
I would like to set up a VPN server on Debian Linux to encrypt wireless traffic coming from my Mac or iOS device. I would like to use a certificate-based solution. Setting up a PKI infrastructure and managing certificates is OK for me.

1. Which server to pick?

By looking through the internet and here on stackoverflow I found the following possible solutions:

  • strongSwan
  • IPSec and racoon

Which solution is feasible for a Linode running Debian Squeeze?

2. How to configure the network?

If I understood correctly a VPN has a virtual network interface as an endpoint on the server side. Naively I would think that I need a DHCP server running on the server to assign a dynamic private IP (like of the class C network 192.168.xxx.xxx) to the connecting clients. Next I think I would need to set up masquerading to NAT the incoming VPN traffic to the real interface directly connected to the internet.

Is this the right way to go? Do you have any configuration examples? I often saw VPN configurations used to connect to your home network, but that is not what I am looking for. I have a server up in the internet and want to use it as a proxy to encrypt traffic in insecure network environments like public WLANs.

GorillaPatch
  • Not sure about those VPN systems you mention, but many like OpenVPN have the VPN server act as the DHCP server. – Zoredache Jul 12 '11 at 21:23
  • I'm no fan of WPA, but the cost-benefit of that versus setting up some unholy mess of IPSec weighs *firmly* in favour of WPA. – womble Jul 12 '11 at 23:32
  • @womble You are right about WPA, but sometimes you are using a public WLAN and you want to take care of your encryption yourself. It is more like a road warrior setup. – GorillaPatch Jul 13 '11 at 20:47
  • @Zoredache That is exactly my question. Unfortunately I cannot use OpenVPN because jailbreaking my iOS devices is not an option. – GorillaPatch Jul 13 '11 at 20:48
  • I'm in the process of decommissioning my OpenVPN connection from my laptop to my Linode; it turns out that using SSL for everything important (IMAP, IRC proxy, etc) is less annoying than dealing with the VPN, and now that I have (reasonably) ubiquitous wireless connectivity, the "tunnel everything over OpenVPN on tcp/443" requirement is gone too. – womble Jul 13 '11 at 23:10
  • Obviously setting up a VPN is a more advanced topic. Thanks for your thoughts. This question seems to be discussed many times here but there is no complete solution including the network setup. I think I have to try things using a Linux VM before deploying it to a server. – GorillaPatch Jul 14 '11 at 07:19

1 Answer

Finally I figured out how to use it. I chose strongswan with xauthrsasig authentication. It works flawlessly with iOS. I managed to implement it along the lines of this blogpost: http://www.hosthop.com/hop/knowledgebase/21/StrongswanorOpenswan-Pure-IPSEC-Tunnel-Configuration-for-iPhone-and-Similar-Devices.html

GorillaPatch
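Added example, not code from the question, the answer or the linked hosthop post: how the two halves of the question fit together on strongSwan 4.x (the pluto IKEv1 daemon Squeeze ships) with xauthrsasig. The connection hands each client a virtual IP itself via rightsourceip, so no DHCP server is needed, and a single MASQUERADE rule on the uplink covers the NAT. The hostname, certificate file names, client pool, uplink interface and XAUTH user are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the hosthop post): road-warrior
# strongSwan 4.x (pluto) config for iOS with xauthrsasig, plus the NAT the
# question asks about. Assumed values: vpn.example.com, serverCert.pem and
# serverKey.pem, the 10.10.10.0/24 client pool, the eth0 uplink, user "alice".
set -eu

VPN_FQDN="vpn.example.com"   # must match the server cert's subjectAltName
POOL="10.10.10.0/24"         # virtual IPs strongSwan assigns (no DHCP needed)
WAN_IF="eth0"                # interface facing the internet

render_ipsec_conf() {
  cat <<EOF
config setup
    plutostart=yes
    charonstart=no

conn ios
    keyexchange=ikev1
    # client certificate (issuing CA goes in /etc/ipsec.d/cacerts) + XAUTH
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftid=@${VPN_FQDN}
    leftcert=serverCert.pem
    # 0.0.0.0/0 tunnels all client traffic through the server
    leftsubnet=0.0.0.0/0
    # _updown inserts FORWARD rules for each client's virtual IP
    leftfirewall=yes
    right=%any
    rightsourceip=${POOL}
    auto=add
EOF
}

render_ipsec_secrets() {
  cat <<EOF
: RSA serverKey.pem
alice : XAUTH "CHANGE-ME"
EOF
}

install_and_apply() {
  render_ipsec_conf    > /etc/ipsec.conf
  render_ipsec_secrets > /etc/ipsec.secrets
  chmod 600 /etc/ipsec.secrets
  sysctl -w net.ipv4.ip_forward=1
  # masquerade client traffic leaving the uplink, as the question proposes
  iptables -t nat -A POSTROUTING -s "$POOL" -o "$WAN_IF" -j MASQUERADE
  ipsec restart
}

if [ "${1:-}" = apply ]; then install_and_apply; fi
```

Run with `apply` as root to write the files and insert the rules; without an argument it only defines the functions.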