PPTP and L2TP are two well-known remote access VPN protocols. The client is built into MS Windows, and you can easily install one on a FreeBSD or Linux machine as well.
But those two VPN methods only work well if your PC has a public IP address and is not located behind a firewall. PPTP, for example, needs a public IP and a firewall that allows protocol GRE and TCP/UDP port 1723. In most cases you will not be able to connect to the VPN server from behind NAT, unless your firewall has an advanced feature that supports PPTP NAT traversal.
Now, in this post, I want to introduce a VPN application that can work over an HTTP proxy. I'm not going into detail right now, but I'll try to cover it in my next post.
Why VPN over HTTP proxy? An HTTP proxy is the most common facility wherever you connect to the internet. Even when you are sitting in your office with only very limited direct internet access, or you must use your corporate HTTP proxy server to reach the internet (as in my office right now), you are still able to connect to a VPN server anywhere on the internet.
So, what am I using? I found that OpenVPN (http://openvpn.net/) is able to do this. As described on its website, OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls. OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol.
By default OpenVPN uses a UDP port, but you can configure it to use TCP instead. And since OpenVPN is an SSL-based VPN, if you configure the OpenVPN server to listen on TCP port 443 or 80 (the ports normally used for HTTPS and HTTP), you are able to connect to your OpenVPN server through an HTTP proxy: the client asks the proxy to open a TCP tunnel with an HTTP CONNECT request, exactly the way a browser reaches an HTTPS site.
Why 443 or 80? Of course we can use any port number, but those two ports, I can guarantee it, are allowed by default in your HTTP proxy server. Note that many proxies only permit CONNECT tunnels to port 443, so 443 is the safer choice of the two.
OpenVPN consists of a server-side and a client-side application. Both run on many types of operating system. Usually we put the OpenVPN server on a UNIX-based server and the client on Windows. You can use different authentication methods: certificate-based authentication, username/password, or both combined at the same time.
I have tried both methods: the first uses certificates issued with OpenVPN's built-in Easy CA, and the second uses username/password based on the Unix passwd file. I am still trying to use my existing RADIUS and LDAP servers to authenticate OpenVPN clients but have not yet succeeded. I will post my detailed configuration after I can use RADIUS and LDAP as authentication methods.
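To make the server side concrete, here is an added example of an OpenVPN server configuration that listens on TCP 443 and requires both a client certificate and a Unix username/password. It is not the configuration from this post; the file paths under /etc/openvpn, the 10.8.0.0/24 pool, the PAM plugin location and the 127.0.0.1:8443 web server are assumptions and placeholders.

```conf
# Added example server.conf (not the post's own configuration).
# Listen on TCP 443 so that an HTTP proxy treats the session like HTTPS.
port 443
proto tcp
dev tun

# Certificates and keys produced with Easy CA; paths are placeholders.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# Extra HMAC on the TLS control channel; clients use the same key with direction 1.
tls-auth /etc/openvpn/ta.key 0

# Address pool for clients. The default topology is net30, which hands
# every client a /30 (the /30 netmask described later in the post).
server 10.8.0.0 255.255.255.0

# Second factor on top of the client certificate: check the username and
# password against the Unix account database through PAM.
# The plugin path differs between distributions (assumption).
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# Drop privileges after the tunnel is up; keep the key and tun device across restarts.
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120

status /var/log/openvpn-status.log
verb 3

# Optional: if a real HTTPS site must keep working on the same host, hand
# connections that are not OpenVPN to a local web server (placeholder address).
port-share 127.0.0.1 8443
```

With `proto tcp` only one listener is possible per port, so a server that also needs the UDP default would run a second instance on a different port. The `port-share` line is what lets TCP 443 stay a normal-looking HTTPS port for anything that is not an OpenVPN client.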
The other thing I want to share is a basic difference between PPTP/L2TP and OpenVPN. PPTP and L2TP are based on a PPP connection, while OpenVPN behaves like a Local Area connection. If you examine your PPP connection for PPTP, you will notice that your IP address has a /32 subnet. OpenVPN does not use PPP but a point-to-point LAN-style connection, so you get an IP address with a /30 netmask.
What is the limitation of OpenVPN? I think its weakness is the end-user configuration effort. You need to install a dedicated client, since there is no default client in MS Windows or any other OS, and you need to configure it. Fortunately there is an OpenVPN GUI client for Windows that helps end users a great deal to connect to the OpenVPN server.
In conclusion, if you configure OpenVPN correctly, you are able to connect to it from your normal internet connection wherever you are. No special firewall configuration is needed; you just configure the client to use the HTTP proxy available on your network, or to connect directly to the OpenVPN server when there is no blocking firewall.
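The client-side configuration the conclusion describes, as an added example that is not part of the original post: a profile that first tries the server through the corporate HTTP proxy and falls back to a direct connection when no proxy is in the way. The names vpn.example.net and proxy.corp.example:8080 are placeholders, and the certificate files are assumed to come from the same Easy CA as the server's.

```conf
# Added example client.ovpn (not the post's own configuration).
client
dev tun
nobind
resolv-retry infinite

# First connection profile: reach TCP 443 on the server through the
# office HTTP proxy using CONNECT. Host names are placeholders.
<connection>
remote vpn.example.net 443 tcp-client
http-proxy proxy.corp.example 8080
</connection>

# Second profile: direct connection for networks without a blocking firewall.
# OpenVPN tries the profiles in order and moves on when one fails.
<connection>
remote vpn.example.net 443 tcp-client
</connection>

# Client certificate and key issued by the same CA as the server (placeholder paths).
ca   ca.crt
cert client.crt
key  client.key
# Key direction 1 pairs with the server's "tls-auth ... 0".
tls-auth ta.key 1

# Only accept a peer whose certificate was issued as a server certificate,
# so a stolen client certificate cannot impersonate the VPN server.
remote-cert-tls server

# Prompt for the Unix username/password checked by the server's PAM plugin.
auth-user-pass

persist-key
persist-tun
verb 3
```

If the proxy needs authentication, `http-proxy` also accepts an auth file and method as further arguments; the exact method depends on what the proxy offers, so check its documentation before relying on it.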
See you in my next post for this OpenVPN.
-rendo-