# Setting up a VPN

## Shining Arcanine

My university network has a VPN (set up with PPP) to which it requires everyone using its wireless service to connect, otherwise you can only do basic browsing. Upon connecting to it with the university's PPP client (on Windows or Mac OS X anyway; Linux is not supported), your computer's routing tables are modified to forward all traffic through the VPN connection. It only requires unidirectional authentication and it can only be used when on campus.

I would like to set up something similar at home, but more secure, by requiring bi-directional authentication in such a way that I will be able to use it to connect to my home network from anywhere over the internet and work as if I were physically connected to my home network, with both the server and client (my laptop in this case), and be able to do stuff like banking over unsecured Wi-Fi connections without having to worry about man-in-the-middle attacks involving wireless connections. One example would be the following man-in-the-middle attack described at SecurityFocus, which, as things are now, would likely catch me because I never check whether certain sites are running over HTTP or HTTPS:

http://www.securityfocus.com/brief/910

I read the wiki page on how to configure OpenVPN:

http://en.gentoo-wiki.com/wiki/OpenVPN

I decided to do a trial run with OpenVPN on a virtual machine before I set up an OpenVPN server with physical hardware. So far, I have things set up to where I can connect to the virtual machine through OpenVPN and ping it, but I want to configure all network traffic to flow through the VPN connection, not just pings to the OpenVPN server. I also want to bridge my machine with my home network over the VPN to avoid the issues that arise when running things through a NAT. How can I accomplish these things?

----------

## Shining Arcanine

I tried reconfiguring OpenVPN to use a bridged server setup. I am trying to bridge tap0 and eth0, but I am getting the following error message when I try to add a logical bridge. I have CONFIG_BRIDGE set to yes in my kernel configuration because it would not load as a module.

```
vg64 ~ # brctl show
bridge name     bridge id               STP enabled     interfaces
vg64 ~ # brctl addbr br0
add bridge failed: Package not installed
```

When I had it configured as a module, dmesg showed the following whenever I tried to load it:

```
bridge: Unknown symbol br_handle_frame_hook
```

----------

## gerdesj

Just a quick thought to cover your requirement:

Put a proxy on your home machine, e.g. Squid.

Use OpenVPN to get home. 

Force your web browser to go through your proxy.

OpenVPN, if done correctly, is a bi-directional authentication setup in the way that you describe - you own both ends.

By using your own proxy you don't have to fiddle with routing.

Pop in DansGuardian as well for AV and other nasty removal if you like.

If you are really sick - run another Squid on your laptop with a local named (or similar) as well for full control. Point your local Squid at your home one. It might seem a bit over the top but it really helps if you have to fall back on a PPP connection over your mobile phone. To fully automate this sort of thing you can look into a separate runlevel to use Squid (it takes ages to start and stop).

Cheers

Jon

----------

## Shining Arcanine

I keep thinking of things that I would like to do that I could do if all traffic were routed through the VPN, and not just HTTP traffic. One example is that I could take WPA2 off my wireless network and then only allow connections to a single port on the VPN server on my home network, such that even if someone managed to connect through the MAC address filter, they would need to hack OpenVPN to get a working internet connection, which is much harder to do than simply cracking WPA2.

Is there no way to make this work?

----------

## Dagger

In your server config you need to push a route.

OpenVPN suggests:

```
push "redirect-gateway def1"
```

Alternatively you can use:

```
push "route 0.0.0.0 0.0.0.0"
```

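As an added example (not from any poster in this thread): a minimal routed OpenVPN server and client configuration that combines Dagger's `push "redirect-gateway def1"` with certificate authentication in both directions, which is what the original question asks for. The file paths, the 10.8.0.0/24 tunnel subnet, the 192.168.1.0/24 home LAN and the `vpn.example.home` hostname are assumptions; the forwarding and NAT commands in the comments are what the server additionally needs for redirected traffic to reach anything beyond the server itself.

```conf
# /etc/openvpn/server.conf  (assumed path)
port 1194
proto udp
dev tun                                # routed mode; bridged variant noted below
# Mutual TLS: the server verifies the client's cert, the client verifies the server's
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0    # HMAC on the handshake; unauthenticated packets are dropped
remote-cert-tls client                 # only accept peers whose cert was issued for client use
server 10.8.0.0 255.255.255.0          # assumed tunnel subnet
# Send *all* client traffic through the tunnel (Dagger's suggestion). "def1" adds
# 0.0.0.0/1 and 128.0.0.0/1 so the client's own default route is overridden, not deleted,
# and is restored cleanly when the tunnel goes down.
push "redirect-gateway def1"
# Assumed home resolver, so DNS lookups do not leak to the hotspot. Windows and OS X
# clients apply this automatically; a Linux client needs an up/down script for it.
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
persist-key
persist-tun
# The server must also forward and NAT the tunnel, otherwise only the server is reachable:
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Bridged alternative (tap0 enslaved to br0 together with eth0): replace "dev tun" and
# "server ..." with
#   dev tap0
#   server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
# No NAT is needed then, but the kernel must have CONFIG_BRIDGE=y for brctl to work.

# /etc/openvpn/client.conf  (assumed path)
client
dev tun
proto udp
remote vpn.example.home 1194           # placeholder hostname
ca   ca.crt
cert laptop.crt
key  laptop.key
tls-auth ta.key 1
remote-cert-tls server                 # reject a peer presenting a client cert (MITM check)
nobind
persist-key
persist-tun
```

After connecting, `ip route` on the client should show the two `/1` routes via the tun interface plus a host route to the VPN server via the original gateway; if the `/1` routes are missing, the push did not take effect.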
----------

