The main feature of the modern Internet is its constant availability. There is no need to store data locally when it is quickly accessible over the network. The problems begin when that data suddenly becomes unavailable at an unpredictable moment. Most developers work remotely and may lose access to resources depending on the region they are in. In this article, we will look at how you can set up a VPN for your web development team.
What does the inaccessibility of an Internet resource mean in practice?
- Some libraries cannot be downloaded, so the project's development environment cannot be set up. This is the main and biggest problem!
- Zoom, Slack, or Telegram doesn't work, so you cannot contact your colleagues.
- Some sites are unavailable, for example GitHub, so it is impossible to publish your work.
These are not all possible examples, but even they can significantly reduce the productivity of the team.
In practice, the restrictions described above are usually implemented by the Internet provider. It makes no sense to blame the provider for them, because the restrictions were introduced by administrative acts of the state. The provider should be engaged in business, not political struggle.
But sometimes the provider itself turns out to be the villain. For example, for no stated reason, it may block traffic on specific TCP ports, or modify unencrypted HTTP traffic by changing the HTML code of a page to add ads. This is what you expect from scammers, but certainly not from a large company, so it is doubly unpleasant (if you are interested, google "advertising over other people's sites").
Once the scale of the problem makes it clear that it should be solved at the company level rather than left to the individual team members, VPN technology is the tool to reach for.
VPN stands for virtual private network. This is the name for a group of technologies that create a virtual (overlay) network, one with no physical existence of its own, on top of an existing physical computer network.
This provides additional opportunities to increase privacy. In a physical network, as a first approximation, your traffic is visible to all participants in the exchange: every router along the path, and so on. In the virtual network there are no additional participants, only you and the endpoint you connect to. If you are setting one up for your web development team, that endpoint is the VPN server. An encrypted tunnel is established between the two of you.
TUN virtual network interfaces are created on the client machine and on the server, and the encrypted data exchange takes place directly between them. Your data is effectively protected from man-in-the-middle (MITM) attacks: nobody with physical access to the equipment your traffic passes through can read or tamper with your information. This protection covers the path between you and the VPN server; from the server onward, traffic travels as it normally would.
It also lets you reach resources that are unavailable from your home network but reachable from the VPN server.
With VPN technology, the client becomes part of the subnet that the server belongs to and can access the resources of that subnet. This can be used to bypass restrictions, and to solve any other problem that requires a remote and secure connection to a subnet.
IPsec is a set of protocols for secure data transmission that appeared in the mid-90s. It is large and flexible, but low-level and difficult to configure; too complicated for some purposes.
WireGuard is a young project (2015) aimed at getting a working setup quickly. It is potentially faster at transferring data than other VPNs, uses more modern encryption protocols, and is cross-platform, available on all major systems. Its disadvantage is the same as its advantage: to keep installation quick and easy, many low-level decisions are fixed in the core of the program, for example the use of UDP as the transport, which may not be effective for everyone.
The most obvious way is to rent a VPS, connect over SSH and build the server by following a guide. This is a rather lengthy process because of the many commands to run and files that have to be moved by hand.
With this method, every time you create a new server you have to do it all again. To save time, you can use configuration management systems or containerization systems.
Configuration management systems are software that automates the configuration of remote servers (Puppet, Ansible, etc.). The advantage of this approach is that a remote VPN server can be configured with a couple of commands, and all configs and config templates are kept explicitly, in text form, on the controlling machine. You can write a deployment script yourself or take a ready-made one, for example from GitHub.
Containerization systems take a slightly different approach. The most common one is Docker. Installing a Docker container with a VPN on a remote server can be even faster than installing a server via Ansible, which is a plus. However, the set of available configurations may be limited by the image developers: images are binary artifacts, so the approach may not work if you need to fix some exotic config.
First, as already mentioned, VPN technology can be used to connect, for example, to a closed subnet through a computer that belongs to this subnet and is at the same time the VPN server. If there are valuable resources on that subnet, you will want to make sure that nobody unauthorized can connect to the VPN server. For this reason, the certificate authority that signs client certificates is usually kept on a separate machine, not connected to any network at all, perhaps in a safe (no kidding), and certificate signing requests and signed certificates are carried over on removable media.
To run the Ansible script, install Ansible on your computer, rent a virtual server with Debian/Ubuntu and set up SSH access to it. When renting a server, keep in mind that some providers do not allow you to create a TUN interface or perform packet forwarding. Check this before purchasing.
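A preflight check for that last point, added here as an example rather than taken from the article: run it over SSH on the freshly rented server to confirm a TUN interface can really be created and that the kernel will forward packets. The interface name, device node and sysctl path are assumptions (the latter two can be overridden by argument).

```shell
# Added example, not part of the article or its Ansible script.
tun_usable() {   # $1 = TUN device node; creates and deletes a throwaway interface
    dev=${1:-/dev/net/tun}
    [ -c "$dev" ] || return 1
    # the node existing is not enough: container-based hosts (OpenVZ, LXC) often
    # expose /dev/net/tun yet refuse to create an interface on it
    ip tuntap add dev vpncheck0 mode tun 2>/dev/null || return 1   # name is assumed
    ip link delete vpncheck0 2>/dev/null || true
}
forwarding_enabled() {   # $1 = sysctl file; "1" means the kernel routes between interfaces
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}
preflight() {   # prints one verdict per check; exit status 0 only if both pass
    status=0
    if tun_usable; then echo "TUN: ok"; else echo "TUN: cannot create an interface"; status=1; fi
    if forwarding_enabled; then echo "forwarding: enabled"
    else echo "forwarding: off (needs sysctl net.ipv4.ip_forward=1; a provider may forbid it)"; status=1; fi
    return $status
}
```

Run `preflight` as root on the candidate server; a failing TUN check means the host cannot run a TUN-based VPN at all, while a disabled forwarding flag can usually be fixed with sysctl unless the provider prohibits it.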
All interaction with the server is carried out by three commands:
1. Run the script that creates the server and the certificate authority.
2. Register a new user.
3. Revoke a certificate by client name.
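The certificate workflow behind those three commands, and the offline certificate authority described earlier, as an added example that is not the article's Ansible script: the CA key stays on the offline machine, only a signing request goes to it, and only the signed certificate and the revocation list (CRL) come back, for instance on removable media. The directory layout, the minimal openssl config, and the client and CA names are assumptions; it needs the openssl command-line tool.

```shell
# Added example, not the article's code. One CA directory holds key, config, index and CRL.
set -eu
ca_init() (   # $1 = CA directory; run once on the offline machine (body is a subshell)
    mkdir -p "$1" && cd "$1"
    touch index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = team_ca
[ team_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = name_only
[ name_only ]
commonName = supplied
EOF
    # self-signed root marked as a CA, so verifiers accept it as a trust anchor
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=team-vpn-ca" -keyout ca.key -out ca.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null   # empty CRL from day one
)
client_csr() {   # $1 = client name, $2 = output dir; the private key never leaves here
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
}
ca_sign() (   # $1 = CA dir, $2 = CSR (absolute path), $3 = output cert: "register a user"
    cd "$1" && openssl ca -batch -notext -config ca.cnf -in "$2" -out "$3" 2>/dev/null
)
ca_revoke() (   # $1 = CA dir, $2 = client name: revoke by name, then publish a fresh CRL
    cd "$1"
    # index.txt columns (tab-separated): status, expiry, revocation date, serial, file, subject
    serial=$(awk -F'\t' -v cn="/CN=$2" '$1 == "V" && $6 == cn { print $4 }' index.txt)
    [ -n "$serial" ] || exit 1   # no valid certificate with that name; exit ends the subshell
    openssl ca -config ca.cnf -revoke "$serial.pem" 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)
cert_valid() {   # $1 = CA dir, $2 = cert; checks the chain AND the CRL, as the VPN server must
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$2" >/dev/null 2>&1
}
```

Copy only `ca.crt` and `crl.pem` to the VPN server; a revoked client keeps its files but `cert_valid` (and a server checking the CRL) rejects it as soon as the new `crl.pem` is installed.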
The development of ways to bypass blocking is in many ways similar to the relationship between predators and prey in nature: for every new move there is a counter-move, and VPN connections are no exception.
When using a VPN, you can use a variety of network resources. But since all data reaches you through the tunnel from the VPN server, to the provider it looks as if you are exchanging data with only one IP address.