Long time no blog. I've been pretty busy over the last few weeks and haven't had much time for blogging. Unfortunately the same was true for administrative tasks, until this week, when I finally revamped our VPN setup.
Our company LAN is divided into two zones: the intranet and the demilitarized zone (DMZ). The latter hosts several servers which are accessible (to a limited degree) from the outside, like our webservers or the mailserver. The intranet is our internal net, housing all the important work-related servers such as the file and development servers. This zone is not accessible from the outside. But of course, from time to time you need that access anyway.
For some time we used an IPsec based Virtual Private Network (VPN) solution built on the Openswan package. IPsec is a widely accepted industry standard with many products supporting it, so using it should be fairly easy - in theory. In real life, however, it is really hard to set up, both on the server side and on the client side. When additional requirements come into play, like the need to work from a NATed network, it sucks even more. Another downside is that the IPsec stack runs in kernel space, so upgrading it also means patching and recompiling the kernel. There may be commercial packages available to ease the whole setup, but we usually prefer to stay with Open Source.
So we had it running and it worked (well, at least for me), but it wasn't nice.
The alternative I finally decided on is OpenVPN. OpenVPN isn't IPsec based but uses TLS/SSL instead: the TLS handshake authenticates both peers and negotiates the keys, and the tunneled packets are then encrypted with those keys. It runs in user space, and client software exists for Linux and Windows. The whole setup is really simple, and following the HOWTO should give you a first working VPN in just a few hours.
What I like about OpenVPN is that it gives you certificate-based authentication with strong encryption while still being very simple. All traffic is tunneled through a single UDP channel, so the firewall only has to pass one port, which makes it much easier to configure.
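A minimal server configuration that puts those properties together, added here as an example and not taken from the original post or the OpenVPN HOWTO: certificate-based authentication, the optional `tls-auth` HMAC on the control channel, the privilege drop that user-space operation allows, and the single UDP port. The file paths, the 10.8.0.0/24 client pool and the 192.168.1.0/24 intranet range are assumptions; the directives are those of OpenVPN 2.x.

```conf
# server.conf - minimal OpenVPN 2.x server for the DMZ-to-intranet setup
# described above. Added example; paths and address ranges are assumptions.

port 1194
proto udp            # the single UDP channel; the only port the firewall must pass
dev tun              # routed (layer 3) tunnel

# X.509 material from your own CA (e.g. easy-rsa). Clients authenticate with
# a certificate, not a shared secret, and a lost laptop's cert can be revoked
# through the CRL without touching the other clients.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
crl-verify /etc/openvpn/crl.pem

# Additional HMAC on every control-channel packet: anything not signed with
# this static key is dropped before TLS is even attempted, so the listener
# is far less exposed to scans and handshake attacks. Server uses direction 0,
# every client uses direction 1.
tls-auth /etc/openvpn/ta.key 0

# Only accept peers whose certificate carries the TLS client purpose, so a
# stolen *server* certificate cannot be used to log in as a client.
remote-cert-tls client

# Address pool for clients and the intranet route pushed to them.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.1.0 255.255.255.0"   # assumed intranet range

keepalive 10 120
cipher AES-256-CBC

# Because OpenVPN runs in user space, it can drop root after the socket is
# bound and the keys are read; persist-key/persist-tun keep it working across
# restarts without those privileges.
user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/status.log
verb 3
```

On the firewall side this config needs exactly one rule, inbound UDP 1194 to the VPN host (for iptables, something like `iptables -A INPUT -p udp --dport 1194 -j ACCEPT`), plus forwarding between `tun0` and the intranet segment. The matching client config uses `tls-auth ta.key 1` and `remote-cert-tls server`; a key-direction mismatch is the usual reason a client sees "TLS Error: TLS key negotiation failed" while the server logs nothing useful. Remember that the intranet hosts must have a route for 10.8.0.0/24 back to the VPN gateway (or the gateway must NAT), otherwise replies never reach the tunnel.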
So what's the point of this post? Well, I'm happy with OpenVPN and if you're looking for a good and simple VPN solution you should give it a try as well.