Slashdot Mirror
Building Linux Virtual Private Networks
Rants
I've been on the lookout for a good VPN book since I first bought the O'Reilly VPN book in 1998. Yes, that book shattered my long standing belief that O'Reilly could do no wrong. The technical descriptions of VPN technologies were flawed and confusing, and they seemed to think that the only usable VPN technologies were commercial products. They only showed you implementations via screen shots of point-and-click GUI sessions. The one potentially portable section describing PPP over SSH was practically copyright infringement from the HOWTO, but with enough errors that they could make the case they had never actually read it.
For a while the O'Reilly VPN book was the only one out there. Then a few other publishers got into the mix. Unfortunately their results were no better. I could never find a book that had both a description of the protocols that would allow you to debug problems and implementation details that weren't so vague that they could apply to the installation of my washing machine. I must have bought half a dozen VPN books, all of which were severly lacking in crucial aspects that would make them usable. I had little stickies placed in them showing me which parts were correct and helpful, and would flop between them all whenever I needed to do something, because nothing got it all right.
Now I'm not here just to flame these other books, but I must let you get an idea for how I was feeling, because only then can you understand how much happier I am now. Now I can finally throw away all those other books.
Building Linux VPNs was written by Brian Hatch (of Hacking Linux Exposed fame) and Oleg Kolesnikov, and published by the New Riders, the same guys who do the SANS publications. It's not as thick as you might expect, coming in at 408 pages, but it's remarkably dense in a good way. No wasted space for boring screen shots, instead concentrating on well tailored diagrams when needed, code listings, and command line sessions.
Overview
Part one, the first two chapters, teaches you everything you need to know about general VPN technology, and discusses all the VPN issues you're going to face: various different network topologies you could use, how to get your routing set up on both servers and clients, DNS setups, how to use VPNs with firewalls (and where they could go) and more. These are the issues that the trickiest to get right when actually setting up a VPN, and something most other VPN books leave up to the reader to figure out.
Part two discusses standard VPN protocols. The first two chapters of this section discuss creating a VPN with PPP over SSH and SSL. For those of us who have implemented PPP over SSH following the HOWTO before, you'll remember how hackish it felt. The authors have come up with a much more modular (you can have any number of VPNs easily) and secure (they teach you how to set up your SSH keys or SSL certificates securely) method, and provide you all the code to do it. Following the step-by-step instructions, you could make a PPP over (SSH/SSL) VPN in about 30 minutes. Rock on.
They then dedicate two chapters to IPSec: one for the description of the protocol itself (which definitely deserves a chapter) and then one for the implementation of FreeS/WAN. IPSec is known to be a difficult beast to ride, and they do a really great job of giving you the information needed to get it right.
The last chapter of this part covers PPTP for both server and client. I was shocked to see PPTP discussed in a Linux book, but I guess the authors say it best when they said:
"There are times when you must support PPTP, either because you are forced to connect to a server that only runs PPTP or because you need to support remote Windows machines. In either of these cases, we offer our deepest sympathies."
Part three discusses non-standard VPN protocols. In the same detailed fashion, the authors devote three chapters to alternative VPN technologies VTun, CIPE, and tinc. While these technologies do not have IETF protocol drafts, they are nonetheless well defined, and work on multiple Unix platforms.
Analysis
In this day and age of '2nd/3rd/4th Edition' it's good to see a book that really hit the nail on the head the first time. Building Linux Virtual Private Networks has all the technical information you need to understand the protocols, set up your networks, and troubleshoot, and has the implementation details to get it all done almost entirely pain free.
It's extreemly easy to read, has a consistent style and tone, and uses just the right amount of humor to keep you interested in something that could be an extreemly boring technical topic.
One nice thing is that they defined their network early in the book, and they implemented each separate VPN technology using the same network, including host names, IP addresses, etc. This consistency really pays off in clarity to the reader.
Beefs
There's a good bit of code in the book, which is a great thing. They mention throughout that you can download the code online at their website, but it doesn't seem to be there yet. Hopefully this will get rectified. (You can still get a preview, though, at the book's official website. Good to see folks who don't blindly use ".com" for everything. )
Also, a lot of the software they discuss works on *BSD, Solaris, some even on Windows. Why does every book need to include the magic 'L' word in the title nowadays?
Kudos.
You can purchase Building Linux VPNs from Fatbrain. Want to see your own review here? Just read the book review guidelines, then use Slashdot's handy submission form.
What's complicated about FreeSWAN?
Well, a LOT. Not if you're deeply involved technically in the project, but if you back out and take the perspective of someone who's never used a VPN, plenty.
A lot of people don't even think about the fact that there's a separate protocol field in IP, or that people run any IP protocol but UDP or TCP. Getting 50/51 through your existing firmware firewall can be a real trick. FreeSWAN requires you to be able have the GNU Multi-Precision library installed for the crypto calculations before you compile it. Unless your distro can with FreeSWAN, you have to recompile your kernel with modifications.
And, like many tools, there's no single graphical GUI; unlike SAMBA's excellent SWAT, there's nothing to lead you to ipsec.conf or ipsec.secrets. There's a LOT of reading to be done.
Ok, so, for you or me, it's easy. Maybe a day of reading tops. But compare that to the commercial world where an application must install and be configured from a GUI in a few hours, and FreeSWAN is... nearly a toy. It's unusable in a business environment. As soon as you say "compile", a CTO is going to turn down your volume.
It's cool, but don't call it uncomplicated. That's part of it's coolness (-;
Loneliness is a power that we possess to give or take away forever
Sometimes, there are special constraints on the networks you are working with. For instance, I need to use stuff that uses IP, but since PPP over SSH is strictly TCP, I can't use that option. Moreover, my boss is a paranoid guy that doesn't trust some 24-year-old punk (me) to run his firewalls, so both offices have managed firewalls through different ISPs, ruling out the possibility of a single ISP routing traffic over its network to the other office so that I don't have to do anything. This adds additional constraints because since I can't control the firewall without going through pains with both ISPs for several days, I can't even open a port for something like PPTP (which I really wouldn't want to do anyway). Granted, I can probably find out what I need to know from a Google search, but it would be nice to have all the common VPN solutions covered--even just introduced--in a book format. I'm buying it.
for simple encrypted forwarding
LocalForward 8080 theproxy:8080
LocalForward 25 thesmtp:25
LocalForward 143 theimap:143
Don't forget your '-g' =)
I use Freeswan in a production environment. I have Embedded Linux routers using freeswan connecting to Linux boxes. They VPNs are relatively simple, 2 outgoing connections to central
systems. I did find there was a large learning curve at the beginning, but now it takes 5 min to setup a new vpn tunnel. The systems have been extremely reliable. I've never had a problem (other than net congestion) with keeping the tunnels up. A lot of the tunnels have 80+ days of uptime. As for compiling, most modern distros include IPSec (trustix, mandrake, etc.) or there are options like Astaro. Having a CTO "turn down your volume" based on the fact that you have to compile software, doesn't say anything about the quality or reliability of the software, that's a personal decision by CTO not to use OSS. I do agree it's not point and click, and that would be nice, but to say it's unusable in a business environment is just untrue. It's not pretty but it works, and works well.
IPSEC is wonderful, but many businesses don't think things through and use it for telecommuting. Why is this bad? Well, the way this works is that someone connects to the VPN system and gets a full tunnel that allows the authorized client to behave on the internal network as if it was actually there, bypassing the firewall. The problem here is pretty obvious. The client machine is not protected by a firewall,a nd so if the client is compromised, an attacker has a clear path straight past the firewall. So the effectiveness of the firewall is greatly reduced.
Now if you don't have a firewall protectecting the network, this won't hurt, but if you do, then a solution like ssh is somewhat more secure, as you only set up the tunnels you absolutely need to very specific hosts. While there is still a risk, it is greatly reduced and strikes a good balance between usability and security.
What IPSEC *is* good for is seamlessly connecting sites together without really expensive dedicated lines securely. While it makes no guarantee as to bandwidht or availability, it does provide almost the same level of security. If a company can't afford lines to sites but still wants to expand, IPSEC is ideal. I use it to connect my home private network to a friends home private network. The key here is that not only do you have to trust the clients whose keys you permit to connect, but you must also trust that the administrator of that client machine or network is sufficiently competent to keep his network secure, as the security of the two networks is tied a lot more closely together...
XML is like violence. If it doesn't solve the problem, use more.
With security software in general, and VPN software in particular, that's a very, very dangerous attitude: a GUI may fool you into thinking that you understand what's going on when in reality you haven't a clue. With most software, that's not an issue, but with security software, that can compromise the very goal you're trying to achieve.
How many days do you want to spend cleaning up after a security incident that occurred because the GUI let you get away without spending two days reading documentation? How much time will you save in the long run if every time you save two days reading documentation you spend three days cleaning up?
(We lose money on every item --- but we make it up in volume!)
Oh yeah, i forgot to mention that it works behind a NAT, which IPSEC has trouble with.
Further more it works with non-static ip address. Obviously one end needs to know the ip of the other end, but thats all which is needed.
JonB
I never said a GUI wasn't useful to implement VPNs. Just that it was dangerous to implement them without reading the documentation, a problem that a GUI makes worse only because it tricks people into thinking they can get away without it.