Old 07-20-2005, 04:44 PM   #1
wally42
LQ Newbie
 
Registered: Jul 2005
Posts: 7

Rep: Reputation: 0
VPN Advice - newbie


Loving Linux and learning.

I have a LAN. All running Windoze machines. File serving, firewall, gateway, backups all Debian boxes. Running sarge. I have the need to set up VPN for a working at home employee running Windoze XP (possibly 2K, not sure yet. )
I have done a lot of searching on the net and found a daunting amount of material and possible apps to implement. ( i currently have 10 tabs open in firefox)

My specific need is to have the home user be able to access the samba share on my file server. Ultimately printing would be nice, but not yet.

I need a little guidance and direction. If someone could be so kind as to push me off in the right direction it would be greatly appreciated.

Thanks

Paul
 
Old 07-20-2005, 11:40 PM   #2
bdp
Member
 
Registered: Apr 2002
Distribution: RH 9
Posts: 230

Rep: Reputation: 30
i'd say hands down openvpn. i'd send my home-cooked howto to get it working, but for debian it's as easy as

apt-get install openvpn

works great in windows and linux, i have had a company box running as an openvpn server with 20 windows openvpn clients for 6 months with 0 problems. persistent tunnels with samba, nfs, etc have all been bombproof so far.

also note since openvpn uses SSL you can forward it to boxes behind your router if you use NAT which I wasn't able to do with IPSEC. This is also useful for clients that sit behind NAT at home.

i think you'll find openvpn very satisfying.

cheers, -bp

Last edited by bdp; 07-20-2005 at 11:43 PM.
 
Old 07-21-2005, 12:41 PM   #3
wally42
LQ Newbie
 
Registered: Jul 2005
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by bdp
i'd say hands down openvpn. i'd send my home-cooked howto to get it working, but for debian it's as easy as

apt-get install openvpn

works great in windows and linux, i have had a company box running as an openvpn server with 20 windows openvpn clients for 6 months with 0 problems. persistent tunnels with samba, nfs, etc have all been bombproof so far.

also note since openvpn uses SSL you can forward it to boxes behind your router if you use NAT which I wasn't able to do with IPSEC. This is also useful for clients that sit behind NAT at home.

i think you'll find openvpn very satisfying.

cheers, -bp
Okay so I can handle the apt-get install of the openvpn. What do I need to do to the windows box? I have a firewall machine and the samba server is behind that. (separate machine) I have read a little about IPSEC, I can probably weed my way through it. I am a quick study at this stuff, but a little lazy, I like to get to the root of things quickly. If you have a home cooked howto that would be great. And i really like "bombproof" solutions.

thanks,
Paul
 
Old 07-22-2005, 02:18 AM   #4
bdp
Member
 
Registered: Apr 2002
Distribution: RH 9
Posts: 230

Rep: Reputation: 30
home-cooked step-by-step to get OpenVPN working

this is what i do, let me know if it isn't clear. you can ignore my routing update batch file but i'll leave it in as a demo. try to ping 10.0.10.1 from 10.0.10.2 and vice versa to test.

cheers, -bp



OpenVPN setup

SERVER SIDE:
setup openvpn-2.0_rc6 as follows:

First load LZO code:
tar -xzvf lzo-1.08.tar.gz in /usr/local
cd /usr/local/lzo-1.08
./configure
make
make check
make test ( takes a while, wait for "all tests passed. Now you are ready to install LZO" )
make install

Now setup OpenVPN on linux server (2.4.25 kernel was used for this test):
tar -xzvf openvpn-2.0_rc6.tar.gz in /usr/local
cd /usr/local/openvpn-2.0_rc6
./configure
make
make install
now test cryptography:
openvpn --genkey --secret keyname.txt
openvpn --test-crypto --secret keyname.txt
above tests should produce no errors.
now test SSL/TLS negotiations (execute each command in a different window at same time):
(window 1) openvpn --config sample-config-files/loopback-client
(window 2) openvpn --config sample-config-files/loopback-server
above tests should establish a connection between client and server in the 2 windows
ensure tun device present in /dev/net :
look for /dev/net/tun
also, locate if_tun.h should produce /usr/src/linux-2.4.25/include/linux/if_tun.h
if no /dev/net/tun but can locate if_tun.h, do: mknod /dev/net/tun c 10 200

Now setup the server:

make a static key:
mkdir /usr/local/openvpn-2.0_rc6/CONFIG_FILES
openvpn --genkey --secret /usr/local/openvpn-2.0_rc6/CONFIG_FILES/vpn_key_server1.txt

config file /usr/local/openvpn-2.0_rc6/CONFIG_FILES/start_vpn_server1
<---------
#!/bin/bash
openvpn --verb 5 --lport 5000 --config /usr/local/openvpn-2.0_rc6/CONFIG_FILES/vpn_config_server1
<---------

config file /usr/local/openvpn-2.0_rc6/CONFIG_FILES/vpn_config_server1
<---------
# USING PRESHARED KEYS
dev tun
# remote 192.168.10.2
ifconfig 10.0.10.1 10.0.10.2
# 10.0.10.1 is server ; 10.0.10.2 is remote vpn client
# tun-mtu 1500
secret /usr/local/openvpn-2.0_rc6/CONFIG_FILES/vpn_key_server1.txt
<---------

setup routing on server, add the following to /etc/rc.d/rc.local
(note: this server is assumed to sit behind a frontend firewall)
also run these commands at command line if want to run VPN server before rebooting box to call rc.local .
<---------
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables --append FORWARD -i tun0 -j ACCEPT
<---------

Now start the server:
chmod 700 /usr/local/openvpn-2.0_rc6/CONFIG_FILES/start_vpn_server1
/usr/local/openvpn-2.0_rc6/CONFIG_FILES/start_vpn_server1 &

CLIENT SIDE:
Now setup a windows client:
setup openvpn-2.0_rc6-install.exe on windows box (win2k SP0 used here) with all default settings.
reboot
in a new folder somewhere titled VPN_CONNECT on the Windows box, add the following:
vpn_key_server1.txt

config file somewhere/VPN_CONNECT/vpn_go_server1.bat
note: add --redirect-gateway if want vpn server to be default gw for windows client
<---------
openvpn --verb 5 --remote vpnserver.ip.or.dns.name 5000 --dev tun --ifconfig 10.0.10.2 10.0.10.1 --secret vpn_key_server1.txt
<---------

config file somewhere/VPN_CONNECT/vpn_update_routing_server1
<---------
route add 192.168.0.36 MASK 255.255.255.255 10.0.10.1 METRIC 1
route add 192.168.0.7 MASK 255.255.255.255 10.0.10.1 METRIC 1
ping 192.168.0.7
pause
<---------

TRY THE TUNNEL:
double-click on somewhere/VPN_CONNECT/vpn_go_server1.bat
should see connection establish in ~10 seconds
update routing tables:
double-click on config file somewhere/VPN_CONNECT/vpn_update_routing_server1

VPN should be up.

Last edited by bdp; 07-22-2005 at 02:19 AM.
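
A pre-flight check for the static-key setup in post #4, as an added example that is not part of bdp's post: it confirms that the shared key file is not readable by group or other, and that the server's `ifconfig` pair is the mirror image of the client's `--ifconfig` pair. The function names and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example: checks for an OpenVPN static-key tunnel (function names are hypothetical).

# Succeeds only if the key file exists and grants nothing to group or other.
key_mode_ok() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$perms" = "------" ]
}

# Print "local remote" from the ifconfig directive of a server config file.
# Commented-out lines start with '#', so they never match.
server_endpoints() {
    awk '$1 == "ifconfig" { print $2, $3; exit }' "$1"
}

# Print "local remote" from a client command line that uses --ifconfig.
# The file may come from Windows, so carriage returns are stripped first.
client_endpoints() {
    tr -d '\r' < "$1" | awk '{ for (i = 1; i < NF - 1; i++)
        if ($i == "--ifconfig") { print $(i+1), $(i+2); exit } }'
}

# The two ends must mirror each other: server local = client remote and vice versa.
endpoints_mirrored() {
    srv=$(server_endpoints "$1")
    cli=$(client_endpoints "$2")
    [ -n "$srv" ] && [ -n "$cli" ] || return 2
    [ "$srv" = "${cli#* } ${cli% *}" ]
}

# Demo on constructed copies of the files described in the post.
d=$(mktemp -d)
printf 'dev tun\nifconfig 10.0.10.1 10.0.10.2\nsecret key.txt\n' > "$d/server.conf"
printf 'openvpn --remote vpnserver.ip.or.dns.name 5000 --dev tun --ifconfig 10.0.10.2 10.0.10.1 --secret vpn_key_server1.txt\r\n' > "$d/client.bat"
: > "$d/key.txt"
chmod 644 "$d/key.txt"
key_mode_ok "$d/key.txt" || echo "key readable by group/other: chmod 600 it"
endpoints_mirrored "$d/server.conf" "$d/client.bat" && echo "tunnel endpoints mirrored"
rm -rf "$d"
```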
 
  

