Sunday, September 24, 2006

Virtual Private Networking for Everyone - OpenVPN

I own a small tech firm on the East coast, and have long wanted a safe, secure method of connecting from my residence (about 15 miles outside of the city) to the LAN at the office. My network at the office is mixed, consisting of Windows XP machines, various Macs, and both Linux and FreeBSD servers. At home we have a single XP machine, and several Mac notebooks (iBooks and Intel-based MacBooks).

Naturally, the best solution for connecting between the two locations would be a Virtual Private Network of some sort. Given the fact that I am notoriously cheap, I decided to search around and see if I could come up with some sort of open source solution... and it took me all of fifteen minutes with my favourite search engine to come up with a viable alternative: OpenVPN. It took me a bit longer to get everything working as well as I wanted to, but not all that long. Read on if you'd like to see how I did it.


Why use a VPN?
There are any number of reasons why you might want to have a VPN in place. For example, with a properly set up VPN, you can access resources at one location from the other. So if I want to print something at the office from home, I can do that. Similarly, if I need to recover a file from offsite back up (read: the backup server I keep in my basement) I can do that without having to drive all the way home.

Of course, there are the more obvious things a VPN will give you. If you use a wireless home router that's more than a year or two old, chances are it uses one of the more archaic forms of encryption, like WEP. The problem with these encryption methods is that they don't actually protect your data; anyone with the inclination could park outside your house, apartment building, whatever, and "sniff" your network traffic. Encrypting all traffic between your web browser and some secure gateway will take the wind out of some potential hacker's sails. Remember, just because you're paranoid doesn't mean they're not out to get you....

Or, if you're so paranoid you don't even trust your ISP, you can use a VPN between your home computer and a secure gateway you control somewhere else (like your office) and encrypt allthe traffic that exists on your ISP's network. It won't get decrypted until it hits your gateway machine. Of course, assuming you are a relatively law abiding citizen, this might be going a bit far (unless you are partial to tinfoil hats, that is).


Why OpenVPN?
OpenVPN is free, cross platform, and relatively easy to install and maintain. It also uses a very secure ecryption algorithm -- 128 bit Secure Sockets Layer (SSL) or the same level of encryption you probably use when you access your banking information online. I figure if it's good enough for the major North American financial institutions, it's probably sufficient for my purposes.


Installing OpenVPN
We decided to install OpenVPN on a FreeBSD box, using ports. It was trivial. We'll post a detailed howto here in a week or so. But if you have access to a FreeBSD box, ports is the way to go. Trust me.


Installing OpenVPN clients
Reading the documentatation found on OpenVPN's web site suggests that this is a daunting task. It probably is, if you elect to go their route. We decided to stand on the shoulders of those who have gone before, and use some simple solutions where the heavy lifting is done for us.

For the Windows clients, we went with OpenVPN GUI (http://openvpn.se). Installing it took about 30 seconds, and configuring it took a bit longer (but not much).

For the Macintosh clients, we went with Tunnelblick (http://www.tunnelblick.net). Granted, it has a rather silly name, but it works very, very well, and didn't give us any problems on either the G4 based Macs, or the Intel based machines.

Stay tuned for the technical details of how we made this all work...

Update: Part two is here.