Cheap vpn

Notes
  • The two LANs are protected from the Internet by firewalls, so a user on LAN A can't get to LAN B, at least not without making a hole in the firewall that could be a security hole.
  • The VPN puts routable connections inside the firewalls, so that traffic between the LANs travels within a protected tunnel.
  • Each of these deserves its own presentation. IPSec is the preferred solution, but can be difficult to configure. CIPE is a good solution. PPTP is also a good solution, but the most prevalent implementation lacks quality and the security it is supposed to provide. This presentation focuses on SSH and PPP.
  • If you are not using a secure mechanism for connecting to your home system across the Internet, you should! SSH is freely available and provides a good level of security.
  • The above is the performance between a 400 MHz PII and a 533 MHz VIA Mini-ITX system. When run between the 400 MHz system and an Athlon 1800 system, the time for the transfer was about half (i.e., 3 seconds for no VPN, and 30 for the VPN), but instead of CPU load on the sender being ~50%, it was 99%.
  • In this example, a firewall appliance is used to forward the SSH port to a system on the LAN that will accept the SSH connection and act as one end of the tunnel. Note that unless this node is configured as the router for the external subnet for the wireless LAN, this node should be acting as a NAT, thus all traffic coming through the tunnel will appear to all other systems to be coming from System X.
    1. The Poor Person's VPN – Or is it “The Lazy Person's VPN”? Hugh Mahon - hm@mahon.cwx.net
    2. What is a VPN?
       • There are two ways to connect remote sites:
         • Use a dedicated line (a private network).
         • Use the Internet.
           • Not private, so need to secure the connection.
           • Want to keep internal network hidden from Internet.
           • Want to allow two sites to access LAN at each site as if part of same network.
           • The secure access using the Internet instead of a dedicated line is what makes it a Virtual, Private Network.
    3. Why VPNs?
       • Connect two sites.
       • Allow remote access by individual users.
    4. Two Sites
    5. Two Sites – One Virtual Site
    6. Tunnel Technologies
       • IPSec
       • CIPE
       • PPTP
       • SSH + PPP
    7. What is SSH?
       • Secure Shell (think encrypted telnet).
       • Allows secure access across the Internet.
       • Can also provide tunneling of individual ports.
         • e.g., Allow X11 to securely pass back to remote system.
       • Can act as transport for ppp.
    8. PPP
       • Point-to-Point Protocol
         • Usually used with serial connections.
         • Provides IP connection between two points.
       • Establishes IP address at both ends of connection.
       • IP traffic can be routed over PPP connection.
    9. Setting up SSH
       • Set up shared keys on both systems:
         • This allows connecting without using the password to the account on the remote system.
         • Can use a passphrase for the key or not.
         • Can use different kinds of keys (e.g., RSA, DSA).
         • Command is: ssh-keygen
         • Edit 'authorized_keys' file on each system to enable access by other system.
    10. Setting up PPP
       • Make sure pppd is setuid.
       • Have /etc/ppp/options contain:
         • lock
         • noauth
       • Optional: set up /etc/ppp/ip-up.local to establish routing to remote network.
       • Make sure to move any ~/.ppprc files out of the way.
    11. Making it simple: footunnel
       • A script that does the job of starting the VPN
         • starts ssh and ppp
       • Usage:
         • footunnel [-u user] [-l local-addr] [-r addr] remotesys
    12. The script: footunnel
       • Gets the passphrase for ssh.
       • Starts pppd
         • Starts pppd on remote system via ssh connection, which is the secure transport for the tunnel.
       • Monitors the connection.
       • Cleans up when connection is torn down (i.e., stops ssh-agent).
    13. Simple Performance Comparison (screenshots of a file copy, mid-transfer and at end of transfer): file size = 17,515 kB; no VPN time = 6 sec; copy with VPN time = 58 sec.
    14. Uses for the script
       • Site to site.
       • Home to work.
       • Work to home.
       • Wireless connection.
    15. Wireless Example
    16. Resources
       • Book: “Building Linux Virtual Private Networks (VPNs)” - Oleg Kolesnikov, Brian Hatch; published by New Riders
       • www.buildinglinuxvpns.com (for above book)
       • VPN-HOWTO
       • http://vpn.shmoo.com/vpn/FAQ.html
       • For IPSec: www.freeswan.org
       • For CIPE: http://sites.inka.de/bigred/devel/cipe.html
       • For SSH: www.openssh.org
       • mahon.cwx.net
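The recipe on slides 9 to 12 (SSH keys, a setuid pppd with "lock" and "noauth", then a local pppd that starts the remote pppd over ssh), written out as a small launcher. This is an added example with the same usage line as footunnel; it is not the author's script, and it assumes ssh-agent already holds the key, the default paths /usr/sbin/pppd and /etc/ppp/options, and the constructed endpoint addresses 192.168.254.1/.2.

```shell
#!/bin/sh
# Added example, not the author's footunnel script. Assumes: pppd is setuid
# root on both ends, /etc/ppp/options holds "lock" and "noauth", the remote
# account's authorized_keys has our public key, and ssh-agent holds the key.
# Usage: footunnel.sh [-u user] [-l local-addr] [-r addr] remotesys

# Build the pppd command line as a string so it can be inspected before launch.
build_ppp_cmd() {
    user="$1"; laddr="$2"; raddr="$3"; host="$4"
    # -e none: no escape character, so binary PPP frames pass through intact.
    # BatchMode=yes: fail rather than prompt when the key is not in the agent.
    # Remote pppd runs on the session's stdin/stdout (notty) in the foreground
    # (nodetach), so the ssh session ends exactly when the tunnel does.
    ssh_cmd="ssh -e none -o BatchMode=yes -l $user $host pppd nodetach notty noauth"
    # Local pppd talks to the ssh process via "pty", assigns local:remote
    # addresses, and "updetach" returns to the shell once the link is up.
    echo "pppd updetach noauth pty \"$ssh_cmd\" $laddr:$raddr"
}

# Checks from the "Setting up PPP" slide: noauth must be in the options file
# (the SSH key is the authentication) and pppd must be setuid for non-root use.
check_ppp_setup() {
    pppd_path="${1:-/usr/sbin/pppd}"; opts="${2:-/etc/ppp/options}"
    grep -qx noauth "$opts" 2>/dev/null || { echo "noauth missing in $opts" >&2; return 1; }
    [ -u "$pppd_path" ] || { echo "pppd is not setuid: $pppd_path" >&2; return 1; }
    return 0
}

usage() { echo "usage: $0 [-u user] [-l local-addr] [-r addr] remotesys" >&2; exit 2; }

main() {
    user="$(id -un)"; laddr="192.168.254.1"; raddr="192.168.254.2"
    while getopts "u:l:r:" opt; do
        case "$opt" in
            u) user="$OPTARG" ;; l) laddr="$OPTARG" ;; r) raddr="$OPTARG" ;; *) usage ;;
        esac
    done
    shift $((OPTIND - 1))
    [ $# -eq 1 ] || usage
    check_ppp_setup || exit 1
    cmd="$(build_ppp_cmd "$user" "$laddr" "$raddr" "$1")"
    echo "starting tunnel: $cmd"
    eval "$cmd"    # pppd runs ssh, ssh runs the remote pppd; the link comes up
}

# Run main only when executed as a script, so the functions can be sourced.
case "${0##*/}" in footunnel.sh) main "$@" ;; esac
```

On the remote end, prefixing the key's line in authorized_keys with command="pppd nodetach notty noauth" pins that key to starting pppd, so it cannot be used for an interactive shell.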