Building Linux Virtual Private Networks 104
| Building Linux Virtual Private Networks | |
| author | Brian Hatch, Oleg Kolesnikov |
| pages | 408 |
| publisher | New Riders |
| rating | 10 |
| reviewer | Richard Miller |
| ISBN | 1578702666 |
| summary | Finally, a VPN book you can use. |
Rants
I've been on the lookout for a good VPN book since I first bought the O'Reilly VPN book in 1998. Yes, that book shattered my long standing belief that O'Reilly could do no wrong. The technical descriptions of VPN technologies were flawed and confusing, and they seemed to think that the only usable VPN technologies were commercial products. They only showed you implementations via screen shots of point-and-click GUI sessions. The one potentially portable section describing PPP over SSH was practically copyright infringement from the HOWTO, but with enough errors that they could make the case they had never actually read it.
For a while the O'Reilly VPN book was the only one out there. Then a few other publishers got into the mix. Unfortunately their results were no better. I could never find a book that had both a description of the protocols that would allow you to debug problems and implementation details that weren't so vague that they could apply to the installation of my washing machine. I must have bought half a dozen VPN books, all of which were severly lacking in crucial aspects that would make them usable. I had little stickies placed in them showing me which parts were correct and helpful, and would flop between them all whenever I needed to do something, because nothing got it all right.
Now I'm not here just to flame these other books, but I must let you get an idea for how I was feeling, because only then can you understand how much happier I am now. Now I can finally throw away all those other books.
Building Linux VPNs was written by Brian Hatch (of Hacking Linux Exposed fame) and Oleg Kolesnikov, and published by the New Riders, the same guys who do the SANS publications. It's not as thick as you might expect, coming in at 408 pages, but it's remarkably dense in a good way. No wasted space for boring screen shots, instead concentrating on well tailored diagrams when needed, code listings, and command line sessions.
Overview
Part one, the first two chapters, teaches you everything you need to know about general VPN technology, and discusses all the VPN issues you're going to face: various different network topologies you could use, how to get your routing set up on both servers and clients, DNS setups, how to use VPNs with firewalls (and where they could go) and more. These are the issues that the trickiest to get right when actually setting up a VPN, and something most other VPN books leave up to the reader to figure out.
Part two discusses standard VPN protocols. The first two chapters of this section discuss creating a VPN with PPP over SSH and SSL. For those of us who have implemented PPP over SSH following the HOWTO before, you'll remember how hackish it felt. The authors have come up with a much more modular (you can have any number of VPNs easily) and secure (they teach you how to set up your SSH keys or SSL certificates securely) method, and provide you all the code to do it. Following the step-by-step instructions, you could make a PPP over (SSH/SSL) VPN in about 30 minutes. Rock on.
They then dedicate two chapters to IPSec: one for the description of the protocol itself (which definitely deserves a chapter) and then one for the implementation of FreeS/WAN. IPSec is known to be a difficult beast to ride, and they do a really great job of giving you the information needed to get it right.
The last chapter of this part covers PPTP for both server and client. I was shocked to see PPTP discussed in a Linux book, but I guess the authors say it best when they said:
"There are times when you must support PPTP, either because you are forced to connect to a server that only runs PPTP or because you need to support remote Windows machines. In either of these cases, we offer our deepest sympathies."
Part three discusses non-standard VPN protocols. In the same detailed fashion, the authors devote three chapters to alternative VPN technologies VTun, CIPE, and tinc. While these technologies do not have IETF protocol drafts, they are nonetheless well defined, and work on multiple Unix platforms.
Analysis
In this day and age of '2nd/3rd/4th Edition' it's good to see a book that really hit the nail on the head the first time. Building Linux Virtual Private Networks has all the technical information you need to understand the protocols, set up your networks, and troubleshoot, and has the implementation details to get it all done almost entirely pain free.
It's extreemly easy to read, has a consistent style and tone, and uses just the right amount of humor to keep you interested in something that could be an extreemly boring technical topic.
One nice thing is that they defined their network early in the book, and they implemented each separate VPN technology using the same network, including host names, IP addresses, etc. This consistency really pays off in clarity to the reader.
Beefs
There's a good bit of code in the book, which is a great thing. They mention throughout that you can download the code online at their website, but it doesn't seem to be there yet. Hopefully this will get rectified. (You can still get a preview, though, at the book's official website. Good to see folks who don't blindly use ".com" for everything. )
Also, a lot of the software they discuss works on *BSD, Solaris, some even on Windows. Why does every book need to include the magic 'L' word in the title nowadays?
Kudos.
You can purchase Building Linux VPNs from Fatbrain. Want to see your own review here? Just read the book review guidelines, then use Slashdot's handy submission form.
Re:Is it as good as New Riders' MySQL book? (Score:2)
I have as much respect for New Riders as I do for O'Reilly.
What's complicated about FreeSWAN? (Score:4, Interesting)
Re:What's complicated about FreeSWAN? (Score:5, Insightful)
Well, a LOT. Not if you're deeply involved technically in the project, but if you back out and take the perspective of someone who's never used a VPN, plenty.
A lot of people don't even think about the fact that there's a separate protocol field in IP, or that people run any IP protocol but UDP or TCP. Getting 50/51 through your existing firmware firewall can be a real trick. FreeSWAN requires you to be able have the GNU Multi-Precision library installed for the crypto calculations before you compile it. Unless your distro can with FreeSWAN, you have to recompile your kernel with modifications.
And, like many tools, there's no single graphical GUI; unlike SAMBA's excellent SWAT, there's nothing to lead you to ipsec.conf or ipsec.secrets. There's a LOT of reading to be done.
Ok, so, for you or me, it's easy. Maybe a day of reading tops. But compare that to the commercial world where an application must install and be configured from a GUI in a few hours, and FreeSWAN is... nearly a toy. It's unusable in a business environment. As soon as you say "compile", a CTO is going to turn down your volume.
It's cool, but don't call it uncomplicated. That's part of it's coolness (-;
Re:What's complicated about FreeSWAN? (Score:3, Insightful)
systems. I did find there was a large learning curve at the beginning, but now it takes 5 min to setup a new vpn tunnel. The systems have been extremely reliable. I've never had a problem (other than net congestion) with keeping the tunnels up. A lot of the tunnels have 80+ days of uptime. As for compiling, most modern distros include IPSec (trustix, mandrake, etc.) or there are options like Astaro. Having a CTO "turn down your volume" based on the fact that you have to compile software, doesn't say anything about the quality or reliability of the software, that's a personal decision by CTO not to use OSS. I do agree it's not point and click, and that would be nice, but to say it's unusable in a business environment is just untrue. It's not pretty but it works, and works well.
Re:What's complicated about FreeSWAN? (Score:3, Insightful)
With security software in general, and VPN software in particular, that's a very, very dangerous attitude: a GUI may fool you into thinking that you understand what's going on when in reality you haven't a clue. With most software, that's not an issue, but with security software, that can compromise the very goal you're trying to achieve.
How many days do you want to spend cleaning up after a security incident that occurred because the GUI let you get away without spending two days reading documentation? How much time will you save in the long run if every time you save two days reading documentation you spend three days cleaning up?
(We lose money on every item --- but we make it up in volume!)
Re:What's complicated about FreeSWAN? (Score:1)
First of all, a GUI interface, if it is well-designed, can provide every bit as much control over the underlying security behavior of a firewall as any command-line interface. Furthermore, a GUI allows an administrator to spend less time trying to deal with syntax, etc., and more time on building a ruleset that is secure.
Someone who has done the reading and understands how firewalls and VPN's work will appreciate a GUI because of this.
For those who don't fully understand how firewalls and VPN's work, a GUI at least provides a reasonable learning environment and early attempts at a ruleset will probably more secure anyhow.
Re:What's complicated about FreeSWAN? (Score:3, Insightful)
I never said a GUI wasn't useful to implement VPNs. Just that it was dangerous to implement them without reading the documentation, a problem that a GUI makes worse only because it tricks people into thinking they can get away without it.
IANACLB (Score:4, Interesting)
The problem with the GUI interfaces I have seen is that they really don't give you any effective conceptual support. You have to figure out the topology and requirements of your network, then you do this bit of intellectual gymnastics that turns these global requirements and properties into settings for each individual box, THEN you sit down at your GUI. At that stage, the GUI can have very little benefit, since you are talking about a half dozen relatively simple commands you need to type in. In fact, typing them in means you can keep them in a little word processor file and send them to the box over and over again with little changes -- good for setting up multiple boxes or for playing around with a single box you are repeatedly pin-resetting.
To really help a person like you who doesn't have time to bone up on every box you are working with, what you really need is something that is kind of a cross between a network management system and a CAD system. You would sketch out your network, and drop little dollops of distinctively colored "paint" on each network or host that needs to participate in some virtual network. The system would then output configurations to download to each of the participating firewalls or hosts.
A GUI that just configures and individual box does practically nothing for you.
Where to get Freeswan packages for Red Hat (Score:2)
Non-US distributions like SuSE and Debian can include Freeswan in their list of apps. US based ones like Red Hat can't. But some lovely fellows at Steambaloon [steambaloon.com] (a Linux security consulting firm - no, I work for someone else) produce source and binary packages of the original and updated Red Hat kernels (with the AC patches, extensive testing, and old 2.4 VM) with Klips, the kernel level part of ipsec, compiled in.
How stupid is the CTO? (Score:1)
Re:What's complicated about FreeSWAN? (Score:3, Interesting)
One of the things that they don't tell you how to do, i guess so they don't get asked questions, is how to put gre traffic inside of an ipsec tunnel and make it work right. Also, it seems to have slipped by that you CAN make two linux 2.4 secure gateways talk to each other over the ipsec tunnel.
I have a couple samples of some of the neat things I have done at http://lwolenczak.net/ipsec.html
Re:What's complicated about FreeSWAN? (Score:3, Interesting)
- Client behind NAT
- Left/Right side nomenclature really confuse me; they could have used "peers" or client/server, I don't know
- Recompiling kernel; easy if you have a single box, quite hard when you manage 30+. Plus it require you to commit the sin of rebooting the machine.
At work, we have choosen CIPE for Linux-Linux VPN. It is totally userland, come stock on recent RedHat version and is available as RPM; all that make it is easy to install and upgrade on a lot of machines. Plus the config file is really dumb-proof. We are stuck using PPTP for Windows-Linux VPN because that's all the Windows monkeys know about.
Re:What's complicated about FreeSWAN? (Score:1)
We use PPP over SSH for our home/office VPN for Linux and Solaris. It works very well and since it was originally a skunworks project, we didn't even have to get IT to open any new ports since SSH was already supported.
Re:What's complicated about FreeSWAN? (Score:2)
On my end I have a linux firewall with iptables.
And what I could not figure out is what to do with the packet filtering, do I need to accept traffic over 50/ip on the ipsec0 interface or the eth0 interface. Same question for the 500 udp/ip traffic.
And the other part of the network is connected to a freebsd server with racoon running. That is a completely different ipsec implementation. At least for configuring it is different.
I believe running a packet filter is quite hard if you want to do it right. You have to understand networking and just play with for a few weeks just to understand it.
If anyone would tell me he has a secure packet filter running, but cannot explain how it works, I just cannot believe it. You just have to know what you are doing.
Same with ipsec.
Ipsec is not only networking, but also crypto.
So there is more you need to know about it, and it adds extra complexity to firewalling.
Re:What's complicated about FreeSWAN? (Score:1)
According to the FreeSwan folks, no firewalling NEEDS to be done on the ipsec0 interfaces, as all packets coming through this tunnel are already being disassembled and "cleaned-up" by freeswan itself.
Re:why? (Score:2, Insightful)
Re:why? (Score:2)
Now ssh without ppp on top supports only TCP tunnels, I'll assume that is what you are talking about. A statement that says you need to use IP, but you only get TCP sounds really goofy, since TCP rides on top of IP, phrasing it with the protocols you need (i.e. udp, icmp, etc) would have made the post more sensible (that and omitting ppp...). If I heard someone make the statement you just made I wouldn't trust them with firewall configuration either...
Re:why? (Score:2)
Are you saying that ICMP, or UDP, traffic is unable to utilize this tunnel?
That is certainly not correct. Just as PPP carries all of your IP traffic (any protocol) between your home and your ISP, a PPP over SSH tunnel will also carry whatever you need it to.
Re:why? (Score:2)
I have configured a VPN with the help of a HOW-TO page and it worked. B
ut when you want to do larger setup's in the "real" world. All kinds of questions comes and demands comes to mind and it's nice to be on top of things and be able to say from the first meeting, what is possible and what is not.
VPN hardware (Score:1, Troll)
This book may make it easier to build a VPN, but it's kind of obsolete, now that the Linksys VPN router [linksys.com] has been released, making it a matter of plugging in and turning on. Of course, if you have plenty of free time, but very little money, you might go for the book instead.
Re:VPN hardware (Score:2, Interesting)
Re:VPN hardware (Score:1)
What's wrong with PPTP? (Score:4, Interesting)
So, what's wrong with it then? Well, the security of PPTP apparently depends on the password. A German student [uni-freiburg.de] has written software which can crack the password in a couple of hours on a Pentium II.
c't (Heise) [heise.de] reported about this.
Re:What's wrong with PPTP? (Score:2, Informative)
Re:What's wrong with PPTP? (Score:3, Interesting)
Secondly, a lot of older hardware has little to no support for the GRE protocol that PPTP depends on. Thus many people simply can't use it.
Thirdly, it's virtually impossible to get two people connecting to the same VPN behind the same NAT network on any hardware. The nature of GRE makes it very difficult since it has no concept of port to diffentiate between packets, only source and destination IP. Unfortunately, NAT is very common these days so this really does matter.
Re:What's wrong with PPTP? (Score:3, Informative)
Wrong: Win2K IPSEC uses L2TP for tunneling (Score:1)
Windows 2000/XP's support for IPSEC is limited to transport mode. Tunnelling is handled by Cisco's Layer 2 Tunnelling Protocol (L2TP). Unless FreeS/WAN and KAME now support L2TP, IPSEC VPNs using Windows-native clients are limited to routable IP addresses all the way around.
Now NAT is evil---ask my friends, I rant about it all the time---but in the real world, one must be able to tunnel VPN traffic at least in one direction (into the company). Without support for L2TP in FreeS/WAN or commercial IPSEC clients in Windows, one cannot currently do this.
Please, I beg you, prove me wrong. I've been struggling to get Windows IPSEC working with KAME for some time now. And my copy of Cisco's Unity VPN client doesn't work on XP.
Re:Wrong: Win2K IPSEC uses L2TP for tunneling (Score:2)
http://www.marko.net/l2tp/
A bit dated, but reportedly still functional...
Now as far as getting connectivity to Cisco with Windows with tunneling, I have no idea, never tried...
Re:What's wrong with PPTP? (Score:2)
Excellent - do you have any documentation on how to do this?
Re:What's wrong with PPTP? (Score:2)
contains some links, right now the tripod exceeded bandwidth, and that is the one with Windows interop. instructions, but I have seen it and it looks pretty solid.
Re:What's wrong with PPTP? (Score:2, Informative)
For all of this you have to patch the code [freeswan.org] to use the newer ciphers. You can get that here [irrigacion.gov.ar] and if you need to use x509 certs you can get that stuff here [strongsec.com]. This is all pretty easy if you have you druthers about compiling new kernels and working with OpenSSL.
Why this isn't in the kernel to begin with is anybody's guess. I would guess that it has something to do with all those pesky crypto export laws. Just like everything else in the ol US of A we have to sacrifice our freedoms so that we can be safe from the KGB and that one guy from Hackers [imdb.com].
Its damn slow (Score:1)
Most were of course higher level execs so their complaining actually mattered.
PGPnet (Score:3, Informative)
wireless PPTP == readable password file (Score:1)
Problem is getting Management to go along (Score:2, Interesting)
Having a book like this one [amazon.com] is great if you want to familiarize yourself with the standards and how to implement them on Linux, but the much harder task is getting Management, particularly at larger companies, to see the benefit of implementing a standards based VPN where the users can use any standards based client over any TCP/IP network.
Instead what I see is managers that want to buy a single product that comes with both the server and client applications, but then doesn't work or is hard to implement when the clients are trying to access the VPN from a cablemodem, DSL, or 802.11 connected machine, and don't (God forbid) want to use MSIE and Citrix on Windows to get onto the office network.
Can't beat SSH (Score:2, Insightful)
LocalForward 8080 theproxy:8080
LocalForward 25 thesmtp:25
LocalForward 143 theimap:143
Don't forget your '-g' =)
SSH != VPN. That's a good thing. (Score:1)
As a side note, if you use '-g', make sure you have iptables/ipchains/hosts.{allow|deny} rulesets enabled to make sure that only authorized machines can use the gateway. Otherwise anyone in the world can use your encrypted tunnel.
Re:SSH != VPN. That's a good thing. (Score:2)
This is an EXCELLENT POINT that CANNOT BE OVEREMPHASIZED.
I recently had to set up tunnels to allow a set of NAT'd workstations (laptops runnin a mix of Linux and W2K) access a system on the inside of a remote firewall where SSH was the only available securable protocol. We needed to use the "-g" switch, and the need for filtering access was immediately apparent.
We ended up using a set of scripts to build the tunnel, including the necessary iptables rules.
As an aside, I'd check if hosts.allow|deny rules are sufficient - I think the ssh tunnel would make all connections appear to be coming from the host running the tunnel. (Can't check for myself right now)
The main problem with IPSEC... (Score:5, Insightful)
Now if you don't have a firewall protectecting the network, this won't hurt, but if you do, then a solution like ssh is somewhat more secure, as you only set up the tunnels you absolutely need to very specific hosts. While there is still a risk, it is greatly reduced and strikes a good balance between usability and security.
What IPSEC *is* good for is seamlessly connecting sites together without really expensive dedicated lines securely. While it makes no guarantee as to bandwidht or availability, it does provide almost the same level of security. If a company can't afford lines to sites but still wants to expand, IPSEC is ideal. I use it to connect my home private network to a friends home private network. The key here is that not only do you have to trust the clients whose keys you permit to connect, but you must also trust that the administrator of that client machine or network is sufficiently competent to keep his network secure, as the security of the two networks is tied a lot more closely together...
Re:The main problem with IPSEC... (Score:1, Informative)
-m
Re:The main problem with IPSEC... (Score:2)
Well, but that doesn't prevent the telecommuter's computer to become compromised with some background logging software that'll collect information when connected to the company network, and send it to the attacker when connected to the internet.
Of course, using an SSH tunnel also doesn't solve that problem.
The only real option is to assign IPs from a different subnet to the telecummters' home computers, and having a firewall between that subnet and the rest of the company network that'll not allow access to certain ressources that are especially critical. And, of course, the telecommuters must be educated about the security issues.
Re:The main problem with IPSEC... (Score:2, Informative)
As far as I'm concerned, a bigger threat is the road warrior laptop not having adequate virus protection. (VP of Sales does insist on Windows, doesn't he?) Desktops behind the firewall presumably have multiple layers of protection in front of them, the road warrior, maybe not.
Re:The main problem with IPSEC... (Score:2)
Agreed. Especially trojans. So, how does one secure the terminal? Boot from Read Only media? Use a thin client?
Re:The main problem with IPSEC... (Score:2)
Re:The main problem with IPSEC... (Score:2)
Re:The main problem with IPSEC... (Score:2)
The bottom line is, VPNs make it possible to do things in business that aren't cost-effective any other way, and businesses are there to make money, not to be secure. It's a trade-off, and if the return outweighs the risk, it's worth the risk.
Re:The main problem with IPSEC... (Score:1)
Don't you have the same exact problem with desktop machines on the LAN, inside the firewall? Seems to me that VPN-though-a-firewall doesn't introduce any vulnerabilities that you don't already have.
Re:The main problem with IPSEC... (Score:1)
Ha hah hah ha! That's a good one.
Seriously, it must be nice to work at a place where they haven't heard of "Active Content" and no one uses products like Microsoft Word or Microsoft Outlook. :-)
Re:The main problem with IPSEC... (Score:2)
Re:The main problem with IPSEC... (Score:1)
--audiowhore
Re:The main problem with IPSEC... (Score:2)
CIPE - a better solution. (Score:3, Informative)
It's a better solution [sites.inka.de] because it doesnt run TCP over TCP, which can give a problem, when retransmission occurs. With the right ammount of bad luck, you can have double retransmission where both layers of TCP retransmit. CIPE runs completely over UDP to avoid this problem.
JonB
Re:CIPE - a better solution. (Score:2, Insightful)
Further more it works with non-static ip address. Obviously one end needs to know the ip of the other end, but thats all which is needed.
JonB
Re:CIPE - a better solution. (Score:1)
Junta already posted a valid response to this statement.
Further more it works with non-static ip address. Obviously one end needs to know the ip of the other end, but thats all which is needed.
FreeS/WAN works great with non-static IP addresses.
For example:
conn netnet
...
left=theirhost.dyn.dhs.org
leftid=@theirhost.dyn.dhs.org
leftsubnet=10.1.1.0/24
right=%defaultroute
rightid=@myhost.dyn.dhs.org
rightsubnet=10.1.2.0/24
leftrsasigkey=....
rightrsasigkey=....
authby=rsasig
auto=start
And in ipsec.secrets:
@myhost.dyn.dhs.org : RSA {
}
I have been using a similar configuration since the release of FreeS/WAN v1.5.
Re:CIPE - a better solution. (Score:2, Informative)
IPSEC also does not run TCP over TCP, it uses udp for isakmp, and data is transmitted through custom protocols (numbers 50 and/or 51), *not* through TCP.
Another thing about IPSEC that works better than CIPE is that IPSEC more strongly authenticates the machine at the other end. This is why NAT breaks, because unlike CIPE, IPSEC works to ensure the packet has passed unmodified since leaving a known trusted host, and the very nature of NAT prevents this. Solution is simple, move the IPSEC gateway to either the NAT system or beyond. Though it is being pushed in many circles as a good solution for telecommuting, it really was never designed for that and that usage really spits in the face of firewalls.
Finally, CIPE lacks compatibility. Sure you can configure windows and linux boxes and maybe other platforms, but just try to connect to, say a CISCO router....
CIPE is a hack that creates more problems than it solves in the long run. PPP over ssh is worse, but a dumb idea, set up tunnels for specific tcp services that you need, more overhead, but security is better (not perfect, but better). For connecting networks together, a good architect can piece together an IPSEC solution that guarantees identity at other end of the pipe... CIPE offers the gaping whole that IPSEC can while not offering enough identification. So ssh or IPSEC remains the best solution, depending on the problem.
Duh, we cover cIPe in the book. (Score:2, Informative)
Answer? (Score:3, Funny)
Because they have a better chance of getting posted to the Slashdot homepage?
Re:Answer? (Score:1)
Crossplatform aspect? (Score:2, Interesting)
For example, I couldn't find a free IPSEC client for Windows.
Any new hints from this book?
Thanks in advance.
egghat.
Re:Crossplatform aspect? (Score:3, Informative)
PGPnet- commercial and free versions. Free version doesn't do complicated routing stuff
Windows 2000 and newer have built in IPSEC capabilities.
Both these methods can interact with CISCO, OpenBSD, and FreeS/WAN.
IPSEC is the best shot you have at a cross-platform standard.
Re:Crossplatform aspect? (Score:1)
What about the Macs?
Re:Crossplatform aspect? (Score:1)
We discuss PPTP s.t. you can communicate with PPTP-only Windows clients. You can run IPSec software on more recent versions of Windows, however describing how to do so would probably increase the size of the book by several hundred pages, not counting the fact that we'd have lost some serious sanity in the process.
So when cross platform == unix-like systems, this book does it for you. When cross platform == non unix, you're on your own.
Semi-OT: any ISPs that route a VPN connection? (Score:1)
Anyone know of any ISPs (preferably outside USA) that will route stuff coming from a VPN (or any other type of encrypted tunnel) to The Internet? (i.e. from The Internet's point of view, it would be like I was a local user of that ISP, even though I'm physically somewhere else.) Doesn't have to be free beer.
Re:Semi-OT: any ISPs that route a VPN connection? (Score:2)
Why would you want to do that? Not only will it slow down your network connection, but I suspect that it should be fairly easy to do traffic analysis to determine which traffic was yours in the first place, even at a busy ISP...
Has anybody used isakmpd on Linux (Score:2)
I really need to use aggressive mode but the patches for freeswan are ancient/unmaintained.
A pointer would be greatly appreciated.
ssh + ppp = vpn (Score:1)
You have to setup ssh correctly with rsa keys before it will work. You also have to download pty-redir. See the VPN mini how-to for more details.
#!/bin/bash
REMOTE_HOST=$1
REMOTE_IP=$2
LOCAL_IP=$3
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] ; then
echo "usage ssh-vpn "
exit 1
fi
# this file holds the slave pty that the local pppd needs
tmpfile=/tmp/tmp$$
# start remote pppd
/usr/local/bin/pty-redir
# give the remote pppd process a little time to send its first connect request
sleep 5
#start local pppd
/usr/sbin/pppd $(cat $tmpfile) passive
# remove file that held the slave pty file name
sleep 5
rm $tmpfile
The pty-redir hack is dead. (Score:1)
The ppp over (ssh/ssl) stuff in the book is much more complete, allowing you to make more than one connection, doesn't rely on best-guess 'sleep X' timeouts, and walks you through setting up ssh securely s.t. it can only be used to create the VPN, and doesn't require logging in as root from either endpoint.
Re:The pty-redir hack is dead. (Score:1)
You are correct, of course, about the flaws of my scheme, but you'd be amazed how well it works for my purposes. I work from home and need to get access to my work machines through the firewall.
USing my 128k DSL connection to the net, I can do a lot this way, including using VNC acceptably.
I wouldn't recommend it for any production environment, but for simple things it more than fits the bill.
Re:ssh + ppp = vpn (Score:1)
http://www.hopelesscase.com/pty-redir.tgz
I had to modify it to get it to work so in the interests of saving time, I'm posting it here.
Re:ssh + ppp = vpn (Score:4, Informative)
TCP over IP over ppp over ssh over TCP over IP, etc...
Note the fact that we have TCP over TCP, which is bad, very very bad. If a packet gets lost, we have two layers doing the same thing to restore a connection and things can get stalled out quickly....
ssh's built in tcp tunneling suffices for most remote access applications. For a true VPN, IPSEC is the only good way to go. Other things like CIPE certainly work better than ppp aver ssh, but still lack in certain features things that IPSEC does. Then again, if you have to build a VPN where you need to modify packets in transit (i.e. NAT), CIPE is a viable alternative if you don't mind that packets could be mangled by more than just the NAT gateways and CIPE wouldn't care, but I personally want to ensure the highest security with IPSEC...
Re:ssh + ppp = vpn (Score:1)
IPSec would be better but I would have a lot to learn and experiment with before I could use it. The ssh+ppp solution is much easier.
Right in time. (Score:2)
So I looked at amazon also thinking that I could not go wrong with a book from O'Reilly, but after looking at the few stars it got I had been looking at this book and the one from RSA. Well, that does it. I'm getting this one.
Re:Right in time. (Score:2)
Books cost $$$. (Score:1)
vtun (Score:1)
i especially like the compression! i could copy a zip file from my computer to the server at the other end and the transfer rate was consistent with the bandwidth cap of my cable modem. but transferring something like an access database was a lot faster (access dbs can usually be compressed quite a bit). basically no point to zipping before transfer as it happens automatically.
vtun has quite a few options and methods of transport and i'd highly recommend it!
-- Joel
Why FATBRAIN? (Score:1)
They are always cheaper for the techy books. I wish they would give me a cut for all the times I have sent people there. Now they will get