Hi

I'd like to set up a VPN server on my Linode, so I can browse from a Windows laptop securely when using public hotspots. Has anyone any ideas on what to use and how to do it? I'm using CentOS.

I'm a big fan of OpenVPN (http://www.openvpn.net/index.php/open-source.html). I use it for all my VPN needs and platforms (Linux, OSX, Windows). I use the client on all three platforms and have a mixture of Linux and Windows servers. I'd suggest using the 2.1 version - even though its still an RC, it's got a lot of nice improvements and I've been using it for at least a year without any issues (it stuck at RC7 for a long time). The 2.1 Windows installer also automatically includes the GUI application (system tray). I think a 2.1 client can interoperate with a 2.0 server if CentOS doesn't have 2.1 packaged yet (my Ubuntu 8.04 LTS server is currently at 2.1rc7).

You will have a little learning curve if you aren't already familiar with SSL and certificate handling, but it comes with scripts to help manage the certificate creation. You can choose to augment certificated based with passwords if desired (I don't bother with most of my clients).

Note that the VPN link will only get your traffic to your Linode, so if you want to then use it for external browsing you'll need to make sure that you're permitting IP forwarding and any filters/firewalls you have in place will let traffic flow from the VPN interface (tap/tun) to the public interface. You can normally handle this with a single rule that covers all traffic on the VPN interface. Also, the OpenVPN traffic itself is UDP by default so you'll want to ensure that any public side filtering will let that traffic in.

Edit: You'll also need to establish an iptables NAT setup for the inbound OpenVPN traffic so it shares your Linode public address (as opposed to the OpenVPN interface private address) when traffic is relayed back out to the public network.

-- David

Thank you David, I will try it out.

I've read about SSH tunneling... is this a viable alternative or not?

If all you're interested in doing is proxying your web traffic through your linode, then yes, an ssh tunnel will work just fine.

You just need to create a dynamic tunnel, listening on say localhost:8080. Then set up your browser's SOCKS proxy to point to localhost:8080 and you should be all set.

Depending on your needs, certainly - I wouldn't categorize it as a VPN though, so didn't think about it based on your initial question. But it's likely to be simpler to operate if it serves your needs.

If you're trying to reach a single target host/port, a plain ssh forwarding tunnel (e.g., the client "-L" option) will work fine, though you then have to tell your client to connect to the local end of the tunnel, and have to set up different local endpoints for multiple targets (you can use multiple "-L" options on a single connection).

If you just want browser support, then it's easier to use the SSH SOCKS support (the client "-D" option) instead, and reconfigure your browser to use the local SOCKS interface. The advantage to this is that it can dynamically switch endpoints, so can cover most browsing requirements in terms of visiting any hosts, but still needs you to switch browser configuration when you're back in a non-tunneled configuration.

I use CopSSH as a simple self-contained (with installer) SSH implementation for Windows, which you could use as a command line client. I'm sure there are a bunch of other implementations, and probably GUI wrappers, but am not familiar with any others personally.

But if you want general IP access to the net, the VPN link is the most general, and requires no changes to any client applications. Essentially, once set up, you right click the tray icon (on the Windows client), pick the server to connect to, and after you're connected that becomes your default route out (if you so configure it) and all applications will just work normally. It does require more initial setup but that's pretty much a one time thing.

But for basic browser support, you could use the SOCKS setup initially (it just needs sshd running on your server) as then decide if you want to try setting up OpenVPN. Note that in either case any firewall filters your server has will need to let the appropriate inbound traffic in, and for the OpenVPN case, back out again since the traffic will be arriving on your server via a separate VPN interface.

Oh, and one other OpenVPN complexity I forgot in my first post - you'll probably need to set up iptables for NATing the OpenVPN traffic. That's because the addresses OpenVPN is assigning to clients will not be globally reachable, so won't work for traffic going back out to the general Internet, and will need to be NATed so they look like they're coming from your Linode address. Not terribly hard, but another setup step. (I'd probably work on that after you had the basic OpenVPN link working and could access your Linode itself)

-- David

Thank you very much for your help. I think I will set up a separate Linode for this while I figure it out as I am likely to break my main one otherwise

If you want to do that, you sure can. It's actually pretty difficult to do any permanent damage to your server either by playing with openvpn or with iptables rules. Sure, you may accidentally firewall yourself out of the server, but that's what lish is for, right? Just sign in there and flush the iptables rules and you're back to square one.

As for using the dynamic ssh port forward, there's no possible way that can do anything damaging to your linode since all the "configuration" is on the client side.

I'm also a fan of OpenVPN. I have never had good luck with a dynamic forward, and usually use a full VPN when I can, otherwise I will use a simple port forward to Squid running on my Linode and set the http_proxy.

I don't think I've ever had any web browsing problems with dynamic forward and a browser set to use the local SOCKS port, but I've definitely run into issues sometimes just using a plain tcp tunnel (-L) to a server and pointing the browser at the local endpoint. Sometimes I do that to reach a single private server as it doesn't require reconfiguring the browser (so I can keep using existing open windows/tabs), but it can break down with various sorts of redirects from the server end that don't maintain the original URL (e.g., localhost based) used to reach the server.

-- David

What I mean is I'm likely to break my production server and lose business

Well if ya put it *that* way...