
Who needs a VPN?

I've been looking for an effective VPN solution for my home for so many months I've lost track. My goals were simple. From work and anywhere else with an Internet connection, I wanted to access various resources on my home network occasionally: securely, easily, quickly, and without a lot of fuss.

I tried setting up a VPN using Windows 2003. After pulling out far too much hair, I gave up for a couple of reasons:

  1. It wasn't easy to configure. Given I wasn't patient enough to read through every best practice document, etc., I considered my implementation fragile at best.
  2. It didn't function when trying to connect from work. Probably some firewall was getting in my way.
  3. It didn't work consistently with my Linksys wireless router (blamed on the router, not Windows).

I looked for hardware options. Oh, there are plenty. Especially if you have a lot of money. The best options were many hundreds of dollars. The best option I encountered came from US Robotics actually, the USR8200. It was extremely capable, but averaged around $300 retail. It was however available at Sam's online which almost pushed me over the edge (as they have a buy online, return to a store policy).

I couldn't find any other decent options that were reliable and inexpensive. I gave up. Several times.

One day, however, I stumbled across WinSSHD from Bitvise. I downloaded a copy after reading quite a lot in both the forums and the various FAQs. It seemed to offer everything I wanted. This is a brief review and overview of the functionality. Check out their website for more information, though, as I try to capture just the basics of what got me interested and excited about their product.

  1. Inexpensive: $39 for home users
  2. Easy to set up.
  3. Secure
  4. Little fuss

WinSSHD runs as a Windows service, so it's always available. It's configured from their control panel (shown above).

I said that WinSSHD is easy. That's not entirely true. It's easy to get it running, but there are so many options you'll likely want to configure that it can quickly become overwhelming. I started by installing it in a virtual machine so as to not mess up my primary 2003 server. One thing that I would warn you about: it's not configured "secure" by default. It seems to default to a mode where any authenticated Windows user can connect to the software, which I was unhappy with and immediately deactivated. By default, the software shouldn't allow anyone to connect without specifically making that choice. Bitvise can make that an easy wizard step after installation, but I believe it should be a conscious choice on the part of the user. Default secure.

The WinSSHD settings interface can be intimidating.

WinSSHD allows the administrator to use either Windows accounts and groups or 'virtual' users and groups. I opted for the latter in my installation.

In addition to standard user-name/password authentication, WinSSHD can be configured to require a specific certificate in order to log on to the system. I too am using that feature, which further secures the system. I've imported a public key from my laptop into the local WinSSHD server and require that it be presented, along with the user name and password I've assigned, before allowing any user to make a connection. This is very similar to what I wanted from a VPN connection.

The system can also be configured to refuse IP addresses after a set number of failed attempts.

Through port mapping and tunneling (which is often done through their free corresponding client application, Tunnelier), I can use a variety of services on my home network from anywhere! Through a single port (often port 22), a virtually unlimited number of 'virtual' ports can be established to remote servers and services, all securely! As an example, I was on a business trip recently, connected back to my home network and remote desktopped to one of my machines, downloading some files I wanted to have available when I returned today (as my connection at the hotel was slower than the connection I have at home). Along with an easy one-click remote desktop button (it connects easily to the machine hosting WinSSHD, but through port mapping any machine can be a target for remote desktop), the software also has a nice file browser for uploading and downloading files securely.

Although the server can prevent tunneling, the actual tunneling configuration happens on the client. It's a bit weird at first, but after getting one working, it's easy to get many services running. The weird part is that to remote desktop to a remote client machine on your private network accessed by WinSSHD and Tunnelier, you'll end up connecting to localhost (127.0.0.1 and some port you choose). Tunnelier maps that port and redirects the traffic down to the WinSSHD server, which in turn sends it to the final destination (which doesn't necessarily need to be the same machine that is hosting WinSSHD). I've set up a connection using VNC to my Mac mini, for example.
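The setup described above (key plus password both required, no access unless explicitly granted, tunnels defined on the client and reached through localhost) written as OpenSSH configuration. This is an added example, not from the original post and not WinSSHD or Tunnelier configuration; the host name, account name, LAN addresses and local ports are placeholders.

```sshconfig
# ---- Client side: ~/.ssh/config (plays the role Tunnelier has in the post) ----
Host home
    # Placeholder public name of the home SSH server
    HostName home.example.net
    Port 22
    # Placeholder account created only for tunneling
    User tunneluser
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Remote desktop to a LAN machine: point the RDP client at 127.0.0.1:13389.
    # Binding to 127.0.0.1 keeps other hosts on the local (hotel, office)
    # network from using the tunnel.
    LocalForward 127.0.0.1:13389 192.168.1.20:3389
    # VNC to a second LAN machine: point the viewer at 127.0.0.1:15900.
    LocalForward 127.0.0.1:15900 192.168.1.30:5900
    # Fail the connection instead of silently running without a tunnel.
    ExitOnForwardFailure yes

# ---- Server side: sshd_config (plays the role WinSSHD has in the post) ----
# Deny by default: only the listed account may log in at all.
AllowUsers tunneluser
PermitRootLogin no
# Require the public key AND the password, not either one.
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
# Limit on attempts per connection. This is not the per-IP lockout the post
# mentions; that needs a separate mechanism not shown here.
MaxAuthTries 3
# The client chooses which tunnels to open, but the server decides which are
# allowed: client-to-server forwards only, and only to these destinations.
AllowTcpForwarding local
PermitOpen 192.168.1.20:3389 192.168.1.30:5900
X11Forwarding no
```

With `PermitOpen` in place, a forward the client requests to any other host or port on the home network is refused by the server even though the login itself succeeds.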

I usually don't find too much shareware that I want to buy, but this is a must buy for me. Once the trial runs its course, I'm definitely buying a copy of WinSSHD. I'm glad I can stop looking for a VPN solution for Windows.

Comments

Hello Aaron,

thank you for your review. :-) It was found by my colleague Nina through Google.

I appreciate your comments about wanting WinSSHD to install with all access denied by default. I have also been having concerns about that, but on the other hand, I also believed it's important for the product to work right out of the box so the user can immediately explore what it does.

On the other hand, WinSSHD doesn't automatically open a hole in your firewall exactly because I don't want it to. I think the user should open the port in the firewall consciously and only after they have already secured all the settings they wanted to secure.

I'm thinking of ways to make, in a future version, access denied by default, while still making it easy for people to get WinSSHD up and running while getting acquainted with the configuration. For example, perhaps there could be something like tooltip balloons that would guide the first-time user through what needs to be done in the configuration...

Thank you for the post and the nudge in the above-contemplated direction.

Best regards!

denis

Thanks for the comment.

My suggestion/idea is to have an initial configuration wizard AFTER the installation has completed where you ask the handful of simple questions that could guide the user through choices like you're describing above. By default, if they take the defaults which should be "No", the system would be secure and essentially unchanged from however it behaved and was secured prior to installation.

The problem with wizards is that they hide the actual structure of the program. They create a chasm between beginner users and intermediate users and make it difficult for someone to graduate from the beginner level up.

The problem is that, as soon as the user is confronted with the program, they start learning, and if their first exposure is to a wizard, they will learn a fake interface that's very shallow and very useless for any kind of intermediate or advanced configuring.

For this reason I reject wizards in principle. Instead I look for ways not to hide the true structure of the program, but to make it intuitive and to provide tools that make it easier for the first-time user to understand what they need.

The integrated help that's part of WinSSHD settings is part of this. It is there for intermediate users who need to learn about the impact of various features that they contemplate configuring. However, we lack something for complete beginners, something that is not a wizard, but more like an interactive demo or a tutorial. And I'm still pondering about what this is.

Although I agree in principle with your comments about wizards, I'd suggest an initial simple configuration *tool* would go a long way to helping many users. Part of the issue I see with your software is that with some simple configuration and creation of users, there really isn't much more to do. It's that easy. But with the current mode, it's hard to tell without a significant examination of the options. It's not a 'positive' experience where one can feel sure that it's configured correctly. I was quite concerned, as a matter of fact, that I had misconfigured it for several days -- wondering if hackers might be getting into my network, etc. Not a good feeling.

I'm not sure about an interactive demo. Seeing all the options still is intimidating.

A review summary might help -- where the user can see the effect of their changes all in one place. Maybe.
