ArNiS n00b
Joined: 06 Dec 2005 Posts: 63 Location: Saint-Petersburg, Russia
Posted: Sun Jan 22, 2006 5:04 pm Post subject: VPN-server question. Help!
I need to connect 6-8 clients from my LAN to Internet. But I can not find the best solution. My VPN-server will have Internet access through VPN-access from local LAN provider. All the users have WinXP installed so I need a Windows-friendly VPN solution. I read about openvpn and openswan. I am not sure it is better to use openvpn and I am not experienced in openswan. I did not find how to connect openVPN server to Internet through VPN-tunnel. Any suggestions? I need the most simple solution. Are there some docs to read?
_________________
Today is the first day of the remained life

tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Sun Jan 22, 2006 5:10 pm
If I understand you right it all depends on the VPN implementation of your VPN-Server... it is unlikely that it supports all the protocols you mentioned... do you know anything about it?
For Windows, the most convenient way is PPTP. Since W2k you don't need to install any software.
Alex!!!
_________________
ALT-F4

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Sun Jan 22, 2006 5:24 pm
tuxmin wrote: "For Windows, the most convenient way is PPTP. Since W2k you don't need to install any software."
Same goes for IPsec tunnels; builtin with W2K and up. (and a PITA to set up)
OpenVPN in general is much easier to set up than any IPsec tunnel I'm aware of - at least when it comes to NAT-T and stuff... additionally in your case you'd need to tunnel another tunnel which complicates things even more.
The Win-Client for OpenVPN is quite easy to set up too so it might be the better choice to use this one. There are some very good howtos about setting up OpenVPN in the forums.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

ArNiS n00b
Joined: 06 Dec 2005 Posts: 63 Location: Saint-Petersburg, Russia
Posted: Sun Jan 22, 2006 9:08 pm
Pals, do you know any docs exactly about "tunneling to another tunnel"? I tried to read a lot of threads at Gentoo forums and many pages from Google but I did not find anything similar to me. It is not a problem to set up a VPN-server for incoming connections, but how to set up a VPN-server providing another VPN tunnel access - this is my real trouble.
_________________
Today is the first day of the remained life

tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Sun Jan 22, 2006 9:21 pm
OK, I understand you have a VPN server for your Windows-Clients which in turn holds a second tunnel to your ISP, right?
Well, consider a VPN gateway as a transparent router. I.e. from a client's point of view you have one default route through the tunnel to *your* VPN server. The server itself has its default route through the tunnel to your ISP.
It's all about routing, isn't it?
Still I have the odd feeling I don't recognize your problem to the full extent. Could you please give some more information on your network topology.
Is this VPN server you mention a Linux machine at all? Or is it an appliance? I
Alex!!
_________________
ALT-F4

ArNiS n00b
Joined: 06 Dec 2005 Posts: 63 Location: Saint-Petersburg, Russia
Posted: Sun Jan 22, 2006 10:00 pm
So. My LAN is 192.168.1.0/255.255.255.0 with 192.168.1.1 gateway. This LAN is linked with other LANs from wide area. Such as 192.168.0.0, 192.168.7.0, 10.4.2.0 and a lot of others. There is a MS-compatible (FreeBSD - I guess) VPN-server without encryption at some address (I am not sure for example 172.31.1.2) providing internet access for all registered users from linked subnetworks via NAT (at the present moment). The idea is to have only one VPN-connected host providing internet access for other MS-hosts from some subnetworks. It is not absolutely necessary for my MS-hosts to be connected via VPN. But I guess this is the best way for the clients to be connected isn't it? It is not good to use a proxy and so on because of many client issues.
_________________
Today is the first day of the remained life

tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Mon Jan 23, 2006 8:13 am
OK,
as far as I understand, you have a large number of Windows machines in several locations/subnets connected to a central VPN-Server. All internet traffic goes through this VPN-Server, right? All machines have their own tunnel?
Please confirm.
Given this, I guess what you are looking for are VPN gateways in each subnet. Each gateway provides a tunnel to your central VPN server. The client machines have this VPN gateway as default gateway.
The rest is about routing. You can either NAT any outgoing traffic to the tunnel IP of a certain gateway, or you can create routes to any subnet on the central server.
It doesn't matter which type of VPN you use, but I guess PPTP is easiest to set up. I wouldn't recommend OpenVPN as the throughput is considerably lower than with PPTP or IPsec.
If your concerns are about security go for IPsec or OpenVPN. PPTP has some design flaws which make it a second choice if you really want to protect your data.
_________________
ALT-F4

Jeremy_Z l33t
Joined: 05 Apr 2004 Posts: 671 Location: Shanghai
Posted: Mon Jan 23, 2006 10:29 am
I am not sure I understand your problem: you have clients connected to a server via VPN, the server has internet access and you want your client to use this internet access?
Then once a client is connected (ie: 172.16.0.x to the server (ie: 172.16.0.1)):
- on the client, set the server as the gateway and default route (on Linux that would be: route add default gw 172.16.0.1) -> that can be done in the openvpn config file
- on the server do NAT from your VPN network to the internet.
What is not working?
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals

ArNiS n00b
Joined: 06 Dec 2005 Posts: 63 Location: Saint-Petersburg, Russia
Posted: Mon Jan 23, 2006 10:56 am
I am sorry for the misunderstanding, I did not describe the situation correctly. So I have many subnetworks linked in one network with Internet access via FreeBSD gateway. Two months ago my LAN provider announced a new service - it is high-speed unlimited internet access via MS-compatible VPN-server. The idea is to connect a Gentoo-box client to provider's VPN-server and make it run as an Internet-gateway for some LAN clients. That is all. But because of some client issues (not actually a security) I found the most useful to run a VPN service for my MS-clients. Actually I want to have a local Gentoo-mirror in the future. But it is not necessary now.
_________________
Today is the first day of the remained life

ArNiS n00b
Joined: 06 Dec 2005 Posts: 63 Location: Saint-Petersburg, Russia
Posted: Tue Jan 24, 2006 3:16 am
Could anyone help me to find a solution? I need to connect a Gentoo-box client to provider's VPN-server and make it running as an Internet-gateway for some LAN MSoft-clients. Any suggestions about where to get any docs?
_________________
Today is the first day of the remained life

Jeremy_Z l33t
Joined: 05 Apr 2004 Posts: 671 Location: Shanghai
Posted: Tue Jan 24, 2006 4:24 pm
I use openvpn for that. I found the openvpn howto on openvpn.net (http://openvpn.net/howto.html) enough to set up a Linux vpn server while MS client can also use openvpn to connect to it.
After as I said, it is just a matter of setting the iptables masquerading on the openvpn server, and setting the gateway on the windows client side.
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals
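
The gateway side of the setup described in the post above (masquerading VPN clients out through the provider tunnel), as an added example that is not part of the original thread. The interface names `tun0` and `ppp0` are assumptions, 172.16.0.0/24 follows the addresses used earlier in the thread, and the MSS clamp and default-drop FORWARD policy go beyond what the posts state.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a gateway that NATs
# OpenVPN clients out through a provider tunnel. All values are assumptions.

# gen_gateway_rules VPN_IF WAN_IF VPN_NET
#   VPN_IF  - interface facing the Windows clients (assumed tun0)
#   WAN_IF  - provider tunnel interface (assumed ppp0)
#   VPN_NET - client subnet in CIDR form (172.16.0.0/24, as in the thread)
gen_gateway_rules() {
    vpn_if=$1 wan_if=$2 vpn_net=$3
    # Refuse anything that is not a plain interface name or IPv4 CIDR, so a
    # bad argument can never smuggle extra rules into the output.
    for name in "$vpn_if" "$wan_if"; do
        case $name in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $name" >&2; return 1 ;;
        esac
    done
    case $vpn_net in
        ''|*[!0-9./]*) echo "bad network: $vpn_net" >&2; return 1 ;;
        *.*.*.*/*) ;;
        *) echo "bad network: $vpn_net" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Rewrite client source addresses to the tunnel address on the way out.
-A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
# A tunnel inside a tunnel shrinks the path MTU; clamp TCP MSS to match.
-A FORWARD -o $wan_if -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:FORWARD DROP [0:0]
# Clients may open connections outward; only replies may come back.
-A FORWARD -i $vpn_if -o $wan_if -s $vpn_net -j ACCEPT
-A FORWARD -i $wan_if -o $vpn_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the assumed interfaces; nothing is applied here.
gen_gateway_rules tun0 ppp0 172.16.0.0/24
```

The output is meant to be loaded with `iptables-restore` on a gateway where `net.ipv4.ip_forward` is enabled. On the OpenVPN side, `push "redirect-gateway def1"` in the server config sets the client's default route through the tunnel.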

tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Tue Jan 24, 2006 4:44 pm
As I mentioned above: the question is, which VPN protocols your ISP offers. The rest is, as Jeremy_Z said, about routing and NAT.
_________________
ALT-F4

ArNiS n00b
Joined: 06 Dec 2005 Posts: 63 Location: Saint-Petersburg, Russia
Posted: Tue Jan 24, 2006 5:45 pm
Thanks a lot, I will try.
_________________
Today is the first day of the remained life