[wellylug] Router piercing

Ewen McNeill wellylug at ewen.mcneill.gen.nz
Tue Dec 13 13:26:42 NZDT 2005


In message <2e51a0350512121600x118104dbn919b6bb2acb23931 at mail.gmail.com>, Andrew
 Stephen writes:
>Disclaimer:  This is not something I have actually set up but rather
>something I have read about that I intend to give a go one day soon. [...]
>Have a look at OpenVPN (http://openvpn.net/)

I have actually used OpenVPN (both I and my clients use it regularly).
It's reasonably easy to configure (the main hassle is creating an SSL CA,
and keys/certificates, for which they provide an easy-rsa kit).

It uses a single UDP port (normally 1194, their well known port),
and as such normally works out through NAT fine; I'd imagine it would
work in through NAT too, but I've never needed to do that.  It hooks in
using tun/tap drivers in Linux, a similar driver in OS X, and something
analogous in Windows.  Encryption is typical SSL/TLS protocols.

I'm pretty happy with OpenVPN as a single-client-to-remote-network
solution (it's possible for the server to "force" some routes back onto
the client, so the client gets access to the internal network directly
when the VPN comes up), and so it solves the remote-worker situation
fairly well.  It's not as well suited to joining two networks together,
in that there's no obvious way to automatically add routes on the server
end pointing back at the client networks -- and I'm not sure that they'd
even be allowed through the tunnel if you did.

The most commonly used VPN technologies seem to be PPTP (mainly on
Microsoft platforms), which is a control channel (TCP/1720) and GRE
packets (protocol 47), and IPSEC with a control channel (UDP/500) and
typically ESP packets (protocol 50).  Both are somewhat tricky to get
through NAT, although if you hold your tongue just right it is possible.
PPTP is mainly used in a single-client-to-remote-network setup; I'm not
even sure if it supports joining two networks.  IPSEC can be used in
either mode, although in the single-client (non-tunnelled) mode care is
required to ensure the traffic really is arriving encrypted as in that
mode it doesn't use an "internal" IP address as per most other VPNs.

The other VPN protocol I've currently got in use, for joining two
networks together, is vtun.  It uses a TCP control connection and
usually UDP packets for the VPN.  It works through NAT reasonably well,
and supports adding arbitrary routes at either end when the tunnel comes
up.  However I'm not sure how strong the security is (and the main
authentication method seems to be 'shared secret', which typically ends
up being pretty weak).  For what I'm using it for (data which will then
travel over the Internet unencrypted) the potential lack of privacy in
the VPN doesn't matter much.

Where I want to join two networks together, and care about
privacy/encryption, I do still use IPSEC.  And I avoid the NAT issues by
running it between the devices doing the NAT (eg, border firewalls),
tunnelling for the internal networks.

Ewen
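As an added illustration of the single-client-to-remote-network setup described above (not a configuration from the original post or from the OpenVPN project): a minimal OpenVPN 2.x server and client pair using one UDP port, tun devices, an easy-rsa CA, and the server pushing a route for the internal LAN back onto the client. The file names, hostname vpn.example.com, and the 10.8.0.0/24 and 192.168.10.0/24 networks are assumed placeholders.

```conf
# ---- server.conf (assumed name): runs on the gateway of the internal LAN ----
port 1194
proto udp
dev tun
# CA, server certificate and private key generated with easy-rsa (names assumed)
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Address pool handed to clients over the tunnel (constructed example range)
server 10.8.0.0 255.255.255.0
# Push a route for the internal LAN (constructed 192.168.10.0/24) so the
# client reaches it directly as soon as the tunnel comes up
push "route 192.168.10.0 255.255.255.0"
# Only accept peers whose certificate was issued by our CA for client use
remote-cert-tls client
# Detect dead peers; keeps NAT state alive on the client side too
keepalive 10 120
# Keep keys and the tun device across restarts after dropping privileges
persist-key
persist-tun
user nobody
group nogroup
verb 3

# ---- client.conf (assumed name): the remote worker's machine ----
client
dev tun
proto udp
# Placeholder hostname of the server; same single UDP port
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
# Refuse to connect unless the server certificate is marked for server use,
# so a stolen client certificate cannot be used to impersonate the server
remote-cert-tls server
# No fixed local port, which is what lets the client sit behind NAT
nobind
persist-key
persist-tun
verb 3
```

The pushed route only affects the client's routing table; nothing here adds routes on the server side for networks behind the client, which matches the limitation noted in the post.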
