Thanks man. I am new to Linux, all of your posts are making me so happy. Can someone pls post about Red Hat topics
with regards
M. A. Swqminadane

-----Original message-----
From: Girish Venkatachalam
Sent: 13/05/2012, 10:25 am
To: Indian Linux User Group Chennai
Subject: [Ilugc] OpenVPN's greatness

Dear Lug,

My VPN hacking is mostly over and the dynamic DNS issue I had is mostly taken care of.

In that I recognized that for stable site-to-site VPNs a good IPsec based VPN implementation like what is found in stock OpenBSD is suitable. When you want interoperability between different operating systems or between different VPN implementations then OpenVPN is the way to go.

It is not, as I first thought, a simple popular SSL VPN implementation. It is a lot more than that. It is 100% open source and you can customize it to make commercial variants out of it, and the quality and detail shows.

It is fantastic and you don't have the normal issue of two layers of TCP stacked on top of one another. It uses UDP port 1194, and UDP is nothing but another IP layer when it comes to packet header and protocol overhead.

OpenVPN, a 100% open source free software, actually helps you do amazing things, just like qemu, which is also 100% open source and is incredibly convenient for virtualization.

Essentially OpenVPN is found on all UNIX platforms, Windows and Mac. The installer I created is only 370KB. And using that you can connect to any OS.

This means that if you have a VPN endpoint based on some commercial product and you want to access that from the wild, then all you have to do is run the OpenVPN client on your Windows or Linux desktop and run the OpenVPN server inside the network protected by the commercial VPN box. But to get that working you have to port forward UDP port 1194 to that machine.

OpenVPN has several facilities to do multiple client VPNs, it can get you up and running with just a single secret key for testing and learning, you can also do sophisticated routing manipulations (remember this is user space routing), and you can periodically ping to ensure uptime and so on.

It is endlessly configurable and highly sophisticated. It makes me wonder how talented the author James Yonan must be.

Here is the server configuration for multiple clients.

# cat server.conf
dev tun0
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
mode server
server 10.4.0.0 255.255.255.0
ifconfig-pool-persist pool.txt
push "route 172.16.0.0 255.240.0.0"
client-to-client
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
verb 5

Remember the local network behind the VPN is 172.16.0.0/12 here. You should change it in your case.

And the client configuration is:

# cat client.conf
remote 123.201.6.8
dev tun0
nobind
tls-client
ca ca.crt
cert g3vpn.crt
key g3vpn.key
pull
verb 5

This is the client config which can connect to the server. The "remote <ip>" is the public IP of the server VPN node. Remember that for each client a new keypair ought to be created.

Using this you can run a commercial grade enterprise class VPN service with just these commands:

# openvpn --config server.conf --daemon

on the server and

# openvpn --config client.conf

But the story does not end here. In order to get this working you have to have the certificates, dh1024.pem and keys.

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com

_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
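The two configs in Girish's mail make a good input for a small checker. The script below is an added example, not code from the mail or from the OpenVPN project: it parses the directive-per-line format (including the quoted push "..." payloads), confirms the ca/cert/key/dh files the mail says you still need are referenced, cross-checks the pushed 172.16.0.0 255.240.0.0 route against the 10.4.0.0/24 pool (and derives the /12 the mail mentions), and lists hardening directives the configs leave out. The directive names it checks for (tls-auth, tls-crypt, user, group, remote-cert-tls) are real OpenVPN options; the recommendations are this example's own, and the embedded config text is a constructed copy of the mail's.

```python
"""Linter for the OpenVPN server/client configs quoted above (added example)."""
import ipaddress
import shlex

# Constructed copies of the two configs from the mail. The "# cat" prompt
# line is a comment to OpenVPN and is skipped by the parser.
SERVER_CONF = """\
# cat server.conf
dev tun0
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
mode server
server 10.4.0.0 255.255.255.0
ifconfig-pool-persist pool.txt
push "route 172.16.0.0 255.240.0.0"
client-to-client
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
verb 5
"""

CLIENT_CONF = """\
remote 123.201.6.8
dev tun0
nobind
tls-client
ca ca.crt
cert g3vpn.crt
key g3vpn.key
pull
verb 5
"""


def parse_config(text):
    """Return a list of (directive, [args]); lines starting with '#' or ';' are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "route ..." as one argument
        entries.append((parts[0], parts[1:]))
    return entries


def pushed_options(entries):
    """Expand each push "..." payload into its own (directive, [args]) tuple."""
    out = []
    for name, args in entries:
        if name == "push" and args:
            inner = shlex.split(args[0])
            out.append((inner[0], inner[1:]))
    return out


def pushed_route_prefix(entries):
    """Prefix length of the first pushed route (the mail's route is 172.16.0.0/12)."""
    for name, args in pushed_options(entries):
        if name == "route" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False).prefixlen
    return None


def lint_server(entries):
    """Findings for a tls-server config: missing files, weak DH, absent hardening."""
    names = {n for n, _ in entries}
    findings = []
    for required in ("ca", "cert", "key", "dh"):
        if required not in names:
            findings.append(f"missing '{required}' directive")
    dh = next((a[0] for n, a in entries if n == "dh" and a), "")
    if "1024" in dh:
        # The file name alone does not prove the modulus size, but it is the only
        # hint the config gives; a 1024-bit DH group is considered weak today.
        findings.append(f"dh file '{dh}' suggests a 1024-bit group; use 2048 bits or more")
    if "tls-auth" not in names and "tls-crypt" not in names:
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    if "user" not in names or "group" not in names:
        findings.append("no user/group: daemon keeps root privileges after initialization")
    if "client-to-client" in names:
        findings.append("client-to-client: traffic between clients is switched inside OpenVPN, bypassing host firewall rules")
    pool = next((a for n, a in entries if n == "server"), None)
    if pool and len(pool) >= 2:
        pool_net = ipaddress.ip_network(f"{pool[0]}/{pool[1]}", strict=False)
        for name, args in pushed_options(entries):
            if name == "route" and len(args) >= 2:
                route_net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
                if route_net.overlaps(pool_net):
                    findings.append(f"pushed route {route_net} overlaps the VPN pool {pool_net}")
    return findings


def lint_client(entries):
    """Findings for a tls-client config."""
    names = {n for n, _ in entries}
    findings = []
    if "remote-cert-tls" not in names:
        findings.append("no 'remote-cert-tls server': any CA-signed cert, including another client's, is accepted as the server")
    return findings


if __name__ == "__main__":
    for label, text, lint in (("server", SERVER_CONF, lint_server), ("client", CLIENT_CONF, lint_client)):
        print(f"== {label}.conf ==")
        for finding in lint(parse_config(text)):
            print(" -", finding)
```

Run it as-is to see the findings for the mail's configs; point `SERVER_CONF`/`CLIENT_CONF` at your own files to reuse the checks. The route/pool overlap check passes for the mail's values because 10.4.0.0/24 and 172.16.0.0/12 are disjoint.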
