You could create your own VPN using a cloud service provider such as DigitalOcean. Such a VPN would be nearly indistinguishable from a network used by a small web-based business. Easy VPN install
You could also SSH tunnel into a Linux or Unix server using PuTTY.
That's one way to go about it!
Personally, my parents handed over the computer and network responsibilities to me years ago. I hold the administrative/root passwords and they could care less, so my network activity is not monitored by them.
I do host a Pritunl VPN server on my DigitalOcean VPS for a few buddies and myself. IMHO, having root access to the machine you're tunneling through makes coffee shop and hotel visits less worrisome.
If you're looking to set up a home VPN there are several options.
I use the 3rd one and it's been flawless so far. I did make a few tweaks to the script to allow a password and to not route all my traffic over the VPN, but it worked without issue.
The two connection limit is OpenVPN Access Server, which is not free. You can set up the free version of OpenVPN to use LDAP using the openvpn-auth-ldap plugin.
Also check out Pritunl. I had tried it once and it was pretty good. It has a GUI for user management and configuration. A lot easier than the free version of OpenVPN's file-based config.
OpenVPN for sure. Either set up a pfSense firewall in your lab and use the OpenVPN system built in to that, or alternatively have a look at Pritunl (https://pritunl.com/) and set that up in a VM. Very easy to maintain and manage.
SAML and OIDC implementations are much larger code bases than VPN software like Wireguard, so don't expect VPN authors to look too kindly at it.
Have a look at Pritunl, which has a number of SSO integrations:
GitLab should satisfy your base requirements and would be great to show off. If you need that masterless design you can try checking out Pritunl; it's likely possible to switch workloads using Terraform, pre-baked images for a given provider, and DB backups/restoration without much difficulty. As a bonus, with Pritunl you can also show off an open source, easy to manage VPN solution with Let's Encrypt if you have any clients licensing OpenVPN Access Server.
I've had great success with Pritunl since learning about it on other posts here. It's OpenVPN underneath a slick UI. The free version doesn't limit users but does limit features. Check their site to see if they paywall something you can't live without.
Since this is /r/homelab I'd imagine most people want to run their own VPN server instead, in which case pritunl is pretty awesome
Hamachi is good if you don't want to deal with your own server though
There are several turnkey/virtual appliance Linux installations that include OpenVPN. One is actually called TurnKey Linux. I use one at home called Pritunl. Depending on how many users you have and your bandwidth requirements, OpenVPN doesn't have to run on high-end hardware.
Does your firewall have built-in VPN capability? That's another option although usually you have to pay for licenses for that. Depending on how much work you want to put in you can set up OpenVPN for free, but there will usually be more management overhead for any free option.
Windows Always On VPN is another option. There are a lot of instructions out there on how to set that up. You of course have to have available Windows Server licenses and hardware to support that as well.
Links to products mentioned above: https://www.turnkeylinux.org/vpn https://pritunl.com/
The best is (IMO) to set up OpenVPN/WireGuard from scratch so it's easier to fix if anything goes down. There are also premade solutions like Pritunl and TurnKey Linux. I think TurnKey is where Proxmox pulls in the images, so you could just find an OpenVPN image there and launch it.
It's not open source but Pritunl works well. Single sign-on. Supports OpenVPN, IPsec and WireGuard. You can use native clients or theirs.
Admin is pretty easy. You can set up organizations that have different network access.
100% SSH, both at home and at work.
pritunl.com as the VPN server and a "roadwarrior" setup for my phone, laptop, and portable router help me route all my traffic through to my home network and out again when I'm away from home.
You could try Pritunl (https://pritunl.com/); there's a paid version but there is also a free version. Easy to deploy on an instance in AWS/Azure and allocate a static public IP to the instance. It's a nice wrapper around OpenVPN.
Every device on a WireGuard network is the same from the protocol's perspective. There is no concept of 'server' or 'client', except what you -- the administrator -- makes of it.
Every device needs its own key pair in order to secure communications. Only the public part gets distributed to other devices.
So if you want to set up a traditional hub-and-spoke VPN, you need to make one key pair for your server and one for each of your clients. All the devices need to be assigned static IP addresses. The clients should be configured as such:
[Interface]
Address=<Client assigned IP>/32
PrivateKey=<Client private key from wg genkey>

[Peer]
AllowedIPs=<VPN subnet>
Endpoint=<"Server" address>:<"Server" port>
PublicKey=<server public key>
Since the client private key would differ among clients, each client needs their own, but the 'Peer' part of each client configuration stays the same.
The server would look something like this:
[Interface]
Address=<Server IP>/32
PrivateKey=<Server Private Key>

# One peer section is needed for each client
[Peer]
AllowedIPs=<Client 1 IP>/32
PublicKey=<Client 1 Public Key>
# No Endpoint directive on the server, because the client can connect from any IP

[Peer]
...
Keeping all these up to date can be difficult. There are solutions available that can do this for you, such as PiVPN or Pritunl or my own product, WireHound.
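The post above describes the hub-and-spoke layout in words; the following added example (not from the post, its author, or WireHound) renders that layout mechanically: one key pair per device, the server's [Peer] sections carrying AllowedIPs as /32 and no Endpoint, and every client sharing an identical [Peer] block. To stay self-contained it derives public keys with a pure-Python X25519 (RFC 7748), which is what `wg genkey` / `wg pubkey` do in practice; the `ListenPort` directive is a real WireGuard setting the post does not show, and the hostname and 10.8.0.0/24 addresses are constructed for the demo.

```python
"""Generate WireGuard key pairs and render hub-and-spoke configs (added example)."""
import base64
import os

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (486662 - 2) / 4, the Montgomery ladder constant
BASE_POINT_U = 9         # the X25519 base point


def clamp_private_key(raw: bytes) -> bytes:
    """X25519 scalar clamping (RFC 7748 section 5); `wg genkey` emits keys already clamped."""
    k = bytearray(raw)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5 (pure Python, not constant-time)."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * ((da - cb) ** 2) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    return x_2 * pow(z_2, P - 2, P) % P


def public_key_from_private(private: bytes) -> bytes:
    """What `wg pubkey` computes: X25519(clamped private, 9) as 32 little-endian bytes."""
    k = int.from_bytes(clamp_private_key(private), "little")
    return x25519(k, BASE_POINT_U).to_bytes(32, "little")


def generate_keypair() -> tuple:
    """Equivalent of `wg genkey | tee priv | wg pubkey`: returns (private_b64, public_b64)."""
    private = clamp_private_key(os.urandom(32))
    public = public_key_from_private(private)
    return base64.b64encode(private).decode(), base64.b64encode(public).decode()


def public_key_b64(private_b64: str) -> str:
    """Derive the base64 public key from a base64 private key (useful when auditing configs)."""
    return base64.b64encode(public_key_from_private(base64.b64decode(private_b64))).decode()


def render_hub_and_spoke(endpoint, port, vpn_subnet, server_ip, client_ips):
    """Render one server config and one config per client in the post's layout.
    Each device gets its own key pair; only public keys cross device boundaries."""
    server_priv, server_pub = generate_keypair()
    client_keys = [generate_keypair() for _ in client_ips]

    server = ["[Interface]", f"Address = {server_ip}/32", f"ListenPort = {port}",
              f"PrivateKey = {server_priv}"]
    for ip, (_, pub) in zip(client_ips, client_keys):
        # No Endpoint on the server side: the client may connect from any address.
        # AllowedIPs is /32 so the server only routes to, and accepts, that client's own IP.
        server += ["", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32"]

    clients = []
    for ip, (priv, _) in zip(client_ips, client_keys):
        # The [Peer] section is identical for every client; only [Interface] differs.
        clients.append("\n".join([
            "[Interface]", f"Address = {ip}/32", f"PrivateKey = {priv}", "",
            "[Peer]", f"PublicKey = {server_pub}", f"AllowedIPs = {vpn_subnet}",
            f"Endpoint = {endpoint}:{port}",
        ]))
    return "\n".join(server), clients


if __name__ == "__main__":
    # Constructed demo values: hostname, subnet and addresses are placeholders.
    srv, cls = render_hub_and_spoke("vpn.example.net", 51820, "10.8.0.0/24",
                                    "10.8.0.1", ["10.8.0.2", "10.8.0.3"])
    print(srv)
    for conf in cls:
        print("\n---\n" + conf)
```

Because `public_key_b64` recomputes a public key from a private one, it doubles as a consistency check when reviewing a deployed set of configs: every client's [Peer] PublicKey must equal the value derived from the server's PrivateKey, and each server [Peer] must match the client whose /32 it lists.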
If you want a free open source web UI to control it, and only plan to use it on things like your phones and computers, Pritunl is perfect. I use it for my VPN and hacked together a way to get the ChromeOS VPN to work.
> Literally any amount of engineer time spent on it will cost more than it would cost to just pay for the AWS managed service.
Yeah, right. A semi-educated monkey can install Pritunl server for free in under 30 minutes. After that, the running costs are a single EC2 instance plus bandwidth. That's way, wayyy cheaper than AWS Client VPN, 30 minutes of engineer time included.
I'd say that Cognito is quite a big solution for a VPN and it's quite hard to migrate from if you move in the future. WireGuard is an option but I'm not familiar with its setup. OpenVPN is another option that has Docker containers you can deploy to an EC2 instance with an elastic IP, and then use that as your whitelist. One VPN project worth looking at is Pritunl, which lets you set up a VPN and manage users.
I am using https://pritunl.com/
It gives you a nice GUI with easy setup and user management. Switched to this from PiVPN, because I did not want to use SSH for user management.
Pritunl also uses OpenVPN, but they have a very good web interface to manage user accounts; on top of this, they also develop client software for a more stable connection.
I personally like it compared to self-built OpenVPN; only a few lines of code are required.
The website is here https://pritunl.com.
I had a lot of issues with OpenVPN AS. To this day I can't get it to actually care that I entered a bogus 2FA key and I've yet to find a good Linux client for it.
We've switched to Pritunl.
My 00.2p. You won't ever win the argument with the ISP, and frankly it's not worth the effort. They either don't have the knowledge to understand what's going on, or they know full well and are trying to pull a fast (slow?) one. From what you've said either is possible. Dynamic QoS is a Myth? Tell them you think their service is a myth as they aren't providing any and take your business elsewhere. If MGMT respect you enough to bring you into the conversation, you've a much better chance of winning that fight.
Incidentally, any chance that the outages could actually be someone spoofing the MAC of the default gateway? That's about the first thing I'd check on an open Wi-Fi network. If all else fails, cloud based VPN? https://pritunl.com/
Edit: words
On that note I found Pritunl the other day and was mind blown by how complete it is. Shame the enterprise features are way overpriced for home use but even the base (free) package is insanely polished and worked like a charm with my devices.
I would go with OpenVPN with RDP; as a bonus you will get access to the rest of your network, so you can SSH into Linux VMs from the outside as well as VNC if you need graphical access.
This will be a many times more secure way, as you will be in control at all times. You can check out https://pritunl.com which is overkill, but has quite a nice UI.