How to Setup A VPN Server
Before proceeding to the comparison, let us list the tasks a VPN has to solve:
- Addressing packets destined for specific clients.
- Encrypting traffic "on the fly" efficiently, but without being too greedy with resources, so that information never passes in the clear.
- Authenticating the participants that connect to the network and verifying data sources, so that unauthorized nodes and packets are kept out of the network.
VPN Solutions for Corporate or Personal Goals
We will evaluate the flexibility, security, speed and stability of the following implementations:
- PPTP (Point-to-Point tunneling protocol),
- IPSec (IP Security),
- L2TP (Layer 2 Tunneling Protocol) and L2TP + IPSec,
- SSTP (Secure Socket Tunneling Protocol).
PPTP (POINT-TO-POINT TUNNELING PROTOCOL)
The prevalence of PPTP VPNs is due to ease of configuration and cross-platform support: it is built into most modern operating systems by default (including router operating systems and mobile OSes). Other reasons for the popularity of this solution are the minimal load it puts on computational resources, its high speed and its stability.
But from a security perspective PPTP has compromised itself: a large number of vulnerabilities have been found in the MPPE protocol (such as altering the outgoing RC4 stream) and in the MS-CHAP authentication element (in 2012 an online service even appeared that recovers an MS-CHAPv2 key in 23 hours). Although the latter problem is solved by replacing MS-CHAP with PEAP as the authentication mechanism, Microsoft itself now recommends using L2TP or SSTP.
IPSEC (IP SECURITY)
IPsec is a group of protocols that ensure the confidentiality of data transmitted over IP networks by checking its authenticity and integrity and by encrypting packets. IPsec can operate in transport mode or tunnel mode. In the first case only the data is encrypted and the transport packet header and source are retained; in the second, all traffic is encrypted and then encapsulated into the data field of a new IP packet.
When building a VPN, IPsec transport mode is used in conjunction with other implementations (typically L2TP), while tunnel mode is by itself a method of creating a VPN tunnel.
Encryption of IPsec connections is provided by such protocols and algorithms as IKE (Internet Key Exchange), ISAKMP (Internet Security Association and Key Management Protocol), AH (Authentication Header), STS (Station-to-Station protocol), SHA-1 (Secure Hash Algorithm) and others.
A feature of IPsec that somewhat separates it from the definition of a VPN is that it does not create an additional virtual network adapter in the system but uses a standard external interface; in general it is not even an implementation of virtual private network technology so much as a tool for protecting transmitted IP packets against substitution. Deploying a virtual tunnel is rather its "side" property.
IPsec is supported by all modern operating systems (server, desktop, mobile) as well as by a number of routers, and when a VPN is set up on the latter, no manipulation of any client behind the router is needed. Because of these characteristics IPsec is considered one of the best solutions for VPN deployment.
But here, too, there are vulnerabilities. This implementation is known to be open to attack on the ISAKMP protocol when operating in transport mode. In addition, when IPsec is used without the AH header, an attacker can inject their own data into the transmitted packets, which of course has adverse consequences for the recipient. There is also a known attack in which the packet's transmission route is replaced. Moreover, there is an exploit that allows IPsec traffic to be decoded through a vulnerability in IKE.
L2TP (LAYER 2 TUNNELING PROTOCOL)
L2TP is a tunneling protocol for virtual private networks. It is a symbiosis of Cisco's L2F (Layer 2 Forwarding) protocol and the PPTP described above. It allows you to create a VPN with access rights, but it has one drawback: it does not encrypt traffic.
It takes responsibility for the privacy and integrity of the L2TP packet inside the tunnel, and at the same time requires that encryption be provided at the packet level for all traffic passing through it. IPsec is usually used for this.
L2TP/IPsec is present in all modern operating systems and is easily configured on the client. However, it is worth remembering that L2TP uses UDP port 500, which is sometimes blocked if you are behind NAT. Because of this, additional configuration of the firewall or router (port forwarding) may be required, which is not needed for solutions that use the standard HTTPS TCP port 443.
L2TP/IPsec is currently considered a very secure solution, using encryption algorithms such as AES, but because it encapsulates data twice it works a little slower than implementations that use SSL (such as OpenVPN or SSTP).
In terms of stability L2TP/IPsec deserves an excellent rating. The minus of L2TP/IPsec is that it uses nearly twice as much processor resources to provide the double encapsulation.
SSTP (SECURE SOCKET TUNNELING PROTOCOL)
Secure Socket Tunneling Protocol is another Microsoft brainchild, introduced with the release of Windows Vista. Today not only Windows Server 2008/2012 can act as an SSTP server, but also a machine running Linux or RouterOS, although in the latter cases the solution cannot be called full-featured.
Thanks to SSL v.3 support, SSTP can operate without router/firewall configuration, and its integration with Windows simplifies setup and ensures stable operation. Strong AES is used for encryption.
While SSTP has many advantages and is a young, emerging technology, it works best of all in a Windows network; in other cases you may run into restrictions.
OPENVPN
OpenVPN is a relatively young (published in 2002) open VPN implementation distributed under the GNU GPL. The security of the deployed tunnels is provided by the OpenSSL library, which in turn offers a range of encryption tools (Blowfish, AES, Camellia, 3DES, CAST). The speed of OpenVPN depends on the selected algorithm, but as a rule this implementation is faster and uses fewer resources than L2TP/IPsec.
Another significant plus of OpenVPN is that it passes through NAT and firewalls without additional configuration, using the standard HTTPS TCP port 443 via SSL/TLS encapsulation. Operation over UDP is also provided, and this option is the default.
TCP provides better reliability of data transmission, but it has higher latency than UDP, which wins in speed because it does not acknowledge packet delivery. When OpenVPN uses TCP it is a very slow implementation compared to the others presented.
OpenVPN also provides LZO data compression. Thanks to its vast configuration possibilities and support for the majority of operating systems, OpenVPN has become a very popular solution. The only caveat is that you need to install third-party software.
OpenVPN's flexibility can produce only one problem: configuring it is very tedious. But this problem is solved by preparing pre-configured client installation packages or, for example, by using OpenVPN Access Server.
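As an added illustration of the transport and configuration choices discussed above (this is example configuration written for this article, not code from the OpenVPN project or from the original page), here is a minimal OpenVPN 2.4+ server configuration together with a matching client profile. The host name vpn.example.com, the 10.8.0.0/24 tunnel subnet and the certificate and key file names are placeholders; the PKI files themselves have to be generated separately (for example with easy-rsa). The LZO compression mentioned in the text is deliberately left out, since current OpenVPN releases deprecate it; the client profile shows the UDP-first, TCP-443 fallback that lets the same client work behind restrictive firewalls.

```conf
##### server.conf (assumed file name) #####
# Default transport: UDP on 1194 (fast, no delivery acknowledgements inside the tunnel).
port 1194
proto udp
# To traverse firewalls that only allow HTTPS, run a second instance with:
#   port 443
#   proto tcp-server
dev tun

# PKI material generated separately with easy-rsa (placeholder file names)
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
# Pre-shared HMAC key: packets without a valid HMAC are dropped before the TLS handshake
tls-auth ta.key 0

# AEAD data-channel cipher and control-channel HMAC, both provided by the OpenSSL library
cipher AES-256-GCM
auth   SHA256
tls-version-min 1.2

# Address pool handed out to clients (placeholder subnet)
server 10.8.0.0 255.255.255.0
# Settings pushed to clients automatically, so clients need almost no local configuration
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

keepalive 10 120
persist-key
persist-tun
# Drop root privileges once the tunnel interface is up
user  nobody
group nogroup
verb 3

##### client1.ovpn (assumed file name) #####
client
dev tun
# Try UDP first; if it is blocked, fall back to TCP on the HTTPS port
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
resolv-retry infinite
nobind
ca   ca.crt
cert client1.crt
key  client1.key
# Second parameter is 1 on the client side, 0 on the server side
tls-auth ta.key 1
# Reject servers whose certificate lacks the server extended key usage
remote-cert-tls server
cipher AES-256-GCM
auth   SHA256
persist-key
persist-tun
verb 3
```

The two `remote` lines carry a per-line protocol, so a single client profile covers both the fast default (UDP) and the firewall-friendly transport (TCP 443) that the text contrasts; the `push` directives are what makes the bulk of the connection settings arrive at the client automatically rather than being configured by hand.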
In our manuals you will find step-by-step instructions for the basic setup of an OpenVPN server on Ubuntu/Debian, CentOS and Windows. You can use a cloud VPS server to deploy a virtual private network. This variant also includes a number of additional security features for the private network; an overview of them can be found in our knowledge base.
CONCLUSION
To sum up the article briefly: PPTP is stable and easy to use, but is very vulnerable, so it is suitable for situations in which the confidentiality of the tunnel does not play a special role. If confidentiality is important, the L2TP + IPsec combination has all the advantages of PPTP but offers a much higher level of security.
IPsec can handle a large number of encryption and authentication algorithms for VPN, although it is not itself an implementation of virtual private network technology but a protocol stack for protecting IP packets during transmission. Thus IPsec is well suited for deploying a virtual private network "sharpened" for security.
Previously, as a rule, IPsec was used for this purpose in conjunction with L2TP, but today the situation is beginning to change. In general, the capabilities of IPsec allow it to be considered one of the best VPN solutions.
L2TP in conjunction with IPsec performs well both in terms of security and in terms of compatibility with popular operating systems. Here, however, additional port configuration may be required. Another minus is the double encapsulation, which slows down the tunnel.
SSTP is convenient to configure, stable and safe enough, but it is a Microsoft product, so its operation is strongly tied to Windows. On other systems the functionality of SSTP is often not as attractive.
OpenVPN can be called a very reasonable choice given its balance of indicators such as speed (thanks to LZO compression and working over UDP by default), stability (especially when working over TCP), configuration flexibility, cross-platform support (client applications exist for most modern operating systems) and safety (thanks to working with all the tools of the OpenSSL library).
However, the flip side of these capabilities is that, compared to other implementations, the initial configuration can be tricky. This problem is partly offset by the use of standard server configurations and the ability to automatically transfer a substantial part of the connection settings to clients. In any case, the OpenVPN implementation seems to us the most balanced software solution.
To implement a VPN in your infrastructure you can use one of the many VPN service providers, but this solution usually does not come cheap, especially when you want to connect a large number of clients to the network. Moreover, you have to trust the provider with your corporate or personal data.
A more reliable and flexible scenario seems to be configuring a VPN yourself on a physical or virtual server (VPS/VDS). For example, you can create an OpenVPN virtual private network following one of our step-by-step instructions (Windows, Linux), using a cloud VPS/VDS server.
A fairly minimal server hardware configuration is sufficient for this task, and the monthly cost of the equipment is lower than the market average for providing VPN to multiple devices. In addition, this solution can easily be scaled to the current load on the virtual private network.