Re: road warrior VPN with IPCop2
On Thu, 10 Sep 2015 22:34:30 -0500
rlharris@oplink.net wrote:
> I am trying to understand the options for accommodating a "road
> warrior" who, as a VPN client, needs to connect to one or more
> machines which reside at the home office, in a LAN protected by a
> stand-alone firewall. The road warrior is running Debian on a
> laptop. The firewall protecting the LAN is IPCop2.
>
> After much searching with google and reading a number of documents, it
> appears to me that there exist two approaches:
>
> (1) The firewall can act as the VPN server; this allows the
> roadwarrior to access the entire protected LAN.
>
> (2) The VPN can bypass the firewall; in this case, one machine in the
> protected LAN acts as the VPN server.
>
> Either of these solutions is acceptable.
>
> I do not know whether the use of IPCop2 simplifies or complicates the
> situation; but the user strongly prefers to remain with IPCop2 rather
> than to switch to another firewall.
>
> I am having difficulty trying to reconcile the step-by-step procedures
> which I have found for implementing VPN on Debian with the
> step-by-step procedures which I have found for implementing VPN on
> IPCop2. I am wondering if the two systems are compatible.
>
Sorry if this is obvious to you, but there are several protocols which
can be used for VPN. Within Linux, openvpn is often used, but IPCop is
promoted as a general network firewall and may use one or more of the
VPN protocols commonly used by Microsoft, but can run an openvpn
server. If your home network has a commercial modem-router facing the
Internet, it will often be able to terminate Microsoft-type VPNs, and
almost always be able to pass their protocols through to the network.
A site-to-site VPN, usually terminating on the Internet-facing
firewall, may well use the IPSec protocol, which is totally different
from openvpn. IPSec is itself platform-independent, though the support
may not be. It uses endpoint IP addresses as part of its encryption and
was not designed to pass through NAT, so an auxiliary protocol is
required to achieve that. For that reason, it is usually used between
machines with Internet-facing public IP addresses.
Openvpn passes through NAT without problems, as does the Microsoft
PPTP. Openvpn can use any TCP or UDP port, but UDP is recommended, and
only this single port needs to be forwarded to an internal server
through firewalls.
Any VPN has a large number of configurations, and the client and server
configurations must match exactly. It is best to have client and server
in the same room while getting it working. If your mobile user uses
Network Manager to handle connections, this has VPN client plugins,
though generally they handle only the more commonly-used subset of VPN
configurations. For most VPNs, digital certificates are necessary. The
openvpn instructions explain how to set up the necessary certificates
for it, and I'd suspect IPCop will have its own certificate
infrastructure which VPN certificates would tie into.
You might also consider whether a VPN is necessary: if your mobile
client needs to connect to only a few TCP ports, this can be achieved
with an ssh connection into either the firewall directly, or an internal
machine by simple port-forwarding.
--
Joe
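As an added example that is not part of Joe's reply: a constructed OpenVPN server/client pair for the single-UDP-port road-warrior setup he describes (server on an internal LAN machine, firewall forwarding one UDP port to it), together with a small check that the directives which must agree on both ends actually do. The hostname, port, file names and the check script are assumptions, not configuration taken from IPCop, Debian or the thread.

```shell
#!/bin/sh
# Constructed road-warrior OpenVPN pair: the server is an internal LAN host
# and the firewall forwards one UDP port (1194) to it. All names are assumed.
write_sample_configs() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-GCM
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
EOF
  cat > "$2" <<'EOF'
client
remote vpn.example.org 1194
proto udp
dev tun
ca ca.crt
cert laptop.crt
key laptop.key
tls-auth ta.key 1
cipher AES-256-GCM
remote-cert-tls server
EOF
}
# Value of directive $2 in config $1 (rest of the first matching line).
directive() { awk -v d="$2" '$1==d { $1=""; sub(/^ +/, ""); print; exit }' "$1"; }
# Compare the settings that must agree between server config $1 and client
# config $2. Prints every mismatch; returns 0 only when the pair is consistent.
check_pair() {
  rc=0
  for d in proto dev cipher; do
    sv=$(directive "$1" "$d"); cv=$(directive "$2" "$d")
    [ "$sv" = "$cv" ] || { echo "mismatch: $d server='$sv' client='$cv'"; rc=1; }
  done
  # The server listens on 'port N'; the client names that port in 'remote host N'.
  sport=$(directive "$1" port); cport=$(directive "$2" remote | awk '{print $2}')
  [ "$sport" = "$cport" ] || { echo "mismatch: port server='$sport' client='$cport'"; rc=1; }
  # tls-auth: same shared key file, opposite key direction (server 0, client 1).
  sk=$(directive "$1" tls-auth); ck=$(directive "$2" tls-auth)
  { [ "${sk% *}" = "${ck% *}" ] && [ "${sk##* }" = 0 ] && [ "${ck##* }" = 1 ]; } \
    || { echo "mismatch: tls-auth server='$sk' client='$ck'"; rc=1; }
  return $rc
}
```

Run `write_sample_configs server.conf client.conf` and then `check_pair server.conf client.conf`; a non-zero exit with a printed mismatch is the first thing to look at when the two ends will not talk.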