[plug] Debian VPN

Tomasz Grzegurzko tomasz89 at gmail.com
Mon Nov 6 11:57:04 WST 2006


On 11/6/06, Jonathan Young <jonathan at pcphix.com> wrote:
>
> On 11/6/2006, "Jonathan Young" <jonathan at pcphix.com> wrote:
>
> >Hi all
> >
> >Just after a quick overview of (plus any considerations when planning)
> >how to implement a VPN using Linux.  Under Windows you enable the VPN
> >server and allow certain ports through the firewall; presto LAN via VPN.
> >
> >How is it done under Debian?
> >
> >I am familiar with the concepts involved, but still relatively new to
> >Linux administration (strangely all my Linux servers have needed far
> >less attention; consequently I don't get to 'learn' as much without
> >doing research).
>
> More information:
>
> I currently have an organisation that employs 5 servers in three
> locations and I need to network at least two of these locations to share
> some files and a central A/V solution.
>
> At location A we have:
>
> Debian box(1) operating as an Internet Gateway - firewall and ADSL.
> Debian box(2) operating as a Mail Server - postfix.
> Windows 2000 Server(3) operating as the PDC - list of users, shared
> Windows applications, filesharing; uses PAM to sync newly created users
> which results in auto-creation of mailboxes on the mail server.
>
> At locations B and C we have:
> Debian boxes (servers 4 and 5) operating as PDCs - including
> filesharing/authentication via Samba.
>
> In all locations there are a handful of PCs running either Win98, Win2K
> or XP and popping mail directly from the mailserver at location A.
>
> Everything works well, but now the client has purchased a server-based
> anti-virus solution to be installed on the Windows 2000 server and
> distributed from there automatically.
>
> It has been suggested that we use VPN to distribute updates to the other
> two sites (or at least one of them), so I see two ways of doing this:
>
> (1) Manual VPN connection on each PC which must be connected from time to
> time to get updates by connecting directly to the Windows server at
> location A.
>
> (2) A full-time point-to-point VPN from each Linux server back to
> location A connecting all three locations so that workstations appear
> local to the Win2K Server and can request updates whenever they wish.
>
> The company I am working for sees another option as:
>
> (3) Throw out the Linux boxes, replace them with routers capable of
> providing the VPN (e.g. Sonicwall) and upgrade the Windows box to SBS
> and run the lot from there.
>
> Unfortunately, I have had plenty of experience with option 3 so unless I
> can put forward a viable Linux based VPN option and follow it through it
> looks like 4 of my favourite boxes will be going in the bin in favour of
> the hardware based solution.
>
> - Jonathan
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
>
I set up the exact scenario you're talking about with OpenVPN not
three weeks ago. Basically, I set up routed networks between a central
site and potentially n (currently 1) remote sites, in real terms VPN
tunnels between Linux boxes over the Internet. Check out the OpenVPN
site, it covers precisely this scenario. If you have the network
address space (we didn't) then a bridged solution would suit your
purposes better. We had a (limited) /24 address mask to work with (not
easily changeable) so I went with the routing option.

Tomasz
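The routed (tun) site-to-site layout Tomasz describes, written out as an added example that is not from the original thread or from the OpenVPN project: one config on the site A Debian gateway, a per-site file in client-config-dir, and the matching config on the site B gateway. The subnets (192.168.1.0/24 at A, 192.168.2.0/24 at B), the tunnel pool 10.8.0.0/24, the certificate names and the hostname vpn.example.org are all assumptions.

```text
# /etc/openvpn/server.conf on the site A gateway (constructed addresses)
port 1194
proto udp
dev tun                                 # routed mode, no bridging needed
ca ca.crt
cert siteA.crt
key siteA.key
dh dh1024.pem
tls-auth ta.key 0                       # HMAC-sign control packets; unsigned ones are dropped before TLS
server 10.8.0.0 255.255.255.0           # tunnel endpoint pool
push "route 192.168.1.0 255.255.255.0"  # remote gateways learn the site A LAN
route 192.168.2.0 255.255.255.0         # kernel route for the site B LAN via tun
client-config-dir ccd                   # per-site settings, keyed by certificate CN
keepalive 10 120
persist-key
persist-tun
user nobody                             # drop privileges after the tunnel is up
group nogroup
verb 3

# /etc/openvpn/ccd/siteB on the site A gateway (file name = CN of siteB.crt)
iroute 192.168.2.0 255.255.255.0        # OpenVPN-internal: this client owns the site B LAN

# /etc/openvpn/client.conf on the site B gateway
client
dev tun
proto udp
remote vpn.example.org 1194             # placeholder for the site A public address
ca ca.crt
cert siteB.crt
key siteB.key
tls-auth ta.key 1
remote-cert-tls server                  # refuse a client cert posing as the server (ns-cert-type server on 2.0)
keepalive 10 120
persist-key
persist-tun
verb 3
```

Both gateways additionally need net.ipv4.ip_forward=1 and firewall rules that permit only the required traffic (file sharing and the A/V update port) across tun0, and LAN hosts need a route to the far subnet via their gateway. NetBIOS broadcasts do not cross a routed tunnel, so Windows name resolution between sites relies on WINS (or lmhosts) rather than on the workstations "seeing" the Win2K server.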


