Linux VPN solution

DarkTXKnight

Senior member
Oct 3, 2001
933
0
71
Does anyone know of some Linux based VPN solutions that don't require much hardware and are similar to Smoothwall?? I am looking for something free or inexpensive that will allow a friend of mine to VPN into her office from time to time. I've got her set up on a win2k3 domain, but would prefer a Linux or appliance approach to the VPN that is completely separate from the Windows network.

Thanks!!
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
You can roll your own easily enough with Debian or Slackware. It's easy to install them with minimal requirements, and especially Debian has a variety of VPN software pre-compiled and maintained for your use.

The simplest thing I do is to set up a tunnel thru ssh. You can run commands using ssh so that instead of connecting and opening up an entire shell on the remote computer you simply execute the command on the remote computer and the output is displayed thru standard out. Well, you can use this to create a SLIP or PPP connection between the two machines.

That way you create a virtual point-to-point network over ssh. If you use PPP then it requires that you have root on one of the machines, which is bad, but I don't know how to work SLIP very well. It has the advantage that as long as you can establish a ssh connection you can have full network connectivity between the two machines, and with some simple router rules (Linux has especially good router capabilities) you have full access between the two separate networks thru an encrypted WAN link without much effort.

Then you have other VPN technologies available to you. Like that PoPToP, and other PPTP servers, or you can use OpenVPN and get an SSL encrypted tunnel, and then you can use the kernel's native IPsec implementation and KAME tools to create a VPN or do a different implementation of IPsec using something like Openswan.. All sorts of stuff.

The biggest concern is what sort of client you're going to have on the other end; like, if you want to use Windows to connect directly to a Linux VPN server you have to know that you have a client available that can do that.

I'd probably check out OpenVPN first personally, but I am just guessing.
 

DarkTXKnight

Senior member
Oct 3, 2001
933
0
71
Thanks for the input so far....

The clients will all be Windows XP boxes attaching to the VPN via outside dynamic IPs.

Basically I am trying to set up a Linux based firewall and VPN solution to allow 5 or 6 salespeople to connect to her server in the office.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Well, in that case you have a few choices (as I see it; I am NO expert, believe me).

Microsoft's (flawed) VPN PPTP protocol. This is what PoPToP PPTP server is for. There were 2 major PPTP versions that came out of MS, the first one was severely messed up and the second one put a lot of effort to fixing most of the bad things, but it still has some flaws and...

It's common; you're going to get maximum Windows compatibility.

MS knows its weakness and has moved on to Cisco's L2TP/IPsec VPN technology. This also has wide support, not only in Windows 2000 and Windows XP Home/Pro, but also in Linux and OS X 10.3.x, and it's something that works especially well when you have Cisco networking hardware in many cases. It also has the advantage of being very secure when done correctly.
Here is a howto for setting up a Linux L2tp/IPsec server.
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

The main advantage is that Windows XP includes clients (or at least downloadable clients from MS) that work correctly and easily out of the box. The disadvantage is that it moves the complexity to the server and it can take some effort to set up. For example, with mobile users you have to use and set up a security token, unlike PPTP which only requires a password.

Then there is OpenVPN which creates SSL encrypted tunnels. It works with a wide variety of OSes and such and looks relatively easy to set up, but I believe that it requires you to install software on the clients. But it's not something that is huge.

here is a nice article about it:
http://www.linuxjournal.com/article/7949

Of course, if you still want a nice "Linux appliance" style install there are customized versions of Linux out there that have VPN abilities as part of their feature set and would be easy to use.
 

DarkTXKnight

Senior member
Oct 3, 2001
933
0
71
This OpenVPN stuff sounds interesting. I am not determined to go in any particular direction on the Linux box vs appliance as my Linux skills are limited... I'm kind of using this as a way to beef them up... I will learn by doing :) Do you have any recommendations on a Linux distro that has this stuff fairly configured??? I have been looking at the Smoothwall stuff a bit so far.
 

cmv

Diamond Member
Oct 10, 1999
3,490
0
76
Originally posted by: DarkTXKnight
This OpenVPN stuff sounds interesting. I am not determined to go in any particular direction on the Linux box vs appliance as my Linux skills are limited... I'm kind of using this as a way to beef them up... I will learn by doing :) Do you have any recommendations on a Linux distro that has this stuff fairly configured??? I have been looking at the Smoothwall stuff a bit so far.

My 2 cents is that your #1 priority is being easy to keep up to date with security patches. For ease of use and security patches, I would recommend Debian.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Smoothwall's free version is nice, but from looking on their website I don't believe the no-cost version provides the VPN functionality you need.

Smoothwall has 2 versions: a Smoothwall.net website for the commercial and officially supported version and a Smoothwall.org for the no-cost community-supported version.

The pay-for version has several add-ons designed to increase functionality, and one of those is a VPN Gateway version. It uses L2TP/IPsec so that Windows "road warriors" can connect seamlessly.

Since you're new to Linux and all this stuff, it would be nice since this is all preconfigured, and if you run into installation and setup issues then you have somebody you can call or e-mail to get a fix.

Their VPN description is here

This can be useful for not only you, but because they have configuration wizards and other configuration tools (or at least it looks like it; keep in mind I am going off of their website), non-technical users can deal with this stuff in a reasonable way when you're not around.


For a Debian solution the first thing I'd probably shoot for is to install Debian Testing (although it may be a good idea to stick with Stable for something like this).

The standard Linux firewall uses the "iptables" capabilities of the Linux kernel. Almost all Linux distros have very powerful networking and routing capabilities built into them by default.

For example, I use an old Celeron box running Fedora as a wireless gateway. After installing and setting up a wifi card (Prism54 based, check out prism54.org), setting up a bridge between the two ethernet lines involved like 5 commands in a script.

The downside is that iptables is a bit difficult to understand and put together complex rules for a secure connection with. So that's where things like Shorewall come in.

So for Debian you would do a minimal install. Set up apt-get and do:
apt-get update
apt-get upgrade
apt-get install openvpn shorewall

And that should provide the basic functionality you need to create a nice little NAT'd (masqueraded, actually) firewall device for OpenVPN-based VPN networks.

If you need more than that for your routers you can set up static routing rules, and you can install packages like Quagga (a fork of Zebra) that will provide the ability to deal with routing protocols such as a few versions of RIP, OSPF and BGP. Then there are scripts to deal with traffic shaping rules for Quality of Service management (such as setting it up so that certain types of protocols (such as VoIP traffic) get priority over web surfing and such).
Although all that is probably overkill for you. Nice to know it's there, though, if you need it. :)

Here is a link to a site that has lots of links.

There are a few other dedicated Linux type appliances to check out, too. Such as ClarkConnect, IPCop, the LEAF variations, or Devil-Linux, among others. Some have commercial support, others don't.

OpenWall is very popular. I think the free version will include some VPN support, and even if it does you could probably install OpenVPN on it anyways just like you would with any other distro, so that is always a possibility.

Here is a list of Linux distros designed specifically for firewalls and broadband routers.

Also don't forget OpenBSD. That OS is generally more secure than Linux and is popular for router/firewall stuff.
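To make the "apt-get install openvpn shorewall" step above concrete for the road-warrior case in this thread (a handful of Windows clients on dynamic IPs reaching one office LAN through the Debian box), here is an added example that is not from the thread or from the OpenVPN project: a POSIX shell script that writes an OpenVPN 2.x server.conf, writes the minimal "it connects" config a first-timer often stops at, and lints both for the hardening directives a defender would want before exposing port 1194 to the internet. The directive names are real OpenVPN ones; the office subnet (192.168.1.0/24), tunnel pool (10.8.0.0/24) and key paths under /etc/openvpn/keys are assumptions, and the script only writes files under a temp directory so it can be run anywhere without root.

```shell
#!/bin/sh
# Added example: OpenVPN road-warrior server config + hardening lint.
# Assumed values (not from the thread): office LAN, tunnel pool, PKI paths.
OFFICE_LAN="192.168.1.0 255.255.255.0"   # assumed office subnet behind the box
VPN_POOL="10.8.0.0 255.255.255.0"        # assumed address pool for clients
KEYDIR="/etc/openvpn/keys"               # assumed location of easy-rsa output

# write_server_conf DIR: hardened server config for a few remote clients
write_server_conf() {
    cat > "$1/server.conf" <<EOF
port 1194
proto udp
dev tun
# PKI produced with easy-rsa (paths assumed)
ca $KEYDIR/ca.crt
cert $KEYDIR/server.crt
key $KEYDIR/server.key
dh $KEYDIR/dh.pem
# hand each client an address from the pool, then a route to the office LAN
server $VPN_POOL
push "route $OFFICE_LAN"
keepalive 10 120
# hardening: HMAC-signed control channel, clients must present a client cert,
# explicit modern cipher/auth, minimum TLS version, drop root after startup
tls-auth $KEYDIR/ta.key 0
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# write_weak_conf DIR: the bare-minimum config that "works" but is not safe to expose
write_weak_conf() {
    cat > "$1/weak.conf" <<EOF
port 1194
proto udp
dev tun
ca $KEYDIR/ca.crt
cert $KEYDIR/server.crt
key $KEYDIR/server.key
dh $KEYDIR/dh.pem
server $VPN_POOL
cipher BF-CBC
client-cert-not-required
EOF
}

# lint_conf FILE: print one line per finding; return 0 only if nothing is found
lint_conf() {
    _bad=0
    # required directives, matched at line start so comments do not count
    for _d in 'tls-(auth|crypt) ' 'remote-cert-tls client' \
              'auth SHA(256|384|512)' 'user [a-z]' 'tls-version-min'; do
        if ! grep -Eq "^[[:space:]]*$_d" "$1"; then
            echo "$1: missing '$_d'"
            _bad=1
        fi
    done
    # data-channel cipher must be set explicitly and must not be a 64-bit block cipher
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+(BF-CBC|DES|RC2)' "$1" \
       || ! grep -Eq '^[[:space:]]*cipher ' "$1"; then
        echo "$1: weak or unspecified data-channel cipher"
        _bad=1
    fi
    # never disable client certificate verification on an internet-facing server
    if grep -Eq '^[[:space:]]*(client-cert-not-required|verify-client-cert[[:space:]]+none)' "$1"; then
        echo "$1: client certificates not required"
        _bad=1
    fi
    return $_bad
}

# demo run in a scratch directory (nothing is written to /etc)
tmp=$(mktemp -d)
write_server_conf "$tmp"
write_weak_conf "$tmp"
lint_conf "$tmp/server.conf" && echo "server.conf: no findings"
lint_conf "$tmp/weak.conf" || echo "weak.conf: fix the findings above before exposing it"
```

Running it prints seven findings for weak.conf and none for server.conf. The same lint function can be pointed at a real /etc/openvpn/server.conf after the Debian install; the one thing it cannot check is that the key material exists, so confirm the easy-rsa output is in place before starting the service.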
 

DarkTXKnight

Senior member
Oct 3, 2001
933
0
71
Whew... my, you guys are handy.. I'm going to spend the weekend reading up on this stuff and getting it going one way or the other. I have the chief developer biting at the bit to get some way for her to manipulate her databases from home, so she is getting a tad impatient. I'm thinking that if I can get something in there to simply appease her so that she can get her work done before her expected vacation, then I can also be working on a more permanent solution.

BTW, we do have VoIP traffic, so anything that mentions that is certainly worth consideration.

I am normally a Windows guy, and I am comfortable setting up win2k3 for all of this, but I am not so in love with MS that I refuse to look at other options, especially if they might be more cost effective. Besides, we do half of this stuff in order to learn, right?? :)

Thanks for everyone's help.. if there are other suggestions I welcome them as well.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Well, for VoIP I don't know too much.

But for Linux there is the OpenH323 project. It's a free software (Mozilla license) implementation of the H.323 communication protocol. You can find it here. H.323 is used in stuff like NetMeeting. It has other projects like a PSTN gateway to connect it to POTS.

Then there is a compatible Linux client called "GnomeMeeting". (Which includes integration with Evolution 2.x if you want. Some new features of Evolution 2.x are now-free plugins for Exchange servers and SpamAssassin integration.)

Of course a free implementation isn't worth much without, I am guessing, a "gatekeeper"?

And that is called gnugk, for GNU OpenH323 Gatekeeper.

All that together will allow you to transmit video, data, and voice over the internet.

Here are directions on how to make it work with NetMeeting.
Here is a list of hardware that has currently been successfully used with gnugk.

Something interesting, I guess.

I have all this stuff available thru apt-get on my PowerPC Ubuntu install, so it should be available for Debian at least pre-compiled. With most other distros too.

Another thing you can use telephony crap and Linux with is HylaFAX.

With that you can set it up to do things like use a modem to receive faxes electronically, convert them to PDFs and e-mail them to the person who is supposed to receive them. Also people can e-mail ASCII, TIFF, PostScript, and PDF files to a HylaFAX server. Or you can have clients to simply view the fax without messing around with e-mail, or send the fax to a Samba share, or to a printer.

You do that with extra stuff like faxmail and such. Lots of different options. At my work they have it set up so that people receive faxes via e-mail and then they usually print them out themselves. But I figure it would be nice if you have lots of people on the road all the time.

Whatever.

I never used it myself, but it's interesting. Once I recover a bit from Xmas spending I am thinking that I am going to get a nice external data/fax/voice modem and a mini-ITX machine and play around with setting up a personal communication server, or something like that. :)
 

xyyz

Diamond Member
Sep 3, 2000
4,331
0
0
m0n0wall

While it's not Linux based... it's still a good and very light package.

It has OpenVPN support built in in the latest beta version.

BTW, does your solution have to be Linux based? If so, why?
 

DarkTXKnight

Senior member
Oct 3, 2001
933
0
71
Oh, by no means does it HAVE to be Linux based. I just want something that I can put onto this PC that isn't being used. It's a P3 based HP Vectra with 256 MB of RAM and a 20 GB HDD. My thinking was that if I install another NIC and some non-MS OS I can turn it into a firewall/VPN box instead of having to buy another appliance like a ZyWALL or something. These folks are a startup and I've already had them spend enough money buying other infrastructure stuff that was more crucial. This is only going to be for a handful of people as well as myself to remotely manage the other servers etc.
 

xyyz

Diamond Member
Sep 3, 2000
4,331
0
0
The nice thing about the m0n0wall solution is that you don't need a HD. It boots off a CD and establishes a live system in RAM. You'll also find that it's a nicely featured firewall that even gives you the ability to turn your device into a captive portal for wireless devices.

The configuration file is pretty straightforward. I believe it's in XML, so you can manually configure it (by altering the configuration floppy).
 

DarkTXKnight

Senior member
Oct 3, 2001
933
0
71
Looking at the m0n0wall installation guide it appears to be the easiest of the lot to get running, and she's getting kinda antsy, so I think it is worth starting out with this. I intend to play with some other solutions when there is less of a resource crunch. I thank everyone for their input.