VPN's and other remote access
A VPN is a Virtual Private Network. The concept is that you are
using public or other shared lines (generally the Internet) to
connect machines, but that all packets are encrypted (so your
connections are "private").
You should understand first that you do not necessarily need a
VPN if you want remote clients to connect to your Linux or Unix
server. You don't even necessarily need this if your concern is
encryption for security. There are other ways to do these things
and I'll talk about them also; the advantage of a VPN is
If you have private lines, there's really no point to a VPN.
Which one is "better"? That depends on many things. If "faster" is
your concern, then a VPN can be fast if you have fast Internet
access at both ends of the connection, but if you don't, then it
won't be fast and you might be better off with private or dial-up
With an active VPN, the remote client machine acts very much
exactly as it would act if it were physically connected to your
office network. This is true even if your internal network is made
up of non-routable, private addresses (see Networking 101). For example, if your
internal pop mail server is at 192.168.2.5 and your application is
at 192.168.2.3, the remote client still accesses those addresses,
just as everyone in the physical office does.
My experience is that dial-in ppp is usually faster than a VPN
over dial-up internet access; the overhead of the VPN seems
generally to be more than the possible gain of 56K to an isp vs.
33.6 to another modem.
What happens is that the person at home first connects to the
Internet, using their modem, DSL, or whatever. At your office you
have a VPN server sitting at a real ip address on the Internet. You
have VPN software running on the client machine, so when they
attempt to connect to an address that the VPN software recognizes
as belonging to it (which is probably one of the internal
addresses, such as 192.168.2.3), it routes packets to the real IP
address and in turn the VPN server there passes them to the
internal address. It's all transparent to the clients: everything
looks to them as though they have a physical connection to your
internal network: if they would "telnet 10.1.36.3" in the building,
that's just what they'd do from home.
Exactly the same thing can be done with a direct modem to modem
( or other dedicated connection) from the client to your office.
Ordinary TCP/IP over dial up PPP just requires an inbound PPP
connection. The clients use DUN to acccess a modem at your
location, nothing to do with the Internet. Again, their perception
of addressing doesn't change, though of course there is no
encryption. Once the remote client has made the ppp connection, it
can access ip addresses within the internal network (assuming, of
course that proper routing is in place, etc.).
People sometimes find this confusing, but think of the Internet
as one giant private network and your local connection as a smaller
version. Once you are appropriately connected to either one, you
have access to that network, not just the machine you made the PPP
connection to. In fact, just as with the Internet, you may have no
intention of accessing that connection machine at all- it just is
there to let you get a connection so that you can access other
resources. There's probably no need for encryption over such a
connection, though you may want to use dial-back modems.
Windows clients with ssh capabilty are becoming common; most of
the well know names have added this to their products. A free
product that seems to be very good is PuTTY.
I also like the AlphaCom 3
If you have a real ip address on the Internet, you can also do
something similar using ssh.
This is not really a VPN, it's just encryption of packets. The
difference is that your clients connect to that known, public IP
address, not to the internal addresses you could use with a true
VPN. However, this requires much less work to set up, and of course
once they connect to that address you can automagically send them
along to where you really want them. For example, you can modify
their .profile on the ssh server so that they immediately ssh or
rsh to their same account on another server. Again, though, their
software has to use real, public ip addresses and you have to do
whatever is necessary to redirect the packets within the office.
Further, although ssh can set up tunnels for ftp or other access,
none of it happens automatically: your remote clients will either
need to be somewhat technical or you will have to do a lot of
scripting or programming on their machines.
Some VPN solutions include proprietary ones like Cisco and
completely free Linux implementations. The
proprietary packages generally require their own clients to be
installed on the Windows machines, PopTop uses the built in Windows
VPN client that Microsoft expected you to use with their NT VPN
server. If you don't want Cisco, but aren't up to doing it by
yourself, there is some middle ground: many routers contain VPN capability.
One particular disadvantage (or advantage, depending on your
viewpoint) of proprietary clients like the Cisco product is that
they are memory resident. The Windows VPN client is not; you have
to specifically make the VPN connection before attempting access to
the remote network. Memory resident clients are good for situations
where the client is always remote (never actually comes into the
office) and where the connection is to one VPN server. When you
have multiple possible connections (as I do with my clients) the
Windows VPN client is much easier- you are specifically choosing
what VPN server to connect to. In the case where the normally
remote client brings their laptop to the office and physically
connects to the network, the VPN software has to be unloaded,
because it will try to route what are now local accesses through
the VPN; this just won't work. It's usually easy enough to disable
(with Cisco, for example, you just choose "unload Security policy")
but people forget.
One important point with regard to VPN's: these are NOT
perfectly reliable connection. Unless you have rock solid internet
connections at BOTH ends, you are going to have disconnects and
lockouts now and then. If your software can't handle that, and you
can't fix it with something like "screen" or "dislocate" ( see
How can I reconnect to a
disconnected session?) , VPN's may not be for you.
Almost all routers today, even inexpensive home versions, have at least
basic VPN capability. Most offer at least PPTP, perhaps IPSEC, and some
offer LAN to LAN VPN's (great for branch offices).
For more VPN information, see www.vpnlabs.org
If this page was useful to you, please help others find it:
More Articles by Tony Lawrence
- Find me on Google+
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site:
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Publishing your articles here
Jump to Comments
Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.
I am a Kerio reseller. Articles here related to Kerio products reflect my honest opinion, but I do have an obvious interest in selling those products also.
Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.
We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.