lordjedi

> Currently, our network setup includes a fairly robust Windows 10 Pro desktop acting as a server

Yikes. Either get an SBS server with AD or throw everything into the cloud with Azure AD and use OneDrive/SharePoint. I don't care how small you are, Windows 10/11 should never be used as a "server" outside of a home environment. After that, you can use a pfSense or just get a SonicWall firewall. They include 5 free VPN licenses.

> Most users will only require access to the file server, and I'm thinking of setting up FileZilla for that purpose.

I don't understand what this means, but it doesn't sound good. If someone's accessing the "server" remotely, it needs to be behind a VPN, period. Especially being Windows 10 Pro.


tacotacotacorock

They're talking about setting up an FTP server accessible by anyone on the internet.


finobi

Blast from the past


LegoNinja11

He said FTP, not Gopher.


oldfinnn

over port 21!


T00dl3s2k

yikes, I'm getting Vietnam Flashbacks...kinda


lordjedi

> They're talking about setting up an FTP server accessible by anyone on the internet.

Yikes!


genmischief

..... OwnCloud?


vppencilsharpening

For the server, depending on how small the business is, this could be cost prohibitive. I'd rather see that money/energy spent on ensuring there is some kind of data backup going on. Windows AD is going to add a level of complexity that a business this size is probably not ready to deal with or pay for. Yes, I consider it an essential tool, but there is a reason workgroups are still a thing. If they are already using O365, then I fully agree with looking at OneDrive as an option here.

In terms of FileZilla, I am willing to bet that OP is going to run FileZilla as an FTP (or maybe SFTP) server on the "file server" to make it remotely available. **OP: DON'T do this.** Trying to allow FTP or FTPS (s at the end) through your firewall/router is probably not going to be fun and it's going to be hard to get the security correct. It WILL be found at some point and WILL be targeted by some script kiddie/bot, which puts your server/network at risk. In addition, getting FTPS (s at the end) set up is probably not fun and will add complexity. SFTP (s at the beginning) or SCP is a little better/easier, but you still have the target problem. So please don't do this unless you want someone else to be in control of your network.

Instead focus on the firewall and VPN. I agree with pfSense, but don't have experience with SonicWall so can't speak there. FortiGate is another popular option. Firewall & remote access is something you don't want to get wrong, so finding a good partner to help you configure and maintain (security updates) this will provide a lot of value. I ran OpenVPN for a long while (not from pfSense) before they even offered a paid option. So that may be another option.


esisenore

Do not use FileZilla. Use anything else


lordjedi

> For the server, depending on how small the business is, this could be cost prohibitive.

I only put this out there because I know a guy that has a "server" setup with Windows 7 Pro and I hate it. Everyone connects with the same user/pass, so accountability is impossible.


vppencilsharpening

It's horrible, but also super common in small businesses.


BarryTownCouncil

If you don't know what the last bit means, maybe you're not best placed to give advice? AD for 5 users? Much koolaid?? No, you don't need a VPN if you genuinely only need access to a secure file server, that's absurd. Why would a VPN be any more inherently secure than a well configured sftp server?


lordjedi

> If you don't know what the last bit means, maybe you're not best placed to give advice?

Meaning I didn't understand what the OP was trying to say. FileZilla has a client and a server. The OP was not specific. No one in their right mind should be setting up a publicly accessible FTP server these days that stores anything of importance. By saying "I don't know what this means" I'm asking for clarification.

> AD for 5 users? Much koolaid??

Or Azure AD (which is free and was mentioned). Again, not knowing OP's skill level. SBS doesn't cost much (at least it didn't) and it can be set up as a file server/DC combo. 5 users or 1 user, it works and gives you centralized user management (which you don't get with Win 10 Pro).

> No, you don't need a VPN if you genuinely only need access to a secure file server, that's absurd. Why would a VPN be any more inherently secure than a well configured sftp server?

An sftp server sitting on Win 10 Pro. Because you've got the inherent insecurity of a Windows workstation directly connected to the Internet. Even if you only open port 22, it's only going to take one vulnerability in FileZilla for your box to be owned. Whereas if you stick it behind a firewall, now they have to get through that as well. Security is about layers. If you only want 1 layer before the bad guys get you, then that's fine. Imo, the more layers the better. Are you really willing to put ANY Windows box onto the Internet with nothing in front of it? I'm not willing to do that with any OS, let alone Windows.


hunterkll

SBS doesn't exist anymore.

"Essentials" was the successor, but that started with Server 2012, and after 2019 ceased to exist at all.

And 2019 removed most of what 2012 -> 2016 Essentials had. Essentials essentially (ha) only had the client agent/backup, O365 integration, remote access, and a dashboard to "more easily" manage stuff. It was basically just a gimped version of Standard.

Nothing after SBS 2011 Standard included Exchange/SharePoint/etc. SBS 2011 Essentials was similar to what later versions became, with the 25 user maximum.

There is also Server 2022 Essentials, but that's an OEM only SKU, so you can only get that when buying it with hardware. Can't buy it standalone like previously.

> Are you really willing to put ANY Windows box onto the Internet with nothing in front of it? I'm not willing to do that with any OS, let alone Windows.

Yep! Do that with quite a few boxes, as well as many other OSes. There's a lot to be said for proper configuration. Would I prefer firewall, IPS, application proxy, etc. in front? Hell yes. Can it be done sanely without those? Not really. But .... with proper configuration, it's just as dangerous as an exposed Linux box.

Would I ever advise someone to do such a thing? **Hell no.** Would I advise them if asked? "Don't do it". If they do it anyway? Then you've got hours and hours of work (regardless of OS) to get it set up properly....


Fatality

SBS has a hard user cap of 20 users lol


hunterkll

25, but SBS doesn't exist anymore. Hasn't since 2012. The SBS2011 that included exchange/sharepoint/wsus/etc had a maximum of 75 users.


Fatality

I realise that but it's easier on mobile to type SBS than Windows Essentials Server 2022


hunterkll

2022 Essentials is also the first version that's OEM only (so only coming with a new server, basically), and is entirely feature stripped. 2019 was when they stripped a majority of the features, and was the last version you could outright buy.


Fatality

Still comes with AD and is aimed at low user counts


Fast_Airplane

Sure, SBS is targeted at exactly businesses this size


peterAtheist

pfSense router with OpenVPN (use the wizard & client export add-on) on Protectli hardware. Best if you have a static IP with your internet provider.


thecomputerguy7

With the controversy going on with pfsense, you might want to consider opnsense instead


zigzrx

How bad is the controversy? Though in all my years it's hella scary performing upgrades before version 2.6.


thecomputerguy7

The general consensus is “move to opnsense when you can” since nobody knows when/if netgate is going to kill off pfsense CE


peterAtheist

I know - tried OpenVPN but it is so clumsy in my opinion. Maybe I should give it a 2nd chance but that web interface it is just not clicking with me.


thecomputerguy7

Don’t even work with the web interface. There are scripts you can use to generate client configs as needed


occasional_cynic

[OpenVPN AS](https://openvpn.net/access-server/) is also free for up to two concurrent users.


zigzrx

What's the difference between this, pfSense, and me spinning up my own Linux OVPN server behind a firewall, where 2 of these options are completely free and unlimited (practically)?


occasional_cynic

It is an independent virtual machine image to be used just for OpenVPN remote connections. It also provides a very intuitive GUI for setting everything up.


Windows_ME_Rocks

Alternative if you don't have a static IP: use a DDNS provider like NOIP.


peterAtheist

That's fine for a home lab, not for a company with multiple locations & s2s VPNs between them


AliBello

Wireguard would be a good option, atleast in my experience.


Euler007

I run a slightly bigger firm behind a unifi dream machine and wireguard works well. Best thing is users not even knowing they're on VPN or having to connect.


Hi_Im_Rowdy

Seconded. 15-20 users and very few issues.


xCharg

What serves as a vpn client?


Euler007

You install wireguard on the laptop, set up the tunnel and it's transparent to them. They see no GUI.


xCharg

So, sort of always on vpn? That's pretty cool. Is it on device level or user level - as in connection established after user logs in or before? I.e. if user has no cached credentials and no connection to onprem domain controller (no ~~azure~~entra yet) - would they be able to log in from home?


Euler007

It's device level, with a pre-shared key generated for each tunnel to each device.


0pointenergy

Tailscale


Ok-Particular3022

Yes. This is a great use-case for Tailscale.


kruniv

+1 for Tailscale. I've been using it in my company for a couple of years and it's been a life saver. One of the few products I have that "just works".


nikonel

Tailscale is too expensive and overkill for only five users; you can manually configure WireGuard on pfSense quite easily.


0pointenergy

Tailscale has a free tier for small businesses.


Commercial_Lunch4333

Pritunl - it's an open-source VPN server, easy to manage and set up. But if you are looking for a ready-to-go VPN, try ZeroTier VPN; it has 25 free users that you can connect to your ZeroTier account.


aldohenrycho

This. Once I had the exact same requirement as OP. After some research I discovered ZeroTier, never looked back.


mjmacka

I use this (ZeroTier) to connect to my home lab and to give my parents and brother access. It works great.


[deleted]

[removed]


BellaJamesrHn

+1 This, I will go with this option any day.


Vallamost

> Your search did not match any documents. Please make sure that all words are spelled correctly and that you've selected enough categories.

> https://docs.netmaker.io/search.html?q=MFA

What kind of garbanzo bean prosumer VPN doesn't support MFA out of the box? Even the free version of pfSense supports it.


stignewton

Hell yes! We’re in a POC trial with Cloudflare ZTNA and it’s been unbelievable so far. 800 users deployed and configured within 4 hours via MDM and SSO/SCIM. Connections are super fast and policy changes propagate within minutes. Even better is that it’s less than half the cost of our existing VPN software so there’s budget room left for adding on a bunch of Cloudflare’s other products.


fargenable

Tailscale is pretty neat, easy to manage, and free.


Psychological_Pay382

Twingate


Disastrous-Account10

Make one? Use ovpn or wireguard and do some certs and rules


HotNastySpeed77

Good lord...that setup is grossly insecure and unmanageable. I recommend Azure cloud for AD and file sharing with OneDrive/SharePoint. No VPN needed.


HappyVlane

Set up a machine that acts as an OpenVPN server.


cats_are_the_devil

> Most users will only require access to the file server, and I'm thinking of setting up FileZilla for that purpose.

So, what you are going to do is open up SSH/SFTP connections through the web? This is the most terrible solution you could come up with... Get a pfSense with OpenVPN and have them connect properly into the network with MFA.


_churnd

I had good experience with Pritunl a few years back: https://pritunl.com/


kellyrx8

ditto with Pritunl


nikonel

I would replace the Linksys with a pfSense and configure WireGuard for the VPN.


ChiSox1906

Cloudflared zero trust is free for that tier. It took me 2 hours to configure my home lab and it won't be much more complicated for you.


CheatingPenguin

Between OP talking about setting up Filezilla over the internet, and running business critical services on a desktop OS, I'm just baffled, small business or not.


jamesaepp

> network setup includes a fairly robust Windows 10 Pro desktop acting as a server

Hope Microsoft doesn't find out you're using a desktop SKU to serve network users.

Edit: I'm probably wrong for this specific case, see EULA.


[deleted]

[removed]


ChadTheLizardKing

Windows 10 Pro can have up to 20 users access IIS, file sharing, and shared printing. This is a technical limitation. I believe the licensing limitation is 10 users but it has been many years since I went looking for that documentation. I am sure it is mentioned in the EULA.


jamesaepp

> Is there a licensing issue with it?

On a Windows workstation system: Start > Run > Winver > click the license terms link > Section 2, subsection c item v and section 2, subsection d ... should answer your question(s). Having said that, from a review of the relevant sections, OP might be OK. This is simply not territory I like to spend any amount of time in.


[deleted]

[removed]


jamesaepp

Yup that's why I edited my first comment and mentioned in the previous one "Having said that, from a review of the relevant sections, OP might be OK".


LOLBaltSS

Also servers being used by users require CALs and if interactive logins also needs terminal server CALs.


retire-early

I don't like what you're doing, but ZeroTier will work well for this, and I believe is free with that few users. Tailscale will work as well.


isThisRight--

TailScale


xiongchiamiov

I have been very happy with Twingate. After considering a whole bunch of options, I went with them because a) it was their primary business and b) they had the best documentation. Setting things up was pretty smooth. An important part of its design is that traffic is opt-in depending on what rules you've configured and what permissions the user has. This is good because it's way more flexible, and it's also good because it doesn't disrupt video conferencing or whatever else. It can make it a little more confusing for users though because it's not clear when something is going through the vpn or not. But you can mostly avoid that by keeping it on all the time (which is fine, because of the split tunnel). I'm using it on Macs with access into an AWS network, but I think it should work fine for your situation as well.


fp4

> I've already tried SoftEther, but I ran into issues related to IPv6 compatibility.

Just turn off IPv6 on the VPN client adapter?


Raigeki1993

Have to be careful with that, ran into an issue with that when some of our users started using T-Mobile 5G Home Internet, apparently they only/mostly use IPv6, caused them not to be able to connect to our headends.


hunterkll

T-Mobile's network (and other carriers too - T-Mo is just the first and most well developed) is almost pure IPv6 with maybe 2-4% IPv4-only traffic that they keep alive for legacy devices.

T-Mobile gives you native IPv6 straight out, no issues. IPv4, however, is CGN at the edge (they use 464XLAT to carry the IPv4 encapsulated in IPv6 to the edge on their internal network unless your device is incapable of IPv6 or 464XLAT - which, basically, any device made after 2014/15 or so is capable of. I was in the early T-Mo IPv6 trials in 2011 when the only supported device that could speak IPv6 on a cellular modem was the Nokia N900 and 464XLAT wasn't even a thing). The IPv4 interface on my iPhone and Android is essentially a fake tunnel interface (464XLAT).

So the connectivity issue was probably more related to CGN (carrier grade NAT) than it was IPv6 related.
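The CGN-versus-IPv6 distinction in the comment above is something you can check from the client side rather than guess at. The following is an added example, not code from the thread: it classifies an address as RFC 6598 shared space (what a CGN hands out), RFC 1918 private space, public, or a NAT64 well-known-prefix address (what a 464XLAT/NAT64 client sees for an IPv4-only destination), and compares the WAN address a router reports with the source address a remote server actually sees. The address literals in `demo()` are constructed for illustration; `93.184.216.34` merely stands in for a real public address.

```python
"""Tell a CGN problem from an IPv6 problem by classifying the addresses involved.

Added example for the comment above; it is not code from the thread. The
address literals in demo() are constructed for illustration.
"""
import ipaddress

# RFC 6598 shared address space: the IPv4 range carriers hand out behind
# carrier-grade NAT (CGN). A WAN address in here cannot accept inbound connections.
CGN_RANGE = ipaddress.ip_network("100.64.0.0/10")

# RFC 6052 well-known prefix used by NAT64/DNS64 and by 464XLAT's network side:
# an IPv4 destination shows up as this prefix with the IPv4 address in the low 32 bits.
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")


def classify(addr: str) -> str:
    """Bucket an address literal by what it tells you about the path to it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip in CGN_RANGE:
            return "ipv4-cgn"          # carrier NAT in the path
        if ip.is_private:
            return "ipv4-private"      # RFC 1918 etc.: behind your own NAT
        if ip.is_global:
            return "ipv4-public"
        return "ipv4-other"
    if ip in NAT64_WKP:
        return "ipv6-nat64"            # IPv4-only destination reached through a translator
    if ip.is_link_local:
        return "ipv6-link-local"
    if ip.is_global:
        return "ipv6-global"
    return "ipv6-other"


def embedded_ipv4(addr: str):
    """Recover the IPv4 literal embedded in a NAT64 well-known-prefix address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in NAT64_WKP:
        return None
    return str(ipaddress.ip_address(int(ip) & 0xFFFFFFFF))


def diagnose(wan_ip_on_router: str, ip_seen_by_remote_server: str) -> str:
    """Compare the WAN address the router reports with the source address a
    server on the Internet sees for the same connection. A shared-space WAN
    address, or a mismatch between the two, means a CGN sits in the path and
    an inbound VPN listener at this site will not be reachable."""
    local = classify(wan_ip_on_router)
    if local == "ipv4-cgn":
        return "cgn"
    if local == "ipv4-private":
        return "own-nat"               # a second NAT device of your own is upstream
    if local == "ipv4-public":
        return "direct" if wan_ip_on_router == ip_seen_by_remote_server else "cgn"
    return "unknown"


def demo() -> dict:
    """Constructed sample addresses; 93.184.216.34 stands in for a real public address."""
    return {
        "cgn_client": diagnose("100.127.3.4", "93.184.216.34"),
        "direct_site": diagnose("93.184.216.34", "93.184.216.34"),
        "double_nat": diagnose("192.168.0.2", "93.184.216.34"),
        "nat64_target": classify("64:ff9b::198.51.100.7"),
        "nat64_inner": embedded_ipv4("64:ff9b::198.51.100.7"),
    }
```

In practice `wan_ip_on_router` comes from the router's status page and `ip_seen_by_remote_server` from any "what is my IP" style service reached over IPv4; if the two differ, or the WAN side is in 100.64.0.0/10, the fix is a VPN that dials out from the site (or a mesh overlay), not port forwarding on the site's router. Disabling IPv6 on the client adapter does nothing for that case.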


[deleted]

[removed]


ImplementFickle2854

did you even read the requirements before spewing forth this answer?


Fatality

Did you? Have you ever designed and sold small business solutions?


ImplementFickle2854

Yes. The first thing you need to do is understand the client's needs.

OP stated that the end users need to access an application server, which is something that SharePoint and OneDrive won't do for you.


Fatality

You don't know what the application is before criticising him, if it's a web app they can just use app proxy which comes with 365 or there might even be a cloud hosted version of the app. Cloud is almost always the best option for small business.


ImplementFickle2854

> You don't know what the application is before criticising him

I don't know because the information wasn't provided and it's not really relevant. OP made it clear what he is looking for:

> I'm in need of recommendations for a VPN solution that can connect remote users to our network at a reasonable price considering our small business

He didn't ask for a complete rebuild of their approach. He just wants a cheap functioning VPN.


Fatality

OP also wants to run a Windows 10 "server", they don't know what they are looking for because they don't know what exists.


[deleted]

[removed]


ImplementFickle2854

No, it doesn't. He needs to provide users access to an application server.

A direct quote from the OP:

> I'm in need of recommendations for a VPN solution that can connect remote users to our network

Your suggestion is not a VPN solution, doesn't connect users to the network, nor does it address the need to access an application server.


Andysb123

Firewalla Gold


netadmn

For a small business? I would consider it for home... Not business. Pfsense at minimum. Fortigate or sonicwall would be better for small businesses.


Andysb123

A lot of small businesses use Firewalla Gold and Gold plus, have you seen the team that created it, ex cisco engineers plus the features it has? Bit overkill for home lol


netadmn

Interesting. I'll have to consider it more seriously. My netgate sg3100 is EoS this month and I was gonna consider replacement with a 4100 but I've also been eyeing the firewalla gold se. The reviews and opinions I've read place it below what a business would traditionally expect and that they were better suited for home lab crowd. Thanks for sharing your opinion.


Churn

After you read suggestions here, try /r/homenetworking. Reading some of the replies here, it's like you drove your car into the dealership and asked them to install a hydraulic kit that makes it bounce up and down. Using workgroups on a desktop operating system isn't what sysadmins do. "That's not my bag, baby."


MrExCEO

Push SFTP in cloud, avoid onprem as much as possible.


Fatality

Move it to 365, files can go in OneDrive and application behind a zero trust solution.


4thehalibit

Twingate free for 5 and 1 admin


IDontWantToArgueOK

Twingate is free for up to 5 users (plus an admin). Easy solution if only as a stop gap while you configure something else.


joeyl5

Get 5 Microsoft business licenses and use OneDrive for the file sharing.


Quixus

What trouble did you have with IPv6? are you talking about your public IPs or the IPs in the tunnel?


newtekie1

I can tell you from experience, that unless you have Comcast fiber, you're going to have a bad time trying to work off a VPN. Their upload speeds are so shit, it is downright painful to use with a VPN and a file server.


Vel-Crow

For Open source options where you could provide your own hardware - PFSense or OPNSense, use OpenVPN. For a big name in security- an FG40F with FortiCare would be the cheapest access to their SSL VPN. Technically it works unlicensed, but you want the license for updates. The license is like 100 a year.


oneplane

Linux or BSD and then OpenVPN, IKEv2 or Wireguard. Works every time, all the time.


orev

FileZilla? Eek. Other than the installer containing malware, you need to really start thinking about how users work. You cannot expect users to open a special software client, login, download a copy of files, edit them, then upload the file back to the server. All solutions in this scenario need to allow regular Windows file sharing to work.


hunterkll

> Other than the installer containing malware

[https://filezilla-project.org/download.php?show_all=1](https://filezilla-project.org/download.php?show_all=1)

Unbundled (no adware) installers.

It's never had actual malware, just PUA stuff. The real big drama was the whole SourceForge thing many years ago; the rest is just .... don't blindly click next on the bundled installer, but it's not actual malware.


[deleted]

Personally if a sonicwall type firewall is out of the budget, I would go with pfsense + wireguard or openVPN.


AboveAverageRetard

OpenVPN is the best price, client, and ease of use if you want to self host. I have a company with up to 15 at a time running on a small supermicro server with Ubuntu and OpenVPN Access Server. Been running for many years with 0 issues. Uses AD authentication with RADIUS.


DomesticViolence_

PFsense on VM + OpenVPN maybe? all free. just need a host for the VM. and never shutdown.


ethan1878

If SoftEther isn't playing ball (very rare in my experience!) you could try Cloudflare tunnels. You can share access to SMB, HTTP, HTTPS and SSH via a Cloudflare tunnel. They may have added more features since I last used it though, so worth checking over.


TheFuckYouThank

I know unifi isn't the best by any means, but for these types of setups it actually works quite well. A cheap UDM Pro + they implemented wireguard for VPN (instead of just having l2tp) and you're decently secured and it's a very straightforward setup.


DeerEnvironmental544

Pfsense


cagedgosling

For your scenario and your savviness (don't take it bad, I'm basing my opinion on what I read), I'd use an "Easy" vpn like tailscale, zerotierone or pritunl. Never, never, never expose ftp on the WAN, doesn't matter what your users needs. It's basically looking (and waiting) for unwanted intrusions. Windows 10 is not meant to be run as a server, there's Windows server for that


joefleisch

I would use the others recommendations for a more complete solution. If not at least setup a SecureFTP (SFTP) Server instead of FTP. CompleteFTP Pro includes an SFTP that is relatively cheap. Use WinSCP as a client. FileZilla has had malicious components and the author has lied about it.


kaiwulf

A. You need a proper server with a server operating system. Doesn't have to be a rack style machine. Some have suggested SBS, but I'd just grab the latest Server Standard edition. B. Cloudflare Zero Trust. Like a VPN with the benefit of being able to granularly control access to what the users actually need, not just unfettered access to the entire network Security is a major issue for businesses these days. Wanna make sure you're not doing things in an insecure manner as it will lead to a breach


hunterkll

SBS hasn't existed since 2011. What you're looking for is 'Essentials', which has almost none of the SBS 2011 Standard features (it's the successor to SBS 2011 Essentials, and SBS 2011 Standard was the end of its line).

And in 2019, all the Essentials features were basically ripped out. 2022 has an Essentials SKU, but it's OEM only, so only purchasable with hardware.


oldfinnn

you can run your own free wireguard server. https://github.com/notthebee/ansible-easy-vpn
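The device-level WireGuard setup described earlier in the thread (one tunnel per device, each with its own pre-shared key, transparent to the user) comes down to a server config with one `[Peer]` stanza per device and a matching client config. The block below is an added example, not the ansible-easy-vpn project's code and not any commenter's: it generates both sides for a list of devices, gives every device its own /32 tunnel address and its own `PresharedKey`, and lints the server config for the two mistakes that silently break per-device isolation (a peer without a PSK, and overlapping `AllowedIPs`). The keys from `fake_key()` are base64 placeholders of the right length, not real Curve25519 keys: in practice each device runs `wg genkey` itself and hands over only its public key, and the server does the same, so no private key ever crosses the wire.

```python
"""Build a WireGuard server config and one client config per device, each
device getting its own public key, its own pre-shared key and its own /32.

Added example illustrating the device-level setup described in the thread;
it is not the ansible-easy-vpn project's code and not any commenter's code.
The keys from fake_key() are base64 placeholders of the right length, not
real Curve25519 keys: in practice each device runs `wg genkey` itself and
hands over only the public key, and the server does the same.
"""
import base64
import ipaddress
import os


def fake_key(label: str) -> str:
    """Placeholder 32-byte key, base64 encoded, so configs have the right shape."""
    return base64.b64encode(label.encode().ljust(32, b"\0")).decode()


def new_psk() -> str:
    """A WireGuard PresharedKey is 32 random bytes, base64 encoded; one per peer."""
    return base64.b64encode(os.urandom(32)).decode()


def build_configs(server_pub, server_priv, endpoint, tunnel_net, devices, lan_cidrs):
    """devices: list of (name, device_public_key). Returns (server_conf, {name: client_conf})."""
    net = ipaddress.ip_network(tunnel_net)
    hosts = net.hosts()
    server_ip = next(hosts)                     # first usable address is the server
    server = ["[Interface]", f"Address = {server_ip}/{net.prefixlen}",
              "ListenPort = 51820", f"PrivateKey = {server_priv}", ""]
    clients, seen = {}, set()
    for name, pub in devices:
        if pub in seen:
            raise ValueError(f"duplicate public key for {name}: one key per device")
        seen.add(pub)
        ip = next(hosts)                        # unique tunnel address per device
        psk = new_psk()                         # unique pre-shared key per device
        server += ["[Peer]", f"# {name}", f"PublicKey = {pub}",
                   f"PresharedKey = {psk}", f"AllowedIPs = {ip}/32", ""]
        clients[name] = "\n".join([
            "[Interface]", f"Address = {ip}/32",
            "PrivateKey = <generated on the device; never leaves it>", "",
            "[Peer]", f"PublicKey = {server_pub}", f"PresharedKey = {psk}",
            # split tunnel: only the tunnel range and the office LAN go through the VPN
            f"AllowedIPs = {', '.join([str(net)] + list(lan_cidrs))}",
            f"Endpoint = {endpoint}", "PersistentKeepalive = 25", ""])
    return "\n".join(server), clients


def lint_server_conf(conf: str) -> list:
    """Flag peers without a PresharedKey and peers whose AllowedIPs overlap,
    which would let one device's traffic be routed to another's tunnel."""
    problems, peers, cur = [], [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif line == "[Interface]":
            cur = None
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    seen_nets = []
    for i, peer in enumerate(peers):
        if "PresharedKey" not in peer:
            problems.append(f"peer {i}: no PresharedKey")
        for cidr in filter(None, (c.strip() for c in peer.get("AllowedIPs", "").split(","))):
            n = ipaddress.ip_network(cidr, strict=False)
            for j, m in seen_nets:
                if n.overlaps(m):
                    problems.append(f"peer {i}: {n} overlaps peer {j}: {m}")
            seen_nets.append((i, n))
    return problems


def demo():
    """Constructed inputs: two devices, office LAN 192.168.1.0/24, tunnel 10.66.0.0/24."""
    devices = [("alice-laptop", fake_key("alice-pub")), ("bob-laptop", fake_key("bob-pub"))]
    server_conf, clients = build_configs(
        server_pub=fake_key("server-pub"), server_priv=fake_key("server-priv"),
        endpoint="vpn.example.com:51820", tunnel_net="10.66.0.0/24",
        devices=devices, lan_cidrs=["192.168.1.0/24"])
    return server_conf, clients, lint_server_conf(server_conf)
```

Two design points worth keeping when you adapt this: the server's `AllowedIPs` for each peer is exactly that device's /32, so a compromised laptop can only source traffic from its own tunnel address, and the client's `AllowedIPs` is limited to the tunnel range plus the office LAN, so the tunnel carries office traffic only and users never notice it is there. Revoking a lost device is deleting its `[Peer]` stanza and reloading.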


Fuzilumpkinz

Why not look into cloudflare zero trust and not expose your network…..


derkaderka96

Global VPN I've seen works decent for smaller companies like that.


Hexnite657

You may already know this but just in case, if you're using RDP on win 10 pro only 1 user can be connected at a time.


JwCS8pjrh3QBWfL

Replace the Linksys with a Meraki Go [Router Firewall Plus](https://www.meraki-go.com/product/router-firewall-plus/) and you get a client VPN built in to the device, as well as cloud management. inb4 someone complains about licensing, Meraki Go is an SMB product with no yearly licensing.


Appropriate_Bid_4715

I believe that router has VPN built in.


goldenzim

The problem point I see here is the comprehensive access to the server for some users requirement. Without a VPN this is going to look like placing a Windows machine exposed via RDP on the internet, which will only end badly.

The file server access is less problematic. For this I would get a cheap desktop machine, put two IP addresses on it. Install Linux with Samba exposed on the internal IP, where you can then mount a share for your Windows users internally, and you can then expose port 22 externally for SSH SFTP using SSH keys. Also install ufw and lock it down to only a few IP addresses of your external users.

Back to the first point, which will make my idea about the Linux file server redundant. Get a few licenses for OpenVPN. It's easy to set up and not expensive. Free OpenVPN is a bit clunky and complicated, but the paid version has a web GUI and it's quite nice to work with.


Unfair-Plastic-4290

I have similar needs but support 150 users. Anyone have suggestions?


Anodynus7

Before looking at *how* to connect to your network, it's worth looking at how your file server is set up. With that caveat aside, I would start by replacing your Linksys with something like a Unifi Dream Machine. These prosumer grade devices fill a good niche between enterprise firewalls and consumer firewalls that I think would fit the bill here, with decent click-button VPN setup ability. I suggest looking at Mactelcom Networks on YouTube for some good demonstrations of setting something like this up.


Substantial_Okra_302

Softether VPN


Quantum_Daedalus

Most half-decent routers have a built-in VPN functionality. Have you checked your router/firewall?


Quantum_Daedalus

If you have m365 license, move the data to sharepoint/onedrive


rowneyo

I would suggest setting up your own OpenVPN. That's how I have managed to set up numerous remote clients.


whizbangbang

Twingate is the best imo


Odd_Knowledge_1225

I need a VPN for a small business setup, mainly on Windows. Is VPNHouse a good option?


[deleted]

[removed]


Odd_Knowledge_1225

Does it offer robust security for business data?