VPN Solutions for Distributed Installations?
merreborn asks: "I work for a very small software company (10 employees) that's developing a Point of Sale solution for a small retail chain (~20 stores in several states) on the other side of the country. We're going to be shipping Debian systems with our software installed to these locations -- all of which are connected to the Internet via consumer-grade DSL, and inevitably behind some sort of NAT box. Our office is similarly connected, and we've got a couple of dedicated, co-located servers off-site with static IPs. We'd like to be able to access these systems remotely for maintenance from the office -- what would that entail? Which VPN solutions are best suited to this situation these days (IPSec, PPTP, vtun, ssh, ssl/OpenVPN)? Are there any detailed, current books on the subject? (O'Reilly's VPN book is 6 years old now)"
Yes. (Score:5, Informative)
Seriously, OpenVPN would do the trick, and I do it right now. The only thing that bugs me about OpenVPN is that you either have to set up a key signing authority, or use pre-shared keys. The key signing authority process is well documented, it's just that I've never actually been able to make it work. Pre-shared keys work just fine though. The protection isn't as good however.
Once I get key signed OpenVPN working then this solution is a no-brainer.
Re:Yes. (Score:2)
Re:Yes. (Score:1)
Dude, seriously. Pay the phone company the extra five bucks a month for an IP at each site. You'll thank me later.
Re:Yes. (Score:1)
Re:Yes. (Score:2)
Re:Yes. (Score:2)
In Verizon land, it's $30 / month nearly doubling the cost of a business line. Still worth it IMHO.
Re:Yes. (Score:2)
As it was explained to me by my good friend Jim (who wrote the thing), both connections will attempt to reconnect and rebroadcast the return IP (presumably this is configurable).
AIK
Re:Yes. (Score:2)
OpenVPN operates very much in a Client-Server style, similar to many commercial VPN Concentrators. The server has a fixed IP address, and the clients connect to the server. After authenticating and establishing a connection, the server gives the client a DHCP-style assigned VPN IP address. Any communication done through the VPN is done between that IP and a tunnel-specific IP on the OpenVPN Server.
If you have fixed Peer-to-Peer tunnels, IPSec is the standard, and it works
Re:Yes. (Score:2)
Re:Yes. (Score:5, Informative)
Advantages:
Caveats:
Re:Yes. (Score:2)
Re:Yes. (Score:3, Informative)
If you use transport mode IPSEC
Re:Yes. (Score:2)
"OpenVPN uses an industrial-strength security model designed to protect against both passive and active attacks. OpenVPN's security model is based on using S
Re:Yes. (Score:2)
ESP per its RFC definition is a protocol in its own right. It is not over UDP.
Granted, the OpenVPN UDP frame format closely resembles the payload part of ESP in uncompressed mode (no point reinventing the wheel). IIRC the source, once you start using compression the format differs for both compressed and uncompressed frames (lzo versus deflate compression). In addition to that, keying and keepalive are in-band on the same UDP conn
Re:Yes. (Score:2)
Now, I've been using OpenVPN for a long time, but I will readily grant that I've never dug into the nitty gritty details of its protocol, so I don't know for sure if this is what OpenVPN is doing. When I saw the comment on the OpenVPN page, I assumed they were using ESP over UDP for the transport protocol, though.
Re:Yes. (Score:2)
Many vendors support L2TP/IPsec.
(By the way, it's IPsec, not IPSEC).
Re:Yes. (Score:1)
Re:Yes. (Score:2)
As far as the CPU it is not the limitation by any means. At least with TCP the client gets to its max throughput long before the CPU ha
Re:Yes. (Score:2)
I love how you can customize each client connection's routes and stuff, but this only works if you use the certificate method. Our vendors are allowed only to the 2 subnets they need, while us employees and admins get full run
Re:Yes. (Score:2)
Because I managed to set up a new OpenVPN server from scratch, using certificates for authentication, in less than an hour this afternoon. Admittedly, I've used OpenVPN quite a bit in the past, but I did this setup from scratch, using the provided scripts, and it was *really* easy. Everything "just worked".
Additionally, OpenVPN also supports making use of PAM for authentication, giving you lots of other options. You can even set up OpenVPN to a
Re:Yes. (Score:2)
Debian... and PPTP (Score:2)
Re:Debian... and PPTP (Score:2, Informative)
Re:Debian... and PPTP (Score:2)
Re:Debian... and PPTP (Score:2)
IPCOP Works Well (Score:2, Informative)
Re:IPCOP Works Well (Score:1)
To the parent (or anyone else): any suggestions or links for suitable diskless/alternative hardware for IPCop other than a standard PC? I don't like the idea of a hard drive in the box running for years, being reset occasionally by people used to unplugging linksys 'routers' etc
Re:IPCOP Works Well (Score:1)
IPCOP then runs from CF-cards (>=128 MB), the whole box pulls about 5 W max and is QUIET. I run a few of those for clients, and one for my own office.
WRAP-hardware:
www.pcengines.ch
Xpapa's IPCOP-images:
http://www.xpapa.de/modules.php?name=Downloads&d_op=viewdownload&cid=1 [xpapa.de]
Re:IPCOP Works Well (Score:1)
IPCOP brings IPSEC-based VPN, but is also able to do OpenVPN (even in parallel with IPSEC-VPN) by using the Zerina-Addon.
Re:IPCOP Works Well (Score:2)
Tinc (Score:1)
Also for your NAT boxes, if you want to do it cost effectively, get some Linksys WRT54GL's and install OpenWRT. You can then run your VPN (openvpn or tinc) on those routers, which would make a much cleaner VPN network.
Re:Tinc (Score:2)
http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt [auckland.ac.nz]
Really, OpenVPN must be the best thing since sliced bread. Runnable as non-user, chrootable, interfacing with standard tun/tap devices, certs. None of the complexity of IPsec. I love it.
My 266MHz Geode WRAP [pcengines.ch] can handle 6Mbps which is enough to connect a LAN wirelessly. Faster boxes should handle more than that, despite someone else saying 5Mbps would be a limit.
Re:Tinc (Score:1)
Please read http://www.tinc-vpn.org/security [tinc-vpn.org]. I agree that OpenVPN has better security, but it is focussed on a centralised client-server model, while tinc is focussed on a decentralised peer-to-peer model. So if the latter fits better, and you can live with a protocol that is not as secure as the current SSL protocol, then you should definitely give tinc a try. It is unfortunate that OpenVPN hasn't copied tinc's distinctive features (yet), and personally
ssh could be good enough (Score:5, Informative)
If you need constant monitoring and interaction a real VPN may make more sense, but
Re:ssh could be good enough (Score:2)
It's peculiar that this is the only post that recommends ssh for remote administration. It is very easy to set up and make work, in contrast to VPN in general.
Re:ssh could be good enough (Score:2)
one word... Hamachi (Score:1)
Re:one word... Hamachi (Score:2)
This might be adequate for gamers and equally "sophisticated" user groups. Using it for a company? Bad idea.
Re:one word... Hamachi (Score:2)
Re:one word... Hamachi (Score:2)
compartmentalize! (Score:2)
Re:compartmentalize! (Score:3, Insightful)
Actually the way the OpenVPN server is configured by default, each machine is put onto its own network basically (ie, you get a 10.8.0.9, with netmask 255.255.255.252), and the server will not route between clients. If you're running the VPN
Re:compartmentalize! (Score:2)
AIK
Re:compartmentalize! (Score:2)
You are wrong in that belief. OpenVPN uses OpenSSL.
Re:compartmentalize! (Score:2)
Try SSH (Score:1)
Re:Try SSH (Score:2)
"Some sort of NAT box" (Score:3, Insightful)
Buy some small, even older, used, Netscreen firewalls for a few hundred each. If you do the preshared keys trick, and put them in aggressive mode, they'll all connect back to the central hub firewall, a Netscreen 10, or whatever model replaced it.
It just works, no dicking around with
Re:"Some sort of NAT box" (Score:2)
Re:"Some sort of NAT box" (Score:2)
The total cost on the concentrator side was 30K but it's redundant, and the cost of the remote routers is $250/$400 respectively.
Re:"Some sort of NAT box" (Score:2)
OpenVPN rocks for this (Score:5, Informative)
Quick breakdown of obvious options (Score:1, Interesting)
I use IPSec pretty extensively. If you're dealing with inter-Linux-server communications where each end has a static IP address, IPSec is hard to beat. It's simple and pretty easy.
PPTP is mainly a Microsoft thing. Not applicable here obviously.
"Everything else" breaks down into application-specific protocols for specific applications. This is what I would recommend. Go take a look at OpenVPN. When you don't know
ZyWalls (Score:2)
Oh, and... (Score:2)
Easier (Score:3, Informative)
On your client box, run a script that hits the web site (wget) and fetches the IP address. If that has changed, post the new IP address, and installation name.
Now you have the clients and the assigned IP addresses. You can then use SSH to build whatever infrastructure you need to the client box, securely. No need to worry about the brand of router used, etc. About the only problem is if the client uses a dialup on demand connection. To accommodate this, the "poll for IP" can be modified to always submit information, and ask if the connection should be retained.
If the connection should be retained, the remote operator can be notified.
I used this approach to securely administer remote Linux machines over direct connection and dialup for years. Now I find none of my users use dialup anymore (finally).
Ratboy
Re:Easier (Score:2)
#!/bin/bash
# Reconstructed from a truncated post: the file names were cut off, so the
# two state files below are labelled placeholders, not the original paths.
OLD_IP=/var/tmp/ip.current   # placeholder: last-known address
NEW_IP=/var/tmp/ip.new       # placeholder: address seen on this run
# First run: create an empty "previous" file so diff has something to compare
[[ ! -f "$OLD_IP" ]] && touch "$OLD_IP"
# Pull the IPv4 address of eth0 (the 'inet addr' match skips the inet6 line)
ifconfig eth0 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}' > "$NEW_IP"
diff -q "$OLD_IP" "$NEW_IP" > /dev/null
# diff exits 1 when the files differ: report the new address and remember it
[[ $? -eq 1 ]] && cat "$NEW_IP" && mv "$NEW_IP" "$OLD_IP"
Set it to run every minute, and you'll always know what the IP address of your remote site is. On the receiving end, you co
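The "Easier" scheme above (each box polls, and posts its installation name and address when the address changes) with the check the receiving web site needs before an admin connects to whatever address is on file: an added example, not code from either poster, that signs every report with a per-installation HMAC secret and rejects tampered, stale and replayed reports. The secret, installation names and addresses are constructed.

```python
import hmac
import hashlib
import time

# Constructed shared secret: in practice one per installation, provisioned
# on the Debian box before it ships and known only to the office web site.
SECRET = b"constructed-per-installation-secret"
MAX_SKEW = 300  # seconds: reports older than this are treated as stale


def sign_report(name, ip, ts, secret=SECRET):
    """HMAC-SHA256 over installation name, address and timestamp."""
    msg = f"{name}|{ip}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_report(name, ip, ts=None, secret=SECRET):
    """Client side: what the poll script posts when its address has changed."""
    ts = int(time.time()) if ts is None else ts
    return {"name": name, "ip": ip, "ts": ts, "mac": sign_report(name, ip, ts, secret)}


class Registry:
    """Server side: the 'db' of installation name -> last reported address."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.addrs = {}     # name -> current address
        self.last_ts = {}   # name -> timestamp of the last accepted report

    def receive(self, report, now=None):
        now = int(time.time()) if now is None else now
        name, ip, ts, mac = report["name"], report["ip"], report["ts"], report["mac"]
        # Constant-time compare: a forged report cannot be matched byte by byte
        if not hmac.compare_digest(mac, sign_report(name, ip, ts, self.secret)):
            return "bad-mac"
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        if ts <= self.last_ts.get(name, -1):
            return "replay"        # an old but validly signed report sent again
        self.last_ts[name] = ts
        changed = self.addrs.get(name) != ip
        self.addrs[name] = ip
        return "changed" if changed else "unchanged"
```

The registry only tells the office where to connect; the ssh host key of the box still has to match the one recorded before it shipped.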
Re:Easier (Score:3, Insightful)
Voila, DNS is my "db", I don't run a script every minute and still get better time granularity, because the update is only done when a state change on the interface occurs.
Re:Easier (Score:2)
That is cleverer, I'll have to go that route next time something like this comes up.
Re:Easier (Score:2)
What you want is the IP address assigned to the router. To get that: use SNMP to the router. Yes, but SMC Barricades (and others) don't do SNMP. Hit the configuration web page for the router, and figure out how to get its status. Different for every NAT router. Hit an external computer: easy!
The reason to make it a web page: ease of local debugging.
Once the IP a
Groove (Score:2)
OpenVPN (Score:3, Interesting)
We use an Intel-based Linux server at our datacenter as the VPN server. It runs several instances of OpenVPN on different UDP ports (OpenVPN can use TCP as well) for different customers. Endpoints are Asus WL-500g Deluxe routers with OpenWRT Linux and OpenVPN installed. Maximum throughput is 3Mbps with blowfish encryption and authentication (limited by the 200 MHz CPU). These devices are small, silent, inexpensive and reliable enough. Endpoints are connected using various types of Internet access -- DSL, Cable, LAN, WiFi etc. Some customers have ~70 endpoints without problems.
If you insist on using Debian computers as VPN endpoints, do not use hard disks!!! They will die. Use IDE flash, for example. Use a fanless CPU and PSU if possible.
Re:OpenVPN (Score:1)
Wait, what? Why?
(I always thought those "don't blame us if it blows up your computer" disclaimers were exaggerating!)
Made in Japan - The Teriyaki Experience (Score:3, Interesting)
Re:Made in Japan - The Teriyaki Experience (Score:1)
For that matter, which company do you work for? I am terribly curious.
Very tasty food, BTW.
Thanks.
John
Re:Made in Japan - The Teriyaki Experience (Score:1)
Re:Made in Japan - The Teriyaki Experience (Score:2)
Feel free to email me if you prefer. ray AT sonictech DOT net
Re:Made in Japan - The Teriyaki Experience (Score:1)
Hardware (Score:1)
This approach can even be taken to the open source "fanboys". Just download a firewall distro like smooth
m0n0 baby!!! (Score:1)
http://img.m0n0.ch/gallery/brandon_kahler/01_19_06_WRAP_Wireless_DSL_Large_Text.jpg [m0n0.ch]
They run off of compact flash and the WRAP boards + case are ~$200. They will act as your NAT firewall behind the commodity broadband interface (dsl/cable) and have a great number of features, including a capti
OpenVPN all the way! (Score:2)
Router-based (Cisco 800) (Score:4, Informative)
For my part, I also started with Linux-based VPN (openvpn, ipsec) for private use (3 sites), but then I came to the conclusion it wasn't worth the effort & time spent. I switched to the Cisco SoHo routers (the 800 series [cisco.com]), which just work. I have automatic tunnels between all sites, and can do a VPN connection directly to any of the sites, plus many other funny things (IPv6). All this with just simple configurations, mostly through the wizard (SDM [cisco.com]) or by copy, adaptation & paste of sample configs.
Of course, these routers may be a little bit too much (of configuration or price) for you, so you may also want to try consumer-grade solutions (e.g. Linksys BEFSX41, Netgear FR114P,
Disclaimer : I wish I could get a percentage of Cisco sales
PS : oh, and port tunneling with SSH is, from my experience, an awful solution for VPN.
Openvpn & hardware solution (Score:1)
I've run an openvpn solution between corporate LAN and datacenter, and it worked okay, but I'll take a look at some dedicated hardware box for the next implementation. Maybe netscreen or so.
Why?
Well, first off, when one doesn't yet have a linux router/fw available one has to buy that. This'll probably cost as much as a cheap netscreen box.
second, when running openvpn on a nondedicated box openvpn has to fight over resources with other
vtun devices (Score:1)
FreeSwan (Score:1)