Yes, people have reported positively on running PPP over an SSH connection.
The term Road Warrior is used for people who frequently travel away from their company or other home base, and who wish to have access to the private LAN of that home base. A Virtual Private Network (or VPN) can be used to allow secure access to a private LAN.
The trick is to use an encrypted connection, so that private company data cannot be tapped while in transit over the Internet. And while setting up that connection, the road warrior and VPN server must authenticate each other, to ensure that only Road Warriors can connect to the private LAN.
A commonly proposed method to do this is running PPP over an SSH-connection. Using the Shaman to authenticate the SSH-connection is trivial; it works like any other use of the Shaman. A decent explanation of how to make this work is the VPN PPP-SSH Mini-HOWTO from the Linux Documentation Project.
Please read the documented problems, and why TCP over TCP is a bad idea in some extreme situations -- but do note that all SSL VPNs suffer from the same problem, and they seem to be sufficiently stable to be sold commercially. The same holds for most practical uses of the Microsoft-promoted L2TP mechanism. The older Windows protocol, PPTP, is not secure and is therefore ill-advised.
Some claim that an ideal VPN would use IPsec, but a quick cryptographic evaluation demonstrates that this protocol also has its problems, notably its complexity.
In conclusion, there are no perfect solutions for VPNs, whatever commercial vendors may claim. If you think PPP over an SSH-connection works for you, expect it to be fairly usable, but not flawless. If you choose to use this solution, you can follow the PPP-SSH explanation with a few side-steps to employ the Shaman.
Skip the setup of authenticated login; this is easier with the Shaman Setup utility. Enter the VPN host and account under the Remote Server pane and enable the SSH Key on the account.
When using the VPN, ensure that the Shaman Agent is visible to the SSH command; normally this is taken care of by the login scripts, but if this fails it is possible to insert a few extra statements in the vpn-pppssh script:
AGENT=/usr/bin/shaman-agent
and a bit further down:
if ! test -f "$AGENT" ; then echo "can't find $AGENT" >&2; exit 5; fi
eval "$("$AGENT" -q)"
The last line should be placed before the first use of $SSH, not counting the test line.
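One way to harden the agent step above, as an added example that is not part of the original page or of the Shaman software: instead of passing the agent's output straight to eval, accept only the two variables an ssh-agent style helper sets, then confirm the socket exists before $SSH is used. It assumes that shaman-agent -q prints ssh-agent style lines; import_agent_env and agent_visible are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the PPP-SSH HOWTO or the Shaman distribution).
# Assumption: the agent prints ssh-agent style Bourne-shell lines, e.g.
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.123; export SSH_AUTH_SOCK;

# import_agent_env TEXT
# Export SSH_AUTH_SOCK / SSH_AGENT_PID from TEXT without eval.
# Returns 0 if SSH_AUTH_SOCK was set, 1 if it was absent,
# 2 if a value contains anything outside a conservative character set.
import_agent_env() {
    _rc=1
    while IFS= read -r _line; do
        _assign=${_line%%;*}        # keep only the text before the first ';'
        _name=${_assign%%=*}
        _value=${_assign#*=}
        case $_name in
            SSH_AUTH_SOCK|SSH_AGENT_PID) ;;
            *) continue ;;          # ignore echo lines and unknown variables
        esac
        case $_value in
            ''|*[!A-Za-z0-9_./-]*) return 2 ;;   # empty or shell metacharacters
        esac
        export "$_name=$_value"
        if [ "$_name" = SSH_AUTH_SOCK ]; then _rc=0; fi
    done <<EOF
$1
EOF
    return $_rc
}

# agent_visible
# True only when SSH_AUTH_SOCK names an existing UNIX socket, i.e. the
# agent is actually reachable by the ssh command that carries pppd.
agent_visible() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Assumed usage in vpn-pppssh, before the first use of $SSH:
#   import_agent_env "$("$AGENT" -q)" || { echo "bad agent output" >&2; exit 5; }
#   agent_visible || { echo "agent socket not reachable" >&2; exit 5; }
```

Failing here, before pppd is started, gives a clear error instead of an SSH password prompt or a half-open tunnel.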
The PPP-SSH document continues to discuss methods for connecting entire networks; this may not be a good idea if the network turns out to be unstable in practice. A test period with a few Road Warriors is advised before connecting network locations over a PPP-SSH VPN.
Posted on Sun, 21 Mar 2004, 00:00.