LinuxQuestions.org

Debian forum thread: https://www.linuxquestions.org/questions/debian-26/vpn-advice-newbie-345116/

wally42 07-20-2005 03:44 PM

VPN Advice - newbie
 
Loving Linux and learning.

I have a LAN. All running Windoze machines. File serving, firewall, gateway, backups are all Debian boxes, running sarge. I have the need to set up a VPN for a working-at-home employee running Windoze XP (possibly 2K, not sure yet).
I have done a lot of searching on the net and found a daunting amount of material and possible apps to implement. (I currently have 10 tabs open in Firefox.)

My specific need is to have the home user be able to access the Samba share on my file server. Ultimately printing would be nice, but not yet.

I need a little guidance and direction. If someone could be so kind as to push me off in the right direction it would be greatly appreciated.

Thanks

Paul

bdp 07-20-2005 10:40 PM

I'd say hands down OpenVPN. I'd send my home-cooked howto to get it working, but for Debian it's as easy as

apt-get install openvpn

Works great in Windows and Linux; I have had a company box running as an OpenVPN server with 20 Windows OpenVPN clients for 6 months with 0 problems. Persistent tunnels with Samba, NFS, etc. have all been bombproof so far.

Also note, since OpenVPN uses SSL, you can forward it to boxes behind your router if you use NAT, which I wasn't able to do with IPsec. This is also useful for clients that sit behind NAT at home.

I think you'll find OpenVPN very satisfying.

cheers, -bp

wally42 07-21-2005 11:41 AM

Quote:

Originally posted by bdp
I'd say hands down OpenVPN. I'd send my home-cooked howto to get it working, but for Debian it's as easy as

apt-get install openvpn

Works great in Windows and Linux; I have had a company box running as an OpenVPN server with 20 Windows OpenVPN clients for 6 months with 0 problems. Persistent tunnels with Samba, NFS, etc. have all been bombproof so far.

Also note, since OpenVPN uses SSL, you can forward it to boxes behind your router if you use NAT, which I wasn't able to do with IPsec. This is also useful for clients that sit behind NAT at home.

I think you'll find OpenVPN very satisfying.

cheers, -bp

Okay, so I can handle the apt-get install of OpenVPN. What do I need to do to the Windows box? I have a firewall machine and the Samba server is behind that (separate machine). I have read a little about IPsec; I can probably weed my way through it. I am a quick study at this stuff, but a little lazy; I like to get to the root of things quickly. If you have a home-cooked howto that would be great. And I really like "bombproof" solutions.

thanks,
Paul

bdp 07-22-2005 01:18 AM

home-cooked step-by-step to get OpenVPN working
 
This is what I do; let me know if it isn't clear. You can ignore my routing update batch file, but I'll leave it in as a demo. Try to ping 10.0.10.1 from 10.0.10.2 and vice versa to test.

cheers, -bp



OpenVPN setup

SERVER SIDE:
set up openvpn-2.0_rc6 as follows:

First load LZO code:
cd /usr/local && tar -xzvf lzo-1.08.tar.gz
cd /usr/local/lzo-1.08
./configure
make
make check
make test (takes a while; wait for "all tests passed. Now you are ready to install LZO")
make install

Now set up OpenVPN on the Linux server (2.4.25 kernel was used for this test):
cd /usr/local && tar -xzvf openvpn-2.0_rc6.tar.gz
cd /usr/local/openvpn-2.0_rc6
./configure
make
make install
now test cryptography:
openvpn --genkey --secret keyname.txt
openvpn --test-crypto --secret keyname.txt
above tests should produce no errors.
now test SSL/TLS negotiation (execute each command in a different window at the same time, from the source directory so the sample config paths resolve):
(window 1) openvpn --config sample-config-files/loopback-client
(window 2) openvpn --config sample-config-files/loopback-server
above tests should establish a connection between client and server in the 2 windows
ensure the tun device is present in /dev/net:
look for /dev/net/tun
also, "locate if_tun.h" should produce /usr/src/linux-2.4.25/include/linux/if_tun.h
if there is no /dev/net/tun but you can locate if_tun.h, do: mknod /dev/net/tun c 10 200

Now setup the server:

make a static key:
mkdir /usr/local/openvpn-2.0_rc6/CONFIG_FILES
openvpn --genkey --secret /usr/local/openvpn-2.0_rc6/CONFIG_FILES/vpn_key_server1.txt

config file /usr/local/openvpn-2.0_rc6/CONFIG_FILES/start_vpn_server1
<---------
#!/bin/bash
openvpn --verb 5 --lport 5000 --config /usr/local/openvpn-2.0_rc6/CONFIG_FILES/vpn_config_server1
<---------

config file /usr/local/openvpn-2.0_rc6/CONFIG_FILES/vpn_config_server1
<---------
# USING PRESHARED KEYS
dev tun
# remote 192.168.10.2
ifconfig 10.0.10.1 10.0.10.2
# 10.0.10.1 is server ; 10.0.10.2 is remote vpn client
# tun-mtu 1500
secret /usr/local/openvpn-2.0_rc6/CONFIG_FILES/vpn_key_server1.txt
<---------

set up routing on the server; add the following to /etc/rc.d/rc.local
(note: this server is assumed to sit behind a frontend firewall)
Also run these commands at the command line if you want to run the VPN server before rebooting the box to call rc.local.
<---------
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables --append FORWARD -i tun0 -j ACCEPT
<---------

Now start the server:
chmod 700 /usr/local/openvpn-2.0_rc6/CONFIG_FILES/start_vpn_server1
/usr/local/openvpn-2.0_rc6/CONFIG_FILES/start_vpn_server1 &

CLIENT SIDE:
Now set up a Windows client:
install openvpn-2.0_rc6-install.exe on the Windows box (win2k SP0 used here) with all default settings.
reboot
in a new folder somewhere titled VPN_CONNECT on the Windows box, add the following:
vpn_key_server1.txt

config file somewhere/VPN_CONNECT/vpn_go_server1.bat
note: add --redirect-gateway if you want the VPN server to be the default gateway for the Windows client
<---------
openvpn --verb 5 --remote vpnserver.ip.or.dns.name 5000 --dev tun --ifconfig 10.0.10.2 10.0.10.1 --secret vpn_key_server1.txt
<---------

config file somewhere/VPN_CONNECT/vpn_update_routing_server1
<---------
route add 192.168.0.36 MASK 255.255.255.255 10.0.10.1 METRIC 1
route add 192.168.0.7 MASK 255.255.255.255 10.0.10.1 METRIC 1
ping 192.168.0.7
pause
<---------

TRY THE TUNNEL:
double-click on somewhere/VPN_CONNECT/vpn_go_server1.bat
you should see the connection establish in ~10 seconds
update the routing tables:
double-click on the config file somewhere/VPN_CONNECT/vpn_update_routing_server1

VPN should be up.

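As an added example (not code from bdp's howto or from the OpenVPN project), here is a small Python helper that writes the two halves of a static-key config like the one above and checks the two things that most often go wrong with it: the client's ifconfig line must be the mirror image of the server's, and the secret file, which is the only thing authenticating the tunnel since static-key mode has no certificates, must exist, be readable only by its owner, and carry the header that openvpn --genkey writes. The 10.0.10.x addresses and port 5000 follow the post; vpn.example.com, the temp-file names and the fake key body in demo() are constructed for illustration. One caveat a practitioner would want: a static-key tunnel is point-to-point, so one server instance (one port) serves one client, and the same key file should not be handed to several home users against a single server process.

```python
"""Build and sanity-check an OpenVPN static-key (pre-shared secret)
server/client config pair like the one in the post above.

Added example, not from the original thread. The 10.0.10.x tunnel
addresses and port 5000 follow the post; vpn.example.com and the
file names used in demo() are assumptions for illustration."""

import os
import re
import stat
import tempfile

# Directives that must agree between the two ends of a static-key tunnel.
_IFCONFIG_RE = re.compile(r"^\s*ifconfig\s+(\S+)\s+(\S+)", re.M)
_PORT_RE = re.compile(r"^\s*(?:lport|port)\s+(\d+)", re.M)
_REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?", re.M)
KEY_HEADER = "-----BEGIN OpenVPN Static key V1-----"


def server_config(local_ip, peer_ip, key_path, port=5000):
    """Server end: listens on `port`; tunnel endpoints local_ip <-> peer_ip."""
    return ("dev tun\n"
            f"lport {port}\n"
            f"ifconfig {local_ip} {peer_ip}\n"
            f"secret {key_path}\n")


def client_config(server_host, server_ip, local_ip, key_path, port=5000):
    """Client end: its ifconfig line is the mirror image of the server's."""
    return ("dev tun\n"
            f"remote {server_host} {port}\n"
            f"ifconfig {local_ip} {server_ip}\n"
            f"secret {key_path}\n")


def check_pair(server_text, client_text):
    """Return a list of inconsistencies; an empty list means the pair matches."""
    problems = []
    s = _IFCONFIG_RE.search(server_text)
    c = _IFCONFIG_RE.search(client_text)
    if not s or not c:
        return ["ifconfig missing on one side"]
    # Server 'ifconfig A B' must be answered by client 'ifconfig B A'.
    if (s.group(1), s.group(2)) != (c.group(2), c.group(1)):
        problems.append("ifconfig endpoints are not mirror images")
    sp = _PORT_RE.search(server_text)
    cr = _REMOTE_RE.search(client_text)
    if sp and cr and cr.group(2) and sp.group(1) != cr.group(2):
        problems.append("client remote port differs from server lport")
    return problems


def check_key_file(path):
    """The static key is the whole trust anchor: it must exist, be readable
    only by its owner, and carry the header 'openvpn --genkey' writes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"key file {path} not found"]
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is group/world accessible; chmod 600 it")
    with open(path) as f:
        if KEY_HEADER not in f.read():
            problems.append("key file lacks the OpenVPN static key header")
    return problems


def demo():
    """Constructed fixtures (no real key material) exercising both checks."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "vpn_key_server1.txt")
    with open(good, "w") as f:
        f.write(f"{KEY_HEADER}\n{'00' * 16}\n-----END OpenVPN Static key V1-----\n")
    os.chmod(good, 0o600)
    loose = os.path.join(d, "loose_key.txt")
    with open(loose, "w") as f:
        f.write("not a key\n")
    os.chmod(loose, 0o644)  # world-readable: what a careless copy produces

    srv = server_config("10.0.10.1", "10.0.10.2", good)
    cli = client_config("vpn.example.com", "10.0.10.1", "10.0.10.2", "vpn_key_server1.txt")
    # Client that copied the server's ifconfig line verbatim instead of mirroring it.
    swapped = client_config("vpn.example.com", "10.0.10.2", "10.0.10.1", "vpn_key_server1.txt")
    return {
        "good_pair": check_pair(srv, cli),
        "swapped_pair": check_pair(srv, swapped),
        "good_key": check_key_file(good),
        "loose_key": check_key_file(loose),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'OK' if not result else result}")
```

Running the file prints OK for the good pair and key and lists the findings for the swapped client and the loose key file; point check_key_file at your real vpn_key_server1.txt on both ends to confirm the copy to the Windows box did not loosen its permissions.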
