Creating a UNIX-based VPN: pointers, guidelines and pitfalls?

in linux you have two major options:

• ipsec compatible vpn - use freeswan/openswan/strongswan. as i remember it was quite chellenging to set up...
• not-standarized [ but really good ] sslvpn - openvpn. very easy to set up.

2nd one is really great, i've been using it in production for a couple of years. it's available in debian as standard package. it performs quite well for capacities of tens of megabits [ hundreds as well, but i dont have that fast internet connections between offices ]

some tips for openvpn:

• to be more secure do not use 'shared secret' type of keys, create cert authority and use keys signed by it instead.
• if possible use tun mode instead of tap [ route traffic via vpn instead of bridging two ethernet segments over it ]
• if you go for cert authority solution - keep in mind that keys expire. set couple reminders for yourself to re-generate the keys.
• to be on the safe side use software watchdog built into opensvn [ ping-restart option ] + put additoinal simple bash script that cyclically checks if openvpn process is running. openpn died for me ~2 times in the last 3 years.
• use tunneling over udp whenever you can [instead of tcp]. i had problem with vpn from office behind nat [ where linux box was behind cheap dlink router i could not control ] where udp packets after some time ware blocked - in that case i was forced to use tcp.
• enjoy openvpn from behind firewalls / nats.. as long as one side has public ip and can be reached over tcp or udp on one port - you can establish vpn to it, the other node does not need to have public ip!

True IPsec is nothing but a headache. The protocol stumbles across different network topologies. The clients are universally lacking no matter what the OS. Unless you require hardware endpoints that will only do IPsec, then avoid it at all costs.

OpenVPN is however straightforward to setup, rock solid in use and has very intuitive clients for Linux, Windows and Mac.

Consider how you are going to manage new users and revoke old ones. This will depend on how many users you are anticipating to support. Personally we use x509 certificates placed upon two-factor tokens, which scales very well, but does require some way to manage PKI if you grow.

Another vote for OpenVPN here. We used it at my previous job and it was rock solid and we had fewer issues with it compared to the PPTP and IPSEC VPN tunnels we use at my current job. It's also hard to beat the flexibility that OpenVPN offers. But OpenVPN does have one weak spot in my opinion. It currently isn't supported by many smart phones. In fact I don't know of any that do. I do know that there are people trying to port it to the iPhone but I'm not sure where that project is.

You didn't mention what type of clients your vpn solution needed to support. So with that in mind if you need to avoid 3rd party clients or need smart phone support then PPTP may be a better fit. Windows, OSX, and many smart phones all have native PPTP clients. Poptop is the Linux project that implements PPTP.

The two tools I can recommend having a look at are OpenVPN (mentioned before) and Adito (which has recently been renamed to OpenVPN ALS). http://sourceforge.net/projects/adito/ http://adito.wiki.sourceforge.net/

One very flexible and well documented solution is OpenVPN (http://openvpn.net/) This is available as a package from the standard repository in Ubuntu and should be in Debian too.

I've used OpenVPN in my company for about 2 years now. Had very few issues with it.

We are using client-specific configuration to assign users IP in different sub-networks. From then, we can limit access to internal resources thanks to a firewall.

What is less comfortable is the PKI management (we use certificate to authenticate clients). But with 2 or 3 scripts, this become bearable.