[fwlug] Need a network guru's opinion on this
Rob Ludwick
rob at rcludw.no-ip.org
Wed Jun 18 01:01:02 EDT 2008
OpenVPN is good. Clients for Windows, Linux, and MacOS exist.
Configuration can be done via X.509 certs as well as username/password
authentication (or hey, if you're paranoid, both).
It's more secure than Microsoft's PPTP, and it's faster than Tor.
I do recommend you start here; it's the one I started off with.
http://www.thebakershome.net/openvpn_tutorial
Proto should be TCP... and heck, use TAP0 (Ethernet Bridging).
It uses X.509 Certs, but if you look around there are configurations for
Username/Password.
--R
> Here's what I'm thinking. I want a VPN box (likely Ubuntu and SSH based)
> between my cable modem and my router. Any of my trusted machines run
> over open wireless or cat5 to the router and are configured to connect
> to the VPN. Then any connections over the open wireless or a tor exit
> node get logged (both CYA and traffic snooping) and go out to the
> internet.
>
> Goal is to explore the networking side of IT a little more, help my
> paranoid brethren with Tor, and learn how to build a system that can
> safely function in a hostile environment.
>
> Depending on my mood I may also get a little grey-hat and see if
> anything interesting is coming through the unsecured wireless and Tor.
>
> Some questions:
> 1. Recommendations for a distro and VPN software for the VPN box? I'm
> most comfortable with Ubuntu, but I'm open to other options. Obviously
> the most common and easiest to configure VPN option wins.
> 2. How can I prevent the open connections from the outside from getting
> inside? I'm open to sharing my bandwidth, but I want to keep people from
> peeing in my pool.
> 3. How can I throttle (simple bandwidth cap) the unsecured traffic? The
> day will come when I decide to find out how far I can push Comcast, it
> will be the same day I decide to sign up for FiOS.
> 4. How can I give secured traffic priority over unsecured traffic? i.e.,
> my ISO downloads come down BEFORE the tor node gets to myspace.
> 5. How can I readily configure my own Linux boxes, my wife's Mac, and any
> of my guests' computers to connect to the VPN? Machines that regularly
> use the network should autoconfigure.
> 6. Any suggestions for dynamic DNS services?
> 7. How can I sanely manage the logs for the open connections? Following
> Bruce Schneier's idea of having an open wireless router is interesting,
> but I would prefer a more reliable way of covering my ass.
>
>
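Added example, not from the thread or from the tutorial Rob links: a small generator script for the VPN box the original poster describes, tying the reply's OpenVPN choices (TCP, TAP, X.509 certs) to questions 2, 3, 4, 5 and 7. Everything about the topology is an assumption: eth0 faces the cable modem, eth1 faces the router and its open wireless, and OpenVPN's tap0 is routed rather than bridged into eth1, so iptables can tell an authenticated VPN client from an open-wireless client (on a bridge both sit on one segment and the distinction is lost). Certificate paths, the hostname, interface names and bandwidth figures are placeholders to be replaced.

```shell
#!/bin/sh
# Constructed example. Assumptions: eth0 = cable-modem side, eth1 = router/open
# wireless side, tap0 = OpenVPN (routed, not bridged). Paths and rates are placeholders.
set -e

# OpenVPN server: TCP and TAP as in the reply, X.509 client certs, and a tls-auth
# HMAC key so packets that lack it are dropped before any TLS handshake starts.
write_openvpn_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto tcp-server
dev tap0
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
keepalive 10 120
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
EOF
}

# Matching client config; the Linux and Mac clients read the same file format.
# vpnbox.example.net stands in for the box's dynamic DNS name (question 6).
write_openvpn_client_conf() {
    cat > "$1" <<'EOF'
client
proto tcp-client
dev tap
remote vpnbox.example.net 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
nobind
verb 3
EOF
}

# Firewall (questions 2 and 7): open-wireless clients get internet only, with every new
# outbound connection logged; only the VPN port on the box is reachable from that side.
write_firewall_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh
WAN=eth0; OPEN=eth1; VPN=tap0
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $OPEN -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i $VPN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN -j ACCEPT
iptables -A FORWARD -i $OPEN -o $VPN -j DROP
iptables -A FORWARD -i $OPEN -o $WAN -m state --state NEW -j LOG --log-prefix "open-wifi-new: " --log-level info
iptables -A FORWARD -i $OPEN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -t mangle -A FORWARD -i $VPN -j MARK --set-mark 1
EOF
}

# Shaper (questions 3 and 4): decrypted VPN traffic carries fw mark 1 and gets the
# priority class; untunnelled open traffic is capped in both directions.
write_shaping_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh
WAN=eth0; OPEN=eth1
tc qdisc del dev $WAN root 2>/dev/null || true
tc qdisc add dev $WAN root handle 1: htb default 20
tc class add dev $WAN parent 1:  classid 1:1  htb rate 900kbit ceil 900kbit
tc class add dev $WAN parent 1:1 classid 1:10 htb rate 700kbit ceil 900kbit prio 0
tc class add dev $WAN parent 1:1 classid 1:20 htb rate 200kbit ceil 200kbit prio 1
tc filter add dev $WAN parent 1: protocol ip handle 1 fw flowid 1:10
tc qdisc del dev $OPEN root 2>/dev/null || true
tc qdisc add dev $OPEN root handle 2: htb default 20
tc class add dev $OPEN parent 2:  classid 2:1  htb rate 6mbit ceil 6mbit
tc class add dev $OPEN parent 2:1 classid 2:10 htb rate 4500kbit ceil 6mbit prio 0
tc class add dev $OPEN parent 2:1 classid 2:20 htb rate 1500kbit ceil 1500kbit prio 1
tc filter add dev $OPEN parent 2: protocol ip u32 match ip protocol 6 0xff match ip sport 1194 0xffff flowid 2:10
EOF
}

# Usage: sh vpnbox-gen.sh /path/to/output-dir
if [ $# -gt 0 ]; then
    mkdir -p "$1"
    write_openvpn_server_conf "$1/server.conf"
    write_openvpn_client_conf "$1/client.conf"
    write_firewall_rules "$1/firewall.sh"
    write_shaping_rules "$1/shaper.sh"
    echo "wrote configs to $1"
fi
```

On the downstream side the tunnel packets leaving eth1 toward the router come from the box's own port 1194, which is why the second filter matches on TCP source port rather than a mark; the upload side can use the mark because the mangle rule tags packets as they arrive on tap0 and the mark survives to egress on eth0. The LOG rule only fires on NEW connections, so the log stays at one line per flow rather than one per packet.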