I travel for work and want the ability to access my Home lab on the road. I understand SSH and VPNs and am running both OpenVPN and Wireguard. However my company says that I cannot install any client VPN software on my work laptop. (Intel 13" MacBook Pro)
Ideally I would like remote CLI and web access, but could live with the latter only. I have two solution ideas.
1. Bring another tablet or laptop that does run VPN software (Heavy!)
2. Bring an external router like a glinet device that can transparently provide VPN access (Less heavy but more annoying)
Does anyone else have any other suggestions on how to tackle this? I would even be okay with some kind of VPN that runs only in a browser.
I chose 1, even though I would lug two laptops through airports, because the company scanned the work laptop regularly and, if unauthorized software was found, I would get fired.
They have a free tier that lets you set up a proxy on your LAN using an Argo tunnel. Then you configure an application you want to expose, SSH or web, to the internet and it will be protected by Cloudflare login (if set up that way), either local or SAML if configured.
Benefit is you don't need to install the WARP (VPN) client; you can just connect to the provided URL.
I have it set up on a raspi and integrated with Azure to further lock it down. I also have Apache Guacamole behind the Argo tunnel to grant RDP over the browser.
Would definitely recommend it.
Are you allowed to run VMs on the work laptop? You could use your preferred VPN client from inside a VM session without impacting the work configuration.
I have a few pieces of this puzzle solved myself, but I have something I can use that you haven't named. I use OpenWrt on my main wifi router/edge device. I have it using dynamic DNS to always keep a specific DNS name up to date, so I can always get my home IP.
If you can open port 5900 (VNC) or 3389 (RDP) up to the current IP address where you are, you can then VNC/RDP in from whatever egress IP you're on. So I am scoping out the shape of the solution but not giving a paint-by-numbers solution.
1. Figure out your current egress IP.
2. Figure out your home's public IP.
3. Modify an inbound rule on your firewall to permit your current egress IP to connect to your home IP.
4. Use SSH, VNC, RDP or some other protocol to get in. Both RDP and VNC can be tunneled over SSH.
Now, in between steps 2 and 3, you have to get into your home router from outside. That's the bit where I have something you didn't name. I have access to a VPS on a public IP that I can get into from anywhere. My home wifi trusts THAT IP, so it's basically a jumpbox I can use from anywhere. So for step 2.5 I SSH into my jumpbox, then I go to my home wifi and add my current egress IP to an allow list.
If you don't have some public jumpbox, you can put a hardened VM with MFA-based SSH into the DMZ on your home router and then open it up to the Internet. A little scary, but not impossible. You can run it on an unusual port like 63222 or something so it's a little less likely to be picked up by robotic scanners looking to attack SSH daemons listening on the internet. But if you get yourself a hardened, trusted SSH bastion in your DMZ, you can do whatever you need from there.
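An added example of step 2.5 above (not code from the poster): run from the jumpbox, it opens one TCP port on the home router to your current egress IP only, and can close it again later. It assumes, hypothetically, an OpenWrt router with the UCI firewall reachable over SSH as `$ROUTER` (placeholder), and that ifconfig.me returns your public IPv4 as plain text; with no arguments it only prints the generated commands for a constructed sample IP.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (hypothetical): the router
# runs OpenWrt with the UCI firewall and is reachable over SSH as $ROUTER;
# ifconfig.me returns the caller's public IPv4 as plain text.
set -eu
ROUTER=${ROUTER:-root@home.example.net}   # placeholder, e.g. your dynamic-DNS name

# Accept only a strict dotted-quad IPv4; never let arbitrary text reach uci.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Deterministic UCI section name per IP, so the rule can be found and revoked.
rule_name() { printf 'travel_%s' "$(printf '%s' "$1" | tr . _)"; }

# Print the uci commands for a named rule: WAN -> router, one TCP port, one source IP.
allow_rule_cmds() {
  ip=$1 port=$2
  valid_ipv4 "$ip" || { echo "rejected source ip: $ip" >&2; return 1; }
  case $port in ''|*[!0-9]*) echo "rejected port: $port" >&2; return 1;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  n=$(rule_name "$ip")
  cat <<EOF
uci set firewall.$n=rule
uci set firewall.$n.name='$n'
uci set firewall.$n.src='wan'
uci set firewall.$n.src_ip='$ip'
uci set firewall.$n.proto='tcp'
uci set firewall.$n.dest_port='$port'
uci set firewall.$n.target='ACCEPT'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# Print the commands that remove the rule again (run when you leave that network).
revoke_rule_cmds() {
  valid_ipv4 "$1" || return 1
  printf 'uci -q delete firewall.%s\nuci commit firewall\n/etc/init.d/firewall reload\n' "$(rule_name "$1")"
}

case ${1:-demo} in
  allow)  allow_rule_cmds "$(curl -fsS https://ifconfig.me)" "${2:-22}" | ssh "$ROUTER" sh ;;
  revoke) revoke_rule_cmds "$2" | ssh "$ROUTER" sh ;;
  demo)   allow_rule_cmds 203.0.113.7 22 ;;   # constructed sample IP; prints only
esac
```

Usage: `./travel-allow.sh allow 22` from the bastion opens SSH to your current IP; `./travel-allow.sh revoke 203.0.113.7` closes it again.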
If you have a recent Samsung phone you can use DeX to turn your phone into a desktop and take over the laptop. I do this at work all the time to manage my lab.
Google Chrome has a Remote Desktop feature. That's good. I use a cheap used Mac mini for the house and whatever device I bring with me.
You can even use it on your phone
I use RDP on a non-default port to jump from a VM on a separate VLAN to whatever box or device is on the other VLANs; at work RDP is always allowed and no install is needed.
I did the GL.iNet thing; it is interesting as it is not only a VPN gateway, you can also hide your device on a limited hotel wifi etc. I like this small box. Pro: as soon as it is configured, it is magic. Cons: depending on the hotel wifi settings you could sometimes have some issues. You must bring it with you.
Another solution for you is a clientless VPN. Depending on the devices you have in your lab, it could provide what you want. Pro: always works, no device installation required, no transportation, classic HTTPS page. Cons: depending on your lab and needs, it could reach some limitations.