LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 07-09-2007, 12:13 PM   #1
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Rep: Reputation: 15
How to set up a VPN for roaming users on Internet?


Suppose some employee is on business trip and is now sitting in a internet cafe, he wants to access some resource in his company's head quarter's intranet. It is desired to have a secured connection, so, I guess VPN should be a good fit for this scenario. Anyone has thoughts about how to set up such a VPN? Suppose the employee has his own laptop for this connection since we can never expect any machine in the internet cafe for some fancy use. But the employee can plug his machine into a local area network either through a wired line or a wireless access point. In either way, his laptop will act as a DHCP client.

Thanks!

Last edited by licht; 07-09-2007 at 12:20 PM.
 
Old 07-09-2007, 12:58 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 328Reputation: 328Reputation: 328Reputation: 328
While VPNs are necessary if the resources to be accessed are via a UDP-based protocol, ssh is all you need for TCP-based services.
 
Old 07-09-2007, 01:31 PM   #3
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Thanks.

But the issues are: first, normal users feel uncomfortable with command-line tools s.a. ssh or scp, etc. second, there may exist some applications for accessing some intranet resource but they are supposed to work in an intranet and thus just provide no encryption and weak authentication, etc; third, vpn seems to be more secure.

So, if suppose we have to provide such a configuration, how to implement it or just no way?
 
Old 07-09-2007, 01:55 PM   #4
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 328Reputation: 328Reputation: 328Reputation: 328
Some comments:

- Ssh tunnels can be implemented as a GUI with no command-line "terminal" for end-users. I've done this several times. SSh tunnels are an implementation of an ad-hoc VPN.

- The primary purpose of ssh is to provide secure encrypted communications - it will use many of the same ciphers as traditional VPN software (I recommend blowfish). The level of security with ssh is equal to or greater than traditional VPNs.

- Ssh is more flexible for end users. A common request is to use local networked printers (at home), while securely connected to corporate resources. This is difficult/impossible with traditional VPNs, but trivial with ssh.

- Traditional VPNs typically require a greater (dedicated) resource requirement on the server side. Since ssh is ad-hoc by nature, you need only allocate 2MB RAM per concurrent session + network bandwidth.

- Traditional VPNs are very useful for "nailed-up" communications between systems communicating over insecure facilities. I find them less useful for ad-hoc operation by end-users. You might also find stunnel useful in addition to or in place of ssh.

If you are looking at VPNs anyway, contact your network provider (e.g. Cisco). They will set you up with the hardware/software you need to do it right. If you'd like to set it up yourself, take a look at OpenVPN.
 
Old 07-09-2007, 02:22 PM   #5
New2Linux2
Member
 
Registered: Jan 2004
Location: Arizona
Distribution: Debian
Posts: 147

Rep: Reputation: 43
I agree fully with macemoneta. I had to setup a separate VPN server for my users to access the network resources remotely. I prefer to use ssh myself because it is just as if not more secure than VPN without the need of a dedicated server.

The server I setup is a Debian 4.0 stable box with PopTop for PPTP VPN and ShoreWall for configuring the firewall (iptables). There are several VPN solutions available. Do your reading and pick one that suites your needs.
 
Old 07-09-2007, 03:15 PM   #6
karpi
Member
 
Registered: Oct 2005
Location: Germany
Distribution: Suse
Posts: 134

Rep: Reputation: 15
Hello,

I would use a dedicated VPN-Server.
I use "OPENVPN". It is available for all major Platforms
either as Server or Client.
Your Users just need to start the Client-Software and use
all resources in your network.
(Connect to Network drives, access their mails etc)

All Communication between Server and Client is encrypted.

Setting up the VPN-Server is straightforward and well documented.
The Port for the Server shows as closed.
You can use many types of Authorization-Methods.
Any other network service needs Authorization.

Using a VPN your users don't need to change their habits.

More Info http://www.openvpn.org

HTH
 
Old 07-09-2007, 03:29 PM   #7
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by macemoneta
Some comments:

- Ssh tunnels can be implemented as a GUI with no command-line "terminal" for end-users. I've done this several times. SSh tunnels are an implementation of an ad-hoc VPN.

...
Did you mean there is some GUI-based SSH client software? Could you please give some more hints as well? Thanks!

This is a list of some tasks that may be performed by a remote user:

- use the LAN printer
- access some shared network folders on some file servers
- access some web-based applications, which only allow local access; in other words, these are supposed to be internal services.

So, can GUI-like SSH fulfill the above requirements?

I think the first two should be OK. But what about the 3rd one?

I would agree that the network can be configured such that the servers running these services can be accessible to the Internet as well. But they have a local access nature.

In addition, common practice (?) is to group public servers (accessible to Internet) together and separate from internal servers (invisible to internet). So, these web-applications have to be accessed from a private network address server. I am not familiar with networking configuration. So, above is just my thoughts. Any comments about this?

Thanks!

Last edited by licht; 07-09-2007 at 03:59 PM.
 
Old 07-09-2007, 03:33 PM   #8
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by New2Linux2
I agree fully with macemoneta. I had to setup a separate VPN server for my users to access the network resources remotely. I prefer to use ssh myself because it is just as if not more secure than VPN without the need of a dedicated server.

The server I setup is a Debian 4.0 stable box with PopTop for PPTP VPN and ShoreWall for configuring the firewall (iptables). There are several VPN solutions available. Do your reading and pick one that suites your needs.
This seems something that I originally considered. But the trick behind this puzzles me. Consider that the remote user will have an arbitrary private IP address (either the same network address as his company intranet or not), how server-side knows how to handle this incoming connection request and what client-side software has to be configured?

Thanks!

Last edited by licht; 07-09-2007 at 03:37 PM.
 
Old 07-09-2007, 03:46 PM   #9
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by karpi
Hello,

I would use a dedicated VPN-Server.
I use "OPENVPN". It is available for all major Platforms
either as Server or Client.
Your Users just need to start the Client-Software and use
all resources in your network.
(Connect to Network drives, access their mails etc)...
This sounds positive to me

I've heard a lot of OpenVPN recently but not aware of all its power. So, can it be used in the scenario that mentioned in here? Suppose the intranet resource that the user wants to use (either locally or remotely) is "sth" (could be a printer or a private web-application).

- when the user plugs his laptop in his office (intranet), the openvan will not create tunnel or encrypt the connection to "sth". (OR will it?)

- when the user accesses "sth" from internet through a wireless network in the airport, the access will be a VPN connection from the user's laptop to the destination of "sth".

Could you please give some hints on both server-side and client side set-up?

Thanks!
 
Old 07-09-2007, 03:46 PM   #10
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 328Reputation: 328Reputation: 328Reputation: 328
Quote:
So, can GUI-like SSH fulfill the above requirements?
If the service is TCP-based, as all that you have listed are, ssh can provide the VPN functionality. Familiarize yourself with the broad functionality that ssh provides. A user simply clicks on a desktop icon, responds with a passphrase, and all services are available to them. From their perspective, it is as simple to use as a commercial VPN client. As the administrator, your job is to write the 5 or 6 line script that provides access via ssh (but if that's a challenge, don't look at OpenVPN).
 
Old 07-09-2007, 04:14 PM   #11
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by macemoneta
If the service is TCP-based, as all that you have listed are, ssh can provide the VPN functionality. Familiarize yourself with the broad functionality that ssh provides. A user simply clicks on a desktop icon, responds with a passphrase, and all services are available to them. From their perspective, it is as simple to use as a commercial VPN client. As the administrator, your job is to write the 5 or 6 line script that provides access via ssh (but if that's a challenge, don't look at OpenVPN).
That's great! Thanks a lot for your quick and big help!

I will definitely read on openssh for more detail. But to get a quick education, could you please give a little more hints how a remote client can access private web server from his laptop's firefox in the airport?

Thanks, thanks!
 
Old 07-09-2007, 04:52 PM   #12
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 328Reputation: 328Reputation: 328Reputation: 328
For example, let's say that the internal web server listens internally (on the intranet) on port 8000. Your client setup would:

ssh -L 80:server.com:8000 user@host

To get access to the internal (intranet) server, your user would then browse to "http://localhost" (or whatever alias you define). This works because the ssh command above defines port 80 (the default web port) on the local host as connecting to port 8000 on server.com. This is of course only one of thousands of possible configurations.

You can specify many ports at the same time in the setup (or in the client's ssh configuration file), forwarding any services to your internal servers. Those ports which are not forwarded, remain locally accessible (for example port 631, for ipp network printing).

There are network cost savings as well. If your client is connecting at a WiFi hot spot, connecting to a non-internal service (like http://google.com) is routed to the internet as usual. A traditional VPN would send that traffic to your internal servers and over your corporate internet connection. As many corporations pay for internet service by the amount of data transfer, you would pay twice for traditional VPN traffic (but not for intelligently routed ssh traffic).

As you can see, there is a great deal of flexibility to you as an administrator. Your clients don't care. They just use their services/bookmarks as usual.

Last edited by macemoneta; 07-09-2007 at 04:54 PM.
 
Old 07-09-2007, 05:35 PM   #13
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by macemoneta
For example, let's say that the internal web server listens internally (on the intranet) on port 8000. Your client setup would:

ssh -L 80:server.com:8000 user@host
Thank you so much for your example and explanation.

So, basically, this is somewhat port forwarding for any access to a local port. For any internal service behind firewall (sshd server) to be accessed remotely, we create this tunneling on user's local machine and access the service as if it is hosted locally (localhost). This is to pretend that we have a web server, smtp server, imap server, ftp server, etc.

To me, this is to say that any tcp-based service can be thus tunneled. So, most intranet resources can be securely accessed from internet, including ftp, email, web, etc. What about printing?
 
Old 07-09-2007, 05:57 PM   #14
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 328Reputation: 328Reputation: 328Reputation: 328
Yes, it appears the forwarded services are local, but you can fix that by appending entries to the hosts file while ssh is running. For example:

Code:
#------------------
# Start the tunnels
#------------------
ssh -f -L 123:server:321 -L ... user@host sleep 7200
sshPID=$!

#---------------------------------------------------
# User will be connecting to www.corporateserver.com
#---------------------------------------------------
cp -a /etc/hosts /etc/hosts.backup
echo '127.0.0.1 www.corporateserver.com' >> /etc/hosts

#---------------------------------
# Wait for the connection to close
#---------------------------------
wait $sshPID

#-----------------------
# Restore the hosts file
#-----------------------
cp -a /etc/host.backup /etc/hosts
If you want to use corporate printers instead of local printers, just specify port 631 (for ipp, like CUPS or Windows Internet printing), port 515 for lpr used by common print servers, and/or the SMB/CIFS ports 137,138,139,445 for Windows file sharing (including printers).
 
Old 07-09-2007, 06:26 PM   #15
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by macemoneta
Yes, it appears the forwarded services are local, but you can fix that by appending entries to the hosts file while ssh is running...
Now I see why ssh tunneling is a flexible solution in many scenarios that otherwise require a VPN implementation.

But it still has its limitation due to its port forwarding scheme I think. For example, it is not always predictable what tcp ports will be used by a new service and you have to define port forwarding explicitly for each such service on a client's machine. In such scenario, we simply create a VPN to secure all the traffic w/o worrying about which service should be tunneled and which not or distinguishing local service from forwarded ones...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to set up iperf for roaming test??? wahaha Linux - Networking 0 03-15-2007 11:25 AM
cannot update roaming profile on samba pdc via vpn thesillyspider Linux - Networking 0 11-02-2006 02:49 AM
VPN and roaming user threats fes Linux - Networking 2 05-14-2004 05:26 PM
Roaming users on RH BarryT Linux - Networking 3 03-11-2004 05:58 AM
Sendmail for roaming users clintonm9 Linux - Software 1 06-24-2003 01:16 AM


All times are GMT -5. The time now is 09:37 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration