Hey, we need to restrict access to an online service to a whitelist of IP addresses, but we are looking for an option for mobile devices. We could put a VPN router in the office and get them to connect to it, but all we need is a VPN service with a static IP. I have looked at NordVPN; are there any other obvious choices? I have also seen some Zero Trust options but I'm not sure if they route out a static IP.
Thanks in advance
I’d recommend looking at Timus Networking. They are channel-only, and it’s a full firewall, as granular as you need. Jared is awesome to deal with! Jared Epstein
SASE. You can whitelist the datacenter / point-of-presence IPs the connections are routed out from.
This is not exactly the solution you asked for, but I had the same problem (IP whitelist with cellular connected laptops) and tried using VPN services with static IPs.
For various reasons I just wasn’t happy with how the VPNs worked out for this purpose (cost, subscription management, multiple users not using the same IP, etc.).
I ended up using two cheap VPSs from two different providers and installed ShadowSocks. It creates a local proxy server that routes traffic through the VPS. You can route all traffic through the proxy or configure individual applications to use the proxy. You can also have it load balance or failover between multiple servers.
In my case the two servers are in a failover configuration and I configured SSH and a secondary web browser to use the proxy. All other traffic uses the cellular connection directly and bypasses the proxy. Other than using the secondary browser to access the IP locked sites I wouldn’t even know it was there.
Why bother with IP addresses?
Just use a VPN or an X.509 client certificate. No certificate, no access.
Keep it simple.
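As an added illustration of the two approaches in this thread (the IP allowlist the question asks about and the "no certificate, no access" alternative), here is an nginx configuration; it is not from any poster, and the hostnames, certificate paths and 203.0.113.x addresses are placeholders.

```nginx
# Added example, not from the thread. Hostnames, paths and the
# 203.0.113.x addresses are placeholders (203.0.113.0/24 is a
# documentation range).

# Option A: the IP allowlist the original question describes. Only the
# office firewall egress and the static VPN/proxy egress reach the app.
server {
    listen 443 ssl;
    server_name service.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    location /app/ {
        allow 203.0.113.10;     # office firewall egress (placeholder)
        allow 203.0.113.20;     # static-IP VPN or VPS proxy egress (placeholder)
        deny  all;              # everything else gets 403
        proxy_pass http://127.0.0.1:8080;
    }
}

# Option B: "no certificate, no access" via mutual TLS, regardless of
# which network the device connects from.
server {
    listen 443 ssl;
    server_name mtls.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # CA that issued the client certificates. nginx fails the handshake
    # when the client presents no certificate, or one that does not
    # chain to this CA.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Hand the verified subject DN to the app so it can authorise
        # per user instead of per source address.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

With option A every user behind the VPN or proxy shares one network identity, so removing one person's access means changing the egress or adding authentication on top; with option B a single client certificate can be revoked or left off the issuing CA's list without touching anyone else.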
Perimeter 81 for a good cloud ZTNA solution.
Cisco AnyConnect for mobile is awesome. So any firewall that supports it.
Have you thought about a cloud-hosted firewall? That will give you full control over the VPN, it’s pretty cheap, it would provide the public IP address you need, and you can assign a persistent private IP to each VPN user so that you can also apply additional policies specifically to each user.
It then gives you a platform to grow. E.g. you might have your office connected to that firewall as its main internet path, which would give your remote users access to any internal servers if relevant.
Then you might have some resources in Azure/AWS which you can also pull into the mix.
Check out the "0 to SASE in 60 minutes" on-demand webinar from Cato Networks. They cover this literal use case (with testing and validation) in a full-stack SASE deployment, configuration and validation exercise. If you want to skip the marketing lead-in, you can fast forward to the midpoint of the webinar. They actually do the full deployment, config and validation in 30 minutes.
https://catonetworks.easywebinar.live/registration-0-to-sase-in-60-minutes
SASE
(Just not Datto SASE, it’s horrible)
We use Cytracom, it’s been pretty good for us.
Cytracom is pretty cool, it does this and more. Can do sites as well.
I’d second this recommendation. Jared is great to work with, as is the whole Timus team. The client works well, and the firewall is powerful.
Ideally one which combines both: a zero trust overlay which uses X.509 for authenticate-before-connect with outbound-only connections. I work on a commercial solution for this, but the tech is also open source - https://openziti.io/
Could you please explain what you find bad about Datto SASE?
We are looking at Cytracom right now. It seems like a really good one: visual dashboard, their own hardware device for the main office. Did you by any chance compare it to Todyl? That’s the only other one we are looking at currently. I feel like Cytracom is the better product, though.
It literally just didn’t work. The client is absolute garbage. Constant connection issues. Or reconnection issues. It would just refuse to connect all the time. Especially after coming out of sleep/hibernation. We spent 2 months working with their support, got access to multiple alpha versions of the client that were supposed to fix the issues. Finally just told our rep we’re throwing in the towel, there’s no way we can possibly use this. I honestly have no idea how they’re even selling this product. We’re a Kaseya shop and use a number of their products and don’t overall hate Kaseya like some… but man this one was just horrible.
Plus it has silly limitations as well, and the configuration and options are super basic when compared to other SASE products. For example, you can only create a single site-to-site VPN tunnel from the cloud gateway to a site - we needed multiple tunnels. There’s also a 50Gb per user data cap that it doesn’t mention ANYWHERE, and we only found out when a couple of our techs hit the cap and it started throttling their bandwidth to 2Mbps for the rest of the month until it reset. Their reasoning behind this? They claimed it’s because “SASE is intended just for business related traffic and you should set all your other traffic to bypass the SASE client.” Umm… no? The entire point of SASE is to keep all our traffic going out through a central gateway that we can monitor and control. What’s the point of having a content filter for various stuff if we simply set all that traffic to bypass the gateway anyway?
Unfortunately no. When we started using Cytracom I wasn’t aware of Todyl at the time, so I can’t tell you much there. Just that we’re pleased with Cytracom overall. They’ve been adding new features fairly regularly too.
Hmm, thanks for the details.
We run Todyl now and we face a lot of connection issues… so we are about to give Datto SASE a go…
Why do you say that? A colleague of mine who I trust a lot is ALL in on Todyl. Personally, I feel like Cytracom has a better product, but I’d like to know more about Todyl. I have a trial set up with them for later this month.
What did you all end up going with?