VPN

From ThorstensHome

This page explains how you can set up a VPN solution on Linux. There are different approaches:

  • the user logs in to a graphical session through a web page in his browser (Internet Explorer) and works on the remote computer that way
  • the user uses his VPN client to dial in to a VPN (see "tunnel")
  • the administrator sets up port forwarding on the gateway host


Tunnel

The following software can help you to set up a Linux VPN solution:

  • webmin
  • pptpd
  • OpenVPN
  • OpenSWAN
  • FreeSWAN

OpenVPN

These tutorials helped me build up my knowledge:

How I start

I am using two machines in the same subnet, ls3122 and ls3132. ls3122 shall become the server, ls3132 shall become the client. Both are on SLES 10. The addresses for the hosts are 10.20.77.14 and 10.20.77.15. The addresses for the VPN shall be 10.3.0.1 for the server and 10.3.0.2 for the client.

ls3122:~ # SuSEfirewall2 stop
ls3122:~ # modprobe tun
ls3122:~ # killall openvpn
ls3122:~ # mkdir vpn
ls3122:~ # cd vpn
ls3122:~/vpn # openvpn --genkey --secret mykey.key
ls3122:~/vpn # cat >client.conf
remote ls3122.wdf.corp
dev tun
ifconfig 10.3.0.2 10.3.0.1
secret mykey.key

I type Ctrl-D here to send end-of-file to cat.

ls3122:~/vpn # cat >server.conf
dev tun
ifconfig 10.3.0.1 10.3.0.2
secret mykey.key

I type Ctrl-D here to send end-of-file to cat.

The next step is to copy the vpn folder over to the client:

ls3122:~/vpn # scp -r ../vpn root@ls3132:

The next step is to switch to the other computer:

ls3122:~/vpn # ssh root@ls3132
Last login: Thu Dec 21 13:45:59 2006 from ls3523.wdf.corp
ls3132:~ # SuSEfirewall2 stop
ls3132:~ # modprobe tun
ls3132:~ # killall openvpn

Now both computers are ready.

On the server, I start:

ls3122:~/vpn # openvpn server.conf

On the client, I start:

ls3132:~/vpn # openvpn client.conf
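The steps above write the two configuration files by hand, so the two ifconfig lines can easily end up not mirroring each other, and the shared key is left with whatever permissions the shell gives it. The script below is an added example (not from the original page): it generates both configs from one set of parameters, restricts the key file to root, and checks both before the tunnel is started. The function names write_configs, gen_key and check_configs are my own; it assumes GNU stat (as on SLES) and the same mykey.key file name and scp copy step as in the tutorial.

```shell
#!/bin/sh
# Added example: mirrored static-key OpenVPN configs plus a pre-flight check.
# Assumed helper names; the directives themselves are standard OpenVPN ones.

# write_configs <outdir> <server hostname> <server vpn ip> <client vpn ip>
write_configs() {
    dir=$1; host=$2; sip=$3; cip=$4
    mkdir -p "$dir"
    # Server side: no "remote", it only listens. persist-key/persist-tun keep
    # the key and tun device across restarts; keepalive detects a dead peer.
    cat >"$dir/server.conf" <<EOF
dev tun
ifconfig $sip $cip
secret mykey.key
keepalive 10 60
persist-key
persist-tun
EOF
    # Client side: identical except the addresses are swapped and "remote" is set.
    cat >"$dir/client.conf" <<EOF
remote $host
dev tun
ifconfig $cip $sip
secret mykey.key
keepalive 10 60
persist-key
persist-tun
EOF
}

# gen_key <outdir>: the same command as the tutorial, then restrict the file.
gen_key() {
    openvpn --genkey --secret "$1/mykey.key" && chmod 600 "$1/mykey.key"
}

# check_configs <outdir>: returns 0 only if the two ifconfig lines mirror each
# other and the static key is readable by root alone (a world-readable key
# lets any local user on either host join or decrypt the tunnel).
check_configs() {
    dir=$1
    set -- $(awk '$1=="ifconfig"{print $2,$3}' "$dir/server.conf")
    s_local=$1; s_remote=$2
    set -- $(awk '$1=="ifconfig"{print $2,$3}' "$dir/client.conf")
    [ "$1" = "$s_remote" ] && [ "$2" = "$s_local" ] || return 1
    mode=$(stat -c %a "$dir/mykey.key" 2>/dev/null) || return 2
    [ "$mode" = "600" ] || return 3
}
```

Run write_configs, gen_key and check_configs on the server, then scp the folder to the client exactly as in the tutorial; check_configs on the client catches a key that arrived with loosened permissions.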

Now I can use the VPN. It has added an IP address range that did not exist before, and I can ping both ends of it:

ls3132:~/vpn # ping 10.3.0.1
PING 10.3.0.1 (10.3.0.1) 56(84) bytes of data.
64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.455 ms
64 bytes from 10.3.0.1: icmp_seq=2 ttl=64 time=0.300 ms

--- 10.3.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.300/0.377/0.455/0.079 ms
ls3132:~/vpn # ping 10.3.0.2
PING 10.3.0.2 (10.3.0.2) 56(84) bytes of data.
64 bytes from 10.3.0.2: icmp_seq=1 ttl=64 time=0.068 ms
64 bytes from 10.3.0.2: icmp_seq=2 ttl=64 time=0.023 ms

--- 10.3.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.023/0.045/0.068/0.023 ms

This is a VPN using a static key, which allows only one client to connect. To go further from here, read http://openvpn.net/static.html.

How to get help

irc.freenode.net, channel #suse

Status

The connection works (see the tutorial above). It still uses static-key authentication; help is available at irc.freenode.net, channel #suse, and at http://openvpn.net.