How To Configure VPN

From Biowiki

How To Configure A Virtual Private Network (VPN) For Free [THIS IS IN PROGRESS AND SHOULD BE FINISHED SOON!]

Free means, "without having to pay for VPN software." Not free of pain or frustration.

What is this guide? Why is it here? Who is this for?

A few weeks ago I was trying to link together two subnets on separate networks using some sort of encrypted tunnel (see the diagram below for a picture worth a thousand words). The original intention for this was so that we could securely mount an NFS export on machines on Subnet 2, although the NFS server is on Subnet 1 and behind a gateway/firewall/NAT box (and of course the NFS server has a local subnet IP in the range reserved for private IPs and isn't visible to anyone outside of Subnet 1).

This I accomplished with some success (described in Mounting NFS Through SSH Tunnel). What's the problem? This solution doesn't work for Mac OS X (or, as far as I can tell, any BSD-derived OS), because Mac OS X does not allow you to bypass RPC and specify ports to mount on, so you can't make NFS traffic go through the ports that are forwarded through the SSH tunnel. If I'm wrong in this, or anything else on this page, please let me (Andrew Uzilov) know, or drop a comment at the bottom.

The better solution for this, and many other things as well, was to use a Virtual Private Network (VPN), so that machines on Subnet 1 were visible to machines on Subnet 2 as if they were actually on the same subnet, and vice versa. The link between the subnets would be... yep, a good old SSH tunnel, providing encrypted, secure communication over an insecure network.

Another problem was that I didn't want to pay for VPN software, and OpenVPN caused the latest version of OpenSSL to crash when both were compiled from source on 64-bit CentOS on an Opteron machine (I mean that OpenSSL crashed after OpenVPN established a TCP connection, not at the compile step). Darn. I couldn't track down the source of this problem, and decided to rig together something less elegant instead.

NOTE TO SELF: include a searchable description of the OpenSSL crash... report the bug!

Suffice it to say, there was some documentation (see below) on how to get this to work using nothing but routing tables, SSH, a little program called pty-redir, and the PPP protocol, a daemon for which comes standard on the later (and for all I know, earlier) versions of Debian and CentOS. It also comes with Mac OS X (version 10.3.9, aka Panther, and presumably on 10.4, aka Tiger). Actually, considering what PPP is, there are probably no operating systems with networking capability that don't have a PPP daemon.

Regardless, you will see from the write-up below that it's not necessary for every machine on your subnet to have PPP anyway, only the tunnel entrance. Alternately, you could have each machine establish its own tunnel (in which case they'll all need PPP), which is useful if you're on the road or at home or something and want to access your VPN with just one machine, not put the entire subnet on it. This guide should make it clear how both ways work.

So if you have any less-than-draconian operating system, an SSH framework (client and server - I would recommend OpenSSH), and PPP capability (check for /usr/sbin/pppd on your Linux or Mac box), and have a minimal amount of experience with networks, routing tables, and firewalls, you can set up your own VPN with nothing but duct tape and rubber bands! Oh yeah, but quite importantly, you will also need pty-redir.
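To make the pieces listed above concrete, here is an added example script (not the page's own code, and not from any of the guides it cites) that brings up the tunnel the way the text describes: a PPP link whose "serial line" is an SSH session to the Subnet 1 gateway, plus the routes that send Subnet 1 traffic through it. Everything in it is an assumption for illustration: the subnet addresses, the gateway hostname, the dedicated `vpn` account and key path, the point-to-point addresses 10.0.0.1/10.0.0.2, and the use of pppd's built-in `pty` option in place of pty-redir (it does the same job: hands pppd a pseudo-tty with ssh on the other end). The `authorized_keys` line it generates restricts the tunnel account to starting pppd and nothing else, which is the part worth getting right whatever variant you run.

```shell
#!/bin/sh
# Added example: PPP-over-SSH link bring-up (not the page's own code).
# All values below are constructed for illustration.

SUBNET1=192.168.1.0/24          # constructed: LAN behind the Subnet 1 gateway
SUBNET2=192.168.2.0/24          # constructed: LAN on this (Subnet 2) side
GATEWAY1=gateway1.example.org   # constructed: public name of the Subnet 1 gateway
VPN_USER=vpn                    # constructed: dedicated unprivileged account on GATEWAY1
KEY=/etc/ppp/vpn_id_ed25519     # constructed: client key used only for this tunnel
P2P_SERVER=10.0.0.1             # constructed: PPP endpoint on the Subnet 1 gateway
P2P_CLIENT=10.0.0.2             # constructed: PPP endpoint on this machine

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# pppd invocation for the tunnel entrance on the Subnet 2 side.
#   updetach        stay in the foreground until the link is up, then detach
#   noauth          no PPP-level authentication (the SSH key already did that)
#   nodefaultroute  only the explicit route added below uses the tunnel
#   local           no modem control lines on a pseudo-tty
#   lcp-echo-*      drop the link if the far end stops answering
#   pty "ssh ..."   ssh is the "serial line"; -T and -e none stop ssh from
#                   requesting a remote tty or eating escape characters
client_pppd_cmd() {
    printf 'pppd updetach noauth nodefaultroute local lcp-echo-interval 10 lcp-echo-failure 3 pty "ssh -T -e none -o BatchMode=yes -i %s %s@%s" %s:%s' \
        "$KEY" "$VPN_USER" "$GATEWAY1" "$P2P_CLIENT" "$P2P_SERVER"
}

# authorized_keys line for $VPN_USER on the Subnet 1 gateway: the key may only
# start pppd (forced command), with no shell, no forwarding and no tty.
#   notty   pppd speaks over stdin/stdout, i.e. the SSH channel
client_route_cmd() { echo "ip route add $SUBNET1 via $P2P_SERVER dev ppp0"; }
server_authorized_keys_line() {
    pubkey=$1
    printf 'command="/usr/sbin/pppd nodetach notty noauth nodefaultroute %s:%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$P2P_SERVER" "$P2P_CLIENT" "$pubkey"
}

# Return route the Subnet 1 gateway needs (run it from its /etc/ppp/ip-up).
server_route_cmd() { echo "ip route add $SUBNET2 via $P2P_CLIENT dev ppp0"; }

# Whole-subnet variant ("tunnel entrance" for all of Subnet 2): this box must
# forward, and the other Subnet 2 hosts route $SUBNET1 via this box.
enable_forwarding_cmd() { echo "sysctl -w net.ipv4.ip_forward=1"; }

# ppp0 assumes no other PPP interface exists on this machine.
vpn_up() {
    run sh -c "$(client_pppd_cmd)"     # blocks until the link is negotiated
    run $(client_route_cmd)
    if [ "${WHOLE_SUBNET:-0}" = 1 ]; then
        run $(enable_forwarding_cmd)
    fi
}

case "${1:-}" in
    up)      vpn_up ;;
    keyline) server_authorized_keys_line "$2" ;;
esac
```

Preview what would run with `DRY_RUN=1 sh vpn.sh up` (add `WHOLE_SUBNET=1` for the whole-subnet case), and print the line to install on the gateway with `sh vpn.sh keyline "$(cat vpn_id_ed25519.pub)"`. The single-machine variant from the text is just `sh vpn.sh up` on that one box; the gateway variant is the same command on the Subnet 2 gateway with `WHOLE_SUBNET=1`, plus a route on each other Subnet 2 host pointing at that gateway.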

Yes, I deliberately stocked this intro with searchable keywords. Hopefully this guide will save someone some trouble. The intention was to write this for inexperienced users.

There is nothing here for Windows users. Good luck.

Before you go on... here are some other resources

Apparently you can run an open-source PPTP server called Poptop on Linux, which is your VPN server. The grand advantage to this is that a lot of popular operating systems out there - such as Mac OS X (Jaguar, aka version 10.2, and later), later versions of Windows (although Windows boxes are banned from our VPN), and maybe even later versions of Linux - come bundled with a PPTP client. Actually, I think later versions of Linux may even come with a PPTP server also, but I'm not sure. So in theory, any machine out there can easily connect to your VPN.

Honestly, I am not quite sure why I never explored this option, as it would have probably saved a hell of a lot of time and effort. For example, there would be no painful setup of the client side at all. I think I might have mistakenly thought that either (1) it was not encrypted/encryptable, or (2) it wasn't free, or encumbered by some patent because it (used to be?) a Microsoft product. This will definitely be revisited.

(Note to self: is Poptop basically a wrapper around /usr/sbin/pppd? Is this "PPTP server" that comes bundled with Linux distros basically... pppd? Because if that's the case, then we have a, um, home-brewed version of Poptop implemented already.)

There is also OpenVPN, an open-source VPN implementation for both the client and the server side. Supposedly it is stable on 64-bit platforms. For us, though, it didn't play well with OpenSSL.

Word on the street has it that Hamachi might work as well. I haven't tried it and don't know anything about it, but I might as well put the link in.

This guide is built on information from these guides (I think the first two are actually built on the last guide):



[3] (in particular, the pitfalls section might be quite useful)

They might be useful to you if this guide is not sufficient.

Our example network topology

(refer to these as Subnet 1 and Subnet 2)


download and compile pty-redir


If you have something to say or correct... just edit the Wiki directly (that's what Wikis are for!) and leave a message here that you did it, for courtesy (because I don't have to peruse the change logs that way). Or just leave a message here. Or e-mail me. The important part is... do something, don't just stand idly by and let ignorance choke the Internet massive!


-- Andrew Uzilov - 28 Mar 2006