Scope

For creating VPN connections from a remote Linux workstation to a Windows 2000 VPN server.

Installation

SuSE 8.2 comes with pre-compiled RPMs for PPTP Client and PPP. Use Yast2 to check if these have been installed. Do not "upgrade" the PPTP Client software nor the CVS PPP package with sources or RPMs from the PPTP Client software page at SourceForge; these packages (even if built from source) did not work on a test SuSE 8.2 system due to conflicts with the ppp_mppe.o kernel module.

(Editors note: this is due to version skew, and a kernel module upgrade for MPPE support would fix it -- James)

You may also want to install the Lisa network daemon with YaST, if you are using KDE, so that you can browse the remote LAN once you connect. This package is included with KDE (search for "Lisa" in YaST to find it).

Configuration

Use pptp-command as root from a command line window to create a tunnel to your Windows 2000 VPN server, according to the documentation on the PPTP Client pages at SourceForge. The PHP-GTK GUI interface was not tested.

Connection

SuSE's installation creates scripts to modify your routing table during your VPN session. Specifically, all traffic from your workstation will be routed through the gateway at the other end of the VPN tunnel. This is to prevent opening an insecure "back door" to the Windows network, by allowing traffic to come from the Internet, through your workstation, and then directly in to the remote network, bypassing the remote network's firewall.

(Editors note: the ip_forward kernel variable would have to be enabled before the "back door" would work, and as a control these routes are not guaranteed to prevent a "back door" anyway; the client system user could easily delete them -- James)

This SuSE security "feature" may slow down your Internet browsing somewhat, if your Internet connection is fast relative to the remote network's gateway connection, if the remote network's gateway typically handles a lot of traffic, or if you are a continent or more away from the VPN server. On the test system, the workstation had a cable modem connection that benchmarks at T-1 speeds, and the VPN server has a full T-1 connection, with pretty heavy bandwidth usage. The VPN server was only a few hundred miles away from the test system. Some slight speed loss, in loading complex web pages, for example, was noted. In addition, applications that had already established a pre-VPN connection to the Internet may no longer function during the VPN session (rDesktop, for example).

When you use pptp-command to terminate the VPN session, SuSE will execute a script to restore the routing table. In the test system, an open rDesktop session created before the VPN session was established began functioning again after the VPN session was terminated. You should test your own software, especially if you telecommute and need to keep a VPN session up for hours at a time. You may want to establish a VPN connection as the first order of business, and then begin to launch your regular Internet-enabled applications.

Comments

ChangeLog