
Re: Setting up a new FIREWALL with VPN

If the Windows clients are single machines (not on a network of their own), then that (vtun) won't quite work right. Check your Windows machines to see what VPN tech they are capable of. If you can do IPSEC (the standard) you can use Freeswan on Linux to set up your tunnels. If your Windows machines can't do IPSEC yet, you may have to get PGP (which provides a PGPnet IPSEC client). Linux freeswan is at freeswan.org (AFAIR) or just apt-cache search freeswan. You should be able to set up either user or certificate authentication with IPSEC. Let the list know how your Debian setup is going, or join a freeswan list for real help with it and interop.


David Gardi wrote:

Paul wrote:

>I'm planning a new system that will act as a gateway/firewall for a
>network behind a cable modem.
>The idea is to have all clients able to use the gateway to access the
>internet for EMail only (I figure IPMASQ blocking all those ports) and
>then user auth'd proxy for the web... I figure I'll use SQUID for that.
>My question however, is setting this all up with allowing for VPN...
>I want users outside the network on windows clients to be able to connect
>securely to the network with encryption (of course) and user
>authentication (a generic password or usernames will suffice)
>Does anyone have any suggestions on how to do this... and perhaps a URL
>for howto's or whatever?
>I'm confident that I'll be able to set up SQUID and IPMASQ and securing
>the machine.. but I've never done linux debian VPN before...
If I were you, I'd take a look at vtun (http://vtun.sourceforge.net/).
You can create a virtual tunnel over the internet (or any ip network for
that matter) using compression and encryption. For this to work, you
need the tun driver compiled as a module and loaded. To check whether
you have it compiled in, check for CONFIG_TUN in your .config file in
the kernel source tree. I strongly recommend you use kernel 2.4.18 or
higher since I have experienced incompatibilities with previous
versions. You then create the device like this:
mknod /dev/net/tun c 10 200
for kernels 2.4.4 or greater (if it is not already there of
course), and
mknod /dev/tun c 10 200
for kernels 2.4.2 or below. Done
that, load the module by doing: modprobe tun. Check if it is loaded by
doing lsmod. Ok now you have your kernel ready to communicate over the
tun interface. All you need to do is download vtun and install it. This
is how it works:
One machine will be the vtun server, and the other (possibly over the
internet) will be a client. You have to configure /etc/vtund.conf
differently on each side to tell it whether to be a client or a server..
and then run the server and connect to it with the client.

Once it is all up and running your two networks, located at different
parts of the internet, should be able to communicate with each other as
if on a local network. In terms of firewalling you could just add a
simple rule saying to allow all traffic that comes to/from the tun

Let me know if you want example config files for client/server
even though you will find them already in the default installation.

Hope this helps,
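
The kernel-side checks from the vtun steps quoted above, written out as an added example that is not part of the original thread or of vtun. The function names are hypothetical, the sample .config fragment is constructed, and the script only prints the mknod/modprobe commands that would be needed without running them.

```shell
#!/bin/sh
# Pre-flight check for the tun steps in the thread. Reports only: it prints the
# commands that would be needed and never runs mknod or modprobe itself.

# Print how CONFIG_TUN is set in a kernel config: "y", "m", or "off".
tun_config_mode() {
    mode=$(sed -n 's/^CONFIG_TUN=\([ym]\)$/\1/p' "$1" | head -n 1)
    echo "${mode:-off}"
}

# Print the device node the thread gives for a kernel version:
# 2.4.4 or greater -> /dev/net/tun, 2.4.2 or below -> /dev/tun.
# The thread does not cover 2.4.3, so that prints "unknown".
tun_node_for_kernel() {
    ver=${1%%-*}                            # drop a suffix such as "-686"
    old_ifs=$IFS; IFS=.
    set -- $ver                             # split on dots into $1 $2 $3
    IFS=$old_ifs
    patch=${3:-0}; patch=${patch%%[!0-9]*}  # "18pre1" -> "18"
    n=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${patch:-0} ))
    if [ "$n" -ge 2004004 ]; then echo /dev/net/tun
    elif [ "$n" -le 2004002 ]; then echo /dev/tun
    else echo unknown
    fi
}

# $1 = kernel version, $2 = kernel .config path. Returns 1 if tun cannot work.
tun_plan() {
    mode=$(tun_config_mode "$2")
    [ "$mode" != off ] || { echo "CONFIG_TUN is not enabled in $2"; return 1; }
    node=$(tun_node_for_kernel "$1")
    [ "$node" != unknown ] || { echo "thread gives no node path for $1"; return 1; }
    [ -c "$node" ] || echo "mknod $node c 10 200"   # only if the node is missing
    [ "$mode" != m ] || echo "modprobe tun"         # built-in driver needs no modprobe
    return 0
}

# Constructed sample .config fragment for a stand-alone run.
sample=$(mktemp)
printf '%s\n' 'CONFIG_NETDEVICES=y' 'CONFIG_TUN=m' > "$sample"
tun_plan 2.4.18 "$sample"
rm -f "$sample"
```

On a real gateway, call it as tun_plan "$(uname -r)" with the path to the running kernel's .config.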
