Tom here from Lawrence Systems, and we're going to talk about open source working from home: what open source tools you can use for remote working, a popular topic here in March of 2020. So let's dive into it. If you want to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a hire us button up at the top. If you want to support the channel in other ways, there are affiliate links down below for products and services that we talk about on this channel.

And I have talked a lot about pfSense. So obviously pfSense and using a VPN is a great way to work from home, provided your corporate network has pfSense, and many corporate networks that we've installed do. So with pfSense, OpenVPN is built in, there's no license, no restrictions. You're only limited by the bandwidth and the hardware you have in terms of how much speed you can get out of the VPN and how many people can be connected. And with a lot of people jumping in, yes, that bandwidth gets sliced up. But, you know, as long as everyone's not pulling all the data at the same time, you can still, even with a reasonable internet connection at a corporate office, have quite a few people logged in, and we're seeing it work perfectly fine and hold up quite well.

But then the question comes up about security. And this is one of the things I wanted to bring up specifically. So I've already done a video, so I'm not going to walk you through it, even though this video is a little older and I will be doing some new ones soon: how to set up OpenVPN for remote access on pfSense. I did this video several years ago and it's still accurate. The wizard is still there. They've updated a few menus, but, you know, it still works. You can follow this and have no problem getting OpenVPN set up. And they've updated some of the client software that you download as well. So everything's a little bit newer, a little bit fresher, but the buttons are in the same places.
But for locking things down, this is one of the things that's really important. And when I did this video, it was to highlight the fact that you can take FreeRADIUS, another plugin for pfSense, and use it for authentication with OpenVPN. And then it goes a step further: because you can assign per-IP rules, you can restrict where the person who's remoting in can go. This is an important factor because you always want to practice the principle of least privilege, because you're eliminating the ability for lateral movement to systems they may not need access to. So the default, when I did this video here, is going to be like, hey, open up the network so someone can remote in. But this video is kind of pulling that back and saying, all right, we want to restrict them to only the essentials that they need. It's a little bit harder when you're authenticating someone from home to know that they're actually the person on that computer. Therefore, it's always good and best practice to limit the scope of what they can access.

So you can even limit it to a single computer. And in many cases, people have remote desktop enabled and they want to open it to the world, which we implore people not to do. Do not just turn on remote desktop and open it to the world. But by combining these two videos together, if you watched the OpenVPN setup, combined with FreeRADIUS, you could even restrict it so the only desktop they can get to is their desktop. And now you've limited the exposure to the world.

OpenVPN is a very safe and reliable protocol. It's very well vetted compared to some of the other ones out there. Someone always asks me, what about these newer protocols available? I'm like, as soon as they've gone through solid code audits, great, we can start implementing them. Until then, OpenVPN has been, you know, it's been around for a while and, like I said, it's gone through two code audits. So we know it's a solid process.
So I don't have to worry about potential flaws in a product. But once you have these things combined, you now have a solid way for somebody to get in and you can restrict their movement. Now, obviously the restrictions on their movement are going to be based on what they had access to when they had access to that computer while physically in the office. But obviously those rules still apply. None of that goes out the door. You just really want to be able to get them back to their desktops.

Now that being said, another question that comes up with a lot of our clients right now is, well, can I just use the laptop that my kids usually play games on, or my kid's gaming desktop? And the answer is always no. If we're securing the office computers, we need to apply the same level of security again to whatever devices they use to remotely access them. This is a really important factor because you don't necessarily want to go through all the trouble of setting all this up and, you know, locking everything down, to then have a computer that may have some potential problems also accessing the network, because now you're allowing them to access it remotely. And of course, any threat actor's dream is to get access to that computer. So we do require that the same tooling, the same restrictions that we may have on the desktop, and the same monitoring tools be loaded on the clients' desktops or laptops, whatever they're using, and any devices that are accessed remotely. This is why, you know, frequently we tell them to get a separate computer or maybe a separate laptop that they use for remote work. So even ourselves, my employees have separate work computers versus their home computers that they may use for gaming. This is just basic hygiene, restrictions that we very much enforce. That way, for these computers, you know, all the same rules apply.
However the encryption needs to be set up, whether they're on Linux using LUKS encryption with a boot password, or BitLocker because they're on a Windows computer, whatever those circumstances may be, all the same rules still apply. Just because it's remote doesn't make it exempt. So those factors are really important.

Now, the next thing, and I mentioned open source because we're going to cover some of the open source topics on this, but obviously, if you're using Google Docs or G Suite, those are just web browser based; once we've secured the computer, they can log in. Same thing with Office 365. A lot of clients use Office 365 along with OneDrive, no big deal. It's kind of business as usual. They log into the account on the computer and all their files get synchronized.

What if you're an open source advocate and you don't want to use either one of those tools? Well, the one that's come up quite a bit is Nextcloud. And Nextcloud I had a video on. I need to do a new one because they changed the way the installer works. So I will be doing a new Nextcloud video. But Nextcloud on FreeNAS is a nice solution. And because I've done a lot of FreeNAS videos, I've seen a lot of emails and forum posts, people asking about this. Yes, you can set this up, but I've been encouraging people not to just open it up. And the reason why is frequently people load this based on the plugin. So right here is Nextcloud 17.01 and it's loaded from the plugin. And I went through the setup and it works great, except it's a little bit older version. And people that are doing this may or may not have the skills to mitigate threats that come at them. Also, the default out-of-the-box configuration is not secure, as in not HTTPS. That's one of the challenges. Now, I just did a series of videos on how to secure things that have either no certificate or need a certificate, using HAProxy. That's great for the security side in terms of adding the proxy to it.
And I can link to those videos. But those still don't mitigate the problem if there's a flaw inside of this. You are reliant on the GitHub repository for the iocage plugin that updates this to keep this up to date. So if you have decided just to publicly expose Nextcloud and someone finds a flaw in it, how good are you at getting that mitigated and getting that flaw? That's really what it's going to depend on. And if you're not up to date on this or you're like a set-it-and-forget-it kind of person, this can really cause a problem for you.

So one of the things I had mentioned before was Syncthing. And this is something we use. And one of the reasons why is because it reduces threat surface. And what threat surface is, is when you do things like open up Nextcloud, which, like I said, is a great solution. I just really encourage people to put it behind a VPN. That way, if there are any type of flaws, a threat actor would have to be on the inside of the network, which is less likely. Therefore, you're helping reduce your threat surface, as opposed to publicly exposing it where any botnet can attack it.

But that's where we get ourselves to Syncthing. Now Syncthing is a really impressive tool. It's actually been a little while since I did a video on it and they've added some more features. I love all the new features they added, including really simple revisioning that goes on right inside the browser. But these videos from a few years ago are still relevant in terms of how to set it up and how to get it going and how to get rolling with it. And you can actually see my server backups. This is actually my production system. It just sent the server backup off site. And those server backups go here, synchronizing to here off site. What this allows me to do is I have my business documents and my LTS graphics documents. I was just playing around, updated a test.txt file.
This creates a really nice open source synchronization between all the different systems that are in here. So we actually use this with some of the computers inside of here. We use it off site, getting data off site that needs to be synced hourly, because when you want to mitigate problems, every hour we back up our databases that are critical to the company. They're encrypted prior to even being backed up. So by the time they're dropped down to Syncthing, they're already encrypted, and then it synchronizes between all the different syncing devices.

What this is, is very much like, let's say, an open source version of Dropbox. I bring up Dropbox because so many people are familiar with the product. But Syncthing runs as a desktop app on my computer here. That means, this one right here, it's this Tom Syncthing. If I edit anything on my computer, it instantly synchronizes my business documents folder and my graphics folder. So if I need to edit a file, it synchronizes instantly as soon as I save.

Now the other advantage of Syncthing is QuickBooks. And I bring this up because I know at least a lot of you really like QuickBooks, but really it's any program that needs large file access. And this is where it gets to be a really big challenge. If you're using something to edit files, even graphics files, the problem of doing that over VPN, because people have asked me, well, can I just do my shares over VPN, is VPNs occasionally can get disrupted, the internet can get disrupted, or they may not have the bandwidth. So opening a large file and trying to do a share across VPN, QuickBooks being one of the things that a lot of clients have asked us about, it will have problems. If that VPN drops at all, it can crash that file and get it corrupted. The way Syncthing works, it's creating a copy on your computer. And as you save that file, it then synchronizes that copy to all the other locations.
The good and bad with this, though: if you do this and two people try to edit the same file at the same time, you end up with a conflict. So that's something you have to be conscious of, but in terms of having a local copy of all your files and having them replicated, that's a pretty good way to do it. So if you set up Syncthing and synchronize it with, let's say you set it up on FreeNAS like I have these set up, and you have all your files on Syncthing and then you were working from home and you have it remotely synced, that would be great.

Now, I still recommend syncing it over a VPN, but the good news is, if you choose not to do that, the transport layer of Syncthing itself is completely encrypted. Therefore, if you do set up two sites to synchronize all the data to, or synchronize all your business documents or graphics files to, you at least are sending them over an encrypted channel. Like I said, VPN is preferred, but encrypted channels are good too. So it's kind of a fallback. And Syncthing has added, and they do have, some discovery services where you can have these things connect and they will proxy through Syncthing in order to have discovery of different devices, but obviously the even better way to do this, and if you look at the way I connect to each one of these, I'm actually connecting directly to an IP address. So you can do the auto discovery, and I have that covered in a video of how to set up Syncthing. I'll be doing some new videos on it, but auto discovery works, so does direct.

So these are a couple of ways that you can easily work from home. Like I said, Syncthing, I talk about it because it reduces the threat surface and things like that. But if you want some of that nicer file sharing, I think Nextcloud is a great service, but you have to make sure you're keeping up to date, and you just open yourself up to quite a bit of exposure if you just open the ports up.
And unfortunately a lot of people did, and when there was a flaw not that long ago that was specifically in NGINX but then exploited against people who had publicly exposed Nextcloud instances, it kind of created a lot of disasters for people who go, oh, I thought I could just expose it and I didn't get around to hitting that update button, and yeah, now a lot of people ended up with a real problem. So you don't want to do that. You don't want your strategy to work from home to cause you further grief. You want it to hopefully go really smooth.

VPNs are the easiest way to keep everything under lock and key back there. Follow these videos if you're on a larger network, and yes, for those wondering, yes, you can go through and use other authentication methods besides FreeRADIUS. I haven't covered them in a video or I would link to them, but I will leave links to these videos here, because I know some people asked about whether pfSense will authenticate against something like an Active Directory network. Yes, it will. That is possible and it can be done if that's what you need. So I'll leave links to all this so you can hopefully get started on this, because like I said, it's a popular topic here in 2020. Leave comments and concerns below or head over to our forums so we can have a discussion about this. All right, and thanks.
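The per-user restriction described in the video (a fixed tunnel IP per user via FreeRADIUS, then firewall rules scoped to that IP) can be checked with a small model. This is an added example, not code from the video or from pfSense: the users, addresses, and rule format are constructed, and the evaluator is a simplified top-down, first-match, default-deny model of the rules on the VPN interface.

```python
import ipaddress

RDP = 3389
# Constructed sample data: the fixed tunnel IP handed to each user at login
# (the per-user assignment FreeRADIUS makes possible) and that user's own desktop.
USERS = {
    "alice": {"vpn_ip": "10.8.0.10", "desktop": "192.168.1.50"},
    "bob": {"vpn_ip": "10.8.0.11", "desktop": "192.168.1.51"},
}
LAN_HOSTS = ["192.168.1.50", "192.168.1.51", "192.168.1.10"]  # .10: a file server

def rule(action, src, dst, port=None):
    """A simplified firewall rule; port=None matches any port."""
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "port": port}

def per_user_rules(users):
    """One pass rule per user: own tunnel IP to own desktop, RDP only."""
    return [rule("pass", u["vpn_ip"] + "/32", u["desktop"] + "/32", RDP)
            for u in users.values()]

def evaluate(rules, src, dst, port):
    """Top-down, first match wins; traffic matching no rule is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"] and r["port"] in (None, port):
            return r["action"]
    return "block"

def audit(rules, users, lan_hosts, ports=(22, 445, RDP)):
    """List (user, host, port) reachable beyond the user's own desktop RDP."""
    findings = []
    for name, u in users.items():
        for host in lan_hosts:
            for port in ports:
                expected = host == u["desktop"] and port == RDP
                if evaluate(rules, u["vpn_ip"], host, port) == "pass" and not expected:
                    findings.append((name, host, port))
    return findings

TIGHT = per_user_rules(USERS)
# A broad "VPN subnet to LAN, any port" rule left above the per-user rules.
LOOSE = [rule("pass", "10.8.0.0/24", "192.168.1.0/24")] + TIGHT

if __name__ == "__main__":
    print("tight:", audit(TIGHT, USERS, LAN_HOSTS))
    print("loose:", len(audit(LOOSE, USERS, LAN_HOSTS)), "unexpected paths")
```

With only the per-user rules the audit comes back empty; with the broad rule still sitting above them, every user reaches every host and port, which is the lateral-movement exposure the per-IP rules are meant to remove.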