VPN on a hosted dedicated linux server

Status
Not open for further replies.

otkaz

Technical User
May 24, 2012
I'm trying to set up a VPN on a dedicated hosted Linux server running Ubuntu 12.04 64-bit. I'm probably going to use pptpd for compatibility with Windows' built-in VPN client. I've never set up a VPN before, so I have some questions. While reading a setup tutorial I saw that each connection has to be assigned to an IP address on the LAN. Since I have no control over the LAN the server is hosted on, I did some looking into how to accomplish this and read that I have to have a kernel with TUN or TAP support. I wanted to ask if I'm heading in the right direction. The server is still being set up by the provider, so I don't have access yet, but I want to get everything lined up so I know what all this setup is going to entail. Can anyone offer some advice or point me in some direction to learn how I can accomplish my goal?
Thanks in advance for any info.
 
If I understand you correctly, your VPN will be into this host only. This will greatly simplify your objective, as normally when one uses a VPN they receive an IP address associated with the remote network.

You mention wanting compatibility with Windows. I would suggest you look at OpenVPN, which uses a more modern SSL approach than pptpd. If you want to go the IPsec route instead (I don't see this as being necessary, just a lot of headache for you), look into either Openswan or strongSwan.
 
Pretty much all I'm trying to accomplish is this: I have some contractors that need to make a secure connection to a bank. The bank will only accept connections from a listed static IP. All the contractors are working from home dynamic IPs, so I was setting up a VPN for them to tunnel through on a static IP. The reason I was going with pptpd is that, as I understood it, in order to use OpenVPN on a Windows client machine you have to install an OpenVPN client to connect, but Windows has a built-in client that will connect to pptpd if it's configured correctly? If there is something different I should use other than pptpd I'm all ears, but I would rather not have one more piece of software to set up on all the client machines. Most are not local to me and I don't know how easy it's going to be to walk them through setting up the software themselves.

So I just got access to the server, and my big question is: when I set up pptpd or any other VPN software, it looks to me like I have to specify an IP for each VPN connection, but I have no control over the LAN it's on. So how do I reserve IP addresses for the VPN connections and direct them back out to the Internet? Here is an excerpt from pptpd's sample config:

Code:
# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
#          start at the beginning of the list and go until it gets
#          MAX_CONNECTIONS IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.1.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
 
Just got pptpd configured. I can connect using my Ubuntu desktop. I don't have any Windows computers to test it out with at the moment, but I'm hopeful that won't be any kind of a problem. I didn't have to do anything fancy to allocate IP addresses for the connections: I just set the local IP to the server's address, left remoteip commented out, used NAT through iptables, and enabled IP forwarding. Everything seems to be working OK. Sure hope this solves their problems. They waited till the last minute to ask me for help. I would like to hear any suggestions someone may have about the setup I used, such as whether there is a better way I should have done this.
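
An added example, not part of the original post: with NAT and IP forwarding enabled as described above, the server's whitelisted address becomes the exit point, so the rules should relay only traffic that comes from VPN clients. This sh/awk check runs over `iptables-save` output; the 192.168.0.0/24 client range (the post leaves remoteip unset), the `eth0` interface name and both sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the PPTP relay described above.
# Assumptions: VPN clients get 192.168.0.0/24, pptpd uses ppp+ interfaces,
# eth0 faces the Internet. Both rule dumps below are constructed samples.

# Usage on a live host (root): iptables-save | audit_relay_rules 192.168.0.0/24
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_relay_rules() {
    awk -v net="$1" '
        # Default-accept forwarding turns the host into an open router.
        /^:FORWARD ACCEPT/ { print "forward-policy-accept"; bad = 1 }
        # NAT must only rewrite traffic that came from VPN clients.
        /-j MASQUERADE/ && index($0, "-s " net " ") == 0 {
            print "unscoped-masquerade: " $0; bad = 1 }
        # Forwarding from the tunnel must be tied to the client range.
        /^-A FORWARD/ && /-j ACCEPT/ && index($0, "-i ppp+") > 0 &&
        index($0, "-s " net " ") == 0 {
            print "unscoped-ppp-forward: " $0; bad = 1 }
        END { exit bad + 0 }'
}

sample_loose() { cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i ppp+ -j ACCEPT
COMMIT
EOF
}

sample_scoped() { cat <<'EOF'
*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.0.0/24 -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

echo "loose:";  sample_loose  | audit_relay_rules 192.168.0.0/24 || true
echo "scoped:"; sample_scoped | audit_relay_rules 192.168.0.0/24 && echo "clean"
```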
 
Pretty much all I'm trying to accomplish is I have some contractors that need to make a secure connection to a bank. The bank will only accept connections from a listed static IP. All the contractors are working from home dynamic IPs, so I was setting up a VPN for them to tunnel through on a static IP. ... Would like to hear any suggestions someone may have about the setup I used such as if there is a better way I should have done this?

Yes, there is a very easy way to do this. Use SSH. Your Ubuntu server is undoubtedly already running it. You just need to configure and secure it sufficiently to your tastes. At a minimum, use good passwords. If you can set it up, use RSA keys instead and turn passwords off.

Then on the Windows clients, have them use PuTTY and create a "tunnel" (there is a section in the menu for that), and have them create a SOCKS proxy (tunnel) on a port such as 9999 and connect to your SSH server.

Then open the web browser, go to connections, and select SOCKS PROXY on localhost and voila, they will magically appear as browsing from your server, not their location.

There are a bazillion how-to documents on how to do this. Just find one that looks good to you.
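
An added example, not part of the original reply: a check of the effective sshd settings against the advice above (keys on, passwords off) that also confirms the SOCKS tunnel is still permitted. It reads `sshd -T` style output; the function name and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: check effective sshd settings against the advice above
# (keys on, passwords off) and confirm the SOCKS tunnel can still work.
# Both dumps are constructed samples in `sshd -T` format (lowercase keys).

# Usage on a live host (root): sshd -T | audit_sshd_tunnel
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_sshd_tunnel() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" && val == "yes" {
            print "password-login-enabled"; bad = 1 }
        # Keyboard-interactive (usually PAM) can still ask for a password
        # with PasswordAuthentication off. Older releases name the option
        # ChallengeResponseAuthentication.
        (key == "kbdinteractiveauthentication" ||
         key == "challengeresponseauthentication") && val == "yes" {
            print "keyboard-interactive-enabled"; bad = 1 }
        key == "pubkeyauthentication" && val == "no" {
            print "pubkey-login-disabled"; bad = 1 }
        # Dynamic (SOCKS) forwarding needs local forwarding permitted.
        key == "allowtcpforwarding" && (val == "no" || val == "remote") {
            print "socks-forwarding-blocked"; bad = 1 }
        END { exit bad + 0 }'
}

sample_passwords_on() { cat <<'EOF'
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
allowtcpforwarding yes
EOF
}

sample_keys_only() { cat <<'EOF'
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
allowtcpforwarding local
EOF
}

echo "passwords on:"; sample_passwords_on | audit_sshd_tunnel || true
echo "keys only:";    sample_keys_only    | audit_sshd_tunnel && echo "clean"
```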
 
Thanks for the response. I've set up a SOCKS proxy before. The problem I have is this is what they are using to make a secure connection to the bank. The bank uses an IP whitelist. That's why I have to have a static IP. Can you easily chain a SOCKS proxy in Windows? I know this can easily be accomplished in Linux, but I'm not a Windows user and didn't think it was possible. Also, the contractors are not very computer literate, so I need a one-click solution for them to make the connection.
 