Configuring VPN Server

Contents

15.1. Overview
15.2. Creating the Simplest VPN Example
15.3. Setting Up Your VPN Server Using Certificate Authority
15.4. KDE- and GNOME Applets For Clients
15.5. For More Information

Abstract

Internet connections these days are cheap and available almost everywhere, but they are not secure. A VPN (Virtual Private Network) is a secure network built on top of a second, insecure network such as the Internet or a WLAN. It can be implemented in different ways and the term has several meanings. In this chapter we focus on VPNs that link branch offices over secure wide area networks (WANs).

Overview

This section gives you a brief overview of some scenarios which are possible with VPN and some relevant terminology.

Scenarios with VPN

There are many packages (and even more combinations of them) that can be used to set up a VPN connection. This chapter focuses on OpenVPN. Unlike some other VPN software, OpenVPN can be operated in two modes:

Routed VPN

Routing is easier to set up. It is more efficient and scales better than bridged VPN. Furthermore, it allows the user to tune the MTU (Maximum Transmission Unit) to raise efficiency. However, in a heterogeneous environment NetBIOS broadcasts do not cross the tunnel, so Windows name resolution does not work unless you run a Samba or WINS server that the clients can reach. If you need IPv6, the tun drivers on both ends must support this protocol explicitly.

Figure 15.1. Scenario 1

Scenario 1

Bridged VPN

Bridging is more complicated to set up and is recommended when you need to browse Windows file shares across the VPN without setting up a Samba or WINS server. Bridged VPN is also needed if you want to use non-IP protocols (such as IPX) or applications that rely on network broadcasts. However, it is less efficient than routed VPN, because every Ethernet frame, broadcasts included, is sent through the tunnel. Another disadvantage is that it does not scale well.

Figure 15.2. Scenario 2

Scenario 2

Figure 15.3. Scenario 3

Scenario 3

Figure 15.4. Scenario 4

Scenario 4

The major difference between bridging and routing is that a routed VPN does not forward broadcasts (IP broadcasts, ARP, NetBIOS), while a bridged VPN does, because it carries whole Ethernet frames.

Tun and Tap Devices

Whenever you set up a VPN connection, your IP packets are transferred over a secured tunnel. The connection between the client's device and the server's device is called a tunnel. A tunnel can use a so-called tun or tap device. Both are virtual network devices provided by the kernel driver; they pass Ethernet frames or IP packets between the kernel's network stack and a userspace program:

tun device

A tun device simulates a point-to-point link. It works on layer 3 of the OSI model and carries IP packets, with no Ethernet header. A tun device is used with routing.

tap device

A tap device simulates an Ethernet device. It works on layer 2 of the OSI model and carries complete Ethernet frames, including broadcast and non-IP frames. A tap device is used for creating a network bridge.

The userspace program OpenVPN can attach itself to a tun or tap device to receive packets sent by your OS. The program is also able to write packets to the device. Read more details in /usr/src/linux/Documentation/networking/tuntap.txt.