[nzlug] VPN/Tunnel software
Daniel Pittman
daniel at rimspace.net
Mon Oct 2 13:18:26 NZDT 2006
Simon Lyall <simon at darkmere.gen.nz> writes:
> I was wondering what people are using for VPN/Tunnel software?
As others have mentioned, use OpenVPN. It is probably the nicest
option, and is sufficiently cross-platform to be well worth it.
If you /really/ need interoperability with something that uses IPSec,
use the 'pipsecd' tool, which is a user-space implementation of IPSec
tunnel mode ESP with pre-shared keys.
Unlike most other options it is actually reasonably easy to configure,
and almost impossible to configure insecurely. Well, unless you use a
bad pre-shared key. ;)
> What I am looking for is something to tunnel between my home Linux box
> to a remote Linux server. The home box is on DSL and changes IP every
> now and then.
As long as you have a fixed identifier so that both ends can find the
other there shouldn't be an issue. OpenVPN can do DNS lookups, which
can make that easier.
> Currently I use vtun but I would prefer something a bit more
> mainstream.
Please stop. vtun, like most of the other home-brew VPN solutions, has
been considered insecure when reviewed by cryptography experts.
Typically these solutions use crypto in a way that defeats any real
security, and are often vulnerable to trivial injection, replay or
corruption attacks.
> Requirements:
>
> 1. Debian/Ubuntu at both ends. Servers not desktops (ie not graphical)
Either option, with OpenVPN being a "one tool" solution.
> 2. I would prefer to use the most popular software rather than something
> obscure. Eg part of packages, plenty of howtos.
OpenVPN is well documented.
pipsecd has a couple of paragraphs, but they cover everything that it
does exhaustively, so I think it is also well documented.
> 3. Reasonable encryption.
OpenVPN has never been subject to a serious review, but Peter Gutmann
felt that it was the only open source VPN solution (other than IPSec)
that was worth the time, from a brief look.
His statements can be found here:
http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
One of the key advantages that OpenVPN has is that it uses OpenSSL to
deal with the encryption and SSL protocol side of things, focusing
itself on the transport and management side.
This means that, unlike most other options, the authors didn't try to
write their own crypto code, so you get better performance and more
security for free.
pipsecd uses IPSec ESP tunnel-mode encapsulation, with main mode IKE,
and is interoperable with other implementations.
While I don't know of an exhaustive security review of the code there
has been extensive study of those protocols, and the underlying design
is secure.
> 4. Built in Traffic shaping would be a bonus.
Er, it probably wouldn't you know. The more jobs a single package tries
to do the less well it can do each individual job.
You should just use the standard Linux traffic shaping tools to manage
what flows over the basic, bare-bones interface the VPN tool provides.
> 5. Not too barebones (ie not just iptables).
That is hard to address. Is a tool that uses only a configuration file
suitable?
Perhaps if this is a critical requirement you might want to restate your
question in some other way such as:
Not too barebones (such as raw iptables) because ...
> The mainstream bit is pretty important, I just want something I can
> apt-get, is maintained and has a good level of documentation. However
> from googling around it is very hard to tell what is the standard
> software most people are using.
Many people are using gratuitously insecure software because it is "good
enough" for their threat model.
PPtP, with or without the Microsoft encryption, is completely insecure
when attacked cryptographically. It is still widespread, however,
because it is good enough for most folks -- because, frankly, having
people sniff your traffic streams on the Internet isn't a threat to most
people.
Likewise you could use one of the insecure-by-design VPN solutions for
Linux and, well, not have any problems at all -- because no one cares
enough to attack your VPN, with easier targets still available.
However, the OpenVPN or pipsecd solutions should make that impractical
to attack other than implementation bugs.[1]
The use of a standard encryption library by OpenVPN is a big help, as it
was re-secured as soon as OpenSSL addressed the issue.
Regards,
Daniel
Footnotes:
[1] OpenVPN would be vulnerable to the recent OpenSSL certificate
flaws, for example.
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact at digital-infrastructure.com.au
http://digital-infrastructure.com.au/
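The dynamic-IP setup discussed in this thread (home box on DSL, server with a fixed name), as an added OpenVPN server/client configuration pair that is not part of the original post; the hostname vpn.example.org, the key and certificate paths and the 10.8.0.0/24 tunnel range are constructed for illustration.

```conf
# --- server.conf on the remote Linux server (fixed DNS name) ---
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt          # paths are assumptions
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0    # HMAC-signs the control channel; unsigned packets are dropped before TLS
cipher AES-256-CBC                # data-channel cipher supplied by OpenSSL, not home-brew crypto
server 10.8.0.0 255.255.255.0     # hands the home box an address in this range
keepalive 10 60                   # ping every 10s, restart the tunnel after 60s of silence
float                             # accept the home peer from a new source address once its packets authenticate
persist-key
persist-tun
user nobody                       # drop root after the tunnel is up
group nogroup
verb 3

# --- client.conf on the home DSL box (address changes now and then) ---
client
dev tun
proto udp
remote vpn.example.org 1194       # the server is found by name, so only the server needs a fixed address
resolv-retry infinite             # keep retrying the DNS lookup while the DSL link is re-establishing
nobind                            # no fixed local port needed on the side that initiates
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/home.crt
key  /etc/openvpn/home.key
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server            # refuse to talk to a client certificate posing as the server (OpenVPN 2.1+)
cipher AES-256-CBC
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

Traffic shaping, as the post suggests, is left to the standard Linux tools applied to the tun interface this creates rather than to OpenVPN itself.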