Re: road warrior VPN with IPCop2



On Fri, 11 Sep 2015 08:52:16 -0500
rlharris@oplink.net wrote:

> On Fri, September 11, 2015 2:59 am, Joe wrote:

> 
> > Openvpn can use any TCP or UDP port, but UDP is recommended, and
> > only this single port needs to be forwarded to an internal server
> > through firewalls.
> 
> Somewhere here I have a thick O'Reilly book on UDP; perhaps I ought
> to dig out?

No, you don't need to know anything about it, openvpn uses a UDP port
as standard, you may want to change the port number but I don't think
there's a good reason unless you are running multiple openvpn servers
through the same firewall.

> 
> > Any VPN has a large number of configurations, and the client and
> > server configurations must match exactly. It is best to have client
> > and server in the same room while getting it working.
> 
> That is one thing which confused me a bit.  Can I then get things
> working with two machines connected directly and isolated from the
> LAN?  (But I suppose that an ethernet switch or hub is needed between
> them; otherwise some sort of "reverse" cable would be needed, right?)
> 
I've never had a problem either with openvpn or PPTP by just plugging
my client straight into the network containing the server. The
computer's routing might be mildly confused once the connection is up,
but you're not looking to transfer data, just make or not make a
connection.

Getting a VPN working for the first time through two or more NAT
routers has too many points of failure to be less than traumatic, and
first making sure that the client and server talk to each other without
any packet filters to complicate things is well worth doing. I used to
help out on the MS Small Business Server newsgroup, and frequently
talked people through getting PPTP working into their SBS. Hooking the
client into the network physically was an important troubleshooting
technique when nothing seemed to work remotely. Openvpn is much easier,
as there is only one port to forward, PPTP needs a TCP port *and* an IP
protocol, as well as a couple of sets of DSL router firmware which
work as advertised, using the equivalent of an iptables conntrack
module.

> > If your mobile user uses Network Manager to handle connections
> 
> Yes; Debian Jessie.
> 
> > this has VPN client plugins
> 
> I never noticed this.

They need to be installed separately, look for network-manager-openvpn
in your package manager, and network-manager-openvpn-gnome for
integration into the NM Gnome GUI if the Gnome desktop is in use.

> 
> > For most VPNs, digital certificates are necessary. The openvpn
> > instructions explain how to set up the necessary certificates for
> > it, and I'd suspect IPCop will have its own certificate
> > infrastructure which VPN certificates would tie into.
> 
> Yes.  But the questions asked by the IPCop certificate generator are
> a bit different from the questions asked by the official OPENVPN
> generator; and that is another thing which confused me.

Openssl is unavoidably somewhat user-hostile when it comes to generating
certificates (look at the man page), so there are various auxiliary
scripts available which minimise the confusion when you want a
particular type of certificate. Openvpn recommends using easy-rsa, one
such set of scripts, but there are other scripts and no doubt you can
find instructions for using openssl directly from the command line, if
you are a good and patient typist. The end result should be equivalent
whichever method is used.

There are various fields which are important for some uses of
certificates, particularly when they form part of a public key
infrastructure. The certificates used by openvpn (and freeradius, and
many other client certificate systems) do not need the various
identification or location fields, all that matters is that a client
certificate which has been directly signed by the server certificate
will be accepted as valid, and nothing else will. A Distinguished Name
is necessary, but not very much else, other than for your convenience
in identifying certificates. I would guess the IPCop certificate
generator is asking for fields which are unnecessary in this particular
situation, but are necessary for example for an https server.

> 
> > You might also consider whether a VPN is necessary:
> 
> The ability to browse several different web sites is essential, and
> it is better (though slower) if all traffic from the road warrior is
> directed back to the home LAN.  Besides, I would like to go through
> the exercise.
> 

Indeed, I use my home VPN both for access to my server and as a secure
Internet connection when I use public wifi or some other untrusted
network. But I also tunnel things through ssh for simplicity, such as
if I just want to reach my IMAP and/or MySQL servers from my Windows
laptop. The openvpn Windows client needs root privileges, PuTTY
doesn't, and if I'm in a reasonably secure network, I don't want my
web browsing filtered through my slow home ADSL upload speed. Horses
for courses. Oh, yes, for mobile use it is less convenient but slightly
more secure to keep the encrypted keys, ssh or openvpn, on a USB stick.

-- 
Joe
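The certificate point above (only the signing CA matters, the O/L/ST fields do not) as an added example that is not part of the thread: it builds two small CAs and one client certificate from each with nothing but the openssl CLI, then checks which client an openvpn server trusting the home CA (the file named by its `ca` directive) would accept. It assumes only that the openssl binary is installed; every file name and CN is made up.

```shell
#!/bin/sh
# Added example, not from the list thread: bare-CN CA and client certs made
# with the openssl CLI only. All paths and names are invented for the demo.
set -e
WORK=$(mktemp -d)

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Self-signed CA whose subject holds nothing but a CN.
make_ca() {    # $1 = file prefix, $2 = CA common name
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Client key + CSR with a bare CN, signed by the CA given as $1.
make_client() {  # $1 = CA prefix, $2 = client common name, $3 = output prefix
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -out "$3.crt" 2>/dev/null
}

# Exit 0 if $2 chains to the CA in $1: the check an openvpn server makes
# against the file named by its 'ca' directive.
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Two CAs, one client from each; only the home-CA client should pass.
check_scenarios() {
    make_ca "$WORK/home" "Home VPN CA"
    make_ca "$WORK/other" "Some Other CA"
    make_client "$WORK/home" "laptop" "$WORK/laptop"
    make_client "$WORK/other" "other-laptop" "$WORK/other-laptop"
    verify_against_ca "$WORK/home.crt" "$WORK/laptop.crt" || return 1
    verify_against_ca "$WORK/home.crt" "$WORK/other-laptop.crt" && return 1
    return 0
}
```

Run `check_scenarios && echo ok` after sourcing the script; swapping the CA used in `make_client` for the first client makes it fail, showing that nothing in the DN beyond the signature matters.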
