you can download a mostly configured OPEN VPN virtual machine. I use it to route traffic over from work sometimes.

just google open vpn and download vmware player, and the vm, it takes about 15 min to setup and configure.

He's usin Suse and it doesn't list an installer for it. IS he gonna need to install somethin too?

Forgive me but this is outside my realm of knowledge. any kind of networking>me

why is he using suse?

Cause he's a brit, he prefers Linux and it's free.

Tx Redneck, this is more of an application issue at this point then a network issue. Part of my job is installing firewalls/VPN termination devices along with anything else pretty much in the Cisco product line.

First and foremost you/he need to decide on what software/application you're going to terminate to. Which it seems like a Suse box is what you've decided on?

I don't like that, but for your purposes it should be fine. (I'm a dedicated firewall kind of person, even run a Cisco ASA at the house - cheap enough) Like mentioned above..



is your best bet I think. I spent some time researching it for Suse and that seemed like the best option to me. Googling "suse vpn server" really had more hits on how to connect to a VPN server then how to setup a VPN server.

Anyway, the other things to keep in mind are...

The encryption levels that you desire. A quick view of that openvpn indicates it can do all the popular encryption schemes, so I don't think that'll be a huge issue.

Authentication/Authorization methods. Authenticate against AD, local, ACS, RADIUS...etc? I was unable to ascertain the exact methods supported, but probably anything normally supported will be. Generally speaking I setup my VPN profiles for local authentication for a few minutes until tested and then offload authentication to whatever external method the customer desires. Usually that is via ACS or RADIUS.

Don't forget nat 0 rules, or otherwise to turn off NAT for tunnel traffic.

Split tunnel or no? So, you can tunnel all traffic through your VPN and hairpin back out for Internet traffic, you can deny all traffic that is not designated VPN traffic or you can do traditional split tunneling - which all that means is that you're encrypting the VPN traffic over the tunnel and anything not in a crypto map/ACL gets sent out the local network unencrypted as if is normal.

Finally, I just took a look through the raw commands and it's a lot different then what I"m generally used to seeing - but not that bad. I think...

1. You'll be able to figure it out. VPNs are not that hard, especially if they have a wizard or something.
2. Post up config snippets and questions here and someone should be able to figure it out.

I still recommend a Cisco ASA 5505 though.

Thanks for takin the time to post up Ceyko. What I'm tryin to do is make it so my buddy over in the UK can watch geo restricted content via my interweb connection. The box I'll be configuring is a Vista Ulti and he'll be on Suse.

Is it as simple as me configuring my box and givin him some info to connect w/?

Somethings I need to understand. Is your machine currently your Internet gateway? Meaning, does it have a public external IP and do your NAT for you?

Do you have static public IPs or are you using dynamic DNS?

Since you're mainly trying to use one application, does it make more sense to PAT? PAT simply put is when you have 1 public address and you can translate various ports to internal addresses. i.e. in my house I translate ftp to one internal address, ssh to another, bittorrent stuff to another and so on.

I'm not an openvpn guru by any stretch, never used it. Just commercial VPN products. The neat part is, it's all the same stuff - just the commands you use to make it work are different. So yes you setup a VPN server, that sits on the Internet. It await connection requests that do phase 1 authentication (usually a group name w/password) that is configured on the server and client. Once the client/server agree on encryption and get past phase 1 authentication it usually will require user authentication (which is authentication locally on the server, via RADIUS or other means, locally is easiest generally speaking) and if successful on that it'll negotiate phase 2 stuff and viola you're connected. Depending on how your tunnel is setup will dictate how it'll work.

For the purists, I'm just providing super high level descriptions here so don't nit-pick my outline.

Anyway, to be honest I think it would be easiest to do the VMWare side with a multi-homed box...



http://www.howstuffworks.com/vpn.htm - I found that and it's actually pretty decent. For this purpose you're doing a remote access VPN specifically. I would not do a site-to-site (l2l, lan to lan) tunnel. What that is to clarify is connecting two or more LANs over the Internet. i.e. it is used HEAVILY in the medical fields. As opposed to a hospital having 50 private circuits into their facility, they'll setup 50 site-to-site tunnels so they can access various apps or functions from a vendor and vice-versa. In otherwords, it's always up. It can be restricted heavily, but for your purpose I'd stick with the remote access VPN for now.

1 No, it's behind a Westell router from Verizon.

2 Dynamic IP's

3 I have no idea.

My buddy is on disability over there and can't afford a pay VPN service and that's also why he uses Suse. I have decent throughput here w/ Fios hence the reason I want to setup a VPN on one of my always on boxes that run F@H.

FIOS, not the actiontec? Did they switch that? When are you looking to try and set that up? Where are located? The honest truth is it maybe easiest if we crack some beers and figure it out. You linux knowledge and my network knowledge we should be able to figure it out.

I have a laptop that tethers to my phone so I can test the logins and such.

I'm not familiar with the box you're talking about. With the actiontec I had to bridge it in order for my ASA to get the external IP address and then I just use dynamic DNS via no-ip.

I'm in N Garland but we can use Logmein to remote into it since its setup in my garage w/out a monitor where it's nice and cool.

The last router in this list is the one I have.

I'm in Plano, your call. Or hit me up with specific questions as I've just kind of been rambling.

When do you need this going?

Pm coming your way.

Sign up for Dynamic DNS, open up 3389 on your router to the IP of the computer you want him to access, enable RDP on said computer and be done. Total cost $0.