The Internet Encryption Security

Low Cost VPN Solutions? 100

whschwartz asks: "I'm looking for a low cost solution for allowing myself and a few others the ability to share a server at one of our locations. One thought was using SSH tunnels to establish secure connections, forwarding any ports needed by our apps. We'd want to be able to map network drives, control the server with something like PC Anywhere or VNC with the possibility of running apps that have remote data on the server. I use the Cisco VPN solution for work, but that's not in our price range and is probably overkill. Are there any other options I should be looking at other than using SSH port forwarding?"
This discussion has been archived. No new comments can be posted.

  • If Linux is ok.. (Score:4, Informative)

    by ADRA ( 37398 ) on Monday January 03, 2005 @02:49PM (#11246521)
    You could use vtun (http://vtun.sourceforge.net/) to get the job done.

    It has VPN functionality, although I don't think it has Windows support, if that's a requirement.
  • OpenVPN (Score:5, Informative)

    by LiENUS ( 207736 ) <slashdot@@@vetmanage...com> on Monday January 03, 2005 @02:51PM (#11246548) Homepage
    There's always http://openvpn.sourceforge.net/ [sourceforge.net] which has clients and servers for Windows, or you could always tunnel pppd over ssh, http://www.tldp.org/HOWTO/VPN-HOWTO/ [tldp.org] for details.
  • Smoothwall (Score:4, Informative)

    by Computerguy5 ( 661265 ) on Monday January 03, 2005 @02:54PM (#11246586) Homepage
    You could use a smoothwall [smoothwall.org] router. Only cost is standard hardware.
  • Linksys (Score:3, Informative)

    by Dr. Bent ( 533421 ) <<ben> <at> <int.com>> on Monday January 03, 2005 @02:54PM (#11246593) Homepage
    Linksys sells a VPN router [google.com] that uses the IPSec standard, for around $100. I've been using it for the last year or so and I love it. You can connect to it using the IPSec tunnel built into Windows, or connect under Linux using FreeS/Wan

  • by uits ( 792760 ) on Monday January 03, 2005 @02:58PM (#11246643)

    It seems you are trying to connect to a windows machine, and you are using windows clients. Since we can assume it's not Server 2000/2003 (otherwise why would you be asking...) the following link shows how to set up a VPN server on windows xp.

    http://www.onecomputerguy.com/networking/xp_vpn_server.htm [onecomputerguy.com]

    Might not be the coolest way...but it's simple & low cost, using the hardware/software you have already.

  • Re:If Linux is ok.. (Score:3, Informative)

    by nocomment ( 239368 ) on Monday January 03, 2005 @03:01PM (#11246665) Homepage Journal
    If linux is ok and you have some spare boxes sitting around, then go download the Mandrake Multi-Network Firewall. I toyed around with it a couple years ago and got it working. I use OpenBSD now, but the MNF was really easy to configure. It also has packet sniffers to detect hack attempts built in (portsentry AND snort IIRC).
  • A couple of options (Score:3, Informative)

    by Some guy named Chris ( 9720 ) * on Monday January 03, 2005 @03:07PM (#11246752) Journal

    PPP tunnelled over SSH is simple, quick to set up, and works without a hitch. I've used it to connect 20+ locations, and it's just as good as having a dedicated frame link between the sites.

    IPSEC (using openswan or similar) works well, but is in my experience more complicated and harder to maintain than using the PPPoverSSH method.

    Both of these are free.

  • Re:OpenVPN (Score:5, Informative)

    by bill_mcgonigle ( 4333 ) * on Monday January 03, 2005 @03:27PM (#11246998) Homepage Journal
    since that's packing a TCP stream inside another TCP stream and can screw up the packet counters

    I knew this comment would lurk here somewhere, it always does.

    There's a theoretical problem with TCP in TCP on connections with errors. That said, I've built network appliances that do TCP over TCP. From a practical perspective it works just fine, and I've sent terabytes of data over such a link and the throughput approaches the line speed.

    Somebody's firewall is going to kill your connection long before other problems kick in.
  • by Futurepower(R) ( 558542 ) on Monday January 03, 2005 @03:44PM (#11247193) Homepage

    This may be helpful to someone:

    We have extensive experience with the Netgear FVS328 and FVS318 routers with VPN. We have had many many problems with them.

    Note that the FVS318 does NOT have secure login for remote maintenance. The password is sent in the clear.

    Netgear apparently has no technical support representatives that work for the company. They apparently all work for contractors in India and the United States. We have found them to have very, very little information about these Netgear products.

    Here are a few of our extensive notes about the problems:

    We establish an IKE and VPN policy, and start a VPN. It works fine the first time, but, after we disconnect we cannot connect later, even though no changes have been made to the policies.

    1) There is general agreement among Netgear technical support people that there is a problem.

    Netgear technical support people have standard IKE and VPN policy setups they like to use, which they say are proven to work. The most common one, however, is slow and drops a lot of pings. More sophisticated IKE and VPN settings are faster, even though better encryption is used. We have no idea why this is so.

    2) Turning the router power off and restarting sometimes cures the problem with not being able to re-establish a VPN. We have seen cases where the menu choice reboot did not cure a problem, but turning the power off and on did cure it.

    3) Something hidden seems to time out after several hours. Sometimes VPN connection problems fix themselves after a day or so.

    4) When establishing a VPN Auto Policy, the help says:

    Remote VPN Endpoint Select the desired option (IP address or Domain Name) and enter the address of the remote VPN Gateway/Server or client you wish to connect to. Note: The remote VPN endpoint must have this VPN Gateway's address entered as it's "Remote VPN Endpoint".

    However, we had a case where the address of one of the routers had changed from that given in the "Remote VPN Endpoint", but the VPN was re-established. The impression is given that specifying the address increases security. Apparently this is not so. Again, something seems to be keeping information for several hours, and then timing out.

    5) We have seen a case where deleting all the policies and starting over cured a persistent problem with not being able to re-establish a VPN.

    6) We have seen cases which seem to indicate browser dependence. For example, there may be Javascript that works perfectly only in Microsoft Internet Explorer, but sometimes fails in other browsers.

    7) We have seen cases where choosing "Log Out" does not actually log out. Netgear technical support people say they've seen this also.

    It seems to help if we exit from the browser completely. However, if the browser is Firefox (or Mozilla), and there are several Firefox windows open, exiting from Firefox means exiting from all the windows and tabs, which means that work opening those windows is lost. (Firefox and Mozilla do not have multiple instances; all windows come from the same instance.)

    Logging out sometimes seems to leave something in the router which gets confused, and prevents re-establishing the VPN.

    Version tested -- We have not tested the FVS328 firmware beta version. This report is about the FVS328 firmware Version 1.0 Release 09.
  • by PinkX ( 607183 ) on Monday January 03, 2005 @03:48PM (#11247225) Homepage
    Are cheap, easy to set up and maintain, highly flexible and very cost-effective.

    Depending on what you're planning to do, you can use any of the several VPN implementations out there, just to name a few:

    * PoPToP [poptop.org], a PPTP server, compatible with the VPN client that Windows has always had,
    * vpnd [sunsite.dk], really easy to set up, ideal gw to gw VPN solution, seems a little outdated but works great over slow links,
    * OpenVPN [sourceforge.net], a highly portable, flexible and multiplatform VPN solution, which supports gw to gw and gw to host style VPNs,
    * etc. There is also LinVPN, FreeS/WAN / Openswan, et al

    Best regards.
  • Re:OpenVPN (Score:3, Informative)

    by #undefined ( 150241 ) on Monday January 03, 2005 @04:23PM (#11247579)

    i also recommend openvpn [sf.net]. supported on a majority of systems: windows 2k/xp, linux, mac os x, bsds, & solaris. here's the howto [sourceforge.net].

    imho, great example of kernel/user-land separation: tun/tap virtual device driver is the only kernel-side part, the rest is in user-land. no more having freeswan keep the system from cleanly shutting down because of a lost reference to a network device. but there is overhead from context switches between kernel & user, though it's a trade-off i think is worthwhile.

    you can do ip or ethernet tunneling, depending how far down the osi model you want to go and how much overhead you are willing/able to process. with a single wireless client in my household, i do ethernet tunneling, as it frees me from having to do any ip routing and configuring a wins server (which i've found problematic with windows 2000 and samba 2.2 on debian stable).

    openvpn can use shared key or tls, just depends on what you want. you can quickly develop a proof of concept with shared keys (prove software installation, network communication, etc work) and then "upgrade" to tls.

    openvpn uses openssl for its encryption/authentication engine. that means that all the scrutiny and improvements openssl receives (security analysis, assembly encoded algorithms, hardware engines, etc) benefits openvpn. i'm interested in doing openvpn on the via epia platform [via.com.tw] with hardware-assisted openssl [logix.cz] serving as wireless xterminals.

    encrypting lots of bandwidth means lots of processor cycles, and depending on the speed of your processors and the bandwidth between the two, expect some slow down. this is not particular to openvpn, but any (software) encryption, so choose your hardware accordingly (with lots of benchmarking for your particular use case).

    ipsec is a valid option, though i prefer openvpn. ipsec is a standard, and is supported on more platforms than openvpn (especially embedded systems & dedicated hardware), but is firstly cumbersome to configure and secondly compatibility is theoretically possible between all implementations but not guaranteed. i once connected windows 2000 and linux/freeswan using ipsec. nate carlson's howto [natecarlson.com] is invaluable. with linux 2.6 it's even harder to implement ipsec with iptables because neither the in-kernel ipsec implementation nor openswan support virtual interfaces (ipsec[0-9]). supposedly it's "possible" using iptables to tag packets, but i won't consider it "practical" until it's easy enough to be documented in a howto.

  • by PinkX ( 607183 ) on Monday January 03, 2005 @04:32PM (#11247658) Homepage
    You are certainly doing something wrong. I have multi-point OpenVPN setups which only have dynamic IP addresses on all of them, using a dyn dns server, and they're always up and running.

    Here is my config for all of the VPN gw's (/etc/openvpn/${HOST}.conf):

    dev tun
    remote ${REMOTEHOST}
    ifconfig ${LOCAL_VPN_IP} ${REMOTE_VPN_IP}
    secret /etc/openvpn/${REMOTEHOST}.key
    route ${REMOTE_NETWORK} ${REMOTE_NETMASK} vpn_gateway 1
    ping 20
    ping-restart 60
    persist-key
    ping-timer-rem
    persist-tun
    user nobody
    port 5001
    verb 3
    resolv-retry infinite


    of course substitute all the variable names with your own values.

    Best regards,
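
    Added example, not part of PinkX's post or of OpenVPN itself: a small Python check over a point-to-point config shaped like the one above, with constructed placeholder values in place of the ${...} variables. It flags static-key mode (the shared-key setup another comment here treats as a proof of concept before moving to TLS) and checks that the privilege drop is paired with persist-key and persist-tun; the function names parse and audit are hypothetical.

```python
SAMPLE_CONF = """\
dev tun
remote peer.example.net
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/peer.example.net.key
route 192.168.2.0 255.255.255.0 vpn_gateway 1
ping 20
ping-restart 60
persist-key
ping-timer-rem
persist-tun
user nobody
port 5001
verb 3
resolv-retry infinite
"""  # constructed: the posted template with placeholder values filled in

def parse(text):
    """Return {directive: [args, ...]}, skipping blank lines and # / ; comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def audit(text):
    """Hypothetical checker: return a list of 'code: explanation' findings."""
    conf, findings = parse(text), []
    tls = any(k in conf for k in ("tls-server", "tls-client", "client"))
    if "secret" in conf and not tls:
        findings.append("static-key: one long-lived shared key, no forward secrecy")
    if not tls and "secret" not in conf:
        findings.append("no-auth: neither a static key nor TLS mode is configured")
    drops = "user" in conf
    if not drops:
        findings.append("runs-as-root: no 'user' directive to drop privileges")
    elif "group" not in conf:
        findings.append("no-group: 'user' is set but the root group is kept")
    restarts = "ping-restart" in conf or "keepalive" in conf
    for opt in ("persist-key", "persist-tun"):
        if drops and restarts and opt not in conf:
            findings.append(f"missing-{opt}: a restart after the privilege drop cannot redo root-only setup")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```
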
  • m0n0wall? (Score:3, Informative)

    by M1FCJ ( 586251 ) on Monday January 03, 2005 @04:54PM (#11247888) Homepage
    It does the job. I use it as a CD-based system + floppy on very old hardware with 64MB. Setting up the VPN was very easy and it was dead-easy to maintain/backup. I use it between three sites but I intend to use it at work as well.
  • Re:OpenVPN (Score:4, Informative)

    by erth64net ( 47842 ) on Monday January 03, 2005 @05:15PM (#11248051) Homepage
    I second OpenVPN as well.

    We've used FreeS/WAN (now OpenVPN) since 2001, with nary an issue. We currently have 12 connections ranging from 144KBit to 3Mbit (all business quality!) all connected together. The VPN/firewall hardware at each site is a Pentium 120Mhz w/ 32MB of RAM, two network cards, and nothing but a floppy disk booting/running LEAF [sf.net]'s Bering-uCLib. We have Win2K/XP VPN clients connecting to these "LEAF" systems as well. In theory, OpenVPN can support many hundreds of VPN tunnels - though the highest we've pushed it was around 30 (ie: permanent tunnels plus the Win32 clients) - with about 600 users between all the sites.

    When we stress-tested this hardware/software combo, we were able to push just over 7Mbit/sec, and only added about 5ms latency to the link!

    This combo has been rock solid - not a single connection failure can be blamed on the VPN software - it has been either the last mile, a NIC failure, or a bad floppy disk. Administration is via SSH [ucc.asn.au] (with a web-based admin console in development), and the firewall code is Shorewall [shorewall.net].
  • Re:OpenVPN (Score:2, Informative)

    by Jdodge99 ( 695972 ) on Tuesday January 04, 2005 @10:58AM (#11253363)
    Erm -- No, Openvpn is an entirely different project, a cross platform SSL vpn, FreeS/Wan is an IPSec VPN solution, which halted development at 2.06 -- it has been succeeded by http://www.openswan.org/ [openswan.org] and http://www.strongswan.org/ [strongswan.org]
  • OpenVPN (Score:4, Informative)

    by eno2001 ( 527078 ) on Wednesday January 05, 2005 @11:34AM (#11263720) Homepage Journal
    Go look at my very first JE a while back and I point out that OpenVPN is cross platform (Windows, Linux, MacOS X, BSDs, etc...) and works fairly well. Be warned that you need to use the latest Beta with Windows XP as SP2 breaks the last stable version. I've been using it going from Linux to Linux and it works great. Full access to my network at home from anywhere. All you need to do is open one UDP port and this will actually tunnel TCP and UDP traffic, so even Voice over IP will work with this for a private IP phone setup. Check it [sourceforge.net] out. It's worth the effort.

    As a side note, I used to use SSH tunnels. That worked very well for me too, but it required a good deal of setup and mapping ports on the remote end to ports on the local end. It's great as far as cross-platform goes, and if you don't have things changing much on your network, it really works well, but it won't handle UDP traffic. Not to mention, when I used it with VNC, I had to map remote ports to local ports that were unused. So if I connected to 'mymachine:1' at home, I would connect to '127.0.0.1:21' at work since I couldn't stomp over :1 on my machine here. With OpenVPN, that all goes away. You just connect to the remote machine by its own IP (or if you get DNS or hosts set up right by its name).

    I'll also mention that I'm using OpenVPN in "routing" mode. I throw all traffic destined for my home network to the tun1 interface that openVPN brings up on my local machine. You can also use openVPN in bridged mode which is a bit more of a headache to set up since you need to know how to break your network up into ranges for each location. Basically subnetting. But the advantage of bridged mode is that broadcasts will be carried over the tunnel. OpenVPN is about the closest you get in a free project to having a virtual ethernet cable going from one end of the connection to the other. In the end, I think this is what you want. Hope this helps.
