doc:howto:vpn.overview

doc:howto:vpn.overview [2013/01/14 20:09]
birnenschnitzel
doc:howto:vpn.overview [2015/12/24 01:03] (current)
jedahan [strongSwan (recommended)] Move strongSwan UCI to strongSwan section
Line 1: Line 1:
 +====== VPN overview ======
 +
 +see [[vpn.overview.old|archive page]] for outdated packages
 +
 +  - The term VPN stands for [[wp>​Virtual private network]].
 +  - Like a [[doc:​howto:​DMZ]] a VPN is a //security concept//, it is //not// a protocol (like SSH) nor a certain software package
 +  - There are multiple software packages available to set up a VPN between two or more hosts
 +  - they all use the [[wp>​Client–server model|Server ↔ Client concept]] and usually are //​**incompatible** with one another//!
 +  - have look at the [[wp>OSI model]] and make yourself aware that the encryption can be applied at different layers of the communications stack
 +
 +| {{:​meta:​icons:​tango:​dialog-information.png?​nolink}} | If your hardware has some sort of **[[doc:​hardware:​cryptographic.hardware.accelerators|Cryptographic Hardware Acceleration]]** you should make sure it is supported by your OS (OpenWrt) and enabled. ​ |
 +| {{:​meta:​icons:​tango:​48px-migration.svg.png?​nolink}} | //​**Migration and merger wanted**: We already have a couple of articles about VPN on OpenWrt: [[http://​wiki.openwrt.org/?​do=search&​id=vpn]] you can start from scratch or migrate them// |
 +
 +
 +===== IPsec-based VPN Solutions =====
 +  * Protocol: [[wp>​IPsec]]
 +  * Free software: →[[wp>​strongSwan]],​ →[[wp>​Openswan]],​ →[[wp>​Racoon (KAME)|Racoon]]
 +
 +==== strongSwan (recommended) ====
 + ​→[[wp>​strongSwan]]
 +  * [[doc:​howto:​vpn.ipsec.basics]] Some basics, considerations and prerequisites for IPsec VPN
 +  * [[doc:​howto:​vpn.ipsec.roadwarrior]] OpenWrt as IPsec gateway for road warriors
 +  * [[doc:​howto:​vpn.ipsec.firewall]] Firewall and zones in IPsec VPN
 +  * [[doc:​howto:​vpn.ipsec.site2site]] Setup a site to site IPsec VPN
 +  * [[doc:​howto:​vpn.ipsec.overlappingsubnets]] IPsec VPN with overlapping subnets ​
 +  * [[doc:​howto:​vpn.ipsec.performance]] Get the most out of your IPsec connections
 +  * [[inbox:​strongswan.howto]] Install/​configure strongswan for IPhone/IPad
 +  * →[[http://​wiki.strongswan.org/​projects/​strongswan/​wiki/​IpsecUci|configure strongSwan with UCI]]
 +==== Racoon ====
 +:!: StrongSwan is recommended,​ though some of this documentation may be relevant for other configurations
 +
 +→[[wp>​Racoon (KAME)|Racoon]]
 +  * [[doc:​howto:​vpn.ipsec.basics.racoon]] Some basics, considerations and prerequisites for IPsec VPN
 +  * [[doc:​howto:​vpn.ipsec.firewall.racoon]] Firewall and zones in IPsec VPN
 +  * [[doc:​howto:​vpn.ipsec.site2site.racoon]] Setup a site to site IPsec VPN
 +  * [[doc:​howto:​vpn.ipsec.certificates.racoon]] IPsec VPN with certificates ​
 +  * [[doc:​howto:​vpn.ipsec.overlappingsubnets.racoon]] IPsec VPN with overlapping subnets ​
 +  * [[doc:​howto:​vpn.ipsec.roadwarrior.racoon]] OpenWrt as IPsec gateway for road warriors
 +  * [[doc:​howto:​vpn.ipsec.roadwarriorcertificates.racoon]] Road warrior setup with certificates
 +
 +==== OpenSwan ====
 +→[[wp>​Openswan]]
 +  * [[doc:​howto:​vpn.ipsec.site2site.openswan]] Setup a site to site IPsec VPN Using Openswan
 +  * [[oldwiki:​ipsec.openswantocisco851|Openswan (oldwiki)]]
 +
 +
 +===== OpenVPN-based VPN Solutions =====
 +  * Free software: →[[wp>​OpenVPN]],​ [[http://​openvpn.net/​index.php/​open-source/​documentation/​howto.html#​vpntype|bridged vs. routed]]
 +
 +Articles we have:
 +  * [[vpn.openvpn]] (recommended)
 +  * [[inbox:​vpn.howto]]
 +  * [[doc:​howto:​openvpn-streamlined-server-setup|OpenVPN Server Setup (Streamlined)]]
 +
 +Articles we want instead:
 +  * [[doc:​howto:​vpn.server.openvpn.tun]] describes a [[wp>​TUN/​TAP|TUN]]-based (routed tunnel, Layer3) solution
 +  * [[doc:​howto:​vpn.server.openvpn.tap]] describes a [[wp>​TUN/​TAP|TAP]]-based (bridged tunnel, Layer2) solution
 +  * [[doc:​howto:​vpn.client.openvpn.tun]] Howto install and setup an OpenVPN Client on OpenWrt with Luci
 +  * [[doc:​howto:​vpn.client.openvpn.tap]] Howto install and setup an OpenVPN Client on OpenWrt and share the VPN connection transparently with the router clients
 +
 +
 +Once you set up a VPN server on your OpenWrt router, you (and the other participants) will need to each install and configure a VPN client (compatible with the VPN server) on each of your host machines. For HowTos regarding that, you should visit the Wiki/Forum of your OS!
 +
 +===== OpenConnect-based VPN Solutions =====
 +You may setup openwrt as an [[http://​www.infradead.org/​openconnect/​|OpenConnect]] VPN client or server. This is a protocol based on SSL/TLS and datagram TLS and is compatible with CISCO'​s AnyConnect SSL VPN.
 +
 +  * Client side requirements:​
 +    * [[https://​github.com/​openwrt/​packages/​tree/​master/​net/​openconnect|openconnect]]:​ Follow for instructions to configure without luci interface
 +    * [[https://​github.com/​openwrt/​luci/​tree/​master/​protocols/​luci-proto-openconnect|luci-proto-openconnect]]
 +
 +  * Server side requirements:​
 +    * [[https://​github.com/​openwrt/​packages/​tree/​master/​net/​ocserv|ocserv]]
 +    * [[https://​github.com/​openwrt/​luci/​tree/​master/​applications/​luci-ocserv|luci-app-ocserv]]
 +    * [[doc:​howto:​openconnect-setup|A How-To for the server setup.]] Note: the instructions include comments on the Github advice which might not work for some. In addition, the instructions are for a FULL tunnel setup.
 +
 +There are various [[https://​en.wikipedia.org/​wiki/​OpenConnect#​Platforms|openconnect clients]], including in GNOME NetworkManager,​ [[https://​github.com/​nmav/​openconnect-gui/​releases|Windows]],​ and [[https://​play.google.com/​store/​apps/​details?​id=app.openconnect|Android]].
 +===== PPTP-based VPN Solutions =====
 +
 +:!: Not secure! Broken since 1997. see [[vpn.overview.old]]
 +
 +===== Other VPN solutions =====
 +  * [[doc:​howto:​vpn.client.vpnc]] ''​vpnc''​ = A VPN client compatible with Cisco'​s EasyVPN equipment
 +    * [[oldwiki/​vpn.client.vpnc|vpn.client.vpnc (oldwiki)]]
 +  * [[doc:​howto:​vpn.l2tp]] or [[doc/​howto/​connect_by_l2tp]], ​ see [[wp>​Layer 2 Tunneling Protocol]] and [[wp>​Template:​VPN]]
 +  * [[doc:​howto:​pseudowire]]
 +
 +===== VPN and mesh =====
 +  * [[http://​www.tinc-vpn.org/​]]
 +  * [[http://​www.ntop.org/​n2n/​]]
 +  * [[doc:​howto:​mesh.olsr|OLSR]]
 +  * [[doc:​howto:​mesh.batman|B.A.T.M.A.N.]]
 +
 +===== External Documentation =====
 +  * See our forum: [[https://​forum.openwrt.org/​viewtopic.php?​id=28776|Howto:​ IPSec and OpenVPN]]
 +  * A whole load of OpenVPN-related articles can be found on the Project Homepage of OpenVPN:
 +    * http://​openvpn.net/​index.php/​open-source/​faq.html#​bridge2
 +    * http://​www.openvpn.net/​index.php/​component/​content/​article/​60-faq/​84-faq.html
 +    * http://​www.openvpn.net/​index.php/​component/​content/​article/​65-general/​89-2xhowto.html
 +    * http://​www.openvpn.net/​index.php/​open-source/​documentation/​miscellaneous/​1xhowto.html
 +    * You can always read: http://​www.openvpn.net/​index.php/​open-source/​documentation/​manuals.html or search: http://​www.google.com/​search?​q=vpn&​hl=en
 +  * You do not need to read all of them, to get a VPN solution going. But for security reasons sooner or later you should make sure that all participant comprehend how your VPN works.
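
Review bot: In "Other VPN solutions", the L2TP entry carries no security caveat, although the PPTP section directly above it is flagged as not secure. L2TP provides no encryption by itself, so the entry should say it has to be combined with IPsec, or point to the IPsec section of this page. The two L2TP links in that entry also use different namespace separators (`doc:howto:vpn.l2tp` and `doc/howto/connect_by_l2tp`); use one form. The heading "OpenSwan" and the "StrongSwan" in the Racoon warning do not match the "Openswan" and "strongSwan" spellings used in the links and the other headings. The Google search URL in "External Documentation" adds nothing a reader could not type and can be dropped.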