VPN Project
From 2600wiki
Motivation
Typical home internet connections these days are crippled: several ports are usually filtered, only a single public IP address is available, and in some cases it is re-assigned very frequently. This interferes with the way the Internet was intended to function, where any host can reach any other directly. We hope this changes soon, but in the meantime we are taking matters into our own hands.
We would like to create a private network using VPN technology that recreates an open, two-way network for experimentation and testing. This eliminates the complications of NAT, port redirection and dynamic DNS, keeps malicious Internet traffic off the experimental hosts, and avoids potential ISP ToS violations for running servers, while at the same time providing privacy through strong encryption.
Connection Types
Client
A VPN connection can be brought up on demand from anywhere and is authenticated with a username/password or with a public-key certificate. A private network address is assigned dynamically, and a default gateway is configured so that all traffic is directed into the private network rather than out through the local uplink. This provides secure remote access from untrusted networks such as public WiFi hotspots or hacker conferences. Note that a pushed default gateway only protects traffic that actually uses it: DNS must be resolved over the tunnel as well, or the names being looked up still leak to the local network.
Site To Site
In this mode a permanent connection is formed between two sites. Both should be always-on connections, preferably broadband. A static IP address works best, but as long as dynamic DNS has been configured, the connection can be kept up across address changes; at least one side must be reachable by name and accept incoming connections, and the other side re-resolves it when the tunnel drops. The VPN gateway should be a system which can be left on most of the time and is not rebooted often. Any old Pentium system with around 1 GB of storage is plenty; the only real demand is a CPU fast enough to encrypt the link at the uplink's speed.
Software
IPSec
IPSec is a very powerful protocol. It works well and is used by thousands of companies. Unfortunately it is not simple to configure: there are literally hundreds of options. While it is easy to connect two sites with very similar setups, things become a mess very quickly when trying to maintain compatibility across a number of different systems. A single configuration mistake (a mismatched proposal, identity or lifetime on one side) can render the entire setup non-functional and is very difficult to troubleshoot, since the failing side usually reports nothing more specific than that negotiation did not complete.
There has been some success in connecting a pair of OpenBSD systems over the Internet, thanks in part to improvements in recent releases which significantly streamlined configuration. Specifically, the ipsecctl(8) tool and the ipsec.conf(5) rule syntax it reads make setup far simpler. Unfortunately this only applies to OpenBSD; those choosing different operating systems are still left dealing with the complex configurations.
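As an added illustration of how compact the OpenBSD side gets (this is not configuration from the project page), here is an ipsec.conf rule joining two site LANs with a single ESP tunnel. The addresses, LAN prefixes and the pre-shared key are made up; the mirror-image rule goes on the other gateway.

```conf
# /etc/ipsec.conf on the gateway for site A (public 203.0.113.10, LAN 192.168.1.0/24).
# Site B's gateway (public 198.51.100.20, LAN 192.168.2.0/24) carries the same rule
# with "from"/"to" and "local"/"peer" swapped. All addresses and the PSK are assumed
# values for this example.
#
# One rule does everything: IKEv1 main mode for phase 1, quick mode for phase 2,
# ESP for the traffic. Both sides must offer identical proposals; a mismatch in any
# of auth/enc/group is the usual cause of a silently failing phase 1.
ike esp from 192.168.1.0/24 to 192.168.2.0/24 \
        local 203.0.113.10 peer 198.51.100.20 \
        main  auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        psk "replace-with-a-long-random-secret"
# For public-key authentication instead of the psk, drop the psk keyword and copy
# each side's /etc/isakmpd/local.pub to the peer as
# /etc/isakmpd/pubkeys/ipv4/<peer-public-address>.
```

Syntax-check before loading with `ipsecctl -n -f /etc/ipsec.conf`; then start isakmpd(8) with `-K` (no keynote policy checking, since the rule carries its own credentials) and load the rule with `ipsecctl -f /etc/ipsec.conf`. `ipsecctl -sa` shows the flows and the security associations that were actually negotiated, which is the quickest way to see whether phase 2 completed.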
OpenVPN
While OpenVPN has been around for several years now, it is not quite as proven as IPSec. However, it is based on SSL/TLS, which has been protecting websites for over a decade. It was designed from the start to be simple to configure and portable between platforms: a single user-space daemon, one text configuration file per side, and the same file format on Unix and Windows.
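The following is an added example, not configuration taken from the project page, showing one OpenVPN hub serving both connection types described above: roaming clients that get a pushed default gateway (Client) and a second site whose LAN is routed through its own certificate-authenticated tunnel (Site To Site). The host name vpn.example.org, the address ranges, the certificate names and the CN "siteb-gw" are assumed values.

```conf
#### server.conf on the hub gateway (public name vpn.example.org, LAN 192.168.1.0/24)
port 1194
proto udp
dev tun

# X.509 material from easy-rsa or openssl; each peer gets its own certificate so
# one can be revoked without re-keying everybody.
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem
# Extra shared key: packets without a valid HMAC are dropped before the TLS
# handshake starts, so scanners see nothing and cannot tie up the handshake.
tls-auth ta.key 0
tls-version-min 1.2
# Refuse a peer whose certificate was not issued for the client role.
remote-cert-tls client
cipher AES-256-GCM
auth SHA256

# Address pool handed to connecting peers; the hub itself is 10.8.0.1.
server 10.8.0.0 255.255.255.0
# Roaming clients: send all traffic through the tunnel, DNS included, so lookups
# do not leak out on the hotspot. (dhcp-option is applied automatically on
# Windows; Unix clients need an up script to rewrite resolv.conf.)
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
# The hub's LAN is reachable by every peer.
push "route 192.168.1.0 255.255.255.0"
# Site-to-site: site B's LAN sits behind the peer whose certificate CN is siteb-gw.
# "route" enters it in the kernel table; "iroute" in ccd/siteb-gw tells OpenVPN
# which tunnel peer owns that prefix.
route 192.168.2.0 255.255.255.0
client-config-dir ccd
client-to-client

keepalive 10 120
# Drop root after startup; persist-* keep the tunnel usable once privileges are
# gone. Use "group nobody" on OpenBSD, "nogroup" on Debian-style systems.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

#### ccd/siteb-gw (file name must equal the CN of site B's certificate)
iroute 192.168.2.0 255.255.255.0
# Site B keeps its own default route; its users should not be hairpinned
# through the hub. push-reset discards the global pushes, then re-add the LAN.
push-reset
push "route 192.168.1.0 255.255.255.0"

#### client.ovpn for a roaming laptop; site B's gateway uses the same file with
#### its own cert/key (siteb-gw.crt / siteb-gw.key)
client
dev tun
proto udp
remote vpn.example.org 1194
resolv-retry infinite
nobind
ca   ca.crt
cert laptop.crt
key  laptop.key
tls-auth ta.key 1
# Only accept a server whose certificate carries the server EKU; without this
# any client certificate from the same CA could impersonate the hub.
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
persist-key
persist-tun
verb 3
```

Run each side with `openvpn --config <file>` and confirm the tunnel with a ping to 10.8.0.1 and then to a host on the far LAN. Username/password authentication as mentioned under Client is layered on top of this by adding `auth-user-pass` to the client file and an authentication plugin on the hub; the certificate check stays in place unless it is explicitly disabled. Because the motivation above is filtered ports, remember that UDP 1194 must actually be reachable at the hub; where the hub's own ISP filters it, `port 443` with `proto tcp` is the usual fallback at the cost of some throughput.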
Example configurations for OpenVPN
