I’ve spent few days on corporate VPNs with few Linux and BSD distros and I’ve decided to write down some notes and publish few screenshots for practical usage, even for newbies.
I’ve read some docs but I’ve never found a quick guide with practical examples for newbies to create a VPN from scratch, in these episodes I’ll create VPNs with real examples. As you may know you can create VPN between two machines/networks by using a lot of different security mechanisms like:
-
IPSec (my favorite) IPv4 and IPv6 capable
-
OpenVPN (SSL/TLS based), nice for roadwarrior connections but you may have troubles with NAT and firewall policies
-
MPVPN, never used it, I’ve seen it during certification exams but I really don’t know who uses it
-
PPTP, Microsoft Point to Point encryption system, avoid it like a plague if possible, buggy and it had several security issues
-
SSTP, Secure Socket Tunneling protocol introduced by Microsoft with their Windows Server 2008 and Vista/7, seems to be nice but not so portable or available on third party systems
-
DTLS, mainly from Cisco Systems
There are even more VPN solutions but mostly proprietary based, this saga has several different achievements in mind:
-
It has to be portable. I’d like to use my favorite security mechanism with available hardware or software, we don’t want to rely on specific OS or platform. I even want to use it on very cheap hardware or embedded devices (read: high class smart phones)
-
It has to be secure, so we don’t want security issues or known troubles around us
-
It has to be free and publicly available so everyone may take a look at it
When you need to connect two different hosts/networks you may have different scenarios:
-
you need to connect a single host to a remote network
-
you need to connect a network to a remote network
-
you’ve public and static IPs on on both side
-
you’ve dynamic IP at least on one side
-
you’ve one or more firewalls in the middle with one or more blocking rules (and sometimes you cannot modify them)
As you may know from the top I’d like to use IPSec because that’s what I’m using now for these reasons:
-
It‘s available everywhere, from cheap DLink DSL routers to heavy BSD servers, it’s not tied to a particular operating system
-
It’s stable and solid
-
no security issues (yet) [http://bsd.slashdot.org/story/10/12/15/004235/FBI-Alleged-To-Have-Backdoored-OpenBSDs-IPSEC-Stack is it real or a fake ??]
-
IPv4 and IPv6 ready
-
few troubles with NAT’d networks compared to others
-
works great with static IPs (and that’s my case), but even with dynamic if you cheat something; by the way I’ll show you even something more from OpenVPN, that is my favorite roadwarrior solution
I’ll start with IPSec in different scenarios but I’ll go further with other solutions like OpenVPN or PPTP if you want, I’ll try to publish a single and detailed article for every case or you can suggest me your needs.
Resources
If you’ve a lot of time and you’d like to know everything on IPSec you may take a look at (http://www.ipsec-howto.org/), it’s a good guide for a Linux sys admin. Also read Openswan documentation (http://www.openswan.org/), Openswan is an implementation of IPSec for Linux. It’s quite hard to start from scratch with Openswan on the command line but this is the definitive guide (now) for it. If you’ve enough time to set everything up and fine tune every aspect of your connection I suggest you to use only these components: the Linux kernel, IPTables, Openswan. If you’ve limited time and you want to deal with ready made distros oriented to firewall/VPN solutions you may follow next articles.
Next Step:
IPCop to IPCop with IPSec
IPCop to PFSense with IPSec
Glad to read your comments
Andrea Benini
