# How does VPN work?

## nfb

Hi all

I am a bit confused:

When a Road Warrior is logged in to a VPN, which IP address does he have? The original IP, or does he get an IP of the private network, which is transparently routed to him? Or is there a new virtual subnet for the virtual network?

thanks in advance

nfb

----------

## Arasi

The roadwarrior keeps his IP but also gains an IP on the virtual network as a means of communicating with it.

The only way a host can participate on a TCP/IP network is to have an IP on that network or be able to route packets through a gateway. Since your gateway normally goes through to the internet and not the VPN network you want to access, you set up a VPN tunnel that gets routed over the internet to the public IP on the VPN's network and then establishes (assuming all things are equal) a private IP for you through DHCP or static assignment (however you configured it) that is now yours, and as far as your machine is concerned it's then connected to both your normal network and the VPN.

On a side note, if you're interested in VPNs check out project openswan if you haven't already... it's a fork of freeswan and is probably the best thing to have when setting up VPNs that I've seen, since it seems to mesh with most systems (windows or hardware specific) to your linux box using ipsec for your vpn tunnel (rather than pptp like poptop, which uses older, less secure methods of establishing vpns).

Arasi

----------

## nfb

Hi!

thank you

one example:

I have a subnet at home, say 192.168.1.0/24. In this network there is a router and VPN gateway, eg 192.168.1.15. This router is connected to the internet as 217.13.212.15. Now I log in as a road warrior from university. My Laptop at the university has the public IP 221.132.60.5.

Does my laptop get an IP from the private subnet, eg 192.168.1.88, or is there a new virtual subnet like 192.128.8.0/24 ?

In other words: a machine from the private subnet wants to connect to the laptop. Which IP address is used? One from the private subnet at home or another one?

By the way: I want to use Free/SWAN or something similar.


nfb

----------

## Arasi

> By the way: I want to use Free/SWAN or something similar.

Good choice, one of the guys in the user group I go to is on that project; however, they forked it to openswan. Go to openswan.org to d/l the latest CVS.

As for where the IP comes from,

> Does my laptop get an IP from the private subnet, eg 192.168.1.88

Yes, this is where you would have the IP from, since you'd need an IP on the same subnet in order to communicate.

Arasi

----------

## double00

> Since you'd need an ip on the same subnet in order to communicate.

Unless you were routing from the LAN (192.168.1.0/24) to the remote user's net (i.e. 192.128.8.0/24).

Your VPN concentrator could run a DHCP server with its own scope, so that remote users are given a unique IP on a different network to the 192.168.1.0/24 net. This also saves the hassle of forwarding the DHCP requests over the VPN concentrator, unless openswan handles this for you.

You would just need a way to route between the 2 networks. Maybe a router, or a separate firewall, could perform this task. This then gives you an extra level of protection by separating out the functions over several boxes, though it does increase MTBF, admin overhead etc etc..

----------

## Arasi

> Unless you were routing from the LAN(192.168.1.0/24) to the remote user's net. (i.e. 192.128.8.0/24)

Agreed, however since he is only creating a tunnel from one host to another, and he doesn't sound like he's planning on putting any hardware in, the config he needs will have an IP address on the host.

Not terrible security so long as iptables or something else is configured to control who connects.

> This also saves the hassle of forwarding the DHCP requests over the VPN Concentrator, unless openswan handles this for you.

Openswan does not handle that for you as I recall... at least I remember setting up dhcp relay for freeswan, but I haven't worked with openswan yet. There's a new release January 4th 2004 so anything's possible, I just know from their past work that it's definitely a great tool for the job.

Arasi

----------
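The two addressing designs discussed above (Arasi's: the road warrior gets an address out of 192.168.1.0/24; double00's: a separate virtual subnet such as 192.128.8.0/24 with a route between the two) can be made concrete with a small forwarding simulation. This is an added example written for this thread, not code from any poster, openswan or OpenVPN. It reuses the thread's constructed addresses, invents a home PC at 192.168.1.20 and a road-warrior address of 192.128.8.5 for design B, and models the tunnel as a point-to-point link; the internet uplink of the gateway is left out because it does not affect which address the LAN host uses to reach the laptop.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses reused from the thread's example; none are real hosts.
HOME_LAN = ip_network("192.168.1.0/24")
VIRTUAL_NET = ip_network("192.128.8.0/24")
DEFAULT = ip_network("0.0.0.0/0")
GW_LAN = ip_address("192.168.1.15")    # router + VPN gateway, LAN side (from the thread)
PC = ip_address("192.168.1.20")        # constructed: a machine on the home LAN
RW_A = ip_address("192.168.1.88")      # design A: road warrior gets a LAN address
RW_B = ip_address("192.128.8.5")       # design B: road warrior on a separate virtual subnet


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, iface, next_hop_or_None)]."""
    best = None
    for prefix, iface, via in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, via)
    return best


def build_topology(design):
    """Home side of the thread's scenario as {host: (addresses_by_link, routes)}.

    Links: "lan" is the 192.168.1.0/24 Ethernet, "tun" the point-to-point VPN.
    Design "A" hands the laptop 192.168.1.88; design "B" hands it 192.128.8.5
    and the gateway carries a route for the whole virtual subnet.
    """
    rw = RW_A if design == "A" else RW_B
    gw_routes = [(HOME_LAN, "lan", None), (ip_network(f"{rw}/32"), "tun", None)]
    if design == "B":
        gw_routes.append((VIRTUAL_NET, "tun", None))
    return {
        "pc": ({"lan": PC}, [(HOME_LAN, "lan", None), (DEFAULT, "lan", GW_LAN)]),
        "gateway": ({"lan": GW_LAN, "tun": GW_LAN}, gw_routes),
        "laptop": ({"tun": rw}, [(HOME_LAN, "tun", None), (VIRTUAL_NET, "tun", None)]),
    }


def trace(hosts, src, dst, proxy_arp=frozenset()):
    """Forward a packet from src towards dst hop by hop.

    Returns the hosts visited, ending in "delivered" or the reason it stopped.
    proxy_arp: LAN addresses the gateway answers ARP for (needed in design A,
    where the laptop's address lies inside the LAN prefix but is behind the tunnel).
    """
    dst = ip_address(dst)
    path, cur = [src], src
    for _ in range(8):                      # hop limit guards against routing loops
        addrs, routes = hosts[cur]
        if dst in addrs.values():
            return path + ["delivered"]
        route = lookup(routes, dst)
        if route is None:
            return path + [f"{cur}: no route to {dst}"]
        _prefix, iface, via = route
        if iface == "tun":                  # point-to-point: no ARP, the peer is the other end
            nxt = next(h for h in hosts if h != cur and "tun" in hosts[h][0])
        else:                               # Ethernet: somebody must answer ARP for the target
            target = dst if via is None else via
            nxt = next((h for h, (a, rt) in hosts.items()
                        if "lan" in a and (a["lan"] == target
                                           or (h == "gateway" and target in proxy_arp))), None)
            if nxt is None:
                return path + [f"{cur}: ARP for {target} on lan unanswered"]
        path.append(nxt)
        cur = nxt
    return path + ["hop limit exceeded"]


if __name__ == "__main__":
    a, b = build_topology("A"), build_topology("B")
    print("A, no proxy ARP:", trace(a, "pc", RW_A))
    print("A, proxy ARP:   ", trace(a, "pc", RW_A, proxy_arp={RW_A}))
    print("B:              ", trace(b, "pc", RW_B))
    print("B, reverse:     ", trace(b, "laptop", PC))
```

Running it shows the practical difference between the two answers: in design A the home PC treats 192.168.1.88 as on-link and ARPs for it, so the gateway has to answer on the laptop's behalf (proxy ARP) or the packet never leaves the LAN; in design B the PC's default route already hands the packet to 192.168.1.15, which just needs a route for 192.128.8.0/24 pointing into the tunnel. In both designs the address the LAN machine uses is the tunnel address, never the laptop's public 221.132.60.5.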

## nfb

thx a lot

I begin to understand

I think I will try it next week, maybe also with IPsec in kernel 2.6

nfb

----------

## tdb

I suggest you also look at OpenVPN. IPSec is good (it is the official standard), but there is no one good guide to really teach a newbie how to configure it. I found OpenVPN to be a lot easier to understand and manage. Took me 10 minutes from emerge to first tunnel. (Just start with the basic examples at the bottom of the manpage, ignore everything else until you have actually done them.) It's nice because you can enter everything on the command line first and see if your options work together. If they do, you can cut and paste it into a config file, trim it, and just use "openvpn --config configfilename" to bring it up again. I'm going to post a comprehensive howto on using it once I get my wireless switched over from WEP.

----------
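The "try it on the command line, then paste it into a config file" workflow from tdb's post rests on one OpenVPN convention: a config-file line is the option name without its leading `--` followed by the same arguments. The helper below automates that step. It is an added example for this thread, not code from tdb or from the OpenVPN project; the hostname vpn.example.com and the file name `key` in the usage line are constructed, and the only rule it applies is the `--option args...` to `option args...` mapping.

```python
import shlex


def argv_to_config(argv):
    """Turn an `openvpn --opt a b --opt2 ...` command line into config-file lines.

    OpenVPN's rule: a config-file line is the option name without the leading
    "--" followed by the same arguments, so each option maps to exactly one
    line. Arguments are everything up to the next token starting with "--";
    an option with no arguments (a flag) becomes a line holding just its name.
    """
    if argv and argv[0] == "openvpn":       # drop the program name if present
        argv = argv[1:]
    lines, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            raise ValueError(f"expected an --option, got {tok!r}")
        name, args = tok[2:], []
        i += 1
        while i < len(argv) and not argv[i].startswith("--"):
            args.append(argv[i])
            i += 1
        lines.append(" ".join([name, *args]))
    return lines


def command_to_config(command):
    """Shell-split a whole command string and convert it."""
    return argv_to_config(shlex.split(command))


if __name__ == "__main__":
    # Constructed invocation in the style of the manpage's static-key example.
    cmd = ("openvpn --remote vpn.example.com --dev tun1 "
           "--ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key --nobind")
    print("\n".join(command_to_config(cmd)))
```

The printed lines can be saved as-is and loaded with `openvpn --config <file>`, which is the step tdb describes. When trimming the file afterwards it is worth keeping the `--secret` (or certificate) paths and dropping only the debugging options such as a high `--verb`, since the file is now the long-lived record of how the tunnel is authenticated.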

