Need suggestions for mini VPN

mike123abc

Ok, I have a private linux server in a datacenter at my disposal. What I would like to be able to do is set something up that I can run on my laptop (windows vista) to connect securely to my server and have all my internet traffic forwarded.

What I am aiming for is to be able to use a public wifi connection and have my entire session secured. So, essentially log on to the public wifi place, then make the secure connection to my server and have it tunnel all my traffic. I am not worried about bandwidth, server has connections to several major backbones, so it should not really slow things down too much.

There are some companies that provide this service for around $10/month (using their servers) but I figured there is probably a way to set it up using mine for free.

So, I guess I would need a way to set up a VPN to my server then have it be a proxy server for me, or perhaps just act as a router. Any suggestions? Experiences? Etc.
 
Well as a follow up to my own question, I finally got it all working today. In fact I am routed through my server right now

I used openvpn since the modules for it were already installed on my server (running suse). The plesk control panel had the switch to turn on the openvpn daemon.

Ok, then I went to the windows client and downloaded the openvpn client software. It makes a device for a new network (named tap) that you treat like an ethernet card, except it is really a VPN tunnel to the server.

Once I established the connection between my windows box and the linux server I had a point to point VPN running. I then had to do a bit of server magic, this took the longest to research:

# default policy: forward nothing that is not explicitly accepted
iptables -P FORWARD DROP
# NAT traffic from the VPN client subnet out of the public interface (eth0)
iptables -t nat -A POSTROUTING -o eth0 -s 172.22.115.2/30 -j MASQUERADE
# drop new or invalid connections that arrive from the internet side
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
# same for connections the internet side tries to open through the server
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

This allows packets to be forwarded off the VPN (and nothing else). If you do not set up this forwarding you end up not being able to ping past the server.

On the client you need more magic:

You need to make a route to the VPN server via your default gateway (not 0.0.0.0, but something like 192.168.1.1, the router that you will see as the gateway to 0.0.0.0 if you do netstat -r) and give it a low metric so it will be used over the default.

Then you add an additional default route with a metric lower than the one you are using for your normal network: route add 0.0.0.0 mask 0.0.0.0 172.22.115.1 metric 10

I used the 172 address range for my private ip address since I figured it was most unlikely to be used and most home/small office stuff defaults to 192.168 addresses and big corporate ones go to 10. addresses.

So, essentially you open a vpn connection to the server using a private ip address, then you make a route to the server (real ip address) so the client can still find the way to the server when you make the default route go over the VPN. Otherwise you end up trying to send something to the VPN's fake IP address via the VPN itself and get "no route to host".
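To see why the host route to the server is needed, here is an added example (not from the post) that simulates the client's routing table with Python's ipaddress module. The server's public address and the wifi gateway are constructed placeholders; 172.22.115.1 is the tunnel gateway from the post.

```python
import ipaddress

# Constructed sample addresses (not from the post).
LAN_GATEWAY = "192.168.1.1"          # the wifi router seen as gateway to 0.0.0.0
VPN_SERVER_PUBLIC = "203.0.113.10"   # placeholder public IP of the VPN server
VPN_TUNNEL_GATEWAY = "172.22.115.1"  # tunnel-side address of the server

# Route entries: (prefix, next_hop, interface, metric)
BROKEN = [
    ("0.0.0.0/0", LAN_GATEWAY, "wifi", 25),
    # route add 0.0.0.0 mask 0.0.0.0 172.22.115.1 metric 10
    ("0.0.0.0/0", VPN_TUNNEL_GATEWAY, "tap", 10),
]
# The fix from the post: a host route to the server's real IP via the wifi gateway.
FIXED = BROKEN + [(VPN_SERVER_PUBLIC + "/32", LAN_GATEWAY, "wifi", 1)]


def lookup(routes, dst):
    """Longest-prefix match, ties broken by lowest metric -> (next_hop, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, next_hop, iface)
    return None if best is None else (best[1], best[2])


def resolve_path(routes, dst, max_hops=8):
    """Follow a packet until it leaves on a physical interface.

    A packet routed into the tunnel is encapsulated and re-sent to the server's
    public address, so that address is looked up again. Without a host route the
    server itself resolves into the tunnel, which is the loop behind the post's
    'no route to host'. Returns the physical next hop, or None on a loop.
    """
    seen = set()
    for _ in range(max_hops):
        hit = lookup(routes, dst)
        if hit is None:
            return None
        next_hop, iface = hit
        if iface != "tap":
            return next_hop
        if dst in seen:
            return None          # the server's own address loops into the tunnel
        seen.add(dst)
        dst = VPN_SERVER_PUBLIC  # encapsulated packet goes to the real server IP
    return None
```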
 
Why not just use ssh as your connectivity path? You can define port forwarding via the SSH connection. I'm not sure that the overhead of VPN software buys you anything in this context.


Cheers,
 
A VPN gives you practically the full spectrum of remote control programs, including ssh, by establishing security at the network level, not just the app level.

And if all they're doing is remote logins and remote X sessions it's overkill. There's no usable information in an SSH session and there's less overhead involved.

Using a VPN just to manage a single server is overkill; not unlike using a sledge hammer to kill a mosquito.

Since the actual scope of work hasn't been defined for us; it's quite possible that a VPN is more than needed.
 
Actually what I am using it for is to secure wifi connections when I travel. I open the VPN to my server, then route all my internet traffic through it. Actually it really is responsive; the server is in a dedicated data center on many backbones, so it is only a few milliseconds added to each packet. I am investigating getting l2tpd/ipsec working (well, I have ipsec working now, l2tpd is proving a roadblock atm), just so I can use the windows VPN stuff.

I have found out a lot of stuff about linux. I used to be a unix kernel programmer (actually my specialty was network file system and networking code). It is interesting how the whole open source code thing seems to work. It is a challenge in a lot of ways, since you find out what works and does not work in each version and what patches are needed for each version. My server is running Suse 9.3 with a 2.6.11.4-21 kernel.

When I talk to my server from home I exclusively use ssh (well except when I have to use plesk via IE).
 
ssh is a fully secured connection; wifi or not.

It's cool that you've done this; but based on what you've described it was overkill.

Cheers,

Yes, ssh is fully secure, but I am not talking to my server, in fact I rarely talk to the private part of my server, the public parts have https when needed. When I am away I talk to things like my cash registers and such which have 0 encryption available... The passwords are in plain text. Or use applications like PCAnywhere which has mild encryption. Talking to all the PCs in the business is what I work to secure.

All the stuff is sitting open on the www. It would be annoying if hackers got in and messed up stuff, but they are not vital systems. Obscuring all my communication via the VPN just keeps me safer when out on public wifis as I travel around. I do not worry about my ISP (ATT formerly SBC DSL) connections between my house and the stores. So, essentially I am just recreating a wired internet from wifi; yeah, it can be broken into (the communication from my server to the cash registers just goes over the internet). I just do not see many cases where hackers have spliced into fiber or tapped DSL connections to listen in. My main worry is having to go reinstall everything after having my network turned into a bunch of slave bots; all the vital information is sitting behind a firewall in an office.
 
Yes, ssh is fully secure, but I am not talking to my server, in fact I rarely talk to the private part of my server, the public parts have https when needed.

When I am away I talk to things like my cash registers and such which have 0 encryption available... The passwords are in plain text. Or use applications like PCAnywhere which has mild encryption. Talking to all the PCs in the business is what I work to secure.

Okay; but this can be solved...

$$$ Register --> VPN Router --> WAN <-- VPN router <-- your network

The VPN router could be as simple as a cheap PC with any of the *nix variants or Free BSD with two NICs. Of course you could scale this in price dramatically to whatever you wanted.

All the stuff is sitting open on the www. It would be annoying if hackers got in and messed up stuff, but they are not vital systems.

If the cash registers are what brings in the revenue I wouldn't refer to them as "not vital systems" ;)

Obscuring all my communication via the VPN just keeps me safer when out on public wifis as I travel around. I do not worry about my ISP (ATT formerly SBC DSL) connections between my house and the stores. So, essentially I am just recreating a wired internet from wifi, yeah it can be broken into (the communication from my server to the cash registers just goes over the internet). I just do not see many cases where hackers have spliced into fiber or tapped DSL connections to listen in.

You always pick the low hanging fruit; wherever it is. This depends somewhat on what data it is you're going after.

You've made one assumption which might not be the best to make... that the WAN provider is maintaining security. That's a big ??? mark.

My main worry is having to go reinstall everything after having my network turned into a bunch of slave bots; all the vital information is sitting behind a firewall in an office.

Lots of strategies for this.
 
Have you tried Hamachi? It's free. All you do is load the clients on the PCs. Then, set up a proxy server (I currently use FreeProxy on a Win2k3 server).

I have been successfully using this setup for 6 months.
 
Well, I tried to get IPsec/L2TP to work for a week, using openswan and xl2tpd. It came down to the fact that I am running a 2.6.11.4-21 server and NAT ipsec is broken on it. I would have to upgrade to 2.6.16+. Ugh, my server does not even have the source on it. I am running Suse 9.3. I considered getting the source and making a new kernel, but then I reconsidered, considering I do not have physical access to the server (it is a dedicated server located in a server farm in San Diego, CA). I did not feel comfortable playing with the kernel without physical access.

Then MS announces Vista SP1 will now have SSTP/PPP VPN on it. Of course it is a new creation of theirs. It will be similar to other SSL VPNs except that it will use port 443. In other words it will connect to the https port, use SSL to make a PPP network connection. Well, that is very interesting, and it promises to be better than the IPsec hack that is out now (IPsec was for network to network and did not have NAT built in, and it was hacked on by MS and of course tried to be emulated in Linux).

So, I guess for now I will stick with my OpenVPN hack (well, it works well, just not built into windows). I will wait to see what comes out of the new SSTP/PPP VPN and see if a user level connection can be made with Linux.

The other thought is that I am considering a new server, probably a colocated one that I can have physical access to when I want to play with it. Also, I can update to a more recent version of Linux (mine is about 2 years old now).
 