  • Does someone have first hand experience with creating a UNIX-based Virtual Private Network?
  • What are the best VPN clients / tools available for accomplishing this?
  • Are there any common pitfalls that I should avoid?

In my particular case, my primary interest goes out to Debian-compatible solutions. My main goal is to get it working simply because I have not done it before but I can see some possible benefits in cases where I'd rather not use a SSH connection.

Aron Rotteveel

6 Answers

In Linux you have two major options:

  • IPsec-compatible VPN - use FreeS/WAN/Openswan/strongSwan. As I remember it was quite challenging to set up...
  • non-standardized [ but really good ] SSL VPN - OpenVPN. Very easy to set up.

The 2nd one is really great; I've been using it in production for a couple of years. It's available in Debian as a standard package. It performs quite well for capacities of tens of megabits [ hundreds as well, but I don't have that fast internet connections between offices ].

Some tips for OpenVPN:

  • To be more secure do not use 'shared secret' type of keys; create a cert authority and use keys signed by it instead.
  • If possible use tun mode instead of tap [ route traffic via the VPN instead of bridging two ethernet segments over it ].
  • If you go for the cert authority solution - keep in mind that keys expire. Set a couple of reminders for yourself to re-generate the keys.
  • To be on the safe side use the software watchdog built into OpenVPN [ ping-restart option ] + put an additional simple bash script that cyclically checks if the OpenVPN process is running. OpenVPN died for me ~2 times in the last 3 years.
  • Use tunneling over UDP whenever you can [ instead of TCP ]. I had a problem with a VPN from an office behind NAT [ where the Linux box was behind a cheap D-Link router I could not control ] where UDP packets were blocked after some time - in that case I was forced to use TCP.
  • Enjoy OpenVPN from behind firewalls / NATs.. As long as one side has a public IP and can be reached over TCP or UDP on one port - you can establish a VPN to it; the other node does not need to have a public IP!
pQd
  • OpenVPN goooood... *Swan baaaaaaad... – womble Jun 17 '09 at 10:42
  • +1 for OpenVPN, ipsec is really not worth it... – rkthkr Jun 17 '09 at 11:18
  • *sigh* I've had problems with OpenVPN on Windows 7 (even using Vista compatibility and run-as-administrator privileges) and on OS X using either Tunnelblick or compiling a native client out of ports. Since those are the two OSes I use most when I'm away from work... it's kind of left me out in the cold. – Karl Katzke Jul 29 '09 at 19:25
  • You should be using Viscosity for OpenVPN on MacOS, it's really great. – Antoine Benkemoun Aug 26 '09 at 12:53
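A server configuration that puts pQd's tips side by side with the settings they warn against, added here as an example (it is not from the answer or the OpenVPN project); the paths under /etc/openvpn/pki/ and the 10.8.0.0/24 pool are assumptions.

```conf
# --- weak settings the tips above argue against (kept commented out) ---
# dev tap                  # bridges two Ethernet segments; tun routing is preferred
# proto tcp-server         # TCP only as a fallback when a NAT box drops UDP
# secret static.key        # one shared key for everyone: no per-client revocation
# ifconfig 10.8.0.1 10.8.0.2

# --- hardened server.conf following the tips (example, assumed paths) ---
port 1194
proto udp                  # UDP first; switch to tcp-server only for the NAT case described
dev tun                    # routed tunnel, no Ethernet bridging

# Certificate authority: every peer presents a key signed by your own CA
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh2048.pem
crl-verify /etc/openvpn/pki/crl.pem   # a revoked client cert is refused before it expires
remote-cert-tls client                # a leaked *server* cert cannot pose as a client
tls-auth /etc/openvpn/pki/ta.key 0    # HMAC on the control channel drops unauthenticated UDP noise

server 10.8.0.0 255.255.255.0
topology subnet

# Built-in watchdog: ping every 10 s, restart the tunnel after 120 s of silence.
# "keepalive 10 120" is shorthand for ping 10 / ping-restart 120 and pushes matching
# values to clients, so both ends notice a dead link without the external script.
keepalive 10 120
persist-key
persist-tun

# Drop privileges once the tunnel is up
user nobody
group nogroup

# Key expiry reminder (run from cron): exits non-zero if the cert expires within 30 days
#   openssl x509 -in /etc/openvpn/pki/server.crt -noout -checkend 2592000
```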

True IPsec is nothing but a headache. The protocol stumbles across different network topologies. The clients are universally lacking no matter what the OS. Unless you require hardware endpoints that will only do IPsec, then avoid it at all costs.

OpenVPN is however straightforward to set up, rock solid in use and has very intuitive clients for Linux, Windows and Mac.

Consider how you are going to manage new users and revoke old ones. This will depend on how many users you are anticipating to support. Personally we use x509 certificates placed upon two-factor tokens, which scales very well, but does require some way to manage PKI if you grow.

Dan Carley
  • @Dan C - nice one. What two-factor tokens do you use - SecurID from RSA? OpenWiKID? Something else? – pQd Jun 17 '09 at 10:52
  • We use Aladdin eTokens which are a USB form factor. The PKCS integration works out of the box since OpenVPN 2.1 and we've never had any complaints. Not like the years of trouble that IPsec caused me. – Dan Carley Jun 17 '09 at 10:58

Another vote for OpenVPN here. We used it at my previous job and it was rock solid and we had fewer issues with it compared to the PPTP and IPSEC VPN tunnels we use at my current job. It's also hard to beat the flexibility that OpenVPN offers. But OpenVPN does have one weak spot in my opinion. It currently isn't supported by many smart phones. In fact I don't know of any that do. I do know that there are people trying to port it to the iPhone but I'm not sure where that project is.

You didn't mention what type of clients your VPN solution needed to support. So with that in mind, if you need to avoid 3rd party clients or need smartphone support then PPTP may be a better fit. Windows, OS X, and many smartphones all have native PPTP clients. Poptop is the Linux project that implements PPTP.

3dinfluence
  • Depending on your definition of a smartphone (with or without touchscreen) I've had the PPC port working before. – Dan Carley Jun 17 '09 at 14:12

The two tools I can recommend having a look at are OpenVPN (mentioned before) and Adito (which has recently been renamed to OpenVPN ALS). http://sourceforge.net/projects/adito/ http://adito.wiki.sourceforge.net/

Niels Basjes

One very flexible and well documented solution is OpenVPN (http://openvpn.net/). This is available as a package from the standard repository in Ubuntu and should be in Debian too.

Russell Heilling

I've used OpenVPN in my company for about 2 years now. Had very few issues with it.

We are using client-specific configuration to assign users IPs in different sub-networks. From there, we can limit access to internal resources thanks to a firewall.

What is less comfortable is the PKI management (we use certificates to authenticate clients). But with 2 or 3 scripts, this becomes bearable.

rolaf
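The client-specific setup rolaf describes, written out as an added example (not rolaf's own configuration): the server hands each certificate a fixed address in one of two halves of the pool, and the gateway firewall decides per half what is reachable. The client names alice/bob, the /25 split and the 10.0.0.x internal hosts are constructed.

```conf
# server.conf additions (server 10.8.0.0 255.255.255.0 with topology subnet assumed)
client-config-dir /etc/openvpn/ccd
ccd-exclusive            # a client with no ccd file is refused, so nobody lands in an undefined group

# /etc/openvpn/ccd/alice   (file name = the CN in alice's certificate)
ifconfig-push 10.8.0.10 255.255.255.0    # staff half: 10.8.0.0/25

# /etc/openvpn/ccd/bob     (a contractor)
ifconfig-push 10.8.0.130 255.255.255.0   # contractor half: 10.8.0.128/25

# iptables-save fragment on the VPN gateway: the tunnel address decides what is reachable
*filter
-A FORWARD -i tun0 -s 10.8.0.0/25   -d 10.0.0.10 -j ACCEPT                      # staff: file server
-A FORWARD -i tun0 -s 10.8.0.0/25   -d 10.0.0.20 -j ACCEPT                      # staff: web app
-A FORWARD -i tun0 -s 10.8.0.128/25 -d 10.0.0.20 -p tcp --dport 443 -j ACCEPT   # contractors: HTTPS only
-A FORWARD -i tun0 -j DROP                                                       # everything else from the VPN
COMMIT
```

Because the address is bound to the certificate CN, revoking a certificate (crl-verify on the server) also removes the client from its firewall group.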