* [gentoo-user] VPN?
From: Michael W. Holdeman @ 2005-08-27 3:12 UTC
To: gentoo-user
OK I have read the vpn howto, and tunneling from the howto, and to be
truthful I am totally over my head.
I have a LAN at the office including a freebsd file server, the server has an
ip of 192.168.xx.xx, and several other gentoo desktops have the same +1 each.
I have a linksys cable modem, and wireless router serving through the gateway
of 192.168.xx.1. dns is fixed with 2 dns servers from comcast. Problem is I
have a dynamic ip from comcast.
I want to be able to access a desktop machine, and most importantly the bsd
file server with my laptop, again with a dynamic assigned ip from remote
locations.
What is the best combination, and some sort of howto for dummies would be
great!!
Thanks in advance.
Mike
--
Michael W. Holdeman
________________________________________
Powered by Gentoo Linux www.gentoo.org |
Kernel 2.6.11-ck8 |
Win4Lin 5-1-20 netraverse.com |
Win4LinPro 6.1.1-03 win4lin.com |
________________________________________|
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] VPN?
From: Jonathan A. Kollasch @ 2005-08-27 3:42 UTC
To: gentoo-user; +Cc: Michael W. Holdeman
On Friday 26 August 2005 10:12 pm, Michael W. Holdeman wrote:
> I want to be able to access a desktop machine, and most importantly the bsd
> file server with my laptop, again with a dynamic assigned ip from remote
> locations.
I suggest one of those trendy dynamic DNS services (or a _real_ ISP). Not
sure how well VPNs can cope with a changing address (at your laptop or home)
though (I don't think IPsec would like it).
Jonathan Kollasch
* Re: [gentoo-user] VPN?
From: David Miller @ 2005-08-27 4:15 UTC
To: gentoo-user
I've been having a lot of luck with openvpn; it's ssl based rather than
ipsec. I have found it to be easier to set up and less confusing and
it has clients for various platforms including windows...which is not
always the easiest platform to use IPSEC with unless you go with a
commercial client. You will need to set up a certificate authority and
understand the basics of openssl; the rest is pretty simple. It even
works behind a NAT router or firewall. If the vpn connection is lost
it will re-establish its connection automatically once it's routable
again. This works for both dynamic ip clients and even the server as
long as you're using some sort of daemon to update dyndns info.
For the most part, at least in my area, I find comcast IPs to be very
stable. My IP hasn't changed in years. My ip lease just gets
renewed.
--
David
* Re: [gentoo-user] VPN?
From: Michael Crute @ 2005-08-27 4:32 UTC
To: gentoo-user
On 8/27/05, David Miller <david3d@gmail.com> wrote:
>
> I've been having a lot of luck with openvpn; it's ssl based rather than
> ipsec. I have found it to be easier to set up and less confusing and
> it has clients for various platforms including windows...which is not
> always the easiest platform to use IPSEC with unless you go with a
> commercial client. You will need to set up a certificate authority and
> understand the basics of openssl; the rest is pretty simple. It even
> works behind a NAT router or firewall. If the vpn connection is lost
> it will re-establish its connection automatically once it's routable
> again. This works for both dynamic ip clients and even the server as
> long as you're using some sort of daemon to update dyndns info.
Are there any security trade-offs with SSL as opposed to IPSEC?
On 8/26/05, Michael W. Holdeman <lists@ptfd.org> wrote:
> > I want to be able to access a desktop machine, and most importantly the bsd
> > file server with my laptop, again with a dynamic assigned ip from remote
> > locations.
I know not (naught? :) about the VPN but as far as your dynamic IP goes I
use changeip.com <http://changeip.com> with great success. They are fairly
cheap and you can send them a top level domain. The nice part is to update
the DNS records you can download a really simple Bash script and cron it to
make the updates.
-Mike
--
________________________________
Michael E. Crute
Software Developer
SoftGroup Development Corporation
Linux, because reboots are for installing hardware.
"In a world without walls and fences, who needs windows and gates?"
* Re: [gentoo-user] VPN?
From: Michael W. Holdeman @ 2005-08-27 4:39 UTC
To: gentoo-user
I have a dyndns account, it keeps the dns updated. I can always get to my
router/gateway which is dyndns enabled, how do I get to my ip on the server,
I need to mount the server's nfs export through the router. I set up the
correct ports for nfs to forward, is that it?
If I can do that it would be very insecure, then I would disable that and
set-up openvpn on the server to the router...
As I said I am over my head..
Mike
* Re: [gentoo-user] VPN?
From: Heinz Sporn @ 2005-08-27 5:55 UTC
To: gentoo-user
On Saturday, 27.08.2005, at 00:32 -0400, Michael Crute wrote:
> On 8/27/05, David Miller <david3d@gmail.com> wrote:
> > I've been having a lot of luck with openvpn; it's ssl based rather than
> > ipsec. I have found it to be easier to set up and less confusing and
> > it has clients for various platforms including windows...which is not
> > always the easiest platform to use IPSEC with unless you go with a
> > commercial client. You will need to set up a certificate authority and
> > understand the basics of openssl; the rest is pretty simple. It even
> > works behind a NAT router or firewall. If the vpn connection is lost
> > it will re-establish its connection automatically once it's routable
> > again. This works for both dynamic ip clients and even the server as
> > long as you're using some sort of daemon to update dyndns info.
>
> Are there any security trade-offs with SSL as opposed to IPSEC?
I suggest reading the article "OpenVPN and the SSL VPN Revolution" on
http://openvpn.net/articles.html . You should find all answers there.
>
>
> On 8/26/05, Michael W. Holdeman <lists@ptfd.org> wrote:
>
> > I want to be able to access a desktop machine, and most importantly the bsd
> > file server with my laptop, again with a dynamic assigned ip from remote
> > locations.
>
You can easily configure OpenVPN for this kind of environment.
--
Kind regards
Heinz Sporn
SPORN it-freelancing
Mobile: ++43 (0)699 / 127 827 07
Email: heinz.sporn@sporn-it.com
heinz.sporn@utanet.at
Website: http://www.sporn-it.com
Snail: Steyrer Str. 20
A-4540 Bad Hall
Austria / Europe
* Re: [gentoo-user] VPN?
From: Bryan Whitehead @ 2005-08-27 7:20 UTC
To: gentoo-user
Get dyndns working on one end... and then use ppp over ssh... :)
http://www.csh.rit.edu/~psionic/articles/ppp-over-ssh/
http://www.faqs.org/docs/Linux-mini/ppp-ssh.html
--
Bryan Whitehead
Email:driver@megahappy.net
* Re: [gentoo-user] VPN?
From: Mike Williams @ 2005-08-27 11:28 UTC
To: gentoo-user
On Saturday 27 August 2005 04:12, Michael W. Holdeman wrote:
> OK I have read the vpn howto, and tunneling from the howto, and to be
> truthful I am totally over my head.
http://www.natecarlson.com/linux/ipsec-x509.php
As long as the server has a static address, you'll be fine.
Doesn't even matter if it's your laptop initiating the connection from a
private IP behind your cable modem. Problems are likely to come up if your
private IP is in the same range as the private IPs at the other end, in which
case you'll probably be needing to get a DHCP lease from the remote end
(something I've not done, or even tried to do yet...)
Basically, the server has a connection defined which specifies its
certificate, and is left open ended so anyone can connect to it. But, because
it's got a certificate, only remote hosts which provide a certificate signed
by the same CA will be allowed.
--
Mike Williams
* Re: [gentoo-user] VPN?
From: Hans-Werner Hilse @ 2005-08-27 12:17 UTC
To: gentoo-user
Hi,
On Sat, 27 Aug 2005, Bryan Whitehead wrote:
> Get dyndns working on one end... and then use ppp over ssh... :)
>
> http://www.csh.rit.edu/~psionic/articles/ppp-over-ssh/
> http://www.faqs.org/docs/Linux-mini/ppp-ssh.html
Nah, don't do that. It will introduce major issues reg. connection
stability. OpenVPN is much better - as long as TCP isn't used. Using SSH/ppp
one would transfer IP over TCP. That's much worse than IP over UDP.
-hwh
* Re: [gentoo-user] VPN?
From: Hans-Werner Hilse @ 2005-08-27 12:25 UTC
To: gentoo-user
Hi,
On Sat, 27 Aug 2005, Michael W. Holdeman wrote:
> I have a dyndns account, it keeps the dns updated. I can always get to my
> router/gateway which is dyndns enabled, how do I get to my ip on the server,
Set up port forwarding on the router. Most router-in-a-box appliances will
let you configure this using some kind of frontend.
> I need to mount the server's nfs export through the router. I set up the
> correct ports for nfs to forward, is that it?
Hm, yes, that's how it is supposed to work. But as you mention...
> If I can do that it would be very insecure, then I would disable that and
> set-up openvpn on the server to the router...
... I wouldn't offer my NFS mounts to the wild, wild world out there.
Instead, your setup would look like this:
Router --port forwarding--> Box running OpenVPN
And with OpenVPN you could either
- bridge your office LAN to the OpenVPN virtual device (not recommended,
traffic explosion ahead ;-) ),
- route from the OpenVPN device to the office LAN
So you'll basically get away with just one port forwarding from the router
to the box running OpenVPN.
-hwh
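
The routed layout described in the last message (one forwarded port to a box running OpenVPN, NFS reached only through the tunnel), together with the certificate setup and automatic reconnection mentioned earlier in the thread, could be configured roughly as below. This is an added example, not a configuration posted by anyone in the thread; the hostname office.example.org, the 192.168.50.0/24 office LAN, the 10.8.0.0/24 tunnel pool and all file names are placeholders.

```conf
# ---- server.conf: office box; the router forwards only UDP 1194 to it ----
port 1194
proto udp                  # IP over UDP, not IP over TCP as with ppp-over-ssh
dev tun                    # routed tunnel (dev tap would be the bridged variant)
ca   ca.crt                # certificate of your own CA
cert server.crt            # server certificate signed by that CA
key  server.key            # private key, readable by root only
dh   dh.pem                # Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0             # tunnel address pool (placeholder)
push "route 192.168.50.0 255.255.255.0"   # office LAN (placeholder for 192.168.xx.0)
keepalive 10 120           # ping every 10 s, restart after 120 s of silence
persist-key
persist-tun
user nobody                # drop privileges after start-up
group nobody

# ---- client.conf: laptop, any network, dynamic address ----
client
dev tun
proto udp
remote office.example.org 1194   # placeholder for the office dyndns name
resolv-retry infinite      # keep re-resolving the name if the office address changes
nobind                     # no fixed source port, so it works behind NAT
ca   ca.crt                # same CA as the server
cert laptop.crt            # client certificate signed by that CA
key  laptop.key
remote-cert-tls server     # refuse peers whose certificate is not a server certificate
persist-key
persist-tun
```

The OpenVPN box must have IP forwarding enabled, and hosts on the office LAN (the NFS server in particular) need a route to the tunnel pool via that box. With this in place the NFS port forwards on the router can be removed, and the laptop should sit on a LAN whose range differs from the office range.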