into the network; 2. No Machine Enterprise on the remote and desktop. NM supports ssh as well for that extra security.