<HTML ><HEAD ><TITLE >Introduction</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.63 "><LINK REL="HOME" TITLE="VPN PPP-SSH Mini-HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="Introduction" HREF="intro.html"><LINK REL="NEXT" TITLE="Software Installation" HREF="installation.html"></HEAD ><BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >VPN PPP-SSH Mini-HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="intro.html" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="installation.html" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="INTRODUCTION" >2. Introduction</A ></H1 ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="BENEFITS" >2.1. PPP-SSH Benefits</A ></H2 ><P >There are a number of benefits to setting up a PPP-SSH VPN. It's relatively simple, it uses common off-the-shelf tools, and it probably won't require a reboot before bringing up the link. Here's a more comprehensive list:</P ><P ></P ><DIV CLASS="VARIABLELIST" ><DL ><DT >Easy to install</DT ><DD ><P >You probably won't need to patch or recompile your kernel, run LILO, reboot, or perform any other perilous administration activities. PPP and SSH are included with most distributions, and most kernels come preconfigured to use them properly. </P ></DD ><DT >Easy to set up</DT ><DD ><P >You should not have to edit any existing configuration files. You simply customize the script file provided later in this document, which contains all the VPN configuration info, and then execute it on the client machine. Any existing PPP or SSH configurations should continue to work just fine. </P ></DD ><DT >No mucking with firewalling</DT ><DD ><P >If the SSH protocol currently traverses your firewall, then PPP over SSH will traverse your firewall as well. (If you aren't using SSH, then why not? It is almost a required tool for system administrators nowadays.) </P ></DD ><DT >No mucking with manual routing</DT ><DD ><P >pppd automatically sets up routing for you. And, if you have very complex routing needs, it's very easy to put the custom routing commands in the script file. </P ></DD ><DT >No need for static IP addresses</DT ><DD ><P >PPP-SSH VPNs have no trouble whatsoever with dynamic IP addressess. The client must be able to find the server to connect to, of course, but dynamic DNS would work fine for that. Setting up a VPN over a dialup connection is no problem. </P ></DD ><DT >Multiple Tunnels are Easy</DT ><DD ><P >It's easy to set up multiple tunnels to a single computer. You simply need to make sure that the IP address for each tunnel's network interface is distinct. </P ></DD ></DL ></DIV ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="DRAWBACKS" >2.2. PPP-SSH Drawbacks</A ></H2 ><P >This type of VPN is not without a few difficulties. Basically, it doesn't run unattended very well. If you're looking for a production-quality VPN that you can set up and forget about, you will proabably find PPP-SSH a little disappointing. Some alternatives are described in <A HREF="introduction.html#ALTERNATIVES" >Section 2.4</A >.</P ><P ></P ><DIV CLASS="VARIABLELIST" ><DL ><DT >Trying to maintain a TCP connection</DT ><DD ><P >If the SSH TCP connection is broken for any reason, your VPN goes down hard and takes all tunnelled TCP connections with it. If you have a less than reliable link -- say it's difficult to download more than a few tens of megabytes at one go -- you will be re-starting the VPN a lot. </P ></DD ><DT >Running IP packets over a TCP stream</DT ><DD ><P >The TCP protocol consists of streams layered on top of IP packets. When you <EM >then</EM > run IP packets over the TCP stream (as we're attempting to do), the personality conflict between the two can become very apparent. Mostly, this manifests itself as weird delays, dropouts, and oscillations. Sometimes you'll see problems at load, sometimes with next to no traffic. Short of changing the entire OSI model (ha ha), there's not much that can be done about this. </P ></DD ><DT >Tends to be bursty</DT ><DD ><P >For some reason, when network load gets high, one tunneled TCP connection tends to get all the bandwidth and the others get ignored. This leads to timeouts and dropped connections. Theoretically, this is fixable. </P ></DD ><DT >Can't reliably tell when link is down</DT ><DD ><P >Keepalives are small packets sent to tell the machine on the other end that the connection is still up. If the network load gets too high, keepalives will be delayed. The other machine will mistakenly assume the connection has been dropped and take down its end of the link. </P ><P >Without keepalives, however, there's no way for either machine tell if the link has been dropped. When one machine tries to bring the link back up, if the other machine thinks it already has it up, confusion can reign. Most often this will show up as multiple ppp network devices, duplicate routes, and tunnels that appear to be up but drop every packet. A liberal use of "killall -9 pppd" will usually set things back in order. A more intelligent start script could probably improve this. </P ></DD ><DT >Too many simultaneous connections avalanches fast</DT ><DD ><P >When I use regular PPP over a 56K modem and Postfix opens 10+ connections to deliver my outgoing mail, everything works well. However, when I try to run this exact traffic over a VPN tunneled over a much faster DSL link, it stalls out. Ping times skyrocket for a spell (2 minutes and beyond), traffic moves at a trickle for a while, then it stops completely. The only way to get packets moving again is to restart the tunnel. I'm not sure if this is a bug or an inherent limitation. Reducing the number of connections that Postfix maintains for outgoing mail fixed this problem for me.. </P ></DD ><DT >It's high-overhead, high-latency</DT ><DD ><P >Ping times over my 57.6 modem connection are normally in the 130-170 ms range. However, ping times for a PPP-SSH VPN running over the same modem connection are in the 300-330 ms range. Turning on PPP compression can help a lot if you're transmitting compressible data. Email is compressible, Vorbis files are not. </P ></DD ></DL ></DIV ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN99" >2.3. Suggested Reading</A ></H2 ><P ></P ><DIV CLASS="VARIABLELIST" ><DL ><DT >VPN FAQ</DT ><DD ><P >The VPN FAQ at <A HREF="http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html" TARGET="_top" >http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html</A > is a very good resource. It's comprehensive, kept reasonably up-to-date, and not afraid to express an opinion. </P ></DD ><DT >Linux Kernel HOWTO</DT ><DD ><P >If your kernel doesn't already have PPP and IP Forwarding capability built-in, the <A HREF="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html" TARGET="_top" >Linux Kernel HOWTO</A > will tell you how to recompile your kernel to add it. It will also tell you how to load and unload the PPP kernel modules. </P ></DD ><DT >PPP HOWTO</DT ><DD ><P >Tells how to install and set up the PPP daemon if your distribution did not automatically install it for you. Also has an excellent section on linking two networks using PPP. That's pretty much what we're doing, except that we're also encrypting it. You can find it at <A HREF="http://www.linuxdoc.org/HOWTO/PPP-HOWTO/index.html" TARGET="_top" >http://www.linuxdoc.org/HOWTO/PPP-HOWTO/index.html</A >. </P ></DD ><DT >SSH HOWTO</DT ><DD ><P >I wish there were an SSH HOWTO! For now, the documentation that comes with your distribution should be a good start. You might also check the <A HREF="http://www.openssh.org/" TARGET="_top" >OpenSSH web site</A >. </P ></DD ><DT >Networking Documentation</DT ><DD ><P >If you're not very familiar with networking, you'll want to scour the <A HREF="http://www.linuxdoc.org/LDP/nag2/index.html" TARGET="_top" >Linux Network Administrators Guide</A >. It's an excellent introduction to most of the concepts we'll be using here. You may also find the Linux Networking HOWTO at <A HREF="http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html" TARGET="_top" >http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html</A > to be a useful introduction, especially itse sections on TCP/IP, PPP, and tunneling. </P ></DD ></DL ></DIV ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="ALTERNATIVES" >2.4. Alternatives</A ></H2 ><P >There are a ton of VPN technologies in the world now. If PPP-SSH doesn't fit all your needs, you might want to check one of the following packages.</P ><P ></P ><DIV CLASS="VARIABLELIST" ><DL ><DT >ipsec</DT ><DD ><P >ipsec describes a set of low-level protocols, <A HREF="http://andrew2.andrew.cmu.edu/rfc/rfc2406.html" TARGET="_top" >ESP</A > and <A HREF="http://andrew2.andrew.cmu.edu/rfc/rfc2402.html" TARGET="_top" >AH</A >, to perform authentication and encryption at the packet level. It also uses a higher-level protocol, <A HREF="http://andrew2.andrew.cmu.edu/rfc/rfc2408.html" TARGET="_top" >IKE</A >, to negotiate connection parameters and exchange encryption keys. </P ><P >FreeS/WAN is probably the best Linux ipsec implementation today. Although it can be very difficult to set up, especially for those who are not terribly familiar with networking, it is amazingly stable once it is working. You can find out more at the <A HREF="http://www.freeswan.org/" TARGET="_top" >FreeS/WAN home page</A >. </P ><P >Another good, free ipsec implementation is <A HREF="http://www.antd.nist.gov/cerberus/" TARGET="_top" >Cerberus</A >. Unfortunately, the National Institute of Standards and Technology only distributes Cerberus to US or Candadian citizens currently located in either the US or Canada. Therefore, depending on who you are, obtaining Cerberus ranges from moderately difficult to effectively impossible. </P ></DD ><DT >PPTP</DT ><DD ><P >PPTP (Point-to-Point Tunnelling Protocol) is a Microsoft-developed VPN protocol, described in <A HREF="http://andrew2.andrew.cmu.edu/rfc/rfc2637.html" TARGET="_top" >RFC2637</A >. It is a very common and well-understood technology and has many mature implementations on all commonly-used computer platforms. However PPTP is generally considered to have <A HREF="http://www.counterpane.com/pptp.html" TARGET="_top" >somewhat weak security</A >. </P ><P >Probably the best Linux PPTP implementation is PoPToP, found at <A HREF="http://poptop.lineo.com/" TARGET="_top" >http://poptop.lineo.com/</A >. </P ></DD ><DT >CIPE</DT ><DD ><P >CIPE is Olaf Titz's protocol to encapsulate IP traffic over UDP packets. It has both a <A HREF="http://sites.inka.de/sites/bigred/devel/cipe.html" TARGET="_top" >Linux version</A > and a <A HREF="http://cipe-win32.sourceforge.net/" TARGET="_top" >Windows version</A >. I haven't used it yet, but it is in strong development and looks very promising. For more information, the <A HREF="http://www.linuxdoc.org/HOWTO/mini/Cipe+Masq.html" TARGET="_top" >CIPE-MASQ Mini-HOWTO</A > is a terse but informative read. </P ></DD ></DL ></DIV ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="intro.html" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="installation.html" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Introduction</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Software Installation</TD ></TR ></TABLE ></DIV ></BODY ></HTML >