VPN's and other remote access
A VPN is a Virtual Private Network. The concept is that you are
using public or other shared lines (generally the Internet) to
connect machines, but that all packets are encrypted (so your
connections are "private").
You should understand first that you do not necessarily need a
VPN if you want remote clients to connect to your Linux or Unix
server. You don't even necessarily need this if your concern is
encryption for security. There are other ways to do these things
and I'll talk about them also; the advantage of a VPN is
If you have private lines, there's really no point to a VPN.
Which one is "better"? That depends on many things. If "faster" is
your concern, then a VPN can be fast if you have fast Internet
access at both ends of the connection, but if you don't, then it
won't be fast and you might be better off with private or dial-up
With an active VPN, the remote client machine acts very much
exactly as it would act if it were physically connected to your
office network. This is true even if your internal network is made
up of non-routable, private addresses (see Networking 101). For example, if your
internal pop mail server is at 192.168.2.5 and your application is
at 192.168.2.3, the remote client still accesses those addresses,
just as everyone in the physical office does.
My experience is that dial-in ppp is usually faster than a VPN
over dial-up internet access; the overhead of the VPN seems
generally to be more than the possible gain of 56K to an isp vs.
33.6 to another modem.
What happens is that the person at home first connects to the
Internet, using their modem, DSL, or whatever. At your office you
have a VPN server sitting at a real ip address on the Internet. You
have VPN software running on the client machine, so when they
attempt to connect to an address that the VPN software recognizes
as belonging to it (which is probably one of the internal
addresses, such as 192.168.2.3), it routes packets to the real IP
address and in turn the VPN server there passes them to the
internal address. It's all transparent to the clients: everything
looks to them as though they have a physical connection to your
internal network: if they would "telnet 10.1.36.3" in the building,
that's just what they'd do from home.
Exactly the same thing can be done with a direct modem to modem
( or other dedicated connection) from the client to your office.
Ordinary TCP/IP over dial up PPP just requires an inbound PPP
connection. The clients use DUN to acccess a modem at your
location, nothing to do with the Internet. Again, their perception
of addressing doesn't change, though of course there is no
encryption. Once the remote client has made the ppp connection, it
can access ip addresses within the internal network (assuming, of
course that proper routing is in place, etc.).
People sometimes find this confusing, but think of the Internet
as one giant private network and your local connection as a smaller
version. Once you are appropriately connected to either one, you
have access to that network, not just the machine you made the PPP
connection to. In fact, just as with the Internet, you may have no
intention of accessing that connection machine at all- it just is
there to let you get a connection so that you can access other
resources. There's probably no need for encryption over such a
connection, though you may want to use dial-back modems.
Windows clients with ssh capabilty are becoming common; most of
the well know names have added this to their products. A free
product that seems to be very good is PuTTY.
I also like the AlphaCom 3
If you have a real ip address on the Internet, you can also do
something similar using ssh.
This is not really a VPN, it's just encryption of packets. The
difference is that your clients connect to that known, public IP
address, not to the internal addresses you could use with a true
VPN. However, this requires much less work to set up, and of course
once they connect to that address you can automagically send them
along to where you really want them. For example, you can modify
their .profile on the ssh server so that they immediately ssh or
rsh to their same account on another server. Again, though, their
software has to use real, public ip addresses and you have to do
whatever is necessary to redirect the packets within the office.
Further, although ssh can set up tunnels for ftp or other access,
none of it happens automatically: your remote clients will either
need to be somewhat technical or you will have to do a lot of
scripting or programming on their machines.
Some VPN solutions include proprietary ones like Cisco and
completely free Linux implementations. The
proprietary packages generally require their own clients to be
installed on the Windows machines, PopTop uses the built in Windows
VPN client that Microsoft expected you to use with their NT VPN
server. If you don't want Cisco, but aren't up to doing it by
yourself, there is some middle ground: many routers contain VPN capability.
One particular disadvantage (or advantage, depending on your
viewpoint) of proprietary clients like the Cisco product is that
they are memory resident. The Windows VPN client is not; you have
to specifically make the VPN connection before attempting access to
the remote network. Memory resident clients are good for situations
where the client is always remote (never actually comes into the
office) and where the connection is to one VPN server. When you
have multiple possible connections (as I do with my clients) the
Windows VPN client is much easier- you are specifically choosing
what VPN server to connect to. In the case where the normally
remote client brings their laptop to the office and physically
connects to the network, the VPN software has to be unloaded,
because it will try to route what are now local accesses through
the VPN; this just won't work. It's usually easy enough to disable
(with Cisco, for example, you just choose "unload Security policy")
but people forget.
One important point with regard to VPN's: these are NOT
perfectly reliable connection. Unless you have rock solid internet
connections at BOTH ends, you are going to have disconnects and
lockouts now and then. If your software can't handle that, and you
can't fix it with something like "screen" or "dislocate" ( see
How can I reconnect to a
disconnected session?) , VPN's may not be for you.
Almost all routers today, even inexpensive home versions, have at least
basic VPN capability. Most offer at least PPTP, perhaps IPSEC, and some
offer LAN to LAN VPN's (great for branch offices).
For more VPN information, see www.vpnlabs.org
Got something to add? Send me email.
More Articles by Tony Lawrence
Find me on Google+
© 2011-05-09 Tony Lawrence