# VPN Wishlist



## darkskye (Nov 28, 2008)

I have a dream. It's a simple dream (no really!)

I'm currently running 7.1-PREREL on my gateway (using ppp/netgraph to manage a PPPoE link to my ISP). This works fine, I'm happy with the way userland ppp does this job and I'm too stubborn to change it since I've been using userland ppp since sometime around 2.2.8.

What I'd like to be able to do is have my gateway connect to $WORKPLACE over VPN, and then forward all traffic from $LOCALNET which is destined for $WORKNET over the VPN without actually bridging the two LANs (I don't think $WORKPLACE would approve of all my nodes popping up suddenly).

I suspect this is going to require some form of NAT, but I'm already using natd and ipfw to manage $LOCALNET.

Thoughts and suggestions would be appreciated!


----------



## EliasMandouvalos (Nov 29, 2008)

What type of VPN do you want to establish?

If you can use pptp for VPN, then the solution is simple:

1. Add the pptpclient package to your home machine.
2. Add a configuration like the following in /etc/ppp/ppp.conf:

```
pptp-work:
 set authname myusername
 set authkey mypassword
 set timeout 0
 set ifaddr 0 0
 nat enable yes
 nat same_ports yes
 nat use_sockets yes
```


3. Assuming that your work network consists of two subnets 192.168.100.0/24 and 172.16.1.0/24, add the following section in /etc/ppp/ppp.linkup:

```
pptp-work:
 add! 192.168.100.0/24 HISADDR
 add! 172.16.1.0/24 HISADDR
```

4. Assuming that the public IP address of your VPN server at work is 1.2.3.4, then the only thing you have to do from the command line is:

```
pptp 1.2.3.4 pptp-work &
```

5. Finally you can add the following lines in /etc/ppp/ppp.linkdown so everything returns back to normal when you disconnect:

```
pptp-work:
 delete! 192.168.100.0/24 HISADDR
 delete! 172.16.1.0/24 HISADDR
 iface clear
```

Hope that helps

Elias


----------



## caligula (Dec 14, 2008)

Hello darkskye,

please, do not use PPTP. Please, don't use it!
It is insecure by design. See http://poptop.sourceforge.net/dox/protocol-security.phtml.

PPTP is secure enough for a dial-up connection to your ISP. Formerly it was widely used in that way, before PPPoE came up. It is still used for that purpose by some ISPs, because the cable between your PC and your modem can be assumed to be safe and secure.
But PPTP is not secure for a VPN over the internet - over several hosts you cannot control. PPTP can be cracked as easily as WEP for WLAN: just by listening to the traffic.


And, by the way, as you are using "natd and ipfw to manage $LOCALNET", you should not and cannot use ppp-nat simultaneously as EliasMandouvalos proposes by setting "nat enable yes" in /etc/ppp/ppp.conf.

And you don't even need NAT for/within VPN.
All will be a routing setup.


So, either use IPsec or OpenVPN (http://www.openvpn.net/).


Concerning IPsec, it will be some kind of a mess if your gateway gets a dynamic IP by your ISP. If your gateway has a static IP, then IPsec will probably be worth giving a try. (see handbook, chapter 14.10 http://www.freebsd.org//doc/en_US.ISO8859-1/books/handbook/ipsec.html)


OpenVPN (/usr/ports/security/openvpn) is in my opinion the best solution for you. It is based on the server-client model. The whole network/routing setup can be done on the server at $WORKPLACE and then be pushed to the client, your gateway. So the company VPN server/gateway always has control over the VPN connection. This fact respects the oldest, most important, but unfortunately nowadays more and more forgotten security rule: "NEVER TRUST THE CLIENT".
And OpenVPN is very easy to configure (=> your simple dream easily comes true).


So, if you are the administrator at $WORKPLACE, then ask the chief for permission to set up IPsec or OpenVPN.
If not, then forget it. Imagine all employees at $WORKPLACE have your dream: they all run to the admin and ask for VPN access, the admin realizes the VPN, he is able to allow or deny access client by client, but he cannot guarantee that an employee having a malicious home PC does not cause any damage in $WORKNET. The admin can block that client when he "sees" something suspicious - but that could be too late.

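As an added illustration of the routed (non-bridged, NAT-free) OpenVPN setup caligula describes, here is what the two sides could look like. This is not configuration from the thread or from the OpenVPN project; the hostname, certificate and key paths, the client certificate name `darkskye-gw`, the 10.8.0.0/24 tunnel pool and the 192.168.1.0/24 home subnet are assumptions, and the $WORKNET subnets are the ones Elias used as examples. The point it shows is that every route, and the decision whether the home LAN is routed at all, is made on the server and pushed to the client, so the gateway cannot quietly add itself to other subnets.

```conf
# --- Server side at $WORKPLACE: /usr/local/etc/openvpn/server.conf (constructed example) ---
port 1194
proto udp
dev tun                              # layer-3 tunnel: routed, not bridged (no tap)
ca   /usr/local/etc/openvpn/ca.crt   # assumed PKI paths
cert /usr/local/etc/openvpn/server.crt
key  /usr/local/etc/openvpn/server.key
dh   /usr/local/etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0        # assumed tunnel address pool, must be unused at $WORKPLACE

# $WORKNET routes are decided here and pushed to the client; the client adds none itself.
push "route 192.168.100.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"

# Per-client files named after the certificate CN: the admin decides client by client
# whether a remote LAN is routed at all (the "never trust the client" part).
client-config-dir /usr/local/etc/openvpn/ccd
# Kernel route for darkskye's home LAN, so $WORKNET can answer without any NAT;
# the matching iroute in ccd/darkskye-gw tells OpenVPN which client owns it.
route 192.168.1.0 255.255.255.0

keepalive 10 60
persist-key
persist-tun
verb 3

# --- Server side: /usr/local/etc/openvpn/ccd/darkskye-gw (one line, constructed) ---
# iroute 192.168.1.0 255.255.255.0

# --- Client side on darkskye's gateway: /usr/local/etc/openvpn/client.conf (constructed) ---
client
dev tun
proto udp
remote vpn.workplace.example 1194   # placeholder hostname for the $WORKPLACE server
nobind
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/darkskye-gw.crt
key  /usr/local/etc/openvpn/darkskye-gw.key
remote-cert-tls server              # reject a peer whose cert was not issued for server use (OpenVPN 2.1+)
persist-key
persist-tun
verb 3
```

With this in place the routes for 192.168.100.0/24 and 172.16.1.0/24 appear on the gateway via the tun interface as soon as the tunnel is up, and hosts on $LOCALNET reach $WORKNET through the gateway's normal forwarding; the only local work is an ipfw rule that allows traffic on the tun interface, and the natd rules for the PPPoE link are left untouched. Hosts in $WORKNET need a route for 192.168.1.0/24 pointing at the VPN server, which is again something the $WORKPLACE admin controls rather than the client.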

----------

