# VPN - OpenVPN or VPN (Free/Swan) or IPSec

## bryon

I am planning on setting up a Gentoo box for the DSL line that will be installed soon.  This box will be directly connected to the modem.  I have two simple questions.  The first and main question is which VPN software I should use that is open source.  The three that I believe are the most popular are OpenVPN or VPN (Free/Swan) or IPSec.  Which ones do you recommend and why?

The programs that I plan on running on this computer are

- iptables
- VPN software
- djbdns
- snort
- apache (maybe)

Are there any other programs that you believe I should have running on a computer whose main purpose will be as a router for the rest of the computers in the house?

----------

## sebest

You could use a mail server for spooling your outgoing mails.

About VPN, you can choose a solution which is compatible with IPsec,

for example FreeS/WAN on Linux 2.4.

The advantage of using something based on IPsec is that you can connect with other OSes or devices that use this standard, like OpenBSD, Cisco, Microsoft 2k/XP, or special firewall distros like IPCop...

The other solutions, OpenVPN, CIPE etc. etc., are not standard; you need to install something on both sides of your VPN, and I think the other difference is that IPsec is implemented at the kernel level whereas OpenVPN is in userspace.

For some people OpenVPN or CIPE is/seems easier to set up...

Personally I use IPsec implementations.

----------

## lord

I've been using FreeS/WAN IPsec together with Windows 2000 and XP for a short while now and it's working really great. I took a peek at OpenVPN before deciding, and at least for me FreeS/WAN was the best solution since I didn't want my clients to have to install a third-party program on their side.

A really good webpage on how to setup FreeS/WAN server + linux/windows client is Nate Carlson's ipsec page.

----------

## Koon

 *bryon wrote:*   

> The three that I believe are the most popular are OpenVPN or VPN (Free/Swan) or IPSec.  Which ones do you recommend and why?

FreeS/WAN uses IPSEC. So the choice is more between the two. OpenVPN is much simpler to understand, but it will be less (understand: not) compatible with other software. Great for a little OpenVPN-to-OpenVPN tunnel, not great for connecting your network with networks using other technologies or with roaming users using Windows. For these you will have to get into FreeS/Wan, much more compliant to standards, or proprietary solutions.

-K

----------

## Jupiler

Hi, I've been reading the page lord suggested, but I'm afraid it will be too hard for my friends to set it up that way. They don't know enough about Windows to even complete the client part.

Is there another possible solution to use an easy VPN on a Gentoo gateway with Windows clients?

----------

## rncwnd

Have a look at http://vpn.ebootis.de/

Configuring the client (Win 2k / XP) side is easier than configuring the server side.

Look also at:

http://vpn.ebootis.de/cert.htm

http://download.freeswan.ca/x509patches/install.htm

For clients behind routers look at:

http://download.freeswan.ca/x509patches/install.htm#section_4.4

There were some articles in the German "c't" magazine:

http://www.heise.de/ct/02/05/216/

http://www.heise.de/ct/02/05/220/

I hope I could help you. The above links helped me to set up IPsec on multiple SuSE 8.2 servers with Win 2k / XP roadwarriors and X.509.

Regards

Andy

----------

## Jupiler

Thanks for the info, will try to get it up and running.

----------

## Davin

While standards compliance is a Good Thing, FreeSWAN + Windows is not for the weak of heart.  My personal recommendation, if you're setting up a small VPN that you control on both sides, is that OpenVPN is a good starting point (especially if you don't consider yourself particularly strong in IT ninjitsu). While the main problem people seem to perceive is it relying on a third-party program (the openvpn executable) and not subscribing to an OS-independent standard, the configuration for OpenVPN is *almost exactly identical* regardless of which OS you set it up on. OpenVPN is great for establishing VPNs where one side is Linux and the other is Windows, because it doesn't require learning two separate methods of telling an operating system your configuration. I've played with FreeSWAN on two separate occasions, and on both I found myself dissatisfied with the Windows side of things. If I want one of my tech-illiterate users to participate in a VPN, all I have to do with OpenVPN is say "run this installer", "put these certificates here", and "use this config file". That's it. The amount of work required to set up the Windows side of a VPN connection under FreeSWAN is not something I can easily instruct others to set up on their own. This, in my perception, is the major weakness of FreeSWAN.

This isn't to say that I strongly dislike or completely disagree with its implementation of a VPN, but I will say that some better tools to better facilitate the setting up on the Windows side need to be written. Not that it's FreeSWAN's responsibility to make up for the shortcomings of M$ programming designs, but it would do much to help with FreeSWAN's widespread adoption. (...and seeing as how I recently acquired programming abilities, more than likely I'm going to be getting around to writing an interface to make setting it up under Windows easier - eventually)

----------

## tdb

Have to agree. I've been playing with OpenVPN for a week now as I search for a replacement for WEP. (The Atmel wireless drivers get screwy when WEP is enabled, and I hate rekeying everything every week.) I spent MONTHS trying to figure out Freeswan. I just couldn't wrap my brain around the configuration of it. Also, trying to match up the different kernels that have support for it with the various versions (super/freeswan) was just too much. I finally started really looking at OpenVPN. It wound up being easy to understand and implement. (Just start with the examples at the end of the man page.) After following that, I had a VPN up in 10 minutes. I'm experimenting with putting all the VPN clients on the same subnet as the wired clients so they can get DHCP more easily. Another nice thing about it is I can easily get AES as my transport cipher. Freeswan requires some tricks to get anything other than the slow 3DES cipher. The only drawback is the lack of support for anything before Win 2000. (GF's laptop still boots ME on one partition.) OpenVPN also handles bad network connections very well. While I was testing, my Atmel card would constantly lock up, needing a reset. OpenVPN kept right on chugging. As soon as the link came back, it started right back where it left off. Overall, I'm very happy with it and look forward to converting everything over to it.

P.S. To get AES, you need to emerge the LATEST version of OpenSSL, 0.97c I think, and the latest version of OpenVPN, 1.5.0. Both are masked. After that, do "openvpn --show-ciphers" and AES-256-CBC will be at the bottom of the list.

----------

## Arasi

A note on configuring freeswan, check out http://hlug.mohawkc.on.ca/site/presentations.htm

There is a presentation there from one of the freeswan guys from June 2003 that talks about freeswan. He attends fairly regularly at our local Linux user group, and last Wednesday he went through the FreeS/WAN setup and it took literally minutes to install and configure.

The big thing he said is people forget what the "left" and "right" terminology means... Left = Local and Right = Remote ... in all config files.

However, that being said, that was a Linux-to-Linux configuration; the Windows side with IPsec policies can be a little nightmarish.

Arasi

----------

## thomasjb

If I install OpenVPN and FreeS/WAN on the same Gentoo machine, am I gonna set myself up for trouble, or will I be able to give both of them a try (obviously not at the same time, but on the same machine)?

thanks for any comments and hints.

----------

## tdb

I know about the left and right thing. It was just trying to figure out the nexthop, subnet, etc... It seemed there were about 50 different ways to accomplish the same thing; none of which worked together.

As for using OpenVPN and IPSec; there should be no problems with the two working together. IPSec uses ESP and AH for its transport protocols. (ESP / AH are level 3 protocols (is that the right number?), they're on the same level as TCP, UDP, ICMP, etc...) OpenVPN uses either UDP or TCP. Both use different libraries for encryption and transmission.

Each one has its own merits. IPSec is the standard, has been around for a long time, has hardware support available, and may be your only choice in some situations. (if your work uses a hardware VPN concentrator, chances are it's IPSec.) OpenVPN is easy to set up, easy for (me) to understand, and has a hell of a lot of features. It's based on OpenSSL, so you know the underlying crypto is sound.

I personally like OpenVPN because I understand it. It gives me the option to create a link that sends raw Ethernet frames (level 2), instead of using an IP tunnel, so you can use any protocol that runs over Ethernet, including NetBIOS, IPX, broadcast, etc... I don't know if IPSec can do that. Another consideration is that OpenVPN would appear to be more stealthy. A stream of UDP packets is commonplace on the internet. A stream of ESP packets tips off that it's a secure transmission. This is especially important when you consider that some ISPs might not allow VPN traffic on residential accounts. (Mine didn't until six months ago. They wanted you to buy a business account for telecommuting.)

----------

## thomasjb

Thanks a lot tdb, appreciate the in-depth information.

----------

## Maximo

I have just started to research how to setup my Gentoo box as a VPN server and I must say it looks more complicated than I hoped it would be.  

For now I would just be using a dynamic DNS config and it does not seem FreeSwan is designed to be used like this.

I would also have Windows clients connecting to the VPN.  I am not yet clear as to why all the extra software is needed for the Windows client.  Why can't a VPN connectoid be used to establish an IPSec connection to the Gentoo box?   I want to keep the process for the end user as simple as possible.... i.e. no additional software to download and configure.

Maybe I am missing something?

Thanks,

-Maximo

----------

## tdb

 *Maximo wrote:*   

> I have just started to research how to setup my Gentoo box as a VPN server and I must say it looks more complicated than I hoped it would be.

It doesn't have to be for OpenVPN. Just take it easy. Read the manpage all the way through. Don't try to set it up yet; just look and get a feel for what all it has to offer. Then do the examples at the bottom of the page first. Don't do the stuff in the howto or any of the guides linked to on the homepage (that's what threw me off initially). Just do the three examples I mentioned first. Then go from there. The hardest part about OpenVPN for me was figuring out how to set up the SSL keys. Although I didn't use it, the easy-rsa script that comes with OpenVPN looks promising.

 *Quote:*   

> For now I would just be using a dynamic DNS config and it does not seem FreeSwan is designed to be used like this.

I don't know how well Freeswan handles that. OpenVPN has no problems with it. There are several different methods for dealing with dynamic IPs, even on both sides. Just start from the beginning before you try to get all fancy with the different features.

 *Quote:*   

> I would also have Windows clients connecting to the VPN.  I am not yet clear as to why all the extra software is needed for the Windows client.  Why can't a VPN connectoid be used to establish an IPSec connection to the Gentoo box?   I want to keep the process for the end user as simple as possible.... i.e. no additional software to download and configure.


I don't think you need extra software for IPSec on w2k and up. Linux needs freeswan. OpenVPN needs software for both w2k and linux versions. If you want a "no download" policy, then OpenVPN is not going to work for you. What's wrong with downloading and installing? You're going to have to install keys and certificates no matter what you run, and you're going to have to do some setup work regardless. What's wrong with spending 2 extra minutes downloading a client?

----------

## Arasi

 *tdb wrote:*   

> I know about the left and right thing. It was just trying to figure out the nexthop, subnet, etc... It seemed there were about 50 different ways to accomplish the same thing; none of which worked together.

Well I guess maybe it's all in the way you approach it as to whether it's simple or not. I concede I've done this a while, and the configuration seemed easy enough and worked great for myself.

 *tdb wrote:*   

> As for using OpenVPN and IPSec; there should be no problems with the two working together. IPSec uses ESP and AH for its transport protocols. (ESP / AH are level 3 protocols (is that the right number?), they're on the same level as TCP, UDP, ICMP, etc...) OpenVPN uses either UDP or TCP. Both use different libraries for encryption and transmission.

Just for clarity, TCP/UDP are in fact Layer 4 (Transport), while ICMP is not on the same level; it runs on Layer 3 (Network/Internet) with IP and ARP.

If I remember right, ESP/AH would operate at Layer 4.  But to be 100% sure I'd have to look it up in my Network OSI book.

Arasi
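Both tdb's remark that a stream of ESP packets gives away a secure transmission while UDP does not, and the layer discussion above, come down to the IPv4 header's protocol field, where ESP (50) and AH (51) sit beside ICMP (1), TCP (6) and UDP (17). As an added example that is not part of this thread, the Python below parses constructed packets and shows what an on-path observer can read from each without holding any key (addresses, ports and SPI values are made up).

```python
import struct

# IPv4 "protocol" field values from the IANA protocol-numbers registry.
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

def classify_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header and report what carries the payload.

    For ESP/AH the SPI (first 4 bytes of the IPsec header) is in the clear, so
    a passive observer can identify and track an IPsec tunnel without any key;
    a UDP datagram (OpenVPN's usual transport) only exposes its ports.
    """
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    payload = packet[(ver_ihl & 0x0F) * 4:]          # skip header incl. options
    info = {
        "proto": IP_PROTO.get(proto, str(proto)),
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ipsec": proto in (50, 51),   # ESP/AH show up as their own IP protocol numbers
    }
    if info["ipsec"] and len(payload) >= 4:
        info["spi"] = struct.unpack("!I", payload[:4])[0]
    elif proto == 17 and len(payload) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info

def tally(packets) -> dict:
    """Count packets per IP protocol name, e.g. to spot an ESP stream in a capture."""
    counts = {}
    for pkt in packets:
        name = classify_ipv4(pkt)["proto"]
        counts[name] = counts.get(name, 0) + 1
    return counts

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet for the samples below (checksum left as 0)."""
    def ip(addr):
        return bytes(int(o) for o in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, ip(src), ip(dst))
    return hdr + payload

# Constructed samples (documentation addresses, arbitrary ports and SPI):
# one ESP packet with SPI 0x1234 and sequence number 7, and one UDP datagram.
ESP_SAMPLE = build_ipv4(50, "192.0.2.10", "198.51.100.1", struct.pack("!II", 0x1234, 7) + b"\x00" * 16)
UDP_SAMPLE = build_ipv4(17, "192.0.2.10", "198.51.100.1", struct.pack("!HHHH", 40000, 40001, 24, 0) + b"\x00" * 16)
```

Run `tally` over a list of parsed packets from a capture to see how a residential ISP or a firewall could tell an IPsec session apart from ordinary UDP traffic by protocol number alone.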

----------

## Arasi

 *tdb wrote:*   

> I don't know how well Freeswan handles that. OpenVPN has no problems with it. There are several different methods for dealing with dynamic IPs, even on both sides. Just start from the beginning before you try to get all fancy with the different features.

In any VPN solution, if the IPs are dynamic on all ends then you will need some sort of DNS resolution; thus if you're running a hardware solution like a Linksys router with dynamic DNS support, then you could set it up and not have to worry about it, as the router will update the DNS and redirect the ports (provided it's configured).

However, if you do not have a dynamic DNS solution you're going to have a lot of headaches with dynamic IPs in any VPN solution.

 *Maximo wrote:*   

> I have just started to research how to setup my Gentoo box as a VPN server and I must say it looks more complicated than I hoped it would be. 

I just had a team of basic Windows techs today set up a VPN using FreeS/WAN on Gentoo boxes, and following the readme and man pages step by step as you would for anything (like it was said for OpenVPN), it is a smooth and simple process... but it's not going to be a 2-minute double click on the MSI file and there you go.

A little work and in the end a lot of control and understanding.

Arasi

----------

