
Remotely access xTuple while in the field

What are my (best security) options for field access clients?
I don’t want to use remote desktop.
I want to use Windows laptops (with xTuple client installed) connected either through customer LANs or cellular mobile data to connect to xTuple database on our LAN.
Laptops have xTuple client, and database currently on Windows 10 PC, but will be moved to Ubuntu or FreeBSD host.

If you’re dealing with an SSL connection to the database and the database is already hosted outside of the LAN, I would just connect directly from the client.

If you want to go a step further, or if the database is hosted locally in the LAN, then you could put a VPN into the mix.

If you go the VPN route, then I probably would use Remote Desktop. I like the performance better with RDP in this situation. I understand the hesitation with RDP, it’s not secure, but that should be covered by the VPN.

The key here is having the SSL properly configured.

Lots of variables at play here.

Hello Szuke
Thanks for your reply.
I want to stay away from Remote Desktop. To me that implies a PC on our LAN being taken over by Remote Desktop (similar conditions also for TeamViewer, isOnline etc.)

I was hoping for something along the lines of RADIUS connectivity. I see there are options in PostgreSQL (via PgAdmin/pgconfig file) to accept RADIUS connections.

A couple questions could be important. szuke’s idea of a VPN is really good. Also, if your customer has a static IP address you could always do Static PAT.

Hello caleb194

I require a little more information about VPN usage. My experience of VPN has been mostly with remote desktop, and to a lesser extent remotely connecting to Unix/Linux devices to run an application on that host. I would like to understand how I can use VPN without remote desktop, or taking control of another host within our LAN.

I am not sure of your meaning re using Static PAT and customer. Can you elaborate a little further please?

The xTuple ERP is for our company’s use.
When we visit a customer’s site, we may want to look at xTuple for status of customer sales orders, quotes etc. Depending on each customer site we have varying methods of internet access courtesy of the customer, from the basic of grabbing an ethernet cable and plugging in through BYOD or guest network access. I think each time of all the above we are assigned a dynamic IP.

Thanks

The VPN is simply to create a connection to the network (the “tunnel”). This connection could then be used to connect to a remote desktop or other host. I understand you don’t want to do that. There’s no reason you cannot run your own client, either a sql session or the actual xTuple qtclient over the connection. VPNs are often a little unstable, which is why I prefer to work on a machine on the “true” network rather than over a VPN.

Once you VPN to the host network, you will get an IP address and it will be as if you are plugged in at their location.

If you don’t know where to start on the VPN path, check out OpenVPN: https://www.youtube.com/watch?v=9LNC393pqyE The general idea is that you log into the VPN and then you are connected Virtually to your Private Network, so you can use whatever resources are on the LAN at your office.


Thanks for the YouTube link. I am not sure how OpenVPN will help me compared to other VPN methods. The link did enlighten me about how OpenVPN requires connections to another site to gain access - not sure if that acts as a security measure for our PostgreSQL side though (we were considering it for our NAS connection).

I can see it’s possible to use the PostgreSQL file pg_hba.conf to manage which IP locations can access the database. This gives a level of security so that only our users can login with previously designated IP address.
This narrows down who can login and from which hardware (BYOD?)

I guess my quest at present is to understand how I can get my xTuple client to connect to the database as if I was on our LAN (my laptop direct to database, with maybe a login requirement to get inside our LAN).

OpenVPN is simply one VPN service. Caleb was providing a simple example. You can certainly host your own VPN, but VPN services are making this very easy. Instead of knowing the IP addresses of each client, you can adjust your pg_hba.conf file to include the range of IPs provided by your private network/VPN. This makes BYOD much easier.

Connonr,
If your company has a local internal network and a static public IP address is available then the VPN solution may provide you with what I believe you are wanting to accomplish.

I work in that environment frequently and once the VPN connection is established your laptop that is out in the field will be able to access all the assets within your work location’s local network. There are multiple ways to accomplish that configuration and it CAN be a very secure way of extending access into your local area network. It is difficult to explain the details but “OpenVPN Access Server” is a proven provider of that sort of connectivity. Once it is installed and configured it just keeps working. With that setup you could be in a meeting at your client’s office and with your laptop you could click a button and establish a secure connection to your office resources within a matter of seconds. The only requirement would be that you could reach the internet to establish the connection to your VPN server. I’d be happy to give you free advice on some of the specifics if you would like. Just drop me a note via the forum chat system and we can exchange contact info.

Jim Wirt

Hello Jim

Thanks for your input. My experience with a VPN connection in the past has been to enable me to connect a remote host and take some control of the remote host, either at the $ prompt or using Remote Desktop. So my use of a VPN connection to date has been to take control of another host remotely.

It seems the consensus based on replies to my initial question is to use a VPN.
Now what do I do with a VPN connection so I can connect my xTuple client to the PostgreSQL database? I don’t want to take control of another host on our LAN to access xTuple.

Once the VPN is established, should I use something like SSH and port forwarding, or some other method?

Once you are connected via VPN, you will be on the same network. You should then be able to put the IP address / hostname into your server setting and connect directly. It really is that simple.

connonr, you seem to have a misconception of what a VPN is. This reply is targeted at the idea of a VPN. VPN is an acronym that stands for “Virtual Private Network”; it essentially works as a LAN once it is set up. It is not some sort of remote desktop software.

Let’s say hypothetically that at your office you have a LAN IP address of 192.168.1.0 with a subnet mask of 255.255.255.0 and a default gateway of 192.168.1.1. Your PostgreSQL server is on 192.168.1.2. When you log into the VPN on your laptop at a customer’s site, it will give your laptop some IP address; we can call it 192.168.2.10. You will be effectively connected to whatever network your VPN server is running on, and you would connect to your PostgreSQL server with the private IP address of 192.168.1.2. The packets sent from your computer would be encapsulated and sent to your VPN server on the LAN at your office and unpackaged there. Then they would be sent to your PostgreSQL server. Instead of using a host name for the “Server”, you would probably have to use an IP address of your PostgreSQL machine like such: [image]
The VPN software would create a completely secure connection between yourself and your LAN over WAN. No one would be able to view your unencrypted traffic unless they could log into your VPN.

It’s the perfect solution to what your problem is, as it does not rely on remote desktop, it’s completely secure, and I can personally verify its functionality with xTuple as I have set up VPNs to do exactly this.
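Added example (not part of the thread and not xTuple or PostgreSQL project code): a small Python check for the pg_hba.conf approach discussed above, using the hypothetical addresses from this post. It reports which record PostgreSQL's first-match rule would apply to a client with and without SSL; both sample files are constructed, and the DATABASE and USER columns are assumed to be `all`.

```python
import ipaddress

# Constructed pg_hba.conf samples, not taken from a real server. Addresses follow
# the thread's hypothetical: office LAN 192.168.1.0/24, VPN clients 192.168.2.x.
WEAK_HBA = """\
# TYPE   DATABASE  USER  ADDRESS         METHOD
local    all       all                   peer
host     all       all   0.0.0.0/0       md5
hostssl  all       all   192.168.2.0/24  scram-sha-256
"""
HARDENED_HBA = """\
# TYPE   DATABASE  USER  ADDRESS         METHOD
local    all       all                   peer
hostssl  all       all   192.168.1.0/24  scram-sha-256
hostssl  all       all   192.168.2.0/24  scram-sha-256
"""

def parse_hba(text):
    """Yield (lineno, conn_type, network, method) for TCP records in CIDR form."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] == "local" or "/" not in fields[3]:
            continue  # blank/comment, Unix-socket, or non-CIDR address (out of scope)
        yield lineno, fields[0], ipaddress.ip_network(fields[3], strict=False), fields[4]

def first_match(text, client_ip, ssl):
    """Return (lineno, method) of the first record matching this client, else None.

    PostgreSQL uses the first matching record; no match means the connection is
    rejected. Simplification: DATABASE and USER columns are assumed to be 'all'.
    """
    ip = ipaddress.ip_address(client_ip)
    for lineno, conn_type, net, method in parse_hba(text):
        # 'host' matches both SSL and non-SSL TCP connections.
        type_ok = (conn_type == "host" or (conn_type == "hostssl" and ssl)
                   or (conn_type == "hostnossl" and not ssl))
        if type_ok and ip.version == net.version and ip in net:
            return lineno, method
    return None

if __name__ == "__main__":
    for name, hba in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        for ip in ("192.168.2.10", "203.0.113.7"):  # VPN client, outside address
            for ssl in (True, False):
                print(name, ip, "ssl" if ssl else "plain", first_match(hba, ip, ssl))
```

In the weak file the broad `host` record is matched before the `hostssl` record for the VPN range, so a non-SSL connection is still accepted; in the hardened file a non-SSL connection or one from outside the LAN and VPN ranges matches nothing.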

Hello caleb194

Thanks for confirming that I don’t know how to use a VPN. That’s why I mentioned I had only experience with RDP and taking control of another host. That’s why I asked how to solve my problem on this forum. If I knew what to do, I wouldn’t be here.

If someone had responded with similar information as your 2nd paragraph and image, I would have been on my way to happiness.

Once again thanks for your help.
My problem is solved.