3

I'd like to connect two remote sites via a secure point to point tunnel. I've been using OpenVPN, but it's a little flakey and really seems to be more for connecting lots of users rather than a point to point link.

Redhat seems to have some nice built in scripts for building Point to Point IPSEC tunnels, but I haven't found anything similar in Ubuntu.

Any guidance on what to use here and how to do it? I'd like to keep it as simple as possible, but still have basic PSK security.

Joel K

8 Answers

3

ssh 4.3+ is capable of creating proper VPN tunnels. tun0 and all that.

  • This is pretty awesome. I found a link giving full details. https://help.ubuntu.com/community/SSH_VPN My link is pretty lossy, so I'm going to keep trying to figure out IPSEC, but your answer is great. – Joel K Jan 28 '10 at 16:20
  • While this is a nice tool and I for one would be playing with this on non-production servers, this does bring up the point that one is creating a tunnel through ssh, which is layer 7. Thus routing layer 3 packets (i.e. IP packets) over ssh, which is also on top of TCP and again on top of IP, adds a lot of overhead that ssh was not originally designed to handle. – Dwight Spencer Apr 22 '15 at 18:09
3

Assuming the following network settings:

Your public IP: 192.168.1.1
Your private network: 192.168.50.0/24
Remote public IP: 192.168.2.1
Remote private network: 192.168.51.0/24

1) Install StrongSwan using "sudo apt-get install strongswan"

2) Set up a secret key using "sudo vim /etc/ipsec.secrets":
192.168.1.1 192.168.2.1: PSK "secret_password"

3) Configure the routes using "sudo vim /etc/ipsec.conf":
conn partner
    left=192.168.1.1
    right=192.168.2.1
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=yes
    auto=start

conn local_to_partner
    leftsubnet=192.168.1.1/32
    rightsubnet=192.168.51.0/24
    also=partner

conn partner_to_local
    leftsubnet=192.168.50.0/24
    rightsubnet=192.168.2.1/32
    also=partner
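An added example, not part of the answer above: a small audit script that parses this ipsec.conf layout, resolves the also=partner inheritance the answer relies on, and flags the legacy ike/esp proposals (3des, sha1, modp1024) so they can be reviewed before the tunnel goes live. The sample config is constructed from the answer's conn sections plus a "modern" conn with current strongSwan proposal names for contrast.

```python
import re

# Constructed input: the answer's conn sections, plus one conn using current algorithms.
SAMPLE_CONF = """\
conn partner
    left=192.168.1.1
    right=192.168.2.1
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1

conn local_to_partner
    leftsubnet=192.168.1.1/32
    rightsubnet=192.168.51.0/24
    also=partner

conn modern
    ike=aes256gcm16-sha256-ecp256
    esp=aes256gcm16-ecp256
"""

# Ciphers, hashes and DH groups too weak for a site-to-site tunnel today.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}

def parse_conns(text):
    """Return {conn_name: {key: value}} for each conn section, 'also=' unresolved."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        m = re.match(r"conn\s+(\S+)", line)
        if m and not line[0].isspace():             # unindented 'conn NAME' starts a section
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:   # indented key=value belongs to it
            k, v = line.strip().split("=", 1)
            current[k.strip()] = v.strip()
    return conns

def resolve(conns, name):
    """Effective settings: the 'also=' parent's values, overridden by the child's own."""
    own = dict(conns[name])
    parent = own.pop("also", None)
    return {**resolve(conns, parent), **own} if parent else own

def audit(text):
    """Map each conn to the weak algorithms found in its effective ike/esp proposals."""
    conns, report = parse_conns(text), {}
    for name in conns:
        eff = resolve(conns, name)
        algs = [(k, a) for k in ("ike", "esp") for a in re.split(r"[-,]", eff.get(k, ""))]
        report[name] = [f"{k} uses weak algorithm {a}" for k, a in algs if a in WEAK]
    return report
```

Running audit(SAMPLE_CONF) flags both partner and the inheriting local_to_partner for 3des, sha1 and modp1024, and reports nothing for the modern conn.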

1

You can use OpenVPN to obtain a site-to-site configuration. You would need to set up each of the Linux machines as routers and create static routes on your internal networks to point to the Linux machines. Here is the basic design:

Each local network needs to have its own IP subnet:
LAN1: 192.168.1.0/24
LAN2: 192.168.2.0/24

Say the IPs are such:
PC1 192.168.1.10
GW1 192.168.1.1
Linux1 192.168.1.100
---connected w/ VPN to other network with address 192.168.2.101

PC2 192.168.2.10
GW2 192.168.2.1
linux2 192.168.2.100

if you create static routes in each of your routers to point to the other LAN you should be able to achieve what you're looking for:
Route on GW1:
Destination 192.168.2.0/24
Gateway: 192.168.1.100

Route on GW2:
Destination 192.168.1.0/24
Gateway: 192.168.2.100

Then when PC1 pings PC2 the packet will be routed to the default gateway of 192.168.1.1, which will forward it to the Linux machine (1.100), which will send it through the tunnel to LAN2.

einstiien
  • Yeah, this is what I'm doing now. We frequently see the tunnel start to drop traffic. I haven't found any root cause. Traffic outside the tunnel stays clean. I've tweaked OpenVPN settings until the cows come home, but the problem keeps coming back. (UDP and TCP, TCP kernel windowing, UDP transmit windows, compression on/off, keepalives, even using tc to try to give priority to openvpn traffic...) I was hoping for something similar that still gives basic PSK encryption. – Joel K Jan 20 '10 at 16:25
  • We use OpenVPN successfully between a few remote sites with a fairly simple/plain config. Maybe it's worth posting a separate question to try and debug the OpenVPN flakiness you're seeing? – James Jan 26 '10 at 17:34
  • If you haven't moved away from OpenVPN, you may even try using "proto TCP" instead of "proto UDP", there may be some time-out issues between the two sites that will work better with TCP, instead of the "stateless" UDP connection. On a bad connection, I was able to get a more stable tunnel using TCP instead of UDP. – samt Feb 24 '10 at 02:08
0

Why can't you use what works for Redhat on another linux system? It's not like they're different OSs at heart.

Let me expand on this.

I have used IPSEC to tunnel all traffic between two sites before, and it was not difficult to set up even without tools to do this. If there are scripts that work on redhat, can't you just steal those and run them on your other linux variants? Surely they are not that dissimilar.

Michael Graff
  • After you've got about 50 machines, it starts to hurt my old brain to have more than 2 or 3 OSes. :) When everything is the same it also makes debugging a lot easier. – Joel K Jan 20 '10 at 16:22
  • The redhat scripts are all smashed in with the ifup/ifcfg wrappers and not so easy to port... Still trying. :) But hoping there was a better way. – Joel K Jan 20 '10 at 19:20
0

You can use SSH's Tunnel feature for that. If you already have SSH set up (very likely) then this will be much easier than the alternatives for just connecting two hosts.

Peter Eisentraut
0

I would also suggest using the SSH tunnels feature. It is easy to set up and since you alluded to running Ubuntu, there is even an SSH Tunnel Manager.

Justin S
  • http://ubuntu-tutorials.com/2008/06/18/tunnel-web-and-dns-traffic-over-ssh/ explains how to set up the proxy and direct firefox and DNS through it. Other programs that support SOCKS proxies should be able to access it as well. This should include your email, IRC, AIM, ICQ the list goes on. – Justin S Jan 20 '10 at 05:38
  • My understanding is that SOCKS will only work for TCP traffic, and this requires host modification. (the end points aren't actually user hosts, but small linux routers) – Joel K Jan 20 '10 at 16:20
  • It still may not fit what you need, but SOCKS can handle TCP and UDP traffic. – Justin S Jan 20 '10 at 22:02
0

OpenVPN is really one of the most common, best understood and documented methods to link server hosts together like this.

Amandasaurus
-2

I've gotten a lot farther using the openswan and strongswan packages. I still don't have the tunnel up, but these seem to be the tools I want to use. Both are pretty poorly documented, and there seem to be a large number of options with no clear reasons to use one over the other.

So to reframe: has anyone set up openswan/strongswan successfully on Ubuntu using Ubuntu debs? Any advice with regard to "IKE vs IKE2", "Encryption method", "PSK configuration", dynamic port changing, etc.

Thanks..

Joel K
  • This is NOT the way to use Server Fault. Edit your question at the top of the page, don't add answers that aren't answers. – boatcoder Jul 21 '22 at 23:18