Skip to Content

Setting Up VPN for Your Team

Setting Up VPN for Your Team

Setting Up VPN for Your Team

Photo by MART PRODUCTION on Pexels

Now that you understand VPNs, it's time to set one up for your team. This lesson walks through a complete deployment using Tailscale (the easiest option) and OpenVPN (the traditional option), with practical examples and configuration steps that any small business can follow.

Choosing Your VPN Approach

For most small businesses with fewer than 50 remote workers, we recommend starting with Tailscale. It's free, takes minutes to set up, requires no networking knowledge, and uses state-of-the-art WireGuard encryption. If you need more control or have specific compliance requirements, OpenVPN Access Server is the fallback.

Complete Tailscale Deployment Guide

Phase 1: Admin Setup (15 minutes)

  1. Sign up: Go to tailscale.com, click "Get Started," and sign in with Google, Microsoft, or GitHub. This becomes your tailnet — your private network.
  2. Review the admin console: You'll see a dashboard at login.tailscale.com/admin showing zero devices. This is where you'll manage everything.
  3. Configure DNS: Under "DNS" in admin settings, add your company's internal DNS server if you have one. This lets workers use names like "filesrv.company.local" instead of IP addresses.
  4. Set up ACLs: Under "Access Controls," define who can access what. A basic policy: allow all devices to ping each other, but restrict access to sensitive servers to specific groups.

Phase 2: Office Server Setup (10 minutes)

  1. Install Tailscale on your office server: On Linux, run: curl -fsSL https://tailscale.com/install.sh | sh. On Windows, download the installer from tailscale.com.
  2. Authenticate: Run tailscale up and follow the URL to authenticate the device with your account.
  3. Note the IP: Run tailscale ip to get the 100.x.x.x address. This is how workers will reach this server.
  4. Enable subnet routing (if needed): If workers need to access other devices on the office network, run: tailscale up --advertise-routes=192.168.1.0/24 (replace with your office subnet). Enable "IP forwarding" on the server.
  5. Approve routes: In the admin console, find the server device and approve the advertised routes.

Phase 3: Worker Device Setup (5 minutes per worker)

  1. Install the client: Workers download Tailscale for their platform — Windows, Mac, Linux, iOS, or Android
  2. Sign in: Workers authenticate with the same organizational account (Google/Microsoft/GitHub)
  3. Verify connection: Workers try to access the office server using its Tailscale IP address
  4. Test file access: If using a file server, workers should try opening a shared folder

Phase 4: Security Hardening

  1. Enable device authorization: In admin settings, turn on "Device Approval" so new devices require admin approval before joining
  2. Set up key expiry: Configure keys to expire every 90 days — devices must re-authenticate periodically
  3. Enable logging: Turn on "Tailnet logs" to track who connects and when
  4. Create user groups: Organize workers into groups (e.g., "Finance," "Sales") and apply different ACL rules to each

OpenVPN Access Server Setup (Alternative)

  1. Install OpenVPN AS: On a Linux server, download and install the package from openvpn.net. On Ubuntu: wget https://openvpn.net/downloads/openvpn-as-latest-ubuntu22.amd_64.deb then sudo dpkg -i openvpn-as-*.deb
  2. Set admin password: Run sudo passwd openvpn to set the admin password
  3. Access admin UI: Go to https://server-ip:943/admin and log in
  4. Configure routing: Under "VPN Settings," ensure "Should client traffic be routed through the VPN?" is set correctly. For full tunnel, enable it. For split tunnel (recommended), disable it and specify only your office subnet.
  5. Create users: Under "User Management," create accounts for each worker with unique passwords
  6. Workers download client: Each worker visits https://server-ip:943 (note: not /admin), logs in, and downloads the OpenVPN Connect client with their profile pre-configured
  7. Connect: Workers install the client, import the profile, and connect using their credentials

VPN Monitoring and Maintenance

  • Weekly check: Review connection logs — look for unusual access times or unknown devices
  • Monthly review: Remove access for workers who no longer need it. Check that all devices are running the latest VPN client version.
  • Quarterly audit: Review ACL rules and ensure they still match your team's needs. Test that terminated employees can't connect.
  • On offboarding: Immediately revoke VPN access when an employee leaves — before their last day if possible

Free Tools for VPN Management

  • Tailscale Admin Console: Free, includes device management, ACLs, logs, and DNS configuration
  • PingPlotter (free version): Monitor VPN latency and packet loss to troubleshoot slow connections
  • Wireshark: Free network protocol analyzer for advanced troubleshooting

Key Takeaways

  • Tailscale is the fastest path to a working VPN — 15 minutes for the entire team
  • Always enable device approval and key expiry for security
  • Use split tunneling so workers can access local printers while connected to VPN
  • Revoke access immediately when employees leave — this is a critical security step
  • Document your VPN setup so it can be recreated or troubleshooted by anyone on your team

Setting Up VPN for Your Team

Setting Up VPN for Your Team

Photo by MART PRODUCTION on Pexels

Now that you understand VPNs, it's time to set one up for your team. This lesson walks through a complete deployment using Tailscale (the easiest option) and OpenVPN (the traditional option), with practical examples and configuration steps that any small business can follow.

Choosing Your VPN Approach

For most small businesses with fewer than 50 remote workers, we recommend starting with Tailscale. It's free, takes minutes to set up, requires no networking knowledge, and uses state-of-the-art WireGuard encryption. If you need more control or have specific compliance requirements, OpenVPN Access Server is the fallback.

Complete Tailscale Deployment Guide

Phase 1: Admin Setup (15 minutes)

  1. Sign up: Go to tailscale.com, click "Get Started," and sign in with Google, Microsoft, or GitHub. This becomes your tailnet — your private network.
  2. Review the admin console: You'll see a dashboard at login.tailscale.com/admin showing zero devices. This is where you'll manage everything.
  3. Configure DNS: Under "DNS" in admin settings, add your company's internal DNS server if you have one. This lets workers use names like "filesrv.company.local" instead of IP addresses.
  4. Set up ACLs: Under "Access Controls," define who can access what. A basic policy: allow all devices to ping each other, but restrict access to sensitive servers to specific groups.

Phase 2: Office Server Setup (10 minutes)

  1. Install Tailscale on your office server: On Linux, run: curl -fsSL https://tailscale.com/install.sh | sh. On Windows, download the installer from tailscale.com.
  2. Authenticate: Run tailscale up and follow the URL to authenticate the device with your account.
  3. Note the IP: Run tailscale ip to get the 100.x.x.x address. This is how workers will reach this server.
  4. Enable subnet routing (if needed): If workers need to access other devices on the office network, run: tailscale up --advertise-routes=192.168.1.0/24 (replace with your office subnet). Enable "IP forwarding" on the server.
  5. Approve routes: In the admin console, find the server device and approve the advertised routes.

Phase 3: Worker Device Setup (5 minutes per worker)

  1. Install the client: Workers download Tailscale for their platform — Windows, Mac, Linux, iOS, or Android
  2. Sign in: Workers authenticate with the same organizational account (Google/Microsoft/GitHub)
  3. Verify connection: Workers try to access the office server using its Tailscale IP address
  4. Test file access: If using a file server, workers should try opening a shared folder

Phase 4: Security Hardening

  1. Enable device authorization: In admin settings, turn on "Device Approval" so new devices require admin approval before joining
  2. Set up key expiry: Configure keys to expire every 90 days — devices must re-authenticate periodically
  3. Enable logging: Turn on "Tailnet logs" to track who connects and when
  4. Create user groups: Organize workers into groups (e.g., "Finance," "Sales") and apply different ACL rules to each

OpenVPN Access Server Setup (Alternative)

  1. Install OpenVPN AS: On a Linux server, download and install the package from openvpn.net. On Ubuntu: wget https://openvpn.net/downloads/openvpn-as-latest-ubuntu22.amd_64.deb then sudo dpkg -i openvpn-as-*.deb
  2. Set admin password: Run sudo passwd openvpn to set the admin password
  3. Access admin UI: Go to https://server-ip:943/admin and log in
  4. Configure routing: Under "VPN Settings," ensure "Should client traffic be routed through the VPN?" is set correctly. For full tunnel, enable it. For split tunnel (recommended), disable it and specify only your office subnet.
  5. Create users: Under "User Management," create accounts for each worker with unique passwords
  6. Workers download client: Each worker visits https://server-ip:943 (note: not /admin), logs in, and downloads the OpenVPN Connect client with their profile pre-configured
  7. Connect: Workers install the client, import the profile, and connect using their credentials

VPN Monitoring and Maintenance

  • Weekly check: Review connection logs — look for unusual access times or unknown devices
  • Monthly review: Remove access for workers who no longer need it. Check that all devices are running the latest VPN client version.
  • Quarterly audit: Review ACL rules and ensure they still match your team's needs. Test that terminated employees can't connect.
  • On offboarding: Immediately revoke VPN access when an employee leaves — before their last day if possible

Free Tools for VPN Management

  • Tailscale Admin Console: Free, includes device management, ACLs, logs, and DNS configuration
  • PingPlotter (free version): Monitor VPN latency and packet loss to troubleshoot slow connections
  • Wireshark: Free network protocol analyzer for advanced troubleshooting

Key Takeaways

  • Tailscale is the fastest path to a working VPN — 15 minutes for the entire team
  • Always enable device approval and key expiry for security
  • Use split tunneling so workers can access local printers while connected to VPN
  • Revoke access immediately when employees leave — this is a critical security step
  • Document your VPN setup so it can be recreated or troubleshooted by anyone on your team
Rating
0 0

There are no comments for now.

to be the first to leave a comment.