Virtual Private Networks, or VPNs, are a way of securely accessing resources on your network from untrusted points on the internet. This page describes some of the various types of open-source VPN solutions that are available on Linux systems, with benefits and drawbacks for each solution. I’m not making a VPN comparison, per se, but I hope I provide enough information that you can draw your own conclusions, and make a decision on what type of VPN best fits your need. Feel free to mail me (ipsec@natecarlson.com) with any questions.
Contents:
IPSec VPNs (Openswan, KAME)
SSL-Based VPNs (OpenVPN)
PPTP-Based VPNs (PoPToP)
Commercial VPN software
IPSec is one of the older VPN standards, and is still very secure and useful when properly configured. There are two major separate implementations of IPSec under Linux. The first is the project that was originally called FreeS/WAN, but has now forked into Openswan and Strongswan. This implementation provides its own IPSec kernel stack, and it can also use the code included in recent kernels. The second is a port of KAME from BSD. KAME can only use the kernel stack. The main IPSec specification itself does not provide a virtual IP for the remote host on the local network, but there are various extensions that offer this. You can also run L2TP over IPSec, which is well supported by Microsoft’s recent operating systems.
Pros: IPSec is a very established protocol, and is well supported by pretty much anything that supports VPN connections (routers, smartphones, operating systems, you name it!) The Openswan implementation works with the proprietary XAUTH extension, and can work as a client to Cisco, Nortel, and many other VPN concentrators. IPSec makes it reasonably easy to secure what can and cannot go over a tunnel, at the kernel level, without having to set up extra firewall rules. Very flexible for subnet<->subnet configurations, host<->subnet configurations, and so on.
Cons: IPSec can be difficult to get set up and working. It also does not work behind some types of NAT gateways, although this has improved with NAT-Traversal support.
Links:
Openswan
IPSec-tools, KAME port for Linux
My article on configuring Openswan with X.509 and Windows XP’s client
My article on configuring Openswan with L2TP and Windows XP’s client
Consulting information, if you need help
Recently, SSL-based VPN have been gaining popularity. The big benefit to SSL VPN’s is that you only require a single TCP or UDP port to tunnel your traffic on, so you can easily traverse most firewalls. There are many implementations of SSL VPN’s; many of them are commercial, and support both a web-based interface (which only allows you to browse web pages on the remote network, but works on any browser on any platform.. it is essentially a browser-based proxy server) and a full tunneled implementation. As far as open source implementations go, the most mature by far is OpenVPN. OpenVPN is fairly mature, very feature-rich, and has been ported to most major operating systems. As of yet, there is not a “clientless” (ie, web-browser-based) version available that I am aware of.
Pros: Trivial firewall configuration; just needs a single TCP or UDP port. Uses SSL, which is a very mature protocol. Available for most operating systems, including Windows. Flexible configuration options.
Cons: Requires more firewall configuration that IPSec to control access to internal resources. OpenVPN is not supported in most commercial VPN concentrators; however, they usually provide their own implementation.
Links:
OpenVPN’s home page; very informative.
PPTP is the protocol that Microsoft originally supported somewhere around Windows 95. It’s been used for a long time, but there are many questions about the security of it. Basically it tunnels a PPP connection over the GRE protocol. PoPToP is the main PPTP server for Linux. If you think you need PPTP, I would highly advise you to look at L2TP over IPSec instead — L2TP over IPSec is more secure, offers all the same features, plus a few extras.
Pros: Easy configuration under Windows, supported by many commercial routers/firewalls.
Cons: Questionable security, firewall/NAT problems similar to IPSec. Requires kernel patches to offer encryption.
Links:
PoPToP home page.
Analysis of the MSCHAP-v2 protocol
[ad name=”Chitika 728×90 Leaderboard”]
There are various commercial VPN clients available for Linux, but as far as I am aware, there are not any commercial servers. If you are aware of any commercial servers for Linux, please let me know. Below is a list of some of the better-known commercial clients.
Links:
vpnc — open-source client to connect to Cisco VPN concentrators with IPsec
OpenConnect — open-source client to connect to Cisco “AnyConnect” SSL VPN’s
Cisco Client — link is to reference manual; if you have a CCO login you can download the client.
Nortel VPN Client
Apani VPN client for Nortel
Very informative article…Always wanted to learn about all the VPN options available when working with Linux.
The problem of FreeS/WAN are the development has stopped
Indeed. Have you tried Openswan or Strongswan, or plain ‘ol racoon?