cara> I'd also be interested in how people are self-hosting their VPNs
(and John Stoffel's view may be similar, I can't say, but hi anyways!)
me/doug> I'm struggling with what's the benefit/motivation?
My take which started long ago:
20-30 yrs ago as a sysadmin supporting remote access/workers,
my (very not-genius-level) brain learned that a VPN...
a box/product I'd install on "my"/work network,
handing out INside-access to outside-workers for a session....
adds (pops up during session) a virtual interface
on home-computer network stack, so
while in a VPN session the home worker can magically
"have an ipaddr on the inside of workplace network"
thus allowed into not-public work servers (or drive their work desktop)
BUT! on server setup, I+bosses must decide if yes/no allowing split-tunnel
(policy set on VPN server which the VPN clients suffer with usually? if "no split")
If yes/split-tunnel allowed, client gets a 2nd! default gateway = route to 0.0.0.0
giving best home-computer network performance (mixing work and play works well)
BUT smart?/paranoid-workplace setups choose NO split tunnel, and
force home-user's (ISP-given) default route to either disappear?
or become unused via route metric/preference adjustment? so that, either way
"don't let the home worker's unsafe world anywhere to tunnel near/into work network".
Thus the downside! When workplace uplink is wimpy/ancient (e.g. T1/56kb then),
and all home-user's internet traffic gets tunnelled in+out via WORK network pipe,
envision as I had to discover, how that stinks awfully:
adding+forcing+slowing-down home/play traffic via busy work pipe/route-to-0.0.0.0!
Sorry to ramble, later I joined WPI netops, but not deep into security/VPN.
(Frank/Chuck/Ben/John+more: I miss you all bigtime, I learned so much)
So (now retired) I see endless TV ads for VPNs
preaching the benefits of their secure VPN, and I don't get it...
assume buyers/sheep are fooled. Real value = ? I may be blind,
but lacking a VPN, my outside/web traffic is still HTTPS / encrypted,
are they selling some enhanced default-gw world
featuring bad-guys-blocked-from-hacking-you? I trust my home router,
though I'm open minded to how "wide open" that might be, relative to some ideal.
=====side rant, but I can tie it in :)
One guy at work, long ago not WPI, did inappropriate
network/chat/etc things on lunch/etc time,
and ALL his internet traffic thru my/work router
was directed to/from a service/server which he subscribed to,
with the benefit of anonymizing himself and hiding his uncool chat rooms
(appearing to be elsewhere, tunnelling unsafe habits for work desktop
whether sysadmin=netadmin=I was blocking them or not)
Too bad for him though:
cubicle wall height = below boss's eyeball from adjacent cubicle,
and he got canned, while I helped his boss figure out what was going on.
So, maybe or maybe not, that's the kind of VPN I suspect they're selling,
but I don't see the value for normal folks... or maybe anyone. (educate me!)
Unless their hosted-server-world-route network security is a win.
Thanks for listening, and my Thursdays look better than usual this month,
so hoping for WLUG virtually Dec 14. -doug
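Doug's split-tunnel vs. full-tunnel description above, as an added example that is not part of the original post: a small Python script that parses `ip route show` output and applies the kernel's route selection (longest prefix first, then lowest metric) to decide where a home worker's Internet traffic actually exits. The three routing tables are constructed samples, not captured from any real host; the device names (tun0, wlan0), addresses and the VPN server address 203.0.113.10 are assumptions. The two full-tunnel variants shown are the ones Doug alludes to: the ISP default route left in place but out-ranked by a lower metric, and the ISP default route left in place but never matched because the VPN adds 0.0.0.0/1 and 128.0.0.0/1 (the trick OpenVPN's `redirect-gateway def1` uses). Either way a /32 host route to the VPN server itself must still point at the physical interface, or the tunnel's own packets would be routed into the tunnel.

```python
"""Classify a Linux routing table as split-tunnel or full-tunnel.

Added example, not code from the original mailing-list post. Parses the
text format of `ip route show` (constructed sample tables below) and
applies the kernel's rule: longest matching prefix wins, ties broken by
lowest metric.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop gateway, None for on-link routes
    dev: str             # egress interface
    metric: int          # `ip route` omits metric when it is 0


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` style lines into Route objects."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        via, dev, metric = None, "", 0
        for i, t in enumerate(tok):
            if t == "via":
                via = tok[i + 1]
            elif t == "dev":
                dev = tok[i + 1]
            elif t == "metric":
                metric = int(tok[i + 1])
        # strict=False lets a bare host address become a /32
        routes.append(Route(ipaddress.ip_network(dst, strict=False), via, dev, metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Route the kernel would pick for dst: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def classify_tunnel(routes: List[Route], tun_dev: str, probe: str = "1.1.1.1") -> str:
    """'full' if arbitrary Internet traffic (probe) exits via tun_dev, else 'split'."""
    r = lookup(routes, probe)
    if r is None:
        return "none"
    return "full" if r.dev == tun_dev else "split"


# --- constructed sample tables (assumed device names and addresses) ---

# Split tunnel: only the work subnet 10.20.0.0/16 goes into tun0.
SPLIT_TABLE = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""

# Full tunnel, def1 style: two /1 routes out-match the ISP default (/0),
# plus a /32 host route so packets to the VPN server avoid the tunnel.
FULL_DEF1_TABLE = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""

# Full tunnel, metric style: a second default route with a lower metric.
FULL_METRIC_TABLE = """
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""

if __name__ == "__main__":
    for name, table in [("split", SPLIT_TABLE), ("def1", FULL_DEF1_TABLE),
                        ("metric", FULL_METRIC_TABLE)]:
        rt = parse_ip_route(table)
        print(name, "->", classify_tunnel(rt, "tun0"),
              "| 1.1.1.1 via", lookup(rt, "1.1.1.1").dev,
              "| vpn server via", lookup(rt, "203.0.113.10").dev)
```

Running it on a live machine means feeding `subprocess.check_output(["ip", "route", "show"], text=True)` to parse_ip_route; the probe address only needs to be something outside both the LAN and the work subnet. Note what the def1 table shows that the metric table does not: the ISP default route is untouched and still in the table, so "the home default route disappears" and "the home default route is never used" look identical from the worker's point of view but differ in what `ip route` prints.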