OpenVPN [was: IPSec VPN docs]

Florin Andrei florin at andrei.myip.org
Fri Mar 26 19:46:08 UTC 2004


Well, yeah, if 22 is the port your OpenVPN server is listening for this
particular client. But that would be rather unusual, especially since
it's a privileged port.

Typically, if the OpenVPN server is behind a firewall, most OpenVPN
admins assign ports like 5000... 6000... to their clients (one port for
each client with current OpenVPN versions, sorry, that will change in
future releases) and open all of them on their firewall.
I believe it would even work if the OpenVPN server is behind a NATing
firewall, but I never tried that; in that case, you'll have to
port-forward all those ports to the outside instead of simply opening
them up.

On Fri, 2004-03-26 at 11:43, Brian Chase wrote:
> Yeah, you can also open port 22 on the firewall and VPN to the OpenVPN 
> server behind your Dlink
> 
> Florin Andrei wrote:
> 
> > On Fri, 2004-03-26 at 11:24, Mark Haney wrote:
> > 
> >>Hey thanks for that.  I might try that if the DLINK people can't give me 
> >>what I need.  I found a FreeSWAN doc about setting up an IPSec VPN from a 
> >>DLINK firewall but it was in Russian, and since my Russian is rusty 
> >>(*cough, nonexistent, cough*), it really hasn't helped much.  If FreeSWAN 
> >>doesn't jive, I'll try that with the DLINK.
> > 
> > 
> > Just remember, OpenVPN is not based on IPSec and it cannot interoperate
> > with IPSec-based VPN devices.
> > I'm not sure what your DLINK thing is, but if it's some kind of VPN
> > server appliance, and it's based on IPSec, an OpenVPN client will not be
> > able to connect to it; so, you cannot try OpenVPN "with the DLINK".
> > 
> > What you can do, though, is to install a Linux box and configure it as
> > an OpenVPN server. Quite a few people are actually using their Linux
> > firewalls as OpenVPN servers - maybe not the absolute best idea from a
> > technical p.o.v., but it's cheap and simple (it's the situation
> > described in the howto on fedoranews.org).
> > 
> > Good luck,
> > 
> > 
> >>On 26 Mar 2004 11:06:25 -0800, Florin Andrei <florin at andrei.myip.org> 
> >>wrote:
> >>
> >>
> >>>On Sun, 2004-03-21 at 12:07, Mark Haney wrote:
> >>>
> >>>>I'm trying to get a VPN setup between my FC1 box at home and a DLink
> >>>>DFL300 at my office so I can do some things securely without having to
> >>>>make the 30 minute drive in to work to fix stuff.  I've googled the
> >>>>subject and the amount of documentation is pretty immense.  Can someone
> >>>>give me a shortened version of what I need to configure or point me to a
> >>>>good step by step doc on how to do it?
> >>>
> >>>Well, if IPSec is not a specific requirement, and if you actually could
> >>>use any VPN solution that's simple to install, secure and feature-rich,
> >>>have a look at OpenVPN:
> >>>
> >>>http://openvpn.sourceforge.net/
> >>>
> >>>A brief "cookbook recipe" HOWTO:
> >>>
> >>>http://fedoranews.org/contributors/florin_andrei/openvpn/
> >>>
> >>>IPSec VPN (like FreeS/WAN) is nice because it's compatible with all
> >>>kinds of VPN devices and software.
> >>>However, it can be a pain to install, even more so if you're using
> >>>Windows clients (but Linux is not a lot simpler, especially if you have
> >>>non-geek users). Also, it is very, very picky if there are firewalls in
> >>>between, especially if you go through NAT.
> >>>
> >>>OpenVPN is very simple to install, it does not require weird kernel
> >>>patches, it is firewall-friendly, works just fine with Windows (and
> >>>Solaris, and BSD), can tunnel through proxies, etc.
> >>>
> >>>It is not a typical "SSL VPN" - I mean, it is not a browser-based VPN,
> >>>even though it's using SSL to encrypt the tunnel. Think of it as exactly
> >>>the same thing as FreeS/WAN except it's using SSL instead of IPSec;
> >>>otherwise, it can route arbitrary IP protocols, it does not require a
> >>>browser, etc.
> >>>Just like FreeS/WAN, but without the pain.
> >>>
> >>
> >>
> >>
> >>-- 
> >>Estne volumen in toga, an solum tibi libet me videre?
> >>
> >>Mark Haney
> >>Development, Systems and Network Administration
> >>DoctorDirectory.com
> >>http://www.doctordirectory.com
> 
> -- 
> Brian Chase			Phone:  386-775-5366
> 2345 Hillside Ave.		Fax:    309-276-2048
> Orange City, FL  32763		Email:  networkr0 at cfl.rr.com
> 
> http://openalternatives.net
-- 
Florin Andrei

http://florin.myip.org/
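
The per-client port scheme from the message above, as an added example that is not part of the original post: a script that validates a client/port list (unprivileged, one port per client) and prints the firewall rules for either the plain "open the ports" case or the NAT port-forward case. UDP transport, the interface name, the server address and the client list are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (never apply) iptables rules for per-client OpenVPN ports.
# Assumptions: UDP transport, eth0 as the outside interface, 192.168.1.10 as
# the OpenVPN server; the client/port list is constructed sample data.
OVPN_SERVER="192.168.1.10"   # hypothetical internal server address
WAN_IF="eth0"                # hypothetical outside interface
NL='
'
# One "name port" pair per line: one port per client, as the message describes.
CLIENT_PORTS="alice 5000
bob 5001
carol 5002"

# gen_rules MODE ALLOCATIONS
#   open: firewall routes to the server, so only permit the allocated ports
#   dnat: NATing firewall, so also port-forward each port to the server
# Prints nothing and returns 1 if any allocation is invalid.
gen_rules() {
    mode=$1 rules="" seen=" "
    while read -r name port; do
        [ -n "$name" ] || continue
        case $port in
            ''|*[!0-9]*|??????*) echo "error: $name: bad port '$port'" >&2; return 1 ;;
        esac
        # Reject privileged ports such as 22, and anything above 65535.
        if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
            echo "error: $name: port $port not in 1024-65535" >&2; return 1
        fi
        # Each client needs its own port, so refuse duplicates.
        case $seen in
            *" $port "*) echo "error: port $port assigned twice" >&2; return 1 ;;
        esac
        seen="$seen$port "
        fwd="iptables -A FORWARD -i $WAN_IF -p udp -d $OVPN_SERVER --dport $port -j ACCEPT"
        case $mode in
            open) rules="${rules}${fwd}${NL}" ;;
            dnat) nat="iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $port"
                  rules="${rules}${nat} -j DNAT --to-destination ${OVPN_SERVER}:${port}${NL}${fwd}${NL}" ;;
            *) echo "error: unknown mode '$mode'" >&2; return 1 ;;
        esac
    done <<EOF
$2
EOF
    printf '%s' "$rules"
}

gen_rules dnat "$CLIENT_PORTS"
```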




