On Fri, 11 Sep 2015 08:52:16 -0500 [email protected] wrote:

> On Fri, September 11, 2015 2:59 am, Joe wrote:
>
> > Openvpn can use any TCP or UDP port, but UDP is recommended, and
> > only this single port needs to be forwarded to an internal server
> > through firewalls.
>
> Somewhere here I have a thick O'Reilly book on UDP; perhaps I ought
> to dig out?

No, you don't need to know anything about it, openvpn uses a UDP port as standard, you may want to change the port number but I don't think there's a good reason unless you are running multiple openvpn servers through the same firewall.

> > Any VPN has a large number of configurations, and the client and
> > server configurations must match exactly. It is best to have client
> > and server in the same room while getting it working.
>
> That is one thing which confused me a bit. Can I then get things
> working with two machines connected directly and isolated from the
> LAN? (But I suppose that an ethernet switch or hub is needed between
> them; otherwise some sort of "reverse" cable would be needed, right?)

I've never had a problem either with openvpn or PPTP by just plugging my client straight into the network containing the server. The computer's routing might be mildly confused once the connection is up, but you're not looking to transfer data, just make or not make a connection. Getting a VPN working for the first time through two or more NAT routers has too many points of failure to be less than traumatic, and first making sure that the client and server talk to each other without any packet filters to complicate things is well worth doing. I used to help out on the MS Small Business Server newsgroup, and frequently talked people through getting PPTP working into their SBS. Hooking the client into the network physically was an important troubleshooting technique when nothing seemed to work remotely.

Openvpn is much easier, as there is only one port to forward; PPTP needs a TCP port *and* an IP protocol, as well as a couple of sets of DSL router firmware which work as advertised, using the equivalent of an iptables conntrack module.

> > If your mobile user uses Network Manager to handle connections
>
> Yes; Debian Jessie.
>
> > this has VPN client plugins
>
> I never noticed this.

They need to be installed separately, look for network-manager-openvpn in your package manager, and network-manager-openvpn-gnome for integration into the NM Gnome GUI if the Gnome desktop is in use.

> > For most VPNs, digital certificates are necessary. The openvpn
> > instructions explain how to set up the necessary certificates for
> > it, and I'd suspect IPCop will have its own certificate
> > infrastructure which VPN certificates would tie into.
>
> Yes. But the questions asked by the IPCop certificate generator are
> a bit different from the questions asked by the official OPENVPN
> generator; and that is another thing which confused me.

Openssl is unavoidably somewhat user-hostile when it comes to generating certificates (look at the man page), so there are various auxiliary scripts available which minimise the confusion when you want a particular type of certificate. Openvpn recommends using easy-rsa, one such set of scripts, but there are other scripts and no doubt you can find instructions for using openssl directly from the command line, if you are a good and patient typist. The end result should be equivalent whichever method is used. There are various fields which are important for some uses of certificates, particularly when they form part of a public key infrastructure.

The certificates used by openvpn (and freeradius, and many other client certificate systems) do not need the various identification or location fields, all that matters is that a client certificate which has been directly signed by the server certificate will be accepted as valid, and nothing else will. A Distinguished Name is necessary, but not very much else, other than for your convenience in identifying certificates. I would guess the IPCop certificate generator is asking for fields which are unnecessary in this particular situation, but are necessary for example for an https server.

> > You might also consider whether a VPN is necessary:
>
> The ability to browse several different web sites is essential, and
> it is better (though slower) if all traffic from the road warrior is
> directed back to the home LAN. Besides, I would like to go through
> the exercise.

Indeed, I use my home VPN both for access to my server and as a secure Internet connection when I use public wifi or some other untrusted network. But I also tunnel things through ssh for simplicity, such as if I just want to reach my IMAP and/or MySQL servers from my Windows laptop. The openvpn Windows client needs root privileges, PuTTY doesn't, and if I'm in a reasonably secure network, I don't want my web browsing filtered through my slow home ADSL upload speed. Horses for courses.

Oh, yes, for mobile use it is less convenient but slightly more secure to keep the encrypted keys, ssh or openvpn, on a USB stick.

-- 
Joe
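The point in the thread that "the client and server configurations must match exactly" is easy to verify mechanically before the road warrior leaves the room. The script below is an added example, not code from the thread or from the OpenVPN project: it parses a constructed server.conf and client.conf (the hostname vpn.example.org and the file names are placeholders) and reports the directives that have to agree for the tunnel to come up at all: transport, tun/tap type, port, cipher and HMAC, compression, and complementary tls-auth key directions. It goes one step beyond the thread by also flagging a client that lacks `remote-cert-tls server`, since without it any certificate issued by the same CA, another client's included, would be accepted as the server. The static `cipher`/`auth` comparison reflects 2015-era configs; newer OpenVPN releases negotiate the data-channel cipher instead.

```python
"""Compare an OpenVPN server config with a client config and list the
settings that must agree, plus one hardening check on the client side.
Both configs below are constructed samples for this example."""

# Constructed sample server.conf (file names are placeholders)
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
"""

# Constructed sample client.conf with two deliberate problems:
# the cipher differs from the server's, and remote-cert-tls is missing.
CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
"""


def parse_ovpn(text):
    """Parse OpenVPN config text into {directive: [args]}.
    '#' and ';' comments and blank lines are dropped; a repeated directive
    keeps its last occurrence, which is enough for this comparison."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def _proto_family(args):
    # udp, udp4, udp6, tcp, tcp-server, tcp-client -> udp / tcp (default udp)
    return args[0][:3] if args else "udp"


def _dev_type(args):
    # "dev tun", "dev tun0", "dev tap1" -> tun / tap
    return args[0][:3] if args else None


def _key_direction(conf):
    # from "tls-auth <file> <dir>" or a separate "key-direction" line
    if "key-direction" in conf:
        return conf["key-direction"][0]
    ta = conf.get("tls-auth", [])
    return ta[1] if len(ta) > 1 else None


def check_pair(server, client):
    """Return a list of findings; empty means the two configs agree."""
    findings = []
    if _proto_family(server.get("proto")) != _proto_family(client.get("proto")):
        findings.append("proto: server and client transport differ")
    if _dev_type(server.get("dev")) != _dev_type(client.get("dev")):
        findings.append("dev: tun/tap type differs")
    # server listens on "port"; the client's port is the 2nd arg of "remote"
    server_port = server.get("port", ["1194"])[0]
    remote = client.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else "1194"
    if server_port != client_port:
        findings.append(f"port: server listens on {server_port}, client dials {client_port}")
    # static cipher/auth lines must be identical on both ends
    for directive in ("cipher", "auth"):
        if server.get(directive) != client.get(directive):
            findings.append(f"{directive}: server has {server.get(directive)}, "
                            f"client has {client.get(directive)}")
    # compression must be on for both or neither
    s_comp = "comp-lzo" in server or "compress" in server
    c_comp = "comp-lzo" in client or "compress" in client
    if s_comp != c_comp:
        findings.append("compression: enabled on only one side")
    # tls-auth needs complementary directions (0 server, 1 client);
    # tls-crypt is symmetric and only has to be present on both sides
    s_ta, c_ta = "tls-auth" in server, "tls-auth" in client
    if s_ta != c_ta:
        findings.append("tls-auth: present on only one side")
    elif s_ta:
        s_dir, c_dir = _key_direction(server), _key_direction(client)
        if s_dir is not None and s_dir == c_dir:
            findings.append(f"tls-auth: both sides use key direction {s_dir}")
    if ("tls-crypt" in server) != ("tls-crypt" in client):
        findings.append("tls-crypt: present on only one side")
    # hardening: the client must insist the peer cert is a server cert
    if client.get("remote-cert-tls") != ["server"]:
        findings.append("client lacks 'remote-cert-tls server'")
    return findings


def run_check(server_text=SERVER_CONF, client_text=CLIENT_CONF):
    return check_pair(parse_ovpn(server_text), parse_ovpn(client_text))


if __name__ == "__main__":
    for finding in run_check() or ["no mismatches found"]:
        print(finding)
```

Run as-is it reports the two planted problems; once the client's cipher is changed to AES-256-GCM and `remote-cert-tls server` is added, it reports nothing. The checker deliberately ignores directives that are legitimately one-sided (`remote`, `server`, `dh`, `client`), which is exactly the distinction a first-time VPN builder tends to get wrong.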

