Topic: OpenVPN as an alternative to PPTP & IPSec

[Maggard]

Lots of e-smith/SME users want to connect networks. Between offices, between offices and homes, even between groups of homes. IPSec has been the preferred means but it has issues with the dynamic IP addresses many folks have. PPTP has been problematic for many of late as well as being a bit complicated to set up two-way.

So here's a 3rd alternative: OpenVPN.

From it's blurb: "OpenVPN is an easy-to-use, robust, and highly configurable VPN (Virtual Private Network) daemon which can be used to securely link two or more private networks using an encrypted tunnel over the internet"

Among it's features are:

* tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
* create cross-platform tunnels between any of the operating systems supported by OpenVPN including Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows 2000/XP,
* choose between static-key based conventional encryption or certificate-based public key encryption,
* use static, pre-shared keys or TLS-based dynamic key exchange,
* use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
* tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
* tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules, tunnel networks over NAT, and create secure ethernet bridges using virtual tap devices.

(more at http://openvpn.sourceforge.net)

Basically it's a flexible, easier way of connecting LANs to each other. It works through NAT's, traverses firewalls, handles dynamic IP addresses, supports compression & traffic shaping, and can authenticate against lots of standard services.

Technically it is built on a solid foundation, doesn't require recompiling the kernel or modifying the TCP stack, and is easily extendable. It's GPL'ed and has excellent documentation.

What I'd like to hear is other folks experiences with it. Also to encourage someone to write a panel integrating this into e-smith/SME's template architecture, bundle it all up as a contributed rpm.

[Michael Smith]

Sounds too good to be true!  Genius developer makes product more secure & with more features than anything else available ... and it's covered under the GPL ... and it's cross-platform ... and works with dynamic IP addresses ... fabulous.  Have you tried it out?

[Duncan]

I am going to give it a go sometime during the next few days over a wireless link.

Will let you know how I go after that (Although days seem to run in to weeks around here)

Regards Duncan

[Duncan]

So far so good. I quite like this.

The win32 client is pretty easy to set up (A good deal easier than getting anything to work with IPSec). It doesnt appear to be a client/server setup which is handy and doesnt bitch if either end is down.

Getting it working wasnt too hard - I am running 5.6 so it is slightly different than the how to. The init file needs modifying a little bit to work properly.

I wasnt able to get it working using RSA keys (some errors) but i have it working fine with static keys.

I have found that the config files are a lot easier to understand and work with opposed to Freeswan. I dont forsee much of a drama with multiple tunnels.

Regards Duncan

[ryan]

OpenVPN sounds interesting.  I am going to read up on this.  Another simple and extremely cheap option is the linksys BEFVP41 firewall vpn router ($129.00 at compusa).  These devices can handle up to 70 IPSEC tunnels and are SIMPLE to configure.  

The linksys is a simple device that is easy to configure.  For my primary location, I prefer a true linux server firewall with a secure DMZ.  I have IPCop linux as my central site firewall vpn router.  IPCop is every easy and quick to install.  Amazingly, you can use the linksys BEFVP41 firewall vpn router as an IPSEC endpoint to IPCop.  For me, this is perfect as the linksys is dirt cheap and has no moving parts so it should be reliable for those remote (don't want to travel there) locations.  SME is also used as a primary gateway to filter web traffic with squidguard, watch it with sarg, and filter spam before passing email to exchange.   This setup works well and is very cost effective.  

Now to learn about OpenVPN....

ryan

[Lazo]

can someone provide a How to (a rpm could bew great!! ) instal this openVPN on SME 5.6 u6!!

I'm trying but still no luck

Thanks in advance!

[RayG]

Duncan,
    How has OpenVPN been working out for you over the past few weeks ? A brief description of how your using it and what mods you had to make to the init file would be great.