[wellylug] Router piercing

David Harrison david.harrison at stress-free.co.nz
Tue Dec 13 15:09:48 NZDT 2005


Yeah good call regarding IPCop (though I do like Smoothwall's choice of graphics).

For reference this is a pretty good comparison of the two:
http://www.zorg.org/linux/ipcop.shtml


David



On 13/12/2005, at 2:32 PM, Michael Dittmer wrote:

> I would personally say IPCOP (not that I'm starting a distro war here).
>
> I'll explain why below
>
> 1.) native GRE support out of the box (just pick the option in the
> port forwarding rules; useful for doing PPTP VPN connections)
> 2.) native IPSec support for site-to-site VPN tunnels between IPCOP
> and compatible IPSec end-points
> 3.) native support for multiple site-to-site VPNs (mesh-style network)
>
> Regards
>
> Michael
>
> -----Original Message-----
> From: wellylug-bounces at lists.wellylug.org.nz
> [mailto:wellylug-bounces at lists.wellylug.org.nz] On Behalf Of David
> Harrison
> Sent: Tuesday, 13 December 2005 2:22 p.m.
> To: Wellington Linux Users Group
> Subject: Re: [wellylug] Router piercing
>
> Why not try a couple of Smoothwall boxes at either house.
> http://www.smoothwall.org/
>
> Pick up a couple of old Pentium 3's out of a rubbish bin and some
> Linux-friendly network cards.
> Put smoothwall onto each of them, set up a VPN network between each
> house (using the friendly GUI) and have some fun.
> If it doesn't work you still get an extra firewall with a squid proxy,
> dns caching and snort at each house (which ain't bad).
> Setup is painless and the documentation is very newbie friendly.
>
> It means you don't need to mess with your work/gaming computers and
> who can't say no to just one more computer in their house?
>
>
> David
>
>
>
> On 13/12/2005, at 1:37 PM, Jim Cheetham wrote:
>
>> On Mon, Dec 12, 2005 at 11:51:23PM +0000, Jamie Dobbs wrote:
>>> On 12/12/2005, "Jim Cheetham" <jim at gonzul.net> wrote:
>>>> I agree that "a VPN" is the right answer. But I strongly disagree
>>>> that IPSec is the right VPN.
>>>
>>>  Would you care to say what you would choose rather than IPSec and
>>> why you would choose it over IPSec?
>>
>> I had already identified my preference in a previous post to this
>> thread. OpenVPN, http://openvpn.net
>>
>> It stays out of the kernel by utilising the user-space tap/tun
>> drivers, and encryption is provided by SSL. It also has a whole bunch
>> of other features, which would probably be beyond the OP's
>> requirements - certificate based authentication, adaptive compression,
>> endpoint load-balancing and auto re-establishment of connections.
>>
>> It doesn't play in the same space as IPSec - it encapsulates the IP
>> frames, rather than modifies them, and consequently has far less
>> trouble with dynamic IP and NAT environments.
>>
>> (Disclaimer - I spent 6 months running a Linux/software IPSec
>> implementation a couple of years ago. I wasn't very successful. I see
>> the space where IPSec can be used successfully, and I don't believe
>> it's where you use a general-purpose computer as an endpoint - such as
>> your typical Linux box at home)
>>
>> OpenVPN is pretty easy (for a VPN) to set up and install. If you don't
>> understand IP networking, setting up any VPN yourself will be
>> difficult, because you have to make a number of decisions about
>> numbering, routing and firewall security, as well as authentication
>> policies. But given that you can figure these out, OpenVPN is easy.
>>
>> It's also reliable and stable, and runs on "all" OSs - "Linux, Windows
>> 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris."
>>
>> I can't answer for any cryptographic criticism of its selection of
>> algorithms, but note that the whole job is handed to an external
>> provider, currently OpenSSL. I know that financial institutions accept
>> SSL as being adequate for credit-card level transactions, of course. I
>> don't know how much further trust is given, but I suspect that it's
>> good enough and not a case for concern :-)
>>
>> These features are not exclusive to OpenVPN - IPSec covers much of the
>> same ground. It's just my opinion that IPSec is a terribly difficult
>> install/configure, and one that has far-reaching and subtle impacts on
>> your networking environment. Perhaps it's gotten better in the last
>> couple of years, but I doubt it.
>>
>> For personal use, I don't bother with OpenVPN - I'm happy with ad-hoc
>> ssh tunnels and occasional stunnel usage. These have a low overhead
>> for setup, but require the user to know a little bit about what they
>> are doing. I set up OpenVPN for business users, where we can't
>> supportably anticipate the type of usage the connection will get, but
>> instead provide a "just like being on the local LAN" service [caveat:
>> except for bandwidth, and CPU load on the server, that is].
>>
>> But hey - the whole point of being linux geeks is to learn stuff, right?
>> So I submit that using OpenVPN to service a wireless LAN, and to
>> provide server-to-server connections over the Internet, is a good
>> thing to do.
>>
>> -jim
>>
>>
>> --
>> Wellington Linux Users Group Mailing List:
>> wellylug at lists.wellylug.org.nz
>> To Leave:  http://lists.wellylug.org.nz/mailman/listinfo/wellylug
>>
>
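An added worked example, not from any poster in this thread: the kind of site-to-site OpenVPN setup Jim describes, with certificate authentication over UDP so the NAT'd house needs no inbound rule at all, and the addressing, routing and firewall decisions he mentions called out in comments. The host name, file paths and the 10.8.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 subnets are assumptions.

```conf
# --- server.conf (house A, the only side that forwards a port) ---
# Firewall decision: the single inbound hole anywhere is UDP 1194 on
# house A's router; house B, behind NAT with a dynamic address, only
# makes outbound connections.
port 1194
proto udp
dev tun                          # routed (layer-3) tunnel, not a bridged tap
# Authentication policy: one private CA, one cert per endpoint, no shared secrets.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/houseA.crt
key  /etc/openvpn/houseA.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0   # HMAC on the control channel: unsigned packets are dropped before any TLS work
remote-cert-tls client           # accept only peers whose cert was issued with the client role
server 10.8.0.0 255.255.255.0    # numbering decision: tunnel subnet must not overlap either house LAN
# Routing decisions: each side reaches the other's LAN through the tunnel.
push "route 192.168.1.0 255.255.255.0"   # house A's LAN, pushed to house B
route 192.168.2.0 255.255.255.0          # kernel route to house B's LAN via tun
client-config-dir /etc/openvpn/ccd       # ccd/houseB holds: iroute 192.168.2.0 255.255.255.0
keepalive 10 120                 # ping every 10 s, restart after 120 s silence; also keeps the NAT mapping alive
persist-key
persist-tun
user nobody                      # drop root once the tunnel is up
group nogroup
verb 3

# --- client.conf (house B, behind NAT, dynamic IP) ---
client
proto udp
dev tun
remote vpn.house-a.example 1194  # assumed DNS name for house A's public address
resolv-retry infinite            # keep retrying if house A's address changes
nobind
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/houseB.crt
key  /etc/openvpn/houseB.key
tls-auth /etc/openvpn/ta.key 1   # same static key, opposite direction
remote-cert-tls server           # refuse anything but a server-role cert, so another client cannot impersonate house A
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

Because the tunnel is UDP-encapsulated and house B never needs an inbound mapping, a change of either house's public address only costs a reconnect, which is the NAT-friendliness Jim contrasts with IPSec.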