Linux VPN

Bennett Todd bet at RAHUL.NET
Fri Jan 21 14:29:13 EST 2000


2000-01-21-01:20:49 Todd Wilburn:
> We are thinking of using Linux for our server/firewalls and we
> need to do VPN. What programs are available for a Linux VPN box? I
> can use secret pass codes or certs.

There are a lot of alternatives. I've been trying to read up on
them, but haven't yet tried them.

If you favour IPSec, there's FreeS/WAN[1]. There's PopTop[2] for
people who need interoperability with Windows clients with no add-on
software, and are willing to live with the security of PPTP to get
it. There are more approaches to doing ppp, slip, or other protocols
tunneled over ssh than you can shake a stick at. The newest I've
seen is vpnstarter[3]. The simplest VPN implementation I know of
for Linux is vpnd[4], and simplicity is often a win.

But I fear, even though it's probably the most complex solution of
them all, I'd probably recommend pursuing the FreeS/WAN, and if I
couldn't get that working I'd then recommend trying replacing the
Linux boxes with OpenBSD and trying its ipsec for the VPNning.

The thing is, from everything I've read, I get the strong impression
that IP-over-TCP tunneling --- which includes the foo-over-ssh
solutions and vpnd --- has really awful performance problems as
soon as the net is less than perfect (and the internet is the
diametrical opposite of perfect these days). TCP has some amazing
performance-tuning hacks, designed to minimize needless resends
in the face of large and variable latencies, and to avoid filling
buffers in intermediate routers. Apparently their behavior is such
that the latency characteristics delivered up by an underlying TCP
layer completely screw up the performance of the tunneled TCP layer
attempting to ride on top. Or so I've heard.

All this is hearsay, so if anybody knows I'm wrong about it I'd love
to be corrected.

-Bennett

[1] <URL:http://www.freeswan.org/>
[2] <URL:http://www.moretonbay.com/vpn/pptp.html>
[3] <URL:http://detached.net/vpnstarter/>
[4] <URL:http://sunsite.auc.dk/vpnd/>