Thanks man. I am new to linux, all of your posts are making me so happy. Can
some one pls post about redhat topics
with regards
M. A. Swqminadane
-Original message-
From: Girish Venkatachalam
Sent: 13/05/2012, 10:25 am
To: Indian Linux User Group Chennai
Subject: [Ilugc] OpenVPN's greatness
Dear Lug,
My VPN hacking is mostly over and dynamic DNS issue I had is mostly
taken care of.
In that I recognized that for stable site to site VPNs a good IPsec
based VPN implementation like
what is found in stock OpenBSD is suitable.
When you want interoperability between different operating systems or
between different VPN
implementations then OpenVPN is the way to go.
It is not as I first thought a simple popular SSLVPN implementation.
It is lot more than that. It is 100% open source and you can customize
it to make commercial
variants out of it and the quality and detail shows.
It is fantastic and you don't have the normal issue of two layers of
TCP stacked on top of
one another.
It uses UDP port 1194 and UDP is nothing but another IP layer when it
comes to packet header
and protocol overhead.
OpenVPN, a 100% open source free software actually helps you do
amazing things just like qemu
which is also 100% open source and is incredibly convenient for virtualization.
Essentiall OpenVPN is found in all UNIX platforms,Windows and Mac. The
installer I created is only 370KB.
And using that you can connect to any OS. This means that if you have
a VPN endpoint based on some commercial
product and you want to access that from the wild, then all you have
to do is run OpenVPN client on your Windows
or Linux desktop and run the OpenVPN server inside the network
protected by the commercial VPN box. But
to get that working you have to port forward UDP port 1194 to that machine.
OpenVPN has several facilities to do multiple client VPNs, it can get
you up and running with just a single secret key for
testing and learning and you can also do sophisticated routing
manipulations(remember this is user space routing), and
you can periodically ping to ensure uptime and so on.
It is endlessly configurable and highly sophisticated. It makes me
wonder how talented the author James Yonan must be.
Here is the server configuration for multiple clients.
# cat server.conf
dev tun0
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
mode server
server 10.4.0.0 255.255.255.0
ifconfig-pool-persist pool.txt
push route 172.16.0.0 255.240.0.0
client-to-client
ping 10
ping-restart 120
push ping 10
push ping-restart 60
verb 5
Remember the local network behind the VPN is 172.16.0.0/12 here. You
should change it in your case.
And the client configuration is :
# cat client.conf
remote 123.201.6.8
dev tun0
nobind
tls-client
ca ca.crt
cert g3vpn.crt
key g3vpn.key
pull
verb 5
This is the client config which can connect to the server.
The remote ip is the public IP of the server VPN node.
Remember for each client, a new keypair ought to be created.
Using this you can run a commercial grade enterprise class VPN service
with just these commands:
# openvpn --config server.conf --daemon
on the server and
# openvpn --config client.conf
But the story does not end here.
In order to get this working you have to have the certificates,
dh1024.pem and keys.
-Girish
--
Gayatri Hitech
http://gayatri-hitech.com
___
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
___
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
