beginner's question around VPN and Imatch Anywhere

Started by Conrad Vispo, February 19, 2021, 03:50:12 PM


Conrad Vispo

I am part of a small natural history organization. We have a relatively large (400,000+) photo collection, which we have long managed with IMatch (thanks Mario!). We don't try to make that collection available publicly, but each of us does use images in various reports, outreach and the like.

Using an Imatch Anywhere trial edition, I have been able to make that database available on our home network, but that only helps my wife (our staff botanist) and me. This would be ideal for our office network, but with COVID, our four other colleagues are all working from their homes. I am looking for a solution that would let them access the photo database from their own locations, at least for browsing and downloads. Presumably, their access could be password protected.

I am no IT whiz; for example, I had to look up the meaning of VPN. I DO NOT expect Mario or anyone else to tutor me on VPN set up, that research is my responsibility. However, I do want to quickly summarize my understanding and pose one question.

As I understand it, the following are true:

- For security reasons, even if I don't want to make this database publicly available, making it available to anybody outside of our home network poses the risks of an 'open port' and hacker access.

- The only semi-secure way of making the database available with IMA outside of network is to do so through a VPN.

- A VPN could potentially make my entire computer, where IMatch, IMA and the database function, available to my colleagues.

- A VPN will likely slow down any browsing.


So, my questions:

- If I do set up a VPN, can I make it so that only IMA is accessible through it?

- Alternatively, if I do go through the trouble of setting up a VPN and I trust my colleagues, wouldn't it be just as easy to let them access IMatch2020 directly through the VPN without any need for IMA?


I apologize for my ignorance on key issues, but am trying to determine how to invest my learning time.


Thank you.


David_H

Quote from: Conrad Vispo on February 19, 2021, 03:50:12 PM

- If I do set up a VPN, can I make it so that only IMA is accessible through it?

- Alternatively, if I do go through the trouble of setting up a VPN and I trust my colleagues, wouldn't it be just as easy to let them access IMatch2020 directly through the VPN without any need for IMA?

Yes, you can configure a VPN to only allow those connected in to talk to one specific machine (i.e. the IMatch Anywhere server on port 80 or 443 or whatever) - perhaps consider something like pfsense (pfsense.org).

Accessing Imatch2020 directly would be more problematic.

Conrad Vispo

Just want to make sure I do this correctly. As explained above, my goal is to have safe remote access to IMWS.

-I have installed a VPN on the computer running IMWS (in this case, ExpressVPN)

-In that VPN, I have set the split tunneling so that only the Imatch Web Services Controller is using the VPN

-In my firewall options, under apps allowed through firewall, I have set Imatch Web Service to "Public".

-In IMWS, I then activate authentication, and create a password-protected ID for each user.

Am I missing a step?
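The host-level counterpart to the VPN-only restriction David_H describes above, as an added example that is not part of the thread and not photools.com code: on the Windows machine that runs IMWS, disable any firewall rule that lets IMWS accept connections from anywhere (Windows combines allow rules with OR, so a broad "Public" allow would override a narrower one), then allow inbound traffic to the IMWS port only from the address range the VPN server hands to connected clients. The port number, the VPN client range and the public IP are placeholders you must replace; the IMWS port itself is never forwarded on the router, only the VPN server's port is.

```powershell
# Added example (not from the thread or from photools.com): restrict the
# IMWS listener at the Windows firewall so that only VPN clients reach it.
# Run in an elevated PowerShell on the machine that runs IMWS.
#
# Assumptions (placeholders, adjust to your setup):
#   $ImwsPort - the TCP port IMWS listens on (read it from the IMWS controller)
#   $VpnPool  - the address range your VPN server assigns to connected clients
#   $PublicIp - your router's Internet-facing address, for the outside check
$ImwsPort = 8080
$VpnPool  = "10.8.0.0/24"
$PublicIp = "203.0.113.10"
$RuleName = "IMatch WebServices (VPN clients only)"

# 1. Disable every other inbound rule that opens the IMWS port. A broad
#    "allow on Public profile" rule would otherwise make step 2 meaningless,
#    because Windows Firewall applies allow rules with OR semantics.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq "TCP" -and $_.LocalPort -eq "$ImwsPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq "Inbound" -and $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        Write-Host "Disabling broad rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 2. Allow inbound IMWS traffic only when the remote address lies inside the
#    VPN client pool. Anything else hits the default inbound block.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $ImwsPort -RemoteAddress $VpnPool `
    -Profile Any | Out-Null

# 3. Verify: the rule must list only the VPN pool as its remote address.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 4. Outside check. Run this line on a machine that is NOT on the VPN
#    (for example over a phone hotspot); TcpTestSucceeded must be False.
#    If it is True, the router still forwards the IMWS port: remove that
#    forwarding, the only port forwarded should be the VPN server's.
#   Test-NetConnection -ComputerName $PublicIp -Port $ImwsPort
```

The same result can be enforced one layer out on a firewall appliance such as pfSense (a rule on the VPN interface permitting only the IMWS host and port), which is preferable when more than one machine sits behind the VPN; the host rule above still limits the damage if that appliance rule is ever loosened.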


herman

Quote from: Conrad Vispo on February 20, 2021, 09:31:07 PM
Just want to make sure I do this correctly. As explained above, my goal is to have safe remote access to IMWS.

-I have installed a VPN on the computer running IMWS (in this case, ExpressVPN)
[...]
I have no experience at all with IMWS, but I think I know a little bit about VPN.

In my understanding you need a VPN server on the machine running IMWS so that remote browsers can access it from somewhere outside your own local area network.
The machines connecting to your VPN server then need to connect via a VPN client.

As far as I can see ExpressVPN on your IMWS machine is a VPN client. It allows you to connect to an ExpressVPN server so that you can anonymously browse the web. This is not what you need.

Windows has VPN services available, you don't need a commercial third party to achieve what you want to do.
You need to configure the VPN services on the machine running IMWS as well on the remote machines.

There are various articles on the web on this topic, two examples can be found here:

https://www.howtogeek.com/135996/how-to-create-a-vpn-server-on-your-windows-computer-without-installing-any-software/

https://pureinfotech.com/setup-vpn-server-windows-10/

I hope Mario will chime in, I am sure he knows much more about this topic than I do.
Enjoy!

Herman.

Conrad Vispo

Thanks Herman,

Very helpful. So I set up a VPN server on my computer through Windows and then my remote collaborators need a client service such as ExpressVPN to connect to it. I think I've got it.

Conrad.


herman

Quote from: Conrad Vispo on February 21, 2021, 02:43:07 PM
Thanks Herman,

Very helpful. So I set up a VPN server on my computer through Windows and then my remote collaborators need a client service such as ExpressVPN to connect to it. I think I've got it.

Conrad.

Almost there  ;)

Again, as far as I can tell ExpressVPN is a commercial service which allows you to surf the interweb anonymously, to hide your IP address etc.
In order to do so you install a client (provided by ExpressVPN) which will connect to the ExpressVPN server(s).
Once connected you connect to the internet through the ExpressVPN servers so that their IP address is presented to a website you visit.

That is not what you or your co-workers need.

You need to configure a VPN server on your IMWS machine using Windows services.

Your co-workers then need to configure VPN clients which will connect to your VPN server, not to the Express VPN server(s).
Windows has utilities / services to do just that.

The links I posted in my previous post provide guidance to configure the server-side as well as the client-side.

Hope this helps....

Enjoy!

Herman.
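The client side of the arrangement Herman describes, as an added example that is not part of the thread and not photools.com code: each co-worker's Windows PC gets a VPN connection pointed at the router in front of the IMWS machine, with split tunneling enabled and a single host route added so that only traffic for the IMWS machine goes through the tunnel while ordinary browsing stays on the local connection (this also addresses the slowdown concern in the original question). The server address, the LAN address of the IMWS machine and the user name are placeholders. The tunnel type must match what the server offers; the Windows "Incoming Connections" server that the linked articles set up uses PPTP, which is an old protocol that is widely regarded as weak, so if the server end can offer SSTP or IKEv2 instead, change $TunnelType accordingly.

```powershell
# Added example (not from the thread or from photools.com): configure a
# co-worker's Windows PC to reach IMWS through the VPN, routing only the
# IMWS host through the tunnel (split tunneling). Run once per client PC.
#
# Assumptions (placeholders, adjust to your setup):
#   $ServerAddress - public hostname or IP of the router in front of the
#                    IMWS machine; the VPN port is forwarded to that machine
#   $ImwsLanIp     - LAN address of the IMWS machine as seen through the VPN
#   $TunnelType    - must match the server; Windows "Incoming Connections"
#                    offers Pptp, use Sstp or Ikev2 if your server has them
#   $VpnUser       - the per-user account created on the VPN server
$ServerAddress = "vpn.example.org"
$ImwsLanIp     = "192.168.1.20"
$TunnelType    = "Pptp"
$VpnUser       = "conrad"
$ConnName      = "Office IMWS"

# Create the connection. -SplitTunneling keeps the client's default route on
# its own Internet link; without it, all of the co-worker's traffic would be
# sent through the office PC and browsing would slow down noticeably.
Add-VpnConnection -Name $ConnName -ServerAddress $ServerAddress `
    -TunnelType $TunnelType -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -SplitTunneling -RememberCredential:$false -Force

# With split tunneling on, only routes explicitly attached to the connection
# go through the tunnel. Add a host route (/32) for the IMWS machine alone.
Add-VpnConnectionRoute -ConnectionName $ConnName `
    -DestinationPrefix "$ImwsLanIp/32"

# Verify the stored configuration before the first connection attempt.
Get-VpnConnection -Name $ConnName |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling

# Connect; the trailing * makes rasdial prompt for the password instead of
# keeping it on disk. Afterwards open http://<IMWS LAN IP>:<IMWS port>/ in
# a browser; the IMWS login you configured still applies on top of the VPN.
rasdial $ConnName $VpnUser *
```

Because only the /32 route is sent through the tunnel, the co-worker can reach nothing else on the home network even if the server side is later misconfigured; that is the client-side half of the "only IMA is accessible" requirement, and the server-side firewall rule is the other half.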

Conrad Vispo

Thanks very much. This is starting to actually make sense (which is dangerous!). I'll work with those links and see how far I get.

Mario

I'm sorry that I cannot help with the specifics, but I'm no VPN expert and hence I keep my mouth shut  :D

The general idea is to NOT open your PC / router to the general Internet, to prevent all the bots and hackers from infiltrating your PC and local network and doing bad things.

If you really must allow others to access your PC, a VPN allows you to create a secure and encrypted tunnel between one or more client devices and the computer running your IMWS instance.
Only the clients which are allowed to connect to your VPN and have the correct credentials can access IMWS. And this makes this safe.

You still have to open a port in your router to allow the VPN to work.
Like with all things related to security, make very sure that you understand what's going on and that your configuration is sound.
Usually setting up a VPN is done by skilled IT folks specializing in this kind of security infrastructure.

IMWS is designed to be used in secure home or private networks (e.g. inside a corporation or a library network).
Access from the general Internet should always be either routed through a VPN or through a hardened proxy server.
This problem is not specific to IMWS, it applies to all software which requires direct access from the Internet.

Quite a number of people who've carelessly opened a port in their router / firewall to access e.g. their home NAS while on vacation have learned new terms like "encryption Trojan", "botnet", "spam mail slave" afterwards... :'(
-- Mario
IMatch Developer
Forum Administrator
http://www.photools.com  -  Contact & Support - Follow me on 𝕏 - Like photools.com on Facebook

herman

Quote from: Mario on February 21, 2021, 06:16:04 PM
[...]
The general idea is to NOT open your PC / router to the general Internet, to prevent all the bots and hackers from infiltrating your PC and local network and doing bad things.
[..]
Usually setting up a VPN is done by skilled IT folks specializing in this kind of security infrastructure.

I fully agree with your concern Mario, configuring a VPN server is not my cup of tea either.
For what it is worth: I have some experience in setting up and using a VPN client, the server side is foreign territory for me too.

But thinking about all this (and perhaps complicating things for Conrad for the moment, sorry for that!): for security reasons, could it be an idea to hire a Virtual Private Server somewhere in the cloud and use that as the IMWS server?
It would still be required to run a VPN server on that cloud machine, but you would not have to open a port on your router; your local machine would remain inaccessible from the Internet....

I remember that Mario once mentioned something about VPS and their low prices these days?
Enjoy!

Herman.

Mario

A rented Windows PC in one of the big clouds (Azure, Google, AWS) (even on an hourly basis) with a database, cache and IMWS installation is more secure - you can just wipe and re-install it often.
But protecting your home PC via a proper VPN is also secure - if done right. Setting up a VPN client to access a VPN is not hard. Doing the server part requires more know-how.
-- Mario

Conrad Vispo

Thanks all. Sounds like I'm playing with fire and should just wait until conditions allow us to all be back together on the office network. (May that be soon for many reasons unrelated to my little IT problems.) The benefits of trying to VPN seem to be outweighed by the potential risks, especially for novices like me.

Mario

The Windows (and Linux and MacOS and ....) firewalls 100% block access from the Internet by default for good reasons.
It's a sad fact that there are hundreds of thousands of <really, really bad swear words> out there which try to hack into your local network, steal your data, encrypt your data to get a ransom, install malware to abuse your computer for sending SPAM mails, make your computer mine Bitcoin etc, use it for DOS attacks and whatnot. It's a cesspool.

Even big companies like Adobe, Microsoft, Facebook or Google get hacked...
And they have high-paid and experienced IT staff.

VPNs are safe. Most corporations use this technology to allow their employees to connect to the corporate network during these challenging times.
Installing and setting up a VPN client to connect to an existing VPN server is quite easy.
Installing and running and maintaining a VPN server which is safe to use and protects your computer from all the bad things on the Internet is a lot more challenging.

IMWS would happily work when you just open port 80 or 443 in your router/firewall and tell your friend the IP address of your PC.
But this way all the bad actors on the Internet could access your PC, and you definitely don't want that.
VPN done right is OK. All else is...
-- Mario