OpenVPN [was: Speaking of VPNs..]

Florin Andrei florin at andrei.myip.org
Fri Feb 6 19:50:30 UTC 2004


On Tue, 2004-02-03 at 22:50, Mark wrote:
> I have a small business client that is still running on Windows NT
> 3.5.1.  I'm thinking about putting Fedora on their main server and
> making it a firewall, internet gateway, etc on their DSL line.  I
> brought it up the other day, and they will not mind the change as long
> as their employees can still VPN into the server, and PCAnywhere into
> their PC or a server.  

OpenVPN.

I struggled with FreeS/WAN, it kinda works, but IPSec doesn't work
through NAT. Then you have to apply the NAT patches to FreeS/WAN in
order to tunnel IPSec through UDP, which are not supported with the
current FreeS/WAN version, so you're forced to use older, buggy
versions, not to mention that you have to patch the kernel.
Plus the native Win2K client does not support IPSec-over-UDP, so you
have to get a 3rd party client, which may or may not be free.
Also, setting up clients (any kind of clients, but especially Windows)
with FreeS/WAN is a pain in the butt.
On top of that, it's kernel-level, so if it breaks it takes everything
down.

Then I discovered OpenVPN. It has clients for Linux and Windows, which
are very easy to install and configure.
It does not use IPSec, but SSL-over-UDP (or TCP) on arbitrary ports, so
NAT and firewalls are not an issue. It can even tunnel through HTTP
proxies (if using TCP).
It's user-level (it's a daemon running as an unprivileged user) not
kernel-level, so it doesn't bring the whole system down if it breaks (it
never did).
Even though it's using SSL instead of IPSec, it's still a true VPN: it
gives you an address, it can tunnel any protocol, you can add static
routes through it, etc. It is not just a "browser thing", it's a
full-blown VPN, you can mount Windows shares, you can ping or traceroute
through it, etc.
The strength of the encryption is as good as IPSec's. That is not true
for other small VPN projects, which came under scrutiny of security
specialists recently and were found to be flawed.
The current version is designed for small networks (a few dozen clients)
and it does not scale too well to thousands of clients, because it uses
one port and one virtual interface on the server for each client. But
there are plans to rewrite it to make it scale. If you have fewer than a
hundred clients it should be ok.
It is not compatible with arbitrary IPSec VPN devices and applications,
because it's not using IPSec; this is where it's notably weaker than
FreeS/WAN.

http://openvpn.sourceforge.net/

-- 
Florin Andrei

http://florin.myip.org/
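A minimal server/client configuration pair for the kind of setup discussed in the post above, added here as an illustration; it is not part of the original message and not the OpenVPN project's own documentation. It uses OpenVPN 2.x server mode (the single-interface, multi-client design the post says was planned at the time) and assumes version 2.4 or later for the cipher line; the hostnames, addresses, file names and paths are assumptions. It shows the points the post makes: an arbitrary UDP port, a pushed static route to the office LAN, the daemon dropping root after startup, and the TCP variant for crossing an HTTP proxy.

```conf
# ---- server.conf (assumed path /etc/openvpn/server.conf) ----
# Any free UDP port works; open only this one on the firewall.
port 1194
proto udp
# Routed IP tunnel: the server assigns each client an address.
dev tun
# Certificate material (paths are assumptions).
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# HMAC on every control packet: traffic without the shared key is
# dropped before the TLS stack ever sees it.
tls-auth /etc/openvpn/ta.key 0
# One virtual interface and one port serve all clients (2.x mode);
# the server keeps 10.8.0.1 and hands out the rest of the subnet.
server 10.8.0.0 255.255.255.0
# Push a static route so clients can reach the office LAN behind it.
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
cipher AES-256-GCM
# Drop root once the tun device and keys are set up. On Fedora the
# unprivileged group is "nobody" (Debian uses "nogroup").
user nobody
group nobody
# Required with user/group so the daemon can re-read keys and keep the
# tun device across restarts without root.
persist-key
persist-tun
verb 3

# ---- client.ovpn (assumed name; one per employee) ----
client
dev tun
proto udp
remote vpn.example.org 1194
nobind
ca ca.crt
cert employee1.crt
key employee1.key
tls-auth ta.key 1
# Only accept a peer whose certificate carries the server EKU, so a
# stolen client certificate cannot be used to impersonate the server.
remote-cert-tls server
cipher AES-256-GCM
persist-key
persist-tun
verb 3
# To cross an HTTP proxy, switch the transport to TCP and name the
# proxy; uncomment these three lines and comment out "proto udp" and
# the UDP "remote" line above.
;proto tcp-client
;remote vpn.example.org 443
;http-proxy proxy.example.org 3128
```

Because every packet must carry a valid `tls-auth` HMAC before the TLS handshake is processed, port scans and malformed packets against the server port are discarded cheaply, and a log entry such as `TLS Error: cannot locate HMAC in incoming packet` at `verb 3` is the signal to watch for when something other than a configured client is talking to the port.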
