VPN's and other remote access
Some material is very old and may be incorrect today
© April 2001 Tony Lawrence
A VPN is a Virtual Private Network. The concept is that you are using public or other shared lines (generally the Internet) to connect machines, but that all packets are encrypted (so your connections are "private").
You should understand first that you do not necessarily need a VPN if you want remote clients to connect to your Linux or Unix server. You don't even necessarily need this if your concern is encryption for security. There are other ways to do these things and I'll talk about them also; the advantage of a VPN is convenience.
If you have private lines, there's really no point to a VPN. Which one is "better"? That depends on many things. If "faster" is your concern, then a VPN can be fast if you have fast Internet access at both ends of the connection, but if you don't, then it won't be fast and you might be better off with private or dial-up lines.
With an active VPN, the remote client machine acts very much exactly as it would act if it were physically connected to your office network. This is true even if your internal network is made up of non-routable, private addresses (see Networking 101). For example, if your internal pop mail server is at 192.168.2.5 and your application is at 192.168.2.3, the remote client still accesses those addresses, just as everyone in the physical office does.
What happens is that the person at home first connects to the Internet, using their modem, DSL, or whatever. At your office you have a VPN server sitting at a real ip address on the Internet. You have VPN software running on the client machine, so when they attempt to connect to an address that the VPN software recognizes as belonging to it (which is probably one of the internal addresses, such as 192.168.2.3), it routes packets to the real IP address and in turn the VPN server there passes them to the internal address. It's all transparent to the clients: everything looks to them as though they have a physical connection to your internal network: if they would "telnet 10.1.36.3" in the building, that's just what they'd do from home.
Exactly the same thing can be done with a direct modem to modem ( or other dedicated connection) from the client to your office. Ordinary TCP/IP over dial up PPP just requires an inbound PPP connection. The clients use DUN to acccess a modem at your location, nothing to do with the Internet. Again, their perception of addressing doesn't change, though of course there is no encryption. Once the remote client has made the ppp connection, it can access ip addresses within the internal network (assuming, of course that proper routing is in place, etc.).
People sometimes find this confusing, but think of the Internet as one giant private network and your local connection as a smaller version. Once you are appropriately connected to either one, you have access to that network, not just the machine you made the PPP connection to. In fact, just as with the Internet, you may have no intention of accessing that connection machine at all- it just is there to let you get a connection so that you can access other resources. There's probably no need for encryption over such a connection, though you may want to use dial-back modems.
If you have a real ip address on the Internet, you can also do something similar using ssh. This is not really a VPN, it's just encryption of packets. The difference is that your clients connect to that known, public IP address, not to the internal addresses you could use with a true VPN. However, this requires much less work to set up, and of course once they connect to that address you can automagically send them along to where you really want them. For example, you can modify their .profile on the ssh server so that they immediately ssh or rsh to their same account on another server. Again, though, their software has to use real, public ip addresses and you have to do whatever is necessary to redirect the packets within the office. Further, although ssh can set up tunnels for ftp or other access, none of it happens automatically: your remote clients will either need to be somewhat technical or you will have to do a lot of scripting or programming on their machines.
Some VPN solutions include proprietary ones like Cisco and completely free Linux implementations. The proprietary packages generally require their own clients to be installed on the Windows machines, PopTop uses the built in Windows VPN client that Microsoft expected you to use with their NT VPN server. If you don't want Cisco, but aren't up to doing it by yourself, there is some middle ground: many routers contain VPN capability.
One particular disadvantage (or advantage, depending on your viewpoint) of proprietary clients like the Cisco product is that they are memory resident. The Windows VPN client is not; you have to specifically make the VPN connection before attempting access to the remote network. Memory resident clients are good for situations where the client is always remote (never actually comes into the office) and where the connection is to one VPN server. When you have multiple possible connections (as I do with my clients) the Windows VPN client is much easier- you are specifically choosing what VPN server to connect to. In the case where the normally remote client brings their laptop to the office and physically connects to the network, the VPN software has to be unloaded, because it will try to route what are now local accesses through the VPN; this just won't work. It's usually easy enough to disable (with Cisco, for example, you just choose "unload Security policy") but people forget.
One important point with regard to VPN's: these are NOT perfectly reliable connection. Unless you have rock solid internet connections at BOTH ends, you are going to have disconnects and lockouts now and then. If your software can't handle that, and you can't fix it with something like "screen" or "dislocate" ( see How can I reconnect to a disconnected session?) , VPN's may not be for you.
Almost all routers today, even inexpensive home versions, have at least basic VPN capability. Most offer at least PPTP, perhaps IPSEC, and some offer LAN to LAN VPN's (great for branch offices).
For more VPN information, see www.vpnlabs.org
Got something to add? Send me email.
(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version
More Articles by Tony Lawrence © 2011-05-09 Tony Lawrence