[wellylug] Router piercing
David Harrison
david.harrison at stress-free.co.nz
Tue Dec 13 14:22:06 NZDT 2005
Why not try a couple of Smoothwall boxes at either house.
http://www.smoothwall.org/
Pick up a couple of old Pentium 3's out of a rubbish bin and some
Linux friendly network cards.
Put Smoothwall onto each of them, set up a VPN network between each
house (using the friendly GUI) and have some fun.
If it doesn't work you still get an extra firewall with a squid
proxy, dns caching and snort at each house (which ain't bad).
Setup is painless and the documentation is very newbie friendly.
It means you don't need to mess with your work/gaming computers and
who can't say no to just one more computer in their house?
David
On 13/12/2005, at 1:37 PM, Jim Cheetham wrote:
> On Mon, Dec 12, 2005 at 11:51:23PM +0000, Jamie Dobbs wrote:
>> On 12/12/2005, "Jim Cheetham" <jim at gonzul.net> wrote:
>>> I agree that "a VPN" is the right answer. But I strongly disagree
>>> that IPSec is the right VPN.
>>
>> Would you care to say what you would choose rather than IPSec and
>> why you would choose it over IPSec?
>
> I had already identified my preference in a previous post to this
> thread. OpenVPN, http://openvpn.net
>
> It stays out of the kernel by utilising the user-space tap/tun
> drivers, and encryption is provided by SSL. It also has a whole bunch
> of other features, which would probably be beyond the OP's
> requirements - certificate based authentication, adaptive compression,
> endpoint load-balancing and auto re-establishment of connections.
>
> It doesn't play in the same space as IPSec - it encapsulates the IP
> frames, rather than modifies them, and consequently has far less
> trouble with dynamic IP and NAT environments.
>
> (Disclaimer - I spent 6 months running a Linux/software IPSec
> implementation a couple of years ago. I wasn't very successful. I see
> the space where IPSec can be used successfully, and I don't believe
> it's where you use a general-purpose computer as an endpoint - such as
> your typical Linux box at home)
>
> OpenVPN is pretty easy (for a VPN) to set up and install. If you don't
> understand IP networking, setting up any VPN yourself will be
> difficult, because you have to make a number of decisions about
> numbering, routing and firewall security, as well as authentication
> policies. But given that you can figure these out, OpenVPN is easy.
>
> It's also reliable and stable, and runs on "all" OSs - "Linux, Windows
> 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris."
>
> I can't answer for any cryptographic criticism of its selection of
> algorithms, but note that the whole job is handed to an external
> provider, currently OpenSSL. I know that financial institutions accept
> SSL as being adequate for credit-card level transactions, of course. I
> don't know how much further trust is given, but I suspect that it's
> good enough and not a case for concern :-)
>
> These features are not exclusive to OpenVPN - IPSec covers much of the
> same ground. It's just my opinion that IPSec is a terribly difficult
> install/configure, and one that has far-reaching and subtle impacts on
> your networking environment. Perhaps it's gotten better in the last
> couple of years, but I doubt it.
>
> For personal use, I don't bother with OpenVPN - I'm happy with ad-hoc
> ssh tunnels and occasional stunnel usage. These have a low overhead
> for setup, but require the user to know a little bit about what they
> are doing. I set up OpenVPN for business users, where we can't
> supportably anticipate the type of usage the connection will get, but
> instead provide a "just like being on the local LAN" service [caveat:
> except for bandwidth, and CPU load on the server, that is].
>
> But hey - the whole point of being linux geeks is to learn stuff,
> right? So I submit that using OpenVPN to service a wireless LAN, and
> to provide server-to-server connections over the Internet, is a good
> thing to do.
>
> -jim
>
>
> --
> Wellington Linux Users Group Mailing List:
> wellylug at lists.wellylug.org.nz
> To Leave: http://lists.wellylug.org.nz/mailman/listinfo/wellylug
>
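Jim's post lists OpenVPN's features (user-space tun driver, certificate-based authentication, automatic reconnection, NAT tolerance) without showing what they look like in a configuration. The following server/client pair for the two-house case the thread is about is an added example of mine, not from the thread or from the OpenVPN project. Every address, hostname and file path is a constructed placeholder; the directives are standard OpenVPN 2.x ones, and `remote-cert-tls` assumes OpenVPN 2.1 or later.

```conf
# --- server.conf (house A, the end with the reachable public address) ---
port 1194
proto udp                       # UDP copes with NAT and dynamic addresses better than IPSec's ESP
dev tun                         # routed IP tunnel through the user-space tun driver

# Certificate-based authentication: each peer has its own certificate signed
# by a private CA you run yourself (easy-rsa, shipped with OpenVPN, does this).
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/house-a.crt
key  /etc/openvpn/house-a.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0  # HMAC on the handshake: packets without it are dropped before OpenSSL sees them

server 10.8.0.0 255.255.255.0            # constructed tunnel subnet
push "route 192.168.1.0 255.255.255.0"   # house A's LAN (constructed), advertised to house B

# Site-to-site: the server must know which client is the gateway for house B's LAN.
route 192.168.2.0 255.255.255.0          # kernel route for house B's LAN into the tunnel
client-config-dir /etc/openvpn/ccd       # file "house-b" in here contains: iroute 192.168.2.0 255.255.255.0

keepalive 10 120                # ping every 10 s, restart after 120 s of silence (auto re-establishment)
persist-key
persist-tun
user nobody                     # drop privileges once the tun device and keys are set up
group nogroup                   # adjust to your distribution's unprivileged group
cipher AES-256-CBC
verb 3

# --- client.conf (house B) ---
client
dev tun
proto udp
remote vpn.house-a.example 1194 # placeholder; a dynamic-DNS name is fine, only the server needs a stable address
resolv-retry infinite           # keep retrying name resolution after a link drop
nobind
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/house-b.crt
key  /etc/openvpn/house-b.key
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server          # refuse a peer that presents a client certificate while posing as the server
cipher AES-256-CBC
verb 3
```

Three of the "decisions about numbering, routing and firewall security" Jim mentions are visible here: the two house LANs must use distinct private subnets or the routes collide; house A's router has to forward UDP 1194 to the OpenVPN box (the "piercing" in the subject line), and nothing else needs opening; and each box's firewall should filter `tun0` like any other interface, because after this the remote house is "on the LAN" in exactly the sense Jim describes. The CA private key used to sign the two certificates belongs on neither endpoint. Jim's "adaptive compression" (`comp-lzo`) is deliberately left out: current OpenVPN guidance is to keep compression off.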