Remote work ("udalenka"): another self-isolation VPN deployment story

Another story about how remote access had to be deployed quickly for a small company that went into self-isolation but could not afford to stop working.

Like many others, the company that asked me to help organize remote access realized only a few days before the president announced the measures that it would have to go into self-isolation. It was necessary to act quickly.

I have experience with suddenly moving employees to remote work on RDP servers. It is a shock: all the usual processes break down, the effectiveness of employee interaction drops for a while, and some processes stop completely. It takes time before everything works again. In short, moving everyone to an RDP server on short notice, with the employees' familiar working environment changing, was not an option. Therefore it was decided to provide access directly to the employees' own computers. In this case the usual working environment stays with the employee; practically nothing changes or breaks for them.

Alongside the traditional user profiles (managers, sales staff, accounting, etc.), the company also has designers. It was necessary to make sure that designers could work in graphics applications over RDP. You also need to remember to enable remote access on all PCs and set up a power plan so that computers do not go to sleep at night.

To verify that designers can work remotely comfortably, a test OpenVPN server was deployed, then several designers connected to their PCs and checked how their applications behaved. Remote access and the power plan were enabled through group policies.

To avoid hitting the performance limit of a single VPN server, to be able to expand access capacity, and to perform server maintenance without interrupting access, it was decided to deploy a cluster of several OpenVPN nodes, with HaProxy distributing access between them.

Scheme: (diagram of HaProxy distributing client connections across the OpenVPN nodes; image not preserved)
Users will be authorized against the Active Directory domain. To do this, create a group in the domain; for convenience I called it COVID-19. Add the users who are to be granted remote access to this group.

For authorization through AD in OpenVPN, you must connect a module designed for this.
I did not work with openvpn-auth-ldap, there was no time to figure it out, so I used the script from this repository. It connects easily: just place it in the openvpn directory, add a line to openvpn.conf and specify the search parameters for the AD user.

It remains to write minimal instructions for self-installing the OpenVPN client and the connection profile, and send them to users.

As a result, within a few days the company's employees were able to switch to self-isolation mode and continue working.

I will not give a detailed analysis of the server settings. For anyone who wants to look at or even deploy such a cluster, I posted an Ansible playbook on GitHub that deploys HaProxy and OpenVPN on three servers. Attention! I used FreeBSD; the playbooks are written for this OS.

So that admins can see who is currently connected and to which server, I wrote a script that polls the servers from cron and generates a simple HTML page. Information about employees is taken from the internal wiki; you can remove this block from the script, leaving only AD accounts, or replace it with employee information from AD if it is available there. The script is located in the misc folder of the repository linked above.
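As an added example (not the author's script from the repository), here is the core of such a poller in Python: it parses the `status-version 2` status file that each OpenVPN node writes, aggregates connected users per server, and renders a simple HTML page. The two status files, addresses and user names are constructed sample data, and the assumption is that cron copies each node's status file to the host that generates the page.

```python
import html
from typing import Dict, List

# Constructed sample of OpenVPN "status-version 2" output from two nodes.
# Assumption: cron copies each node's status file to this host; addresses
# use documentation ranges and the user names are made up.
STATUS_FILES = {
    "vpn1": """TITLE,OpenVPN 2.4.8 amd64-portbld-freebsd12.1
TIME,Thu Apr  9 10:00:00 2020,1586419200
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,ivanov,203.0.113.5:51234,10.8.0.6,,12345,67890,Thu Apr  9 09:30:00 2020,1586417400,ivanov,0,0
CLIENT_LIST,petrov,198.51.100.7:40001,10.8.0.10,,500,900,Thu Apr  9 09:45:00 2020,1586418300,petrov,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,ivanov,203.0.113.5:51234,Thu Apr  9 09:59:00 2020,1586419140
END
""",
    "vpn2": """TITLE,OpenVPN 2.4.8 amd64-portbld-freebsd12.1
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,sidorova,192.0.2.9:55555,10.8.1.6,,10,20,Thu Apr  9 09:50:00 2020,1586418600,sidorova,0,0
END
""",
}

def parse_clients(status_text: str) -> List[Dict[str, str]]:
    """One dict per CLIENT_LIST row, keyed by the names in the HEADER row."""
    columns, clients = None, []
    for line in status_text.splitlines():
        fields = line.split(",")
        if fields[:2] == ["HEADER", "CLIENT_LIST"]:
            columns = fields[2:]  # take column names from the file so order changes do not break us
        elif fields[0] == "CLIENT_LIST" and columns:
            clients.append(dict(zip(columns, fields[1:])))
    return clients

def connected_users(status_files: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    """Server name -> list of connected clients, across all nodes."""
    return {srv: parse_clients(txt) for srv, txt in status_files.items()}

def render_html(by_server: Dict[str, List[Dict[str, str]]]) -> str:
    """One table row per (server, user). Every cell is escaped so a hostile
    Common Name or address cannot inject markup into the admin page."""
    rows = ["<tr><th>Server</th><th>User</th><th>Real address</th><th>VPN IP</th><th>Since</th></tr>"]
    for srv, clients in sorted(by_server.items()):
        for c in clients:
            cells = (srv, c["Username"], c["Real Address"], c["Virtual Address"], c["Connected Since"])
            rows.append("<tr>" + "".join(f"<td>{html.escape(v)}</td>" for v in cells) + "</tr>")
    return "<html><body><table>\n" + "\n".join(rows) + "\n</table></body></html>"
```

To use it against real nodes, replace `STATUS_FILES` with the contents of the copied status files and write the result of `render_html` to the web root from cron.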

During operation, an unpleasant bug was found in Windows 10 1903: when working remotely over RDP, Windows 10 dropped the connection and it was then impossible to reconnect. The bug is fixed by patch KB4522355.

This is the whole story. Its purpose, perhaps belatedly, is to give an example of how remote access can be deployed quickly and at minimal cost. The implementation is suitable for both small and medium-sized enterprises, with the ability to increase the number of remote connections.

Thank you for your attention.