Setting up a virtual private network (VPN) is a popular topic at TechRepublic, and there were a number of interesting discussion posts to a recent article describing how TechRepublic saved big money by deploying a site-to-site VPN using Cisco routers.
Within the discussion, many posters expressed interest in a Linux solution for VPN. So in this week’s From the Trenches column, we will follow the experiences of Jason, an administrator who works for a wholesale/retail company that currently has a metropolitan area network (MAN) and is planning to expand into the southeastern United States in the future. Previously, Jason’s company moved its retail outlet to another location in his city and needed to connect point of sale and accounting functions from the store to a server in the corporate office. Here’s how he used Linux to accomplish that task.
Get insights From the Trenches
You can learn quite a bit by reading about the methods other administrators and engineers use to resolve challenging technology issues. Our hope is that this column will provide you with unique solutions and valuable techniques that can help you become a better IT professional. If you have an experience that would be a good candidate for a future From the Trenches column, please e-mail us. All administrators and their companies remain anonymous in this column so that no sensitive company or network information is revealed.
A look at the options
Jason’s corporate offices house the executive and upper-management staff, drafting staff who are an integral part of the company’s product, creative staff who produce advertising, the staff of a semiannual magazine, and a number of other support personnel.
When the company replaced its old database software, it relocated the retail outlet for the company to another part of the city. There, it stationed its sales staff, some accounting staff, and an on-site draftsman. Future plans may have the entire drafting staff located at this retail location.
Jason needed to look at some way to network the retail outlet to the corporate offices so that point of sale transactions and accounting information could flow freely and securely between the locations. There were also times when the draftsman at the retail site needed to work on drawings on the corporate server, so he needed a reliable network connection.
Having separate servers at the retail location seemed redundant and expensive. The four solutions that Jason investigated for his connectivity included:
- Direct point-to-point wireless connections.
- Direct point-to-point T1 connections.
- Frame relay.
- Site-to-site VPN.
For the organization’s purposes, the first three solutions were too expensive, and the wireless solution couldn’t expand beyond the immediate geographic area. The T1 and frame relay solutions would have a more reasonable cost after the company expanded to other states, but both were way out of line for the company’s immediate needs.
“VPN actually held several possibilities, including a Microsoft Windows solution, Linux solution, and Telco-based solution,” Jason said, but cost factors rapidly narrowed [the choices] to Windows vs. Linux. Due to the general costs associated with the expansion of the company, the Linux solution won out.”
Setting up the Linux site-to-site VPN
Part of the decision to go with a Linux VPN solution evolved after the decision was made to use a Linux desktop environment for freestanding workstations in the retail outlet that would be used primarily for basic office chores and Internet research.
“Having decided on the cost savings of utilizing Linux to control the network at the Showcase location, it quickly became obvious that building another Windows server for VPN would be a ludicrous waste of assets, and that track was all but left behind,” Jason said.
He found FreeS/WAN for the Linux VPN solution. After checking it out, he decided it would work fine on the retail outlet’s server, along with handling the other tasks such as a firewall and gateway services for that small LAN. As its name implies, FreeS/WAN is a free VPN solution, but it does take some work to incorporate it.
Jason had to invest $700 for a server on the corporate end of the VPN to complete the FreeS/WAN site-to-site VPN. On the corporate side initially, and on both sides eventually, he installed Samba to connect his Windows network on the corporate end and Windows workstations on the retail outlet side.
The servers on both ends are simple “plain vanilla” PCs with 10-gig hard drives, 64 megs of RAM, and 600-MHz processors. They are running Red Hat Linux 7.1. Each machine is equipped with two NICs, one to the LAN and the other to Internet router devices.
A note about FreeS/WAN
Be sure to read the documentation on installing FreeS/WAN and also read about modifying and rebuilding the kernel on your Linux distribution. Because of the level of encryption that is involved with FreeS/WAN, most U.S. distributions of Linux will not have the kernel prepared for a FreeS/WAN installation. Obviously, you should proceed with caution if you have never rebuilt a Linux kernel. Successfully doing so will elevate you to a higher level of Linux geekdom.
“We had no real issues to speak of [when] deploying FreeS/WAN, other than remembering which machine we were working on at any given time and whether it was right or left in the config files,” Jason said. “Security for our VPN is set up using a shared-key method utilizing a randomly generated pass phrase as well as comparing the IP address of the client against a list of allowed IPs,” he said, adding that both machines at either end of the VPN will accept only the other’s IP.
No hurry on the remote access VPN
Jason is currently using FreeS/WAN only as a solution for his company’s site-to-site VPN and has no plans to allow remote users to access the VPN individually.
A remote access VPN is not a high priority for him because:
- There is no business need for high-speed telecommuting, and he already provides dial-up access to his Windows NT server (thus no benefit for VPN-allowed speeds to the server).
- He has no compelling reason to open the VPN to security risks inherent in a greater number of allowed users.
- Setting up and supporting clients for his VPN is too time-consuming for the moment.
- He has yet to find VPN clients for the Windows 9x machines, whose functionality and cost he is happy with.
“I have considered connecting my home LAN to the VPN (via cable Internet), but I’m not so sure I want work to be that available to me,” Jason said.
Are you using a Linux VPN solution?