
Re: road warrior VPN with IPCop2



On Fri, September 11, 2015 2:59 am, Joe wrote:
> Sorry if this is obvious to you,

If it were obvious, I would not be asking.  :-)  I appreciate your
patience in explaining things to me.

> IPCop is promoted as a general network firewall and may use one or
> more of the VPN protocols commonly used by Microsoft, but can run an
> openvpn server.

This is attractive to me, because then it eliminates the need to dedicate
one of the machines in the LAN to VPN.

> If your home network has a commercial modem-router facing the
> Internet, it will often be able to terminate Microsoft-type VPNs,
> and almost always be able to pass their protocols through to the
> network.

IPCop is fed directly by the DSL modem, but the ISP stands between me
and the Internet.

> A site-to-site VPN, usually terminating on the Internet-facing
> firewall, may well use the IPSec protocol, which is totally
> different from openvpn.

IPSec is a realm which I would prefer to avoid, at least for the present.


> Openvpn passes through NAT without problems, as does the Microsoft
> PPTP.

I anticipate no need to accommodate a M$ system.

> Openvpn can use any TCP or UDP port, but UDP is recommended, and
> only this single port needs to be forwarded to an internal server through
> firewalls.

Somewhere here I have a thick O'Reilly book on UDP; perhaps I ought to dig
it out?

> Any VPN has a large number of configurations, and the client and server
> configurations must match exactly. It is best to have client and server in
> the same room while getting it working.

That is one thing which confused me a bit.  Can I then get things working
with two machines connected directly and isolated from the LAN?  (But I
suppose that an ethernet switch or hub is needed between them; otherwise
some sort of "reverse" cable would be needed, right?)

> If your mobile user uses Network Manager to handle connections

Yes; Debian Jessie.

> this has VPN client plugins

I never noticed this.

> For most VPNs, digital certificates are necessary. The openvpn
> instructions explain how to set up the necessary certificates for
> it, and I'd suspect IPCop will have its own certificate
> infrastructure which VPN certificates would tie into.

Yes.  But the questions asked by the IPCop certificate generator are a bit
different from the questions asked by the official OPENVPN generator; and
that is another thing which confused me.

> You might also consider whether a VPN is necessary:

The ability to browse several different web sites is essential, and it is
better (though slower) if all traffic from the road warrior is directed
back to the home LAN.  Besides, I would like to go through the exercise.

RLH
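
Added example (not part of the original message, and not IPCop or OpenVPN project code): a small checker for the point quoted above that client and server settings must match and that a single UDP port is involved. The two configurations and the hostname vpn.example.org are constructed samples; the directive names are standard OpenVPN ones, and the set compared here is a deliberately small subset.

```python
"""Compare tunnel-level directives of an OpenVPN server and client config."""

# Directives compared verbatim. A directive present on one side and absent
# on the other is reported too, since relying on defaults hides mismatches.
MUST_MATCH = ("dev", "cipher", "auth", "comp-lzo")

# Constructed sample configs (not taken from the thread).
SERVER = "port 1194\nproto udp\ndev tun\ncipher AES-256-CBC\ncomp-lzo\n"
CLIENT_BAD = ("client\nremote vpn.example.org 1194\nproto tcp\n"
              "dev tun\ncipher AES-256-CBC\n")
CLIENT_OK = ("client\nremote vpn.example.org 1194\nproto udp\n"
             "dev tun\ncipher AES-256-CBC\ncomp-lzo\n")


def parse(text):
    """Return {directive: [args]}, skipping blank and comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf[name] = args
    return conf


def mismatches(server_text, client_text):
    """List human-readable differences that would stop the tunnel working."""
    srv, cli = parse(server_text), parse(client_text)
    problems = [f"{n}: server={srv.get(n)} client={cli.get(n)}"
                for n in MUST_MATCH if srv.get(n) != cli.get(n)]
    # Transport: compare only udp/tcp (so tcp-server matches tcp-client).
    s_proto = srv.get("proto", ["udp"])[0][:3]      # OpenVPN default: udp
    c_proto = cli.get("proto", ["udp"])[0][:3]
    if s_proto != c_proto:
        problems.append(f"proto: server={s_proto} client={c_proto}")
    # Port: server 'port N' against the client's 'remote host N'.
    s_port = srv.get("port", ["1194"])[0]           # OpenVPN default: 1194
    remote = cli.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        problems.append(f"port: server={s_port} client={c_port}")
    return problems


if __name__ == "__main__":
    for label, client in (("bad", CLIENT_BAD), ("ok", CLIENT_OK)):
        print(label, mismatches(SERVER, client) or "no mismatches")
```

The port and protocol the checker reports for the server are also the only ones that have to be allowed or forwarded on the firewall in front of it.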


