Open-source VPN
Posted on 12 Jul 2007 at 16:50
Simon Brock and Ian Wrigley examine two open-source VPNs that promise to deliver as much as their commercial rivals.
The truth is that no-one actually wants to work when they're not in the office. Every McDonalds and Starbucks seems to have a Wi-Fi point nowadays, but they're not full of road warriors sipping cappuccinos while pounding their laptops. Similarly, many working people have laptops they use at home, but very few people can fit their corporate world onto their laptop - it may have their email and the document they're currently working on, but all the other critical resources remain on the office servers. Moreover, many companies now use bespoke applications that can be accessed only via the corporate network. No IT manager is going to open the corporate network to the outside world, since even opening a few ports on the firewall presents a vulnerability.
As you probably already know, the solution to this dilemma is the VPN (virtual private network). If a company has a private corporate network, it would like to ensure all external access to that network is via another, separate private network. Historically, this used to be possible by providing a few private modems connected to the network, via which the road warriors and home workers dialled in, but who uses a modem any more? A way had to be found to emulate such a private network over the public internet, and so there are now many types of VPN and many vendors offering VPN solutions. We're going to look at two open-source solutions and, as usual, we're not interested in the second-rate - we want solutions that work as well as their commercial brethren.
There are two main types of VPN: those that connect together two sites and those that allow individuals to access a central network. These two styles of VPN are normally realised using the same network technologies, but their different endpoints - a network or an individual - mean they're handled differently. We probably want an individual to appear as if they're directly part of the central network - when they're accessing the VPN from outside the office, the network makes them feel as though they're in the office. With a site-to-site link between two networks, on the other hand, we'd probably want the two networks to remain separate, for it to appear that we have two separate but linked networks.
All VPNs have a number of things in common. First, they all employ a technique called tunnelling, which involves wrapping up a network packet within another packet to send it over the VPN. You need to know a little bit about how this works, so you can understand what the packages we're going to talk about are doing. A packet sent over the network by an application typically contains some data and two addresses, the source address saying where it came from and the destination address saying where it's going to. In the case of our laptop owner using a VPN, the destination address is going to be a private address, which isn't directly accessible, so the VPN software wraps the packet within another packet to send it, whose destination address is then the device that implements the VPN endpoint. The packets are wrapped and unwrapped and never get sent in their "normal" form - indeed, most VPNs will encrypt the traffic they carry, since obviously if you're accessing a private resource over the public internet you want to be sure that if anyone snoops on those packets they can't easily find out what they say.
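As an added illustration (not code from the article or from either package it reviews), here is the wrap-and-encrypt step described above in Go: the inner packet keeps its private addresses, the outer header carries the public source and the VPN endpoint, and AES-GCM encrypts the inner packet while also authenticating the clear outer header, so a snooper sees only the endpoint addresses and any tampering is caught on unwrap. The key, the addresses, the experimental protocol number 253 for the outer packet and the sequence-number nonce are all assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"net"
)

// ipv4Header builds a minimal 20-byte IPv4 header (no options); the checksum is
// left zero, which Linux fills in itself when a raw socket sends with IP_HDRINCL.
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // version 4 + IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	copy(h[12:], src.To4())
	copy(h[16:], dst.To4())
	return h
}

// mustAEAD builds AES-GCM for a 16, 24 or 32-byte key (panics otherwise).
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES blocks are always 128-bit
	return aead
}

// Encapsulate wraps the inner packet (private addresses and all) in an outer packet
// addressed to the VPN endpoint. AES-GCM encrypts the inner packet and binds the
// clear outer header to it as associated data; seq is the nonce and must never repeat under one key.
func Encapsulate(key, inner []byte, pubSrc, vpnEndpoint net.IP, seq uint64) []byte {
	aead := mustAEAD(key)
	nonce := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], seq)
	outer := ipv4Header(pubSrc, vpnEndpoint, 253, len(nonce)+len(inner)+aead.Overhead())
	return append(append(outer, nonce...), aead.Seal(nil, nonce, inner, outer)...)
}

// Decapsulate is the endpoint side: any change to payload or outer header fails the tag check.
func Decapsulate(key, packet []byte) ([]byte, error) {
	aead := mustAEAD(key)
	n := 20 + aead.NonceSize()
	if len(packet) < n+aead.Overhead() {
		return nil, errors.New("truncated tunnel packet")
	}
	return aead.Open(nil, packet[20:n], packet[n:], packet[:20])
}
```

Build it as a package and drive Encapsulate and Decapsulate from a test or a small main; a real VPN would additionally replace the fixed key with one negotiated per session.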
How tunnelling is implemented varies between VPN systems. In the IP (internet protocol) world there's a standard for VPNs called IPsec. Two versions of IP are now in use, the majority of systems still using IPv4 rather than the newer IPv6, and the reason for mentioning this is that IPsec support is built into some IPv4 implementations and all IPv6 implementations. However, IPsec isn't without its problems: its packets carry different headers from normal IP packets and so aren't handled by every router. In particular, some firewalls that use NAT (Network Address Translation) have problems with IPsec, which is why IPsec packets are often wrapped inside ordinary UDP packets to get them through. Neither of the VPNs we're going to look at uses IPsec, although open-source implementations are available, the best known being Openswan for Linux (for more information, visit www.openswan.org).
Printed from www.pcpro.co.uk

