Date: Sun, 25 Apr 1999 21:19:19 +0930 (CST)
From: Kris Kennaway
To: Theo Purmer
Cc: freebsd-security@freebsd.org
Subject: Re: VPN
In-Reply-To: <01BE8F18.6DF1C1E0@theo.tepucom.nl>

On Sun, 25 Apr 1999, Theo Purmer wrote:

> Does anybody know if it's possible
> to make a vpn (tunnel) with two freebsd
> hosts?

Absolutely - a system of PPP tunneled over SSH works well for me (the SSH
provides the encryption layer and PPP handles the networking).

If you're going between two freebsd hosts then you're probably best off
using the user-mode ppp driver (man 8 ppp) which is generally "better" than
the alternative pppd. I haven't done this with ppp(8), but probably the way
to go is to use the PPP-over-TCP function and connect to localhost:someport
on both ends, and set up SSH to provide an encrypted tunnel via the
-Lsomeport:remotehost:someport option.

If you're wanting to communicate with a non-FreeBSD UNIX box then your best
bet is probably PPPD (kernel-mode ppp) - I haven't figured out how to make
ppp(8) inter-operate with pppd(8) when used as a tunnel (if anyone knows how
to make this work it would be helpful).

Actually the version of PPPD in the base tree doesn't support this as easily
as the latest version (v2.3.7) - your best bet would be to compile it
separately (which is simple). Using pppd I just do something like:

    pppd pty "ssh -t remote.host.com pppd"

and then set up the network routes to route the desired IP addresses over
the tunnel.

These are both good "poor man's" solutions - a technically superior solution
(less overhead from all the layering and encapsulations) is IPSEC - look into
the KAME stuff if you're interested (www.kame.net).

Kris

-----
The Feynman problem-solving algorithm:
1. Write down the problem
2. Think real hard
3. Write down the solution
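The pppd-over-ssh tunnel Kris describes, wrapped in a small script as an added example (this is not code from the post or from the pppd project). The tunnel endpoint addresses, the far-side network and the "noauth" option are assumptions; "remote.host.com" is the placeholder name from the post.

```sh
#!/bin/sh
# Added example, not from the original post. Builds the two commands that
# make up the tunnel: pppd driving PPP over an ssh session, and a static
# route for the network behind the far end. Addresses are assumed values.

# Accept only a plain hostname or IP, so nothing can smuggle extra shell
# words into the command string pppd hands to the pty.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only a.b.c.d/n style network specs for the static route.
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# pppd_cmd HOST LOCAL_IP REMOTE_IP
# "pty" makes pppd speak PPP over the stdin/stdout of the quoted program,
# here an ssh session that starts pppd on the far end, so ssh supplies the
# authenticated, encrypted transport. LOCAL:REMOTE sets the tunnel endpoint
# addresses. "noauth" is an assumption: it skips PPP-level authentication
# because ssh has already authenticated the peer.
pppd_cmd() {
    valid_host "$1" || return 1
    printf 'pppd pty "ssh -t %s pppd" %s:%s noauth\n' "$1" "$2" "$3"
}

# route_cmd NETWORK/PREFIX GATEWAY
# Sends the far-side network via the tunnel peer (FreeBSD route(8) syntax).
route_cmd() {
    valid_cidr "$1" || return 1
    printf 'route add -net %s %s\n' "$1" "$2"
}

# Print the commands for one assumed setup: tunnel 10.1.1.1 <-> 10.1.1.2,
# network 192.168.2.0/24 behind the remote host.
tunnel_plan() {
    pppd_cmd "$1" 10.1.1.1 10.1.1.2 || return 1
    route_cmd "$2" 10.1.1.2 || return 1
}

tunnel_plan remote.host.com 192.168.2.0/24
```

Because pppd forks into the background before the link is negotiated, the route command belongs in /etc/ppp/ip-up (which pppd runs once the interface is up) rather than directly after the pppd line.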