
Re: [MY SOLUTION] Recommended way to setup an encrypted tunnel (a VPN)



On Tue, Jul 31, 2001 at 09:59:57AM +0200, Stephane Bortzmeyer wrote:
> On Tue, Jul 10, 2001 at 05:36:08PM +0200,
>  Stephane Bortzmeyer <bortzmeyer@netaktiv.com> wrote a message of 24
>  lines which said:
>
> > I have to connect two networks together and the virtual link needs
> > to be safely encrypted (some users know SSH but some will just POP
> > blindly and LDAP in woody is not SSLized anyway).
>
> I finally chose stunnel+PPP. Both are available in Debian packages,
> no patch to the Linux kernel is needed. I already know SSL and PPP,
> and both are proven technologies.
>
> www.stunnel.org


tcp-over-tcp tunnels aren't terribly efficient and tend to be prone to
errors and long delays (you have two levels of tcp retransmissions when
errors occur)

the author of CIPE wrote an interesting document called "Why TCP Over
TCP Is A Bad Idea" which explains this in more detail - you can see it
at:

http://sites.inka.de/~bigred/devel/tcp-tcp.html


did you look at vtun?

vtun supports several different kinds of tunnels (including ssh if you
want) but the best type is using the universal tap/tun driver, which is
available as a patch for 2.2 kernels and included as standard in 2.4
kernels.

there's currently a compatibility problem with vtun & kernels 2.4.6 and
2.4.7 but vtun 2.5 will be released soon which fixes that. all kernels
up to 2.4.5 work fine (you may need to make a /dev/net/tun device for
2.4.x kernels.)


see http://vtun.sourceforge.net/ for more details.


disclaimer: vtun is one of my packages and i like it :)


CIPE is another good tunneling system, but kernel based
rather than userland. it's packaged for debian too.
http://sites.inka.de/~bigred/devel/cipe.html


> It is not technically beautiful (you run TCP over PPP over a SSL
> connection which already is TCP!) but it works.

yep.

craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
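Craig's point about the two stacked retransmission layers, as a constructed tick-based model added here (not code from this thread, vtun, CIPE or stunnel): a stop-and-wait TCP sender tunnelled over a datagram carrier versus over a reliable in-order carrier that has its own exponential backoff, driven by a constructed loss pattern so the run is deterministic.

```python
# Constructed model: a stop-and-wait TCP sender ("inner") whose segments cross
# a tunnel that is either a datagram carrier ("udp": a lost segment is simply
# gone) or a reliable in-order carrier ("tcp": it retransmits with its own
# exponential backoff and never drops). Not a real TCP implementation.
RTT = 10             # ticks from sending a segment until its ACK is back
BASE_RTO = 2 * RTT   # initial retransmission timeout used by both layers
LOSSES = {5, 6, 30}  # constructed loss pattern: these wire attempts are dropped

def simulate(carrier: str, ticks: int = 400) -> dict:
    queue = []        # segments handed to the carrier, not yet on the wire
    acks = []         # (arrival_tick, seq) ACKs on their way back to the sender
    inflight = None   # (seq, last_sent_tick) of the unacknowledged segment
    next_seq, rto_in = 0, BASE_RTO
    rto_out, stalled_until, attempts = BASE_RTO, -1, 0
    stats = {"delivered": 0, "duplicates": 0, "inner_retx": 0,
             "carrier_retx": 0, "max_queue": 0}

    for now in range(ticks):
        # 1. ACKs arriving this tick; a stale copy shows up as a duplicate ACK
        for ack in [a for a in acks if a[0] == now]:
            acks.remove(ack)
            if inflight is not None and inflight[0] == ack[1]:
                inflight, next_seq, rto_in = None, next_seq + 1, BASE_RTO
                stats["delivered"] += 1
            else:
                stats["duplicates"] += 1
        # 2. inner sender: new data, or a timeout-driven retransmission that a
        #    TCP carrier is now obliged to deliver as well
        if inflight is None:
            inflight = (next_seq, now)
            queue.append(next_seq)
        elif now - inflight[1] >= rto_in:
            inflight, rto_in = (inflight[0], now), rto_in * 2
            queue.append(inflight[0])
            stats["inner_retx"] += 1
        stats["max_queue"] = max(stats["max_queue"], len(queue))
        # 3. carrier: one wire attempt per tick, unless a TCP carrier is waiting
        #    out its own RTO before resending the head of its queue
        if queue and now >= stalled_until:
            attempts += 1
            if attempts in LOSSES and carrier == "udp":
                queue.pop(0)                            # dropped for good
            elif attempts in LOSSES:
                stalled_until, rto_out = now + rto_out, rto_out * 2
                stats["carrier_retx"] += 1              # outer-layer backoff
            else:
                acks.append((now + RTT, queue.pop(0)))
                rto_out = BASE_RTO
    return stats
```

Over the TCP carrier the inner retransmissions pile up behind the stalled head of the carrier queue and are all delivered once the carrier recovers, each costing a wire slot and returning a duplicate ACK; over the datagram carrier the lost copy is simply gone and only the inner timer does any work.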


