1999-12-08-09:35:59 Mailing Lists:
> My users all have win9x technologies, so in my case, it would be more a
> linux<->win9x or nt<->win9x solutions.
In that case, you've got another problem to plan on. A VPN is no more secure
than its endpoints, so you've got the job of tightening down the security of
your users' Windows boxes. You might want to consider scripting a host
backcheck, where upon VPN setup a portscan is launched of the client, and if
it is badly exposed the VPN link is torn down and the credentials with which
the client logged in are put on hold.
> I remember seeing vpnd, however, I think it only works in a case like yours
> when you have linux<->linux at both ends.
That's my impression too; the only implementation I've seen is Linux, anyway.
> I didn't come across ppp-over-ssh though. I'll do a search for it on
> freshmeat.
Check out the VPN mini-HOWTO; it gives a nice description. Most of it is a
piece of cake, old stuff: using ssh to establish an encrypted transparent
link, and using PPP over a point-to-point connection (like e.g. serial) to
tunnel IP. The server side comes basically for free, too; just need some
scripting to set up proper routing and so on. The client side is the tricky
bit: you need to tie the local client side PPP onto the TCP connection that's
being tunneled by ssh.
The VPN mini-HOWTO recommends a trivial C program, pty-redir, which runs a
command (in this case the ssh invocation, which will start up a ppp on the
server end) and redirects its I/O to a local pty; then you can just direct
your local pppd at that pty the same way you'd direct it at the ttyS0 or
whatever for a modem link.
That glue bit would seem like the one piece you'll have to hunt down to
assemble this protocol approach on a Windows client.
Probably the easiest way to do a VPN with Windows clients would be to go with
another protocol. Freshmeat lists a PPTP server for Linux at
<URL:http://www.moretonbay.com/vpn/pptp.html>. Of course some analysts have
bad things to say about PPTP's security, but then many people have bad things
to say about Windows security, so maybe it's a good fit. If you can find an
IPSec implementation for Windows, there's FreeS/WAN at
<URL:http://www.xs4all.nl/~freeswan/>. Last I heard it only works with 2.0.x
kernels, so you'll need to use an old release, but as long as you strip it
bare and use it for nothing but a VPN router --- or build and install the very
newest versions of any other daemons you need --- it might not be too bad; the
only problems built right into 2.0.x kernels are maybe some potential DoS
attacks against the IP stack, and maybe somewhat easier connection stealing
--- but a good sound crypto VPN shouldn't be troubled by the latter. Then
there's the VPN stuff built into IPv6; recent Linux kernels come with IPv6,
although I've not used it and don't know how complete and functional it might
be.
-Bennett
PGP signature
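The pty-redir glue the post describes, written out as an added example (this is not the VPN mini-HOWTO's pty-redir and not code from the post): it allocates a pseudo-terminal, runs a command with its stdin/stdout/stderr on the slave side, and reports the slave device name. In the ppp-over-ssh setup that command would be the ssh invocation that starts pppd on the server, and the local pppd would be pointed at the reported /dev/pts/N exactly as it would be at /dev/ttyS0 for a modem. The names run_on_pty, drain_pty and struct pty_child are this example's own, and Linux/glibc is assumed (TIOCSCTTY is Linux-specific).

```c
/* Added example in the spirit of pty-redir (not the mini-HOWTO's program).
 * run_on_pty: allocate a pty pair, exec argv on the slave side, hand back
 * the master fd and the slave device name. drain_pty: read the command's
 * output from the master until it hangs up and reap the child.
 * Linux/glibc assumed. */
#define _XOPEN_SOURCE 600
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

struct pty_child {
    int master_fd;        /* our end of the link */
    pid_t pid;            /* the command running on the slave side */
    char slave_name[64];  /* the device a local pppd would be told to use */
};

/* Returns 0 on success, -1 with errno set on failure. */
int run_on_pty(char *const argv[], struct pty_child *out)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0)
        goto fail;
    const char *name = ptsname(master);
    if (name == NULL)
        goto fail;
    snprintf(out->slave_name, sizeof out->slave_name, "%s", name);

    /* Open the slave before forking: it then stays open from here until the
     * child exits, so the master never sees a hangup during startup. */
    int slave = open(out->slave_name, O_RDWR | O_NOCTTY);
    if (slave < 0)
        goto fail;

    pid_t pid = fork();
    if (pid < 0) {
        close(slave);
        goto fail;
    }
    if (pid == 0) {
        /* Child: new session, slave becomes controlling tty and stdio. */
        setsid();
        ioctl(slave, TIOCSCTTY, 0);
        close(master);
        dup2(slave, STDIN_FILENO);
        dup2(slave, STDOUT_FILENO);
        dup2(slave, STDERR_FILENO);
        if (slave > STDERR_FILENO)
            close(slave);
        execvp(argv[0], argv);
        _exit(127);  /* exec failed */
    }
    close(slave);  /* parent keeps only the master */
    out->master_fd = master;
    out->pid = pid;
    return 0;

fail: {
        int saved = errno;
        close(master);
        errno = saved;
        return -1;
    }
}

/* Copy what the command writes into buf (NUL-terminated) until the slave
 * side closes (read returns 0 or EIO), then reap the child. Returns the
 * child's exit status, or -1 if it did not exit normally. */
int drain_pty(struct pty_child *c, char *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap - 1) {
        ssize_t r = read(c->master_fd, buf + n, cap - 1 - n);
        if (r <= 0)
            break;
        n += (size_t)r;
    }
    buf[n] = '\0';
    close(c->master_fd);
    int status;
    if (waitpid(c->pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Usage: ./ptyredir command [args...]; prints the slave device on stderr
 * and relays the command's output on stdout. */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    struct pty_child c;
    if (run_on_pty(argv + 1, &c) < 0) {
        perror("run_on_pty");
        return 1;
    }
    fprintf(stderr, "slave pty: %s\n", c.slave_name);
    char out[4096];
    int rc = drain_pty(&c, out, sizeof out);
    fputs(out, stdout);
    return rc < 0 ? 1 : rc;
}
```

The real pty-redir leaves the command running and just prints the slave name so a following pppd invocation can open it; drain_pty here reads the master itself only so the behaviour can be observed end to end. Note that the slave's default termios has ONLCR set, so a line written as "hello\n" arrives at the master as "hello\r\n"; pppd puts its tty into raw mode, which is why this does not matter for the tunnel itself.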