[wellylug] Router piercing
David Harrison
david.harrison at stress-free.co.nz
Tue Dec 13 15:25:27 NZDT 2005
This looks like a nice little step-by-step howto for setting up a VPN
on IPCop for anyone who doesn't know what a certificate is or how to
create one:
http://home.arcor.de/u.altinkaynak/howto_openvpn.html
David
On 13/12/2005, at 3:18 PM, Michael Dittmer wrote:
> I had a quick look at the article. Most of it is true, however it is
> two versions out of date as IPCOP is now up to 1.4.* not 1.2.*
>
> There have been quite a few major changes between the versions,
> including a new GUI interface, updated kernel (2.4.31), SCSI hard-drive
> support and updated packages.
>
> I believe a new installer has also been added since 1.2.* releases.
>
> Regards
>
> Michael
>
> -----Original Message-----
> From: wellylug-bounces at lists.wellylug.org.nz
> [mailto:wellylug-bounces at lists.wellylug.org.nz] On Behalf Of David
> Harrison
> Sent: Tuesday, 13 December 2005 3:10 p.m.
> To: Wellington Linux Users Group
> Subject: Re: [wellylug] Router piercing
>
> Yeah good call regarding IPCop (though I do like Smoothwall's choice
> of graphics).
>
> For reference this is a pretty good comparison of the two:
> http://www.zorg.org/linux/ipcop.shtml
>
>
> David
>
>
>
> On 13/12/2005, at 2:32 PM, Michael Dittmer wrote:
>
>> I would personally say IPCOP (not that I'm starting a distro war
>> here).
>>
>> I'll explain why below
>>
>> 1.) native GRE support out of the box (just pick the option in the
>> port forwarding rules; useful for doing PPTP VPN connections)
>> 2.) native IPSec support for site-to-site VPN tunnels between IPCOP
>> and compatible IPSec end-points
>> 3.) native support for multiple site-to-site VPNs (mesh-style
>> network)
>>
>> Regards
>>
>> Michael
>>
>> -----Original Message-----
>> From: wellylug-bounces at lists.wellylug.org.nz
>> [mailto:wellylug-bounces at lists.wellylug.org.nz] On Behalf Of David
>> Harrison
>> Sent: Tuesday, 13 December 2005 2:22 p.m.
>> To: Wellington Linux Users Group
>> Subject: Re: [wellylug] Router piercing
>>
>> Why not try a couple of Smoothwall boxes at either house.
>> http://www.smoothwall.org/
>>
>> Pick up a couple of old Pentium 3's out of a rubbish bin and some
>> Linux friendly network cards.
>> Put smoothwall onto each of them, set up a VPN network between each
>> house (using the friendly GUI) and have some fun.
>> If it doesn't work you still get an extra firewall with a squid
>> proxy, dns caching and snort at each house (which ain't bad).
>> Setup is painless and the documentation is very newbie friendly.
>>
>> It means you don't need to mess with your work/gaming computers and
>> who can't say no to just one more computer in their house?
>>
>>
>> David
>>
>>
>>
>> On 13/12/2005, at 1:37 PM, Jim Cheetham wrote:
>>
>>> On Mon, Dec 12, 2005 at 11:51:23PM +0000, Jamie Dobbs wrote:
>>>> On 12/12/2005, "Jim Cheetham" <jim at gonzul.net> wrote:
>>>>> I agree that "a VPN" is the right answer. But I strongly disagree
>>>>> that IPSec is the right VPN.
>>>>
>>>> Would you care to say what you would choose rather than IPSec and
>>>> why you would choose it over IPSec?
>>>
>>> I had already identified my preference in a previous post to this
>>> thread. OpenVPN, http://openvpn.net
>>>
>>> It stays out of the kernel by utilising the user-space tap/tun
>>> drivers, and encryption is provided by SSL. It also has a whole
>>> bunch of other features, which would probably be beyond the OP's
>>> requirements - certificate based authentication, adaptive
>>> compression, endpoint load-balancing and auto re-establishment of
>>> connections.
>>>
>>> It doesn't play in the same space as IPSec - it encapsulates the IP
>>> frames, rather than modifying them, and consequently has far less
>>> trouble with dynamic IP and NAT environments.
>>>
>>> (Disclaimer - I spent 6 months running a Linux/software IPSec
>>> implementation a couple of years ago. I wasn't very successful. I
>>> see the space where IPSec can be used successfully, and I don't
>>> believe it's where you use a general-purpose computer as an
>>> endpoint - such as your typical Linux box at home)
>>>
>>> OpenVPN is pretty easy (for a VPN) to set up and install. If you
>>> don't understand IP networking, setting up any VPN yourself will be
>>> difficult, because you have to make a number of decisions about
>>> numbering, routing and firewall security, as well as authentication
>>> policies. But given that you can figure these out, OpenVPN is easy.
>>>
>>> It's also reliable and stable, and runs on "all" OSs - "Linux,
>>> Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and
>>> Solaris."
>>>
>>> I can't answer for any cryptographic criticism of its selection of
>>> algorithms, but note that the whole job is handed to an external
>>> provider, currently OpenSSL. I know that financial institutions
>>> accept SSL as being adequate for credit-card level transactions, of
>>> course. I don't know how much further trust is given, but I suspect
>>> that it's good enough and not a case for concern :-)
>>>
>>> These features are not exclusive to OpenVPN - IPSec covers much of
>>> the same ground. It's just my opinion that IPSec is a terribly
>>> difficult install/configure, and one that has far-reaching and
>>> subtle impacts on your networking environment. Perhaps it's gotten
>>> better in the last couple of years, but I doubt it.
>>>
>>> For personal use, I don't bother with OpenVPN - I'm happy with
>>> ad-hoc ssh tunnels and occasional stunnel usage. These have a low
>>> overhead for setup, but require the user to know a little bit about
>>> what they are doing. I set up OpenVPN for business users, where we
>>> can't supportably anticipate the type of usage the connection will
>>> get, but instead provide a "just like being on the local LAN"
>>> service [caveat: except for bandwidth, and CPU load on the server,
>>> that is].
>>>
>>> But hey - the whole point of being linux geeks is to learn stuff,
>>> right?
>>> So I submit that using OpenVPN to service a wireless LAN, and to
>>> provide server-to-server connections over the Internet, is a good
>>> thing to do.
>>>
>>> -jim
>>>
>>>
>>> --
>>> Wellington Linux Users Group Mailing List:
>>> wellylug at lists.wellylug.org.nz
>>> To Leave: http://lists.wellylug.org.nz/mailman/listinfo/wellylug
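Added example, not part of the thread: a minimal OpenVPN site-to-site pair of the kind Jim describes (certificate-based authentication, tunnel over UDP so it survives NAT, automatic re-establishment) between the two houses, showing the numbering, routing and authentication decisions he lists. Assumed values: house A's LAN is 192.168.1.0/24, house B's is 192.168.2.0/24, the tunnel endpoints are 10.8.0.1/10.8.0.2, `vpn.house-a.example` is a placeholder for house A's public address, and both ends hold certificates issued by a CA you run yourself; directives assume a current OpenVPN 2.x release.

```conf
# --- House A: /etc/openvpn/houseB.conf (server end of the tunnel) ---
dev tun
proto udp
port 1194
tls-server
ca ca.crt                   # the CA that issued both houses' certificates
cert houseA.crt
key houseA.key
dh dh.pem
tls-auth ta.key 0           # shared HMAC key: unsigned handshake packets are dropped early
remote-cert-tls client      # only accept a peer certificate issued for client use
ifconfig 10.8.0.1 10.8.0.2  # point-to-point tunnel addresses (assumed values)
route 192.168.2.0 255.255.255.0   # house B's LAN is reached through the tunnel
keepalive 10 60             # ping every 10 s, restart the tunnel after 60 s of silence
persist-key
persist-tun
user nobody                 # drop privileges once the tunnel is up
group nogroup
verb 3

# --- House B: /etc/openvpn/houseA.conf (client end of the tunnel) ---
dev tun
proto udp
remote vpn.house-a.example 1194   # placeholder: house A's public address or DDNS name
nobind                      # house B may sit behind NAT; no fixed local port needed
tls-client
ca ca.crt
cert houseB.crt
key houseB.key
tls-auth ta.key 1           # direction flag is the opposite of the server's
remote-cert-tls server      # only accept a peer certificate issued for server use
ifconfig 10.8.0.2 10.8.0.1
route 192.168.1.0 255.255.255.0   # house A's LAN is reached through the tunnel
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

The routing and firewall decisions still have to be made on each box: IP forwarding must be enabled and the firewall must permit forwarding between the tun interface and the LAN only for the traffic you intend, and other hosts on each LAN need a route for the remote subnet via their local gateway.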