[wplug] VPN stuff

Alexandros Papadopoulos apapadop at alumni.cmu.edu
Wed Mar 23 12:01:14 EST 2005


On Wednesday 23 March 2005 18:34, Michael P. O Connor wrote:
> I have been reading about VPN this last week or so, and wondering if
> anyone has any knowledge on the subject, I will be working on
> implementing a VPN server over the next few weeks.  The server will
> also be a VPN gateway into the network, and will be an older
> computer.  Here are some of the things I am thinking.
>
> I am going to use the PPTP protocol (software for linux PoPToP, I was
> warned there are some issues with PoPToP, what are those issues, and
> how can I avoid them) the reason for PPTP is since one of the
> requirements is that I want to connect windows boxes to the network,
> without much hassle, and PPTP is built in.  Unless someone can tell
> me where I could get a good windows IPsec client, but it needs to
> pass smb traffic, and all other kinds of traffic not just TCP/IP
> traffic.

Read Schneier's PPTP FAQ [0] for why you shouldn't use Microsoft's PPTP 
implementation.

I suggest using OpenVPN [1] which has worked flawlessly for our sites 
for eight months now using <300MHz GNU/Linux machines as VPN gateways.

It also comes with a Windows installer [2] that makes installation and 
configuration quite easy, but still requires that you know what you're 
doing. It can pass across the VPN tunnel any kind of IP traffic. SMB 
browsing etc. work fine. Plus, the community support is excellent.

> I am not sure what distro to use, or even if I should use Linux (the
> book I am reading is linux centered, but if a VPN server on BSD would
> be easier I could be easily convinced to use it, since it is a bit more
> secure than Linux, BSD people start your sales pitch, I will listen)

It doesn't really matter. Use whatever you're most comfortable with. 
OpenVPN runs on all popular platforms.

> Any other thing I might be missing.

If I may, I would suggest making sure that you understand the networking 
and security concepts behind a VPN before using it in any critical 
environment. It's very easy to have hardly more than the illusion of 
security.

> Also I plan on only having port 22 and whatever port I need for the
> VPN open on my router (right now I only have 22 open) and access to
> everything in my network will be done via the VPN.

That's a good strategy if you can afford it. The rule of least privilege 
is the mother of all rules in security, at least in my book.

-A

[0] http://www.schneier.com/pptp-faq.html
[1] http://openvpn.net/
[2] http://openvpn.se/
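The "only port 22 and the VPN port open, everything else via the tunnel" policy discussed at the end of the thread, as an added shell example; it is not part of the original post and is not OpenVPN project code. The script emits an iptables-restore ruleset that implements that policy on a Linux gateway and includes a small check that counts how many WAN-facing accept rules the ruleset actually contains. The interface names (eth0, tun0), the LAN prefix (192.168.1.0/24) and the VPN port (OpenVPN's default, 1194/udp) are assumptions; none of those values appear in the thread.

```shell
#!/bin/sh
# Added example, not from the wplug thread: build an iptables-restore
# ruleset for a VPN gateway that exposes only SSH and the VPN port on
# the WAN side. Everything on the LAN is reached through the tunnel.
#
# Assumed values (not stated in the thread): WAN interface eth0, tunnel
# interface tun0, LAN 192.168.1.0/24, OpenVPN on its default 1194/udp.
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# Print the ruleset in iptables-restore format. Nothing is applied here.
gen_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the gateway itself started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only two services reachable from the WAN
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
# Authenticated tunnel peers may talk to the gateway itself
-A INPUT -i $VPN_IF -j ACCEPT
# Tunnel peers may reach the LAN; the WAN cannot initiate anything inward
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $VPN_IF -d $LAN_NET -j ACCEPT
# Log what the default DROP policy discards so mistakes are visible
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Count the WAN-facing ACCEPT rules in a ruleset read from stdin, so an
# operator can confirm nothing beyond SSH and the VPN port is exposed.
count_wan_accepts() {
    grep -c -- "-A INPUT -i $WAN_IF .* -j ACCEPT"
}

# To apply: gen_firewall_rules | iptables-restore
# Do this from the console rather than over SSH, so a typo in the rules
# cannot lock you out of the box.
```

Review the generated text before loading it; the count check should report exactly two WAN-facing accepts, and anything higher means a service has been exposed that the thread's policy says should only be reachable through the tunnel.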