VPN Solutions for Distributed Installations?
merreborn asks: "I work for a very small software company (10 employees) that's developing a Point of Sale solution for a small retail chain (~20 stores in several states) on the other side of the country. We're going to be shipping Debian systems with our software installed to these locations -- all of which are connected to the Internet via consumer-grade DSL, and inevitably behind some sort of NAT box. Our office is similarly connected, and we've got a couple of dedicated, co-located servers off-site with static IPs. We'd like to be able to access these systems remotely for maintenance from the office -- what would that entail? Which VPN solutions are best suited to this situation these days (IPSec, PPTP, vtun, ssh, ssl/OpenVPN)? Are there any detailed, current books on the subject? (O'Reilly's VPN book is 6 years old now)"
Next question? :D
Seriously, OpenVPN would do the trick, and I do it right now. The only thing that bugs me about OpenVPN is that you either have to set up a key signing authority, or use pre-shared keys. The key signing authority process is well documented, it's just that I've never actually been able to make it work. Pre-shared keys work just fine though. The protection isn't as good however.
Once I get key signed OpenVPN working then this solution is a no-brainer.
Or you could install Debian with boot: linux26.
In a similar fashion we provide support for an application base that we are growing. If they want "Premium" support then we provide an IPCOP firewall for the location and turn the VPN tunnels on only when we need to support them. IPCOP is free and very reliable and we then deploy it on a low profile microATX desktop case not much larger than a Cisco PIX. Works well.
If you know what the remote IP addresses are going to be (consumer grade but fixed IP addresses at remote ends) then ssh would be an adequate solution by itself, and a lot simpler than most of the alternatives. With its ability to forward ports and X windows displays, it can handle pretty much anything.
... think carefully about how much complexity you add in the management layer here. Does that overall improve or degrade the total environment's reliability and manageability?
If you need constant monitoring and interaction a real VPN may make more sense, but
It's called a commercial firewall. It's tempting to roll your own using a $45 Linksys and CIPE/OpenVPN/IPSEC/PPTP/Freeswan, but seriously, do you want to spend your time watching messages like "Processing a NONCE.." ?
Buy some small, even older, used, Netscreen firewalls for a few hundred each. If you do the preshared keys trick, and put them in aggressive mode, they'll all connect back to the central hub firewall, a Netscreen 10, or whatever model replaced it.
It just works, no dicking around with /etc/ubuntu/foo.key or chintzy NAT boxes that can't pass protocol 50, etc. etc.
We currently use openvpn for a remote management service that my company offers; we have been using it for over a year now, more than 50 customers up, works from behind NAT, with dynamic IPs, through all sorts of nasty things, and as long as the internet is up, the VPN is up and we have connectivity. I've used a lot of different VPNs (openswan, cisco, PPTP); nothing comes close to the stability of openvpn tunnels, especially when dealing with adverse network conditions (NAT of any sort, multiple NATs, poor link quality, etc). Even if the internet link is pretty spotty, openvpn does a very good job of automatically renegotiating the tunnels as soon as it has connectivity.
Create a web site that echoes back the requester's IP address. Put it on the "dark web" so it isn't spidered, and you don't get hit with traffic.
On your client box, run a script that hits the web site (wget) and fetches the IP address. If that has changed, post the new IP address, and installation name.
Now you have the clients and the assigned IP addresses. You can then use SSH to build whatever infrastructure you need to the client box, securely. No need to worry about the brand of router used, etc. About the only problem is if the client uses a dialup on demand connection. To accommodate this, the "poll for IP" can be modified to always submit information, and ask if the connection should be retained.
If the connection should be retained, the remote operator can be notified.
I used this approach to securely administer remote Linux machines over direct connection and dialup for years. Now I find none of my users use dialup anymore (finally).
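The "poll for IP" client described in this post, as an added example that is not the poster's script. One point the post leaves implicit: the echo page's reply is untrusted input, so the script accepts only a plain dotted quad before it stores or reports anything. The echo and report URLs, the installation name and the state file path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): the store-side "poll for IP" script.
# Assumed placeholders: ECHO_URL, REPORT_URL, INSTALL_NAME, STATE_FILE.
ECHO_URL="https://relay.example.net/echo"
REPORT_URL="https://relay.example.net/report"
INSTALL_NAME="store-07"
STATE_FILE="/var/lib/pos-ip/last_ip"

# Accept only a.b.c.d with each octet 0-255; anything else (HTML error page,
# injected text, IPv6) is rejected rather than written to disk or posted.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# 0 = changed (new value recorded), 1 = unchanged, 2 = not a valid address.
# The state file is created on the first run.
ip_changed() {
    ip="$1"; state="$2"
    is_ipv4 "$ip" || return 2
    if [ -f "$state" ] && [ "$(cat "$state")" = "$ip" ]; then
        return 1
    fi
    printf '%s\n' "$ip" > "$state"
    return 0
}

# -s quiet, -f fail on HTTP errors, --max-time so a dead link cannot hang the POS box.
fetch_public_ip() {
    curl -sf --max-time 15 "$ECHO_URL" | tr -d '[:space:]'
}

# Over HTTPS; the server side should additionally require a per-store credential.
report_ip() {
    curl -sf --max-time 15 --data-urlencode "name=$INSTALL_NAME" --data-urlencode "ip=$1" "$REPORT_URL"
}

main() {
    ip=$(fetch_public_ip) || exit 1
    rc=0; ip_changed "$ip" "$STATE_FILE" || rc=$?
    case $rc in
        0) report_ip "$ip" ;;
        2) echo "echo page returned non-IP data: $ip" >&2; exit 1 ;;
    esac
}
if [ "${1:-}" = "poll" ]; then main; fi
```

Run it from cron (e.g. every few minutes with the `poll` argument); the report only goes out when the address actually changes.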
I would recommend OpenVPN because I have some experience with it. OpenVPN is a very reliable solution when you have to connect several remote sites to a single L2 (ethernet) segment.
We use an Intel-based Linux server at our datacenter as the VPN server. It runs several instances of OpenVPN on different UDP ports (OpenVPN can use TCP as well) for different customers. Endpoints are Asus WL-500g Deluxe routers with OpenWRT Linux and OpenVPN installed. Maximum throughput is 3Mbps with blowfish encryption and authentication (limited by the 200 MHz CPU). These devices are small, silent, inexpensive and reliable enough. Endpoints are connected using various types of Internet access -- DSL, Cable, LAN, WiFi etc. Some customers have ~70 endpoints without problems.
If you insist on using Debian computers as VPN endpoints, do not use hard disks!!! They will die. Use IDE flash, for example. Use a fanless CPU and PSU if possible.
This Canadian customer of ours has about 80 restaurants and has fully deployed our Linux & X Window System POS solution in all of its restaurants all across Canada. HQ enjoys an open VPN link with each of them and all data from the restaurants, including credit/debit cards is remotely synchronized with the storage system at their Toronto HQ. The company's IT staff is actually just one person, Doug deLeeuw. The company is increasing its units by about 25% this year. When you have the kind of control that this company has you find something like that much easier to undertake and you're much more likely to succeed. I doubt that there's another restaurant organization in the world with this kind of advanced POS deployment, not to mention that one person did it all by himself. Perhaps in another five to ten years you'll be able to read about it in a book.
I'd have to disrecommend running a VPN between these sites simply for your convenience; it would mean that a security failure at any point on the network could jeopardize all of the machines in the network. I recommend you stick with ssh/scp for access to those machines.
Actually the way the OpenVPN server is configured by default, each machine is put onto its own network basically (i.e., you get a 10.8.0.9, with netmask 255.255.255.252), and the server will not route between clients. If you're running the VPN network in a different subnet from your regular network, you can tightly control the routing between the two. A security failure at one endpoint will only compromise that endpoint and provide access to what it can normally access on the server - not the whole network. You still need to provide other protection on the client (e.g., tripwire) to protect it separately.
Compromising the server is still going to get you access to everything, and this is true with pretty much any setup.
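An OpenVPN 2.x server.conf for the store-to-office case, as an added example (not the commenter's configuration, nor the per-customer setup in the Asus/OpenWRT post above), showing the isolation the comment describes: one /30 per store, no forwarding between clients, certificates from your own CA so a lost store box can be revoked, and a fixed tunnel address per store so firewall rules can name it. Paths, addresses and the store name are assumed placeholders.

```conf
# Added example, not from this thread. Placeholders assumed throughout.
port 1194
proto udp
dev tun
topology net30                  # the default: each client gets its own /30
server 10.8.0.0 255.255.255.0   # VPN subnet, kept separate from the office LAN

# Your own CA (easy-rsa): one certificate per store, revocable via the CRL,
# which avoids the shared-secret weakness of a single pre-shared key.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/ta.key 0  # HMAC on the control channel; unsigned packets are dropped early

# Deliberately NOT set: client-to-client. OpenVPN will not relay packets
# between stores. If the host has IP forwarding enabled for the office route,
# also block tun-to-tun traffic in the host firewall, e.g.
#   iptables -A FORWARD -i tun0 -o tun0 -j DROP
# so the kernel does not route between the store /30s either.

# Fixed address per store, e.g. ccd/store-07 containing:
#   ifconfig-push 10.8.0.10 10.8.0.9
client-config-dir /etc/openvpn/ccd

keepalive 10 60   # ping every 10 s, restart after 60 s of silence (spotty DSL)
persist-key
persist-tun
user nobody
group nogroup
verb 3
```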
I guess that if you're asking this question, you don't have any experience with linux-based VPN. I also think that if you have to do troubleshooting, the last thing you want to debug is your VPN.
For my part, I also started with linux-based VPN (openvpn, ipsec) for private use (3 sites), but then I came to the conclusion it wasn't worth the effort & time spent. I switched to the Cisco SoHo routers (the 800 series), which just work. I have automatic tunnels between all sites, and can make a VPN connection directly to any of the sites, plus many other funny things (IPv6). All this with just simple configurations, mostly through the wizard (SDM) or by copy, adaptation & paste of sample configs.
Of course, these routers may be a little bit too much (of configuration or price) for you, so you may also want to try consumer-grade solutions (e.g. Linksys BEFSX41, Netgear FR114P, ...).
Disclaimer: I wish I could get a percentage of Cisco sales
PS: oh, and port tunneling with SSH is, from my experience, an awful solution for VPN.