# best way of going about a vpn



## da1 (Oct 4, 2010)

Hello fellas,

I have 4x 8.1-RELEASE i386 machines, each with a internal network behind them. 

Starting from the first one, the internal networks are like so: 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24,192.168.3.0/24. 

The goal here is to have a vpn between these 4 machines and any client on any network to be able to reach any other client on any other network. 

After reading the handbook about IPSEC, I compiled all machines with the necessary options and I managed to build a vpn between the first and the second one. This is where I started having questions about the correct way of implementing this.

Scenario 1:
a gif/racoon conf. from each of the machines to every other machine (meaning 3 gif interfaces and 3 racoon settings ? - I am having problems understanding the latter, if it's even possible)

Scenario 2:
a gif/racoon conf. from all to 1 and on that "1" bridge the 3 connexions - or something like that.


Sorry, I'm just a bit over my head here in networking.

Any ideas are welcomed.


----------



## aragon (Oct 4, 2010)

Although you can use IPSec, you might find it simpler to use something like net/vtun instead.

Your two scenarios are correct.  In scenario 2 the central gateway will require the most amount of bandwidth.

There probably is no correct way.  Scenario 1 is more complex but more bandwidth efficient than scenario 2.


----------



## da1 (Oct 4, 2010)

First, thanks, I will have a look over net/vtun

Then, since 3 of the machines are in the same town (therefore using the LAN of the ISP) I have 100Mbit at my disposal (bandwidth is not a problem here anymore). The 4th machine however, is in another city and AFAIK, it has a download bw of 3.5 MB and a upload of (maybe, if I'm lucky) 512kB. All in all, I believe bw is not an issue here (except for the 4th server). Besides, how much "chatter"-worth of bw are we talking here ? It cannot possibly go above 100kB (please correct me if I'm wrong).

"scenario 2" has 1 big flaw. If, for some reason, the "central" machine goes down, the remaining 3, will no longer be a part of the vpn.

I will make an attempt at "scenario 1".


In the meantime, I have installed a pptp server for "outside" temporary windows clients. I think IPSEC can be used here too and so can openvpn (maybe even vtun?). 

My scope here is to learn as much as I can, so I will probably be turning out to try all of them, at some point in time.

This reminds me of a catchy phrase I read here on the forums that went something like "all bends have a learning curve associated with them". Though I cannot seem to remember who it was that wrote it or the correct form of it.

Nevertheless, I have a nice journey ahead of me .

Cheers for the guidance and keep 'em commin'


----------



## varda (Oct 12, 2010)

You can use regular ssh which included in base system to establish vnp between machines:

```
-w local_tun[:remote_tun]
             Requests tunnel device forwarding with the specified tun(4)
             devices between the client (local_tun) and the server
             (remote_tun).
```
An then setup IP and routing between them as you prefer.


----------

