VPN
From ThorstensHome
This page explains how you can set up a VPN solution on Linux. There are different approaches:
- the user has a graphical login in his web browser (Internet Explorer) and works on a computer via a web page
- the user uses his VPN client to dial in to a VPN (see "tunnel")
- the administrator sets up port forwarding on the gateway host
Tunnel
The following software can help you to set up a Linux VPN solution:
- webmin
- pptpd
- OpenVPN
- OpenSWAN
- FreeSWAN
OpenVPN
These tutorials helped me build up my knowledge:
- http://openvpn.net/static.html
- http://www.onlamp.com/pub/a/security/2004/10/21/vpns_and_pki.html
- http://openvpn.net/howto.html
How I start
I am using two machines in the same subnet, ls3122 and ls3132. ls3122 shall become the server, ls3132 shall become the client. Both are on SLES 10. The addresses for the hosts are 10.20.77.14 and 10.20.77.15. The addresses for the VPN shall be 10.3.0.1 for the server and 10.3.0.2 for the client.
ls3122:~ # SuSEfirewall2 stop
ls3122:~ # modprobe tun
ls3122:~ # killall openvpn
ls3122:~ # mkdir vpn
ls3122:~ # cd vpn
ls3122:~/vpn # openvpn --genkey --secret mykey.key
ls3122:~/vpn # cat >client.conf
remote ls3122.wdf.corp
dev tun
ifconfig 10.3.0.2 10.3.0.1
secret mykey.key
I type CTRL_D here to tell the system EOF.
ls3122:~/vpn # cat >server.conf
dev tun
ifconfig 10.3.0.1 10.3.0.2
secret mykey.key
I type CTRL_D here to tell the system EOF.
The next step is to copy over the folder vpn to the client:
ls3122:~/vpn # scp -r ../vpn root@ls3132:
The next step is to change computers:
ls3122:~/vpn # ssh root@ls3132
Last login: Thu Dec 21 13:45:59 2006 from ls3523.wdf.corp
ls3132:~ # SuSEfirewall2 stop
ls3132:~ # modprobe tun
ls3132:~ # killall openvpn
Now both computers are ready.
On the server, I start:
ls3122:~/vpn # openvpn server.conf
On the client, I start:
ls3132:~/vpn # openvpn client.conf
Now I can use the VPN. The VPN has added an IP address range that did not exist before, which I can ping now:
ls3132:~/vpn # ping 10.3.0.1
PING 10.3.0.1 (10.3.0.1) 56(84) bytes of data.
64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.455 ms
64 bytes from 10.3.0.1: icmp_seq=2 ttl=64 time=0.300 ms

--- 10.3.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.300/0.377/0.455/0.079 ms
ls3132:~/vpn # ping 10.3.0.2
PING 10.3.0.2 (10.3.0.2) 56(84) bytes of data.
64 bytes from 10.3.0.2: icmp_seq=1 ttl=64 time=0.068 ms
64 bytes from 10.3.0.2: icmp_seq=2 ttl=64 time=0.023 ms

--- 10.3.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.023/0.045/0.068/0.023 ms
This is a VPN using a static key, which allows only one client to connect. To advance further from here, read http://openvpn.net/static.html.
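The two configuration files above differ only in the "remote" line and in the order of the two ifconfig addresses, which is easy to get wrong when typing them by hand. The following added example (not part of the original page) generates both files from one set of parameters, verifies that the ifconfig pairs are mirror images and name the same key, and checks that the shared key file is readable by root only before it is copied to the peer. The function names gen_static_configs, configs_consistent and check_key_perms are my own; the hostname and addresses are those from the tutorial.

```shell
#!/bin/sh
# Added example: build the static-key client.conf and server.conf from one
# set of parameters and sanity-check them. Function names are assumptions.

gen_static_configs() {
    # $1 = target directory, $2 = server hostname as seen by the client,
    # $3 = server VPN address, $4 = client VPN address, $5 = key file name
    dir=$1; remote=$2; srv=$3; cli=$4; key=$5
    mkdir -p "$dir" || return 1
    # Client side: "remote" points at the server; own address first, peer second.
    printf 'remote %s\ndev tun\nifconfig %s %s\nsecret %s\n' \
        "$remote" "$cli" "$srv" "$key" > "$dir/client.conf"
    # Server side: no "remote" (it only listens); the address pair is mirrored.
    printf 'dev tun\nifconfig %s %s\nsecret %s\n' \
        "$srv" "$cli" "$key" > "$dir/server.conf"
}

# Return 0 when the client's "ifconfig A B" matches the server's "ifconfig B A"
# and both files reference the same (non-empty) secret file name.
configs_consistent() {
    dir=$1
    c_if=$(awk '$1=="ifconfig"{print $2, $3}' "$dir/client.conf")
    s_if=$(awk '$1=="ifconfig"{print $3, $2}' "$dir/server.conf")
    c_key=$(awk '$1=="secret"{print $2}' "$dir/client.conf")
    s_key=$(awk '$1=="secret"{print $2}' "$dir/server.conf")
    [ "$c_if" = "$s_if" ] && [ -n "$c_key" ] && [ "$c_key" = "$s_key" ]
}

# Return 0 when the static key exists and is mode 600 (owner read/write only).
# A looser mode lets any local user read the shared secret, so the tunnel
# would no longer be private to the two root accounts that hold the key.
check_key_perms() {
    key=$1
    [ -f "$key" ] || return 1
    # GNU stat (Linux) first, BSD stat as a fallback.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ]
}
```

Run gen_static_configs on the server, then configs_consistent and check_key_perms on the vpn folder before the scp step; scp preserves the file contents but not necessarily the mode, so repeat check_key_perms on the client after copying.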
How to get help
irc.freenode.net, channel #suse
Status
The connection works (see tutorial above). It still uses static-key authentication, but help is available at irc.freenode.net, channel #suse, and at http://openvpn.net.

