The Poor Person's VPN

Or is it “The Lazy Person's VPN”?

Hugh Mahon - hm@mahon.cwx.net

What is a VPN?

● There are two ways to connect remote sites:– Use a dedicated line (a private network).– Use the Internet.

● Not private, so need to secure the connection.● Want to keep internal network hidden from Internet.● Want to allow two sites to access LAN at each site as if

part of same network.● The secure access using the Internet instead of a dedicated

line is what makes it a Virtual, Private Network.

Why VPNs?

● Connect two sites.● Allow remote access by individual users.

Two Sites

Two Sites – One Virtual Site

Tunnel Technologies

● IPSec● CIPE● PPTP● SSH + PPP

What is SSH?

● Secure Shell (think encrypted telnet).● Allows secure access across the Internet.● Can also provide tunneling of individual ports.

– e.g., Allow X11 to securely pass back to remote system.

● Can act as transport for ppp.

PPP

● Point-to-Point Protocol– Usually used with serial connections.– Provides IP connection between two points.

● Establishes IP address at both ends of connection.● IP traffic can be routed over PPP connection.

Setting up SSH

● Set up shared keys on both systems:– This allows connecting without using the password to

the account on the remote system.– Can use a passphrase for the key or not.– Can use different kinds of keys (e.g., RSA, DSA)– Command is: ssh-keygen– Edit 'authorized_keys' file on each system to enable

access by other system

Setting up PPP

● Make sure pppd is setuid.● Have /etc/pppd/options contain:

– lock– noauth

● Optional: set up /etc/ppp/ip-up.local to establish routing to remote network.

● Make sure to move any ~/.ppprc files out of the way.

Making it simple: footunnel

● A script that does the job of starting the VPN– starts ssh and ppp

● Usage:– footunnel [-u user] [-l local-addr] [-r addr] remotesys

The script: footunnel

● Gets the passphrase for ssh.● Starts pppd

– Starts pppd on remote system via ssh connection, which is the secure transport for the tunnel.

● Monitors the connection.● Cleans up when connection is torn down (i.e.,

stops ssh-agent).

Simple Performance comparison

No VPNtime=6 sec.

Copy w/ VPN Mid-transfer End of transfertime = 58 sec.

File size=17,515 kB

Uses for the script

● Site to site.● Home to work.● Work to home.● Wireless connection.

Wireless Example

Resources

● Book: “Building Linux Virtual Private Networks (VPNs)” - Oleg Kolesnikov, Brian Hatch; published by New Riders

● www.buildinglinuxvpns.com (for above book)

● VPN-HOWTO

● http://vpn.shmoo.com/vpn/FAQ.html

● For IPSec: www.freeswan.org

● For CIPE: http://sites.inka.de/bigred/devel/cipe.html

● For SSH: www.openssh.org

● mahon.cwx.net