Boss is asking for a remote access VPN for 3 users. What are our options?

I would recommend an IPsec VPN connection through a firewall with MFA enabled for confidentiality of your company's data. The reason why you should not go for any third-party VPN, let's say TeamViewer or Parsec, is mainly due to supply chain attacks; not saying this would occur, but it eliminates the threat.

Do you not have a firewall with that capability?

First question you need to answer/clarify is what you are trying to access and why.

You don’t just set up a VPN without a reason.

A VPN may not be what you need or want.

What do you mean by VPN?

Most of the products you see advertised all over the internet and even on TV are primarily anonymization services. Yes, they do encryption but the data is unencrypted by the service provider; they are a man-in-the-middle with complete visibility of all your internet traffic. Fine for cheating on your Netflix subscription and similar. I am not aware of *any* current UK based provider.

What are the resources you are trying to protect?

What are you trying to protect against?

The enterprise providers will give you a list of the egress addresses they use, so potentially you can lock down specific access to these particular addresses on services you manage. It’s a simple way to make holes in your firewall. However, IMHO the practice of considering end-user devices with third-party networking software, even where encryption termination is inside your network, as part of your network is short-sighted and dangerous. It is certainly not considered adequate for generic access to highly secured networks like those used by the government or banks, and would likely be frowned upon by any accreditation auditors for privileged access in such a context.

It sounds like your boss wants you to implement something he read about which was state of the art 30 years ago. The world has moved on. You need to decide if you are going to give him something that looks like what he is imagining, or try to implement something secure.

Cloudflare has a free plan for under 50 users. Easy to set up and really good.

Tailscale, overlay network. Don’t even need to pay for 3 users.

ITT people recommend subbing this out because of experience. I disagree. The MSP that sets this up for you is probably even less capable than you are.

Use your firewall. I can’t think of a single firewall vendor that doesn’t also offer client-based SSL VPN as a feature. If you don’t have a firewall, I think you should get one and use that. I prefer a FortiGate, but I’ve also used ASA, Palo, SonicWall, Check Point, Netgate, and Sophos. They all work fine.

OpenVPN CloudConnexa.

Netgate with OpenVPN? Presuming you can route through the current NAT box.

If you want something that just works, use Tailscale.

The cheapest and also best (in my opinion) solution is SoftEther, a free and open source VPN host and client software from the University of Tsukuba in Japan.

You’ll need to know a LOT more though in order to pull it off correctly.

VPN Access Rules, 2FA, DDNS, NAT, Local Bridges, Firewall/Router Access Rules, and a server.

The server can be any PC that ideally is hard wired instead of wireless and is practically never off.

If you are not confident here (I don’t blame you) this is worth hiring out, but maybe give it a shot yourself if you can create a safe environment to test with. That’s how A LOT of learning happens.

Good luck!

Find a vendor to do it. Make sure to spec out that it needs to have MFA.

This depends on what they need to do, and how those things are done, while connected. Sometimes they just need access to a little thing or two, but they may well require a proper VPN.

I agree with others, I would not recommend learning this on the job, so to speak. It's a pretty quick and small project that many people and firms could assist you with. I’d recommend outsourcing the setup, and if possible adding on a condition that you wish to be educated on the process before/during/after so that you 1) learn, 2) can deploy it and 3) can troubleshoot the VPN at least somewhat before needing to contact someone for help.

That said, it's a relatively simple project with a very focused scope, and it should be straightforward to maintain once implemented. WireGuard is IMHO the industry standard in many ways now, but you cannot always use it, for various reasons too potentially complicated to list here in text. I contributed to WireGuard and advocate for it all the time.

Either way, I advise opting for the relatively small cost of outsourcing this one.
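To make the WireGuard suggestion above concrete, here is an added example (not the commenter's own code) that generates a server config and a matching client config for a three-user road-warrior setup. Every key shown is a constructed placeholder, and the tunnel subnet 10.10.0.0/24, the office LAN 192.168.50.0/24 and the endpoint vpn.example.com are assumptions; real keys come from `wg genkey` / `wg pubkey`. The security-relevant detail is that each peer gets a single /32 in `AllowedIPs`, so the server only accepts that one source address from that one key, and the client only routes the office LAN through the tunnel rather than all of its traffic.

```shell
#!/bin/sh
# Added example: emit WireGuard configs for a handful of remote users.
# All keys are constructed placeholders; subnet and endpoint are assumptions.

TUNNEL_NET="10.10.0.0/24"        # assumed tunnel subnet
OFFICE_LAN="192.168.50.0/24"     # assumed internal network the users need
ENDPOINT="vpn.example.com:51820" # assumed public name of the firewall/server

# Constructed peer list: name:public-key-placeholder:tunnel-address
PEERS="alice:ALICE_PUBKEY_PLACEHOLDER:10.10.0.2
bob:BOB_PUBKEY_PLACEHOLDER:10.10.0.3
carol:CAROL_PUBKEY_PLACEHOLDER:10.10.0.4"

# wg_server_conf <server_private_key> <listen_port>
# Prints a wg0.conf: one [Peer] block per user, each pinned to a /32 so the
# server accepts traffic from that key only if it carries that one address.
wg_server_conf() {
  key="$1"; port="$2"
  printf '[Interface]\nAddress = 10.10.0.1/24\nListenPort = %s\nPrivateKey = %s\n' "$port" "$key"
  echo "$PEERS" | while IFS=: read -r name pub ip; do
    [ -n "$name" ] || continue
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pub" "$ip"
  done
}

# wg_client_conf <name> <client_private_key> <server_public_key>
# Prints the client side for one user from PEERS. AllowedIPs is the office
# LAN plus the tunnel subnet (split tunnel), not 0.0.0.0/0, so only office
# traffic enters the tunnel. PersistentKeepalive keeps NAT mappings open for
# users behind home routers.
wg_client_conf() {
  name="$1"; key="$2"; server_pub="$3"
  ip=$(echo "$PEERS" | awk -F: -v n="$name" '$1 == n { print $3 }')
  [ -n "$ip" ] || { echo "unknown peer: $name" >&2; return 1; }
  printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\n\n' "$ip" "$key"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s, %s\nPersistentKeepalive = 25\n' \
    "$server_pub" "$ENDPOINT" "$OFFICE_LAN" "$TUNNEL_NET"
}

# peer_count <server_private_key> <listen_port>: number of [Peer] blocks emitted.
peer_count() { wg_server_conf "$@" | grep -c '^\[Peer\]'; }

# Usage (keys are placeholders):
#   wg_server_conf SERVER_PRIV_PLACEHOLDER 51820 > wg0.conf
#   wg_client_conf bob BOB_PRIV_PLACEHOLDER SERVER_PUB_PLACEHOLDER > bob.conf
```

Run the two functions with real keys and drop the output into `/etc/wireguard/wg0.conf` on the server and the per-user file into each client; removing a user is deleting one `[Peer]` block and reloading.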

I’m a fan of OpenVPN Access Server. It’ll handle a few users on a tiny VM. 1 core and 1 GB of RAM is plenty.

https://tailscale.com/

Tailscale or Twingate.

Headscale with the Tailscale client.

Twingate. Zero-trust VPN from the start, and it's free for up to 5 users.

VPN and then Remote Desktop once you're on the VPN. Most routers have VPN ability, and if not they're not expensive to replace. As you have Ubiquiti APs, put in a Ubiquiti router then use OpenVPN: secure and reliable with no ongoing costs.

I know he said he wants to pay, but Cloudflared is free for that many users, easy and it’s the same product you would pay them for if you were a larger company.