[wellylug] Router piercing
Michael Dittmer
michaeld at mercury-projects.co.nz
Tue Dec 13 14:32:55 NZDT 2005
I would personally say IPCOP (not that I'm starting a distro war here).
I'll explain why below:
1.) native GRE support out of the box (just pick the option in the
port forwarding rules; useful for doing PPTP VPN connections)
2.) native IPSec support for site-to-site VPN tunnels between IPCOP and
compatible IPSec end-points
3.) native support for multiple site-to-site VPNs (mesh-style network)
Regards
Michael
-----Original Message-----
From: wellylug-bounces at lists.wellylug.org.nz
[mailto:wellylug-bounces at lists.wellylug.org.nz] On Behalf Of David
Harrison
Sent: Tuesday, 13 December 2005 2:22 p.m.
To: Wellington Linux Users Group
Subject: Re: [wellylug] Router piercing
Why not try a couple of Smoothwall boxes at either house.
http://www.smoothwall.org/
Pick up a couple of old Pentium 3's out of a rubbish bin and some Linux
friendly network cards.
Put Smoothwall onto each of them, set up a VPN network between each
house (using the friendly GUI) and have some fun.
If it doesn't work you still get an extra firewall with a squid proxy,
dns caching and snort at each house (which ain't bad).
Setup is painless and the documentation is very newbie friendly.
It means you don't need to mess with your work/gaming computers and who
can't say no to just one more computer in their house?
David
On 13/12/2005, at 1:37 PM, Jim Cheetham wrote:
> On Mon, Dec 12, 2005 at 11:51:23PM +0000, Jamie Dobbs wrote:
>> On 12/12/2005, "Jim Cheetham" <jim at gonzul.net> wrote:
>>> I agree that "a VPN" is the right answer. But I strongly disagree
>>> that IPSec is the right VPN.
>>
>> Would you care to say what you would choose rather than IPSec and
>> why you would choose it over IPSec?
>
> I had already identified my preference in a previous post to this
> thread. OpenVPN, http://openvpn.net
>
> It stays out of the kernel by utilising the user-space tap/tun
> drivers, and encryption is provided by SSL. It also has a whole bunch
> of other features, which would probably be beyond the OP's
> requirements - certificate based authentication, adaptive compression,
> endpoint load-balancing and auto re-establishment of connections.
>
> It doesn't play in the same space as IPSec - it encapsulates the IP
> frames, rather than modifies them, and consequently has far less
> trouble with dynamic IP and NAT environments.
>
> (Disclaimer - I spent 6 months running a Linux/software IPSec
> implementation a couple of years ago. I wasn't very successful. I see
> the space where IPSec can be used successfully, and I don't believe
> it's where you use a general-purpose computer as an endpoint - such as
> your typical Linux box at home)
>
> OpenVPN is pretty easy (for a VPN) to set up and install. If you don't
> understand IP networking, setting up any VPN yourself will be
> difficult, because you have to make a number of decisions about
> numbering, routing and firewall security, as well as authentication
> policies. But given that you can figure these out, OpenVPN is easy.
>
> It's also reliable and stable, and runs on "all" OSs - "Linux, Windows
> 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris."
>
> I can't answer for any cryptographic criticism of its selection of
> algorithms, but note that the whole job is handed to an external
> provider, currently OpenSSL. I know that financial institutions accept
> SSL as being adequate for credit-card level transactions, of course. I
> don't know how much further trust is given, but I suspect that it's
> good enough and not a case for concern :-)
>
> These features are not exclusive to OpenVPN - IPSec covers much of the
> same ground. It's just my opinion that IPSec is a terribly difficult
> install/configure, and one that has far-reaching and subtle impacts on
> your networking environment. Perhaps it's gotten better in the last
> couple of years, but I doubt it.
>
> For personal use, I don't bother with OpenVPN - I'm happy with ad-hoc
> ssh tunnels and occasional stunnel usage. These have a low overhead
> for setup, but require the user to know a little bit about what they
> are doing. I set up OpenVPN for business users, where we can't
> supportably anticipate the type of usage the connection will get, but
> instead provide a "just like being on the local LAN" service [caveat:
> except for bandwidth, and CPU load on the server, that is].
>
> But hey - the whole point of being Linux geeks is to learn stuff,
> right?
> So I submit that using OpenVPN to service a wireless LAN, and to
> provide server-to-server connections over the Internet, is a good
> thing to do.
>
> -jim
>
--
Wellington Linux Users Group Mailing List:
wellylug at lists.wellylug.org.nz
To Leave: http://lists.wellylug.org.nz/mailman/listinfo/wellylug
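To make the decisions Jim lists concrete (numbering, routing, firewall policy and authentication), here is an added example of a minimal certificate-authenticated OpenVPN site-to-site pair between two home LANs. It is illustrative configuration written for this thread, not anything posted by Jim, David or Michael. The LAN ranges 192.168.10.0/24 and 192.168.20.0/24, the tunnel range 10.8.0.0/24, the hostname vpn-house-a.example.net, the key file paths and the client name "house-b" are all assumed placeholders.

```conf
# ---- house A: OpenVPN server (assumed file /etc/openvpn/house-a.conf) ----
# Layer-3 tunnel: IP packets are encapsulated in UDP rather than rewritten,
# which is why NAT and dynamic addresses cause less trouble than with IPSec.
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0          # numbering: the tunnel gets its own range
cipher AES-256-GCM                     # authenticated cipher (OpenVPN 2.4 or later)

# Authentication: X.509 certificates issued by a private CA you control.
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/house-a.crt
key  /etc/openvpn/keys/house-a.key
dh   /etc/openvpn/keys/dh.pem
tls-auth /etc/openvpn/keys/ta.key 0    # HMAC on the control channel: unsigned packets are dropped before TLS runs
remote-cert-tls client                 # accept only peers whose cert is marked for client use

# Routing: push A's LAN to B, and tell A's kernel that B's LAN lives behind the tunnel.
push "route 192.168.10.0 255.255.255.0"
route 192.168.20.0 255.255.255.0
client-config-dir /etc/openvpn/ccd     # file 'ccd/house-b' contains: iroute 192.168.20.0 255.255.255.0

# Drop privileges after startup; keepalive re-establishes the link after a drop.
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60
verb 3

# ---- house B: OpenVPN client (assumed file /etc/openvpn/house-b.conf) ----
client
dev tun
proto udp
remote vpn-house-a.example.net 1194    # assumed hostname; a dynamic-DNS name works here
resolv-retry infinite
nobind
cipher AES-256-GCM
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/house-b.crt     # certificate CN must be 'house-b' so the ccd entry matches
key  /etc/openvpn/keys/house-b.key
tls-auth /etc/openvpn/keys/ta.key 1    # opposite key direction to the server
remote-cert-tls server                 # refuse a peer that presents a client certificate
user nobody
group nogroup
persist-key
persist-tun
verb 3
```

Firewall security is the part the config files do not cover: on each box, enable IP forwarding and allow through tun0 only traffic between the two LAN ranges (for example, an iptables FORWARD rule accepting 192.168.20.0/24 to 192.168.10.0/24 on tun0 at house A, and the mirror image at house B), rejecting everything else. Hosts on each LAN also need a route to the far LAN via the OpenVPN box unless that box is already their default gateway. The tls-auth key and the CA private key are the two secrets that matter most; keep the CA offline and issue one certificate per site so a compromised box can be revoked without re-keying the other.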