On Tue, 2004-02-03 at 22:50, Mark wrote:
> I have a small business client that is still running on Windows NT
> 3.5.1. I'm thinking about putting Fedora on their main server and
> making it a firewall, internet gateway, etc. on their DSL line. I
> brought it up the other day, and they will not mind the change as long
> as their employees can still VPN into the server, and PCAnywhere into
> their PC or a server.

OpenVPN.

I struggled with FreeS/WAN. It kinda works, but IPSec doesn't work through NAT. Then you have to apply the NAT patches to FreeS/WAN in order to tunnel IPSec through UDP, which are not supported with the current FreeS/WAN version, so you're forced to use older, buggy versions, not to mention that you have to patch the kernel. Plus the native Win2K client does not support IPSec-over-UDP, so you have to get a 3rd-party client, which may or may not be free. Also, setting up clients (any kind of clients, but especially Windows) with FreeS/WAN is a pain in the butt. On top of that, it's kernel-level, so if it breaks it takes everything down.

Then I discovered OpenVPN. It has clients for Linux and Windows, which are very easy to install and configure. It does not use IPSec, but SSL-over-UDP (or TCP) on arbitrary ports, so NAT and firewalls are not an issue. It can even tunnel through HTTP proxies (if using TCP). It's user-level (it's a daemon running as an unprivileged user), not kernel-level, so it doesn't bring the whole system down if it breaks (it never did).

Even though it's using SSL instead of IPSec, it's still a true VPN: it gives you an address, it can tunnel any protocol, you can add static routes through it, etc. It is not just a "browser thing", it's a full-blown VPN: you can mount Windows shares, you can ping or traceroute through it, etc. The strength of the encryption is as good as IPSec's. That is not true for other small VPN projects, which came under scrutiny of security specialists recently and were found to be flawed.

The current version is designed for small networks (a few dozen clients) and it does not scale too well to thousands of clients, because it uses one port and one virtual interface on the server for each client. But there are plans to rewrite it to make it scale. If you have less than a hundred clients it should be OK.

It is not compatible with arbitrary IPSec VPN devices and applications, because it's not using IPSec; this is where it's notably weaker than FreeS/WAN.

http://openvpn.sourceforge.net/

-- 
Florin Andrei
http://florin.myip.org/
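As an added illustration (not part of Florin's mail or the OpenVPN project's documentation), here is a minimal OpenVPN point-to-point pair in the one-port-one-tun-per-client style the mail describes: TLS authentication, an arbitrary UDP port, and the daemon dropping to an unprivileged user on the gateway. The port number, tunnel addresses, LAN subnet, hostname and file paths are assumed values.

```conf
# server.conf on the Fedora gateway: serves exactly one client (assumed values)
dev tun
port 5000                      # any UDP port; the firewall only needs to open this one
ifconfig 10.8.0.1 10.8.0.2     # local / remote tunnel addresses for this client
tls-server
dh   /etc/openvpn/dh1024.pem   # assumed paths to the TLS material
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
user  nobody                   # drop root once the tun device and socket exist
group nobody
persist-tun                    # keep tun open and keys in memory across restarts,
persist-key                    # since the process can no longer re-open them as root
ping 10
ping-restart 60
verb 3

# client.conf on the remote Linux or Windows machine: mirror image of the above
dev tun
remote vpn.example.org         # assumed hostname of the gateway
port 5000
ifconfig 10.8.0.2 10.8.0.1
tls-client
ca   ca.crt
cert client.crt
key  client.key
route 192.168.1.0 255.255.255.0   # reach the office LAN through the tunnel
persist-tun
persist-key
ping 10
ping-restart 60
verb 3
```

Each additional client needs its own server instance with a distinct port and ifconfig pair, which is the per-client cost the mail refers to when it says the current version does not scale to thousands of clients.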