Configuring VPN Server

Contents

15.1. Overview
15.2. Creating the Simplest VPN Example
15.3. Setting Up Your VPN Server Using Certificate Authority
15.4. KDE- and GNOME Applets For Clients
15.5. For More Information

Abstract

Nowadays, the Internet connection is cheap and available almost everywhere. It is important that the connection is as secure as possible. Virtual Private Network (VPN), is a secure network within a second, insecure network such as the Internet or WLAN. It can be implemented in different ways and serves several purposes. In this chapter, we focus on VPNs to link branch offices via secure wide area networks (WANs).

Overview

This section introduces a brief overview of some scenarios which VPN offers, and some relevant terminology as well.

VPN Scenarios

There are many solutions to set up and build of a VPN connection. This chapter focuses on the OpenVPN package. Compared to other VPN software, OpenVPN can be operated in two modes:

Routed VPN

Routing is an easy solution to set up. It is more efficient and scales better than bridged VPN. Furthermore, it allows the user to tune MTU (Maximum Transfer Unit) to raise efficiency. However, in a heterogeneous environment NetBIOS broadcasts do not work if you do not have a Samba server on the gateway. If you need IPv6, each tun drivers on both ends must support this protocol explicitly.

Figure 15.1. Routed VPN

Routed VPN

Bridged VPN

Bridging is a more complex solution. It is recommended when you need to browse Windows file shares across the VPN without setting up a Samba or WINS server. Bridged VPN is also needed if you want to use non-IP protocols (such as IPX) or applications relying on network broadcasts. However, it is less efficient than routed VPN. Another disadvantage is that it does not scale well.

Figure 15.2. Bridged VPN - Scenario 1

Bridged VPN - Scenario 1

Figure 15.3. Bridged VPN - Scenario 2

Bridged VPN - Scenario 2

Figure 15.4. Bridged VPN - Scenario 3

Bridged VPN - Scenario 3

The major difference between bridging and routing is that a routed VPN cannot IP-broadcast while a bridged VPN can.

Tun and Tap Devices

Whenever you setup a VPN connection your IP packets are transferred over your secured tunnel. The connection between the client's device and the server's device is called a tunnel. A tunnel can use a so-called tun or tap device. They are virtual network kernel drivers which implement the transmission of ethernet frames or ip frames/packets:

tun device

A tun device simulates a point-to-point network (layer 3 packets in the OSI model such as Ethernet frames). A tun device is used with routing and works with IP frames.

tap device

A tap device simulates an ethernet device (layer 2 packets in the OSI model such as IP packets). A tap device is used for creating a network bridge. It works with Ethernet frames.

The userspace program OpenVPN can attach itself to a tun or tap device to receive packets sent by your OS. The program is also able to write packets to the device. For more information, see /usr/src/linux/Documentation/networking/tuntap.txt. You must install the kernel-source package to install this file.