Abstract
Internet connectivity is now cheap and available almost everywhere, so it matters that the connection is as secure as possible. A Virtual Private Network (VPN) is a secure network carried over a second, insecure network such as the Internet or a WLAN. It can be implemented in different ways and serves several purposes. In this chapter we focus on VPNs that link branch offices over secure wide area networks (WANs).
This section gives a brief overview of some scenarios a VPN covers and introduces the relevant terminology.
There are many ways to set up a VPN connection. This chapter focuses on the OpenVPN package. Unlike much other VPN software, OpenVPN can be operated in either of two modes:
Routing is the easier solution to set up. It is more efficient and scales better than a bridged VPN, and it lets you tune the MTU (Maximum Transmission Unit) to raise efficiency. However, because no layer 2 broadcasts cross the tunnel, NetBIOS name resolution in a heterogeneous environment does not work unless you run a Samba (or WINS) server on the gateway. If you need IPv6, the tun drivers on both ends must support that protocol explicitly.
Bridging is the more complex solution. It is recommended when you need to browse Windows file shares across the VPN without setting up a Samba or WINS server. A bridged VPN is also required for non-IP protocols (such as IPX) and for applications that rely on network broadcasts. However, it is less efficient than a routed VPN, and it does not scale as well, since every broadcast on either side is carried across the tunnel.
The major difference between the two is that a bridged VPN forwards Ethernet (layer 2) broadcasts across the tunnel, while a routed VPN forwards only IP packets and therefore cannot carry broadcasts at all.
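The two modes side by side, as an added example (this is not configuration from the original page, nor a file shipped with OpenVPN): a routed server on a tun device and a bridged server on a tap device. Interface names (tun, tap0, br0), addresses, address pools, file names and the unprivileged user/group are assumptions for illustration; only the directive names are OpenVPN's own.

```conf
# ---- Routed server (dev tun): the tunnel carries IP packets only ----
dev tun
proto udp
port 1194
topology subnet
# VPN subnet handed out to clients (assumed addresses)
server 10.8.0.0 255.255.255.0
# reach the head-office LAN through the tunnel; the gateway routes and can filter it
push "route 192.168.10.0 255.255.255.0"
# MTU is tunable on a routed VPN; clamp TCP MSS so packets fit after encapsulation
tun-mtu 1500
mssfix 1400
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# authenticate and encrypt the control channel with a pre-shared key
tls-crypt ta.key
# accept only certificates carrying the client extended key usage
remote-cert-tls client
keepalive 10 120
persist-key
persist-tun
# drop privileges after the tunnel is up (group name is distribution-specific)
user nobody
group nogroup
verb 3

# ---- Bridged server (dev tap): the tunnel carries whole Ethernet frames ----
# tap0 must already exist and be enslaved to the bridge br0 before OpenVPN starts
dev tap0
proto udp
port 1194
# bridge gateway, LAN netmask, and the LAN address pool given to VPN clients;
# the pool must be excluded from the LAN's DHCP scope
server-bridge 192.168.10.1 255.255.255.0 192.168.10.200 192.168.10.250
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
remote-cert-tls client
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

With the bridged configuration the operating system, not OpenVPN, must create tap0 and add it to br0 together with the physical LAN interface (with ip link or brctl; OpenVPN ships bridge-start and bridge-stop sample scripts for this). Note the security consequence of the choice: in bridged mode every VPN client sits in the office broadcast domain and sees its ARP and NetBIOS traffic directly, whereas in routed mode every packet passes through the gateway's IP stack and can be filtered there.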
Whenever you set up a VPN connection, your IP packets are carried over the secured tunnel. The connection between the client's device and the server's device is called a tunnel. A tunnel uses a so-called tun or tap device. These are virtual network interfaces implemented by a kernel driver that hand Ethernet frames or IP packets to a userspace program:
A tun device simulates a point-to-point link. It carries layer 3 packets in the OSI model, i.e. IP packets, and is used for routing.
A tap device simulates an Ethernet device. It carries layer 2 frames in the OSI model, i.e. Ethernet frames, and is used to create a network bridge.
The userspace program OpenVPN can attach itself to a tun or tap device to receive packets sent by your OS, and it can also write packets to the device. For more information, see /usr/src/linux/Documentation/networking/tuntap.txt. You must install the kernel-source package to get this file.
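As an added example (not code from the original page or from OpenVPN), the following Python shows what a program attached to each device type actually reads: a bare IP packet from a tun device, an Ethernet frame with a 14-byte header from a tap device, and in both cases an optional 4-byte packet-information header unless the device was opened with IFF_NO_PI. The sample packet bytes are constructed inline, so it runs without root; the open_tuntap helper shows the ioctl that OpenVPN-style programs use to attach and is the only part that needs CAP_NET_ADMIN. Device names and addresses are assumptions for illustration.

```python
# Added example: framing of reads from tun (layer 3) vs tap (layer 2) devices.
# Not code from the original page or from OpenVPN; sample bytes are constructed.
import ipaddress
import os
import struct

ETH_HLEN = 14        # dst MAC (6) + src MAC (6) + EtherType (2)
PI_HLEN = 4          # struct tun_pi: __u16 flags, __be16 proto (an EtherType)
ETH_P_IP = 0x0800
IPPROTO_UDP = 17

# ioctl and flags for /dev/net/tun, from <linux/if_tun.h>
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001
IFF_TAP = 0x0002
IFF_NO_PI = 0x1000


def open_tuntap(name, tap=False, no_pi=True):
    """Attach to a tun/tap interface the way OpenVPN does; returns the fd.
    Each os.read(fd, 65535) then yields one IP packet (tun) or one Ethernet
    frame (tap). Needs CAP_NET_ADMIN, so it is not called in this example."""
    import fcntl
    fd = os.open("/dev/net/tun", os.O_RDWR)
    flags = (IFF_TAP if tap else IFF_TUN) | (IFF_NO_PI if no_pi else 0)
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), flags))
    return fd


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum; a header with a valid checksum gives 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt):
    """Validate an IPv4 header; return (src, dst, protocol, payload)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad IPv4 length fields")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def decode_tun_read(buf, no_pi=True):
    """One read() from a tun device is a bare layer-3 packet."""
    if not no_pi:
        proto = struct.unpack("!H", buf[2:4])[0]   # tun_pi.proto, big-endian
        if proto != ETH_P_IP:
            raise ValueError("unsupported EtherType 0x%04x" % proto)
        buf = buf[PI_HLEN:]
    return parse_ipv4(buf)


def decode_tap_read(buf, no_pi=True):
    """One read() from a tap device is an Ethernet frame: 14-byte header first,
    then the layer-3 packet. Returns (dst_mac, src_mac, src, dst, proto, payload)."""
    if not no_pi:
        buf = buf[PI_HLEN:]
    if len(buf) < ETH_HLEN:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", buf[12:14])[0]
    if ethertype != ETH_P_IP:
        # ARP, IPv6, IPX, ... also arrive here; only a tap device ever sees them
        raise ValueError("non-IPv4 frame, EtherType 0x%04x" % ethertype)
    return (buf[0:6].hex(":"), buf[6:12].hex(":")) + parse_ipv4(buf[ETH_HLEN:])


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet with a correct header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


# Constructed sample: one UDP datagram from an assumed VPN client to the server.
SAMPLE_UDP = struct.pack("!HHHH", 40000, 1194, 8 + 4, 0) + b"ping"
SAMPLE_IP = build_ipv4("10.8.0.2", "10.8.0.1", IPPROTO_UDP, SAMPLE_UDP)
SAMPLE_TUN_READ = SAMPLE_IP                                   # opened with IFF_NO_PI
SAMPLE_TUN_READ_PI = struct.pack("!HH", 0, ETH_P_IP) + SAMPLE_IP   # without IFF_NO_PI
SAMPLE_TAP_READ = (bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
                   + struct.pack("!H", ETH_P_IP) + SAMPLE_IP)

if __name__ == "__main__":
    print("tun:", decode_tun_read(SAMPLE_TUN_READ))
    print("tap:", decode_tap_read(SAMPLE_TAP_READ))
    try:    # feeding a tap frame to tun-style parsing fails on the MAC bytes
        decode_tun_read(SAMPLE_TAP_READ)
    except ValueError as exc:
        print("tap frame parsed as tun:", exc)
```

The last case is the practical point: a filter or logging hook placed on the device must know whether it is looking at a tun or a tap read, because the same bytes decode as a valid packet in one framing and as garbage in the other.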