Promoting Linux Requires Advertising. It Matters to Me. TM
GnuCash Personal Finance Manager

Linux VPN Solutions and Tools

Sitting Penguin This page provides a survey of Virtual Private Network (VPN) tools and solutions that were available on Linux in the 1996-2000 time frame. Its a historical record of that era.

Enterprise Linux Banner

Definitions, Overview of Terminology

This section provides an overview of some of the terminology common to VPN's. See also the Free S/WAN Glossary for the definition of a many security-related terms. (which contains pointers to other glossaries).
Virtual Private Network. VPN's are usually needed when one has corporate offices in multiple locations (in the same city, or in different cities or even countries), and one wants to hook up the local office LAN's into one big, private corporate LAN. An office can be as small as a 'home office': in this case, the VPN allows a work-at-home employee to access corporate servers, printers, databases and the like. Traditionally, 'private networks' were built by installing a bank of modems in the main office, and having employees or field offices call in on plain-old telephone lines, or on 'leased lines'. Unfortunately, modems are slow, and the phone bills (especially for long-distance leased lines) can be killer-sized. These days, it is far more economical to layer a virtual private network over the public Internet, while providing security (authentication and encryption) to keep crackers, snoops and spies out and the information protected.

Tunnel, Encapsulation
Private networks are layered over the public Internet by 'encapsulating' the private data inside of ordinary TCP/IP packets. This flow of packets between two endpoints looks like a 'tunnel' connecting the two endpoints: this is because once the encapsulation has been stripped off, it looks like the two endpoints are right next to each other, without any intervening, bothersome Internet in the middle. Anything that's networkable can be tunneled: One can tunnel NetBIOS (the Microsoft file/printer-sharing protocol), Novel Netware, IPv6, SCSI, or even plain-old IPv4 over IPv4. A 'tunnel' does not imply that the data is encrypted, although you usually want it to be.

The defacto IP Security standard. It uses strong cryptography to both authenticate and encrypt IP packets. Authentication guarentees that packets are really from the sender that they claim to be from, and haven't been tampered with, while encryption prevents the unauthorized viewing of the packet contents. Essentially all vendors, including Microsoft and Cisco, are moving current and future products onto IPsec.

IPsec is a manditory part of IPv6 (the next generation of the Internet Protocol) and is widely deployed in IPv4 (what people currently run on the Internet). IPsec consists of three protocols: AH 'Authentication Header', which provides packet-level authentication, ESP, 'Encapsulation Security Payload', which provide encryption and authentication, and IKE, 'Internet Key Exchange', which negoatiates connection keys and parameters. In conjunction with IPsec, one must also deploy DNSSEC enabled DNS servers to publish public keys (the current version of BIND supports DNSSEC).

Point-to-Point Tunneling Protocol. A VPN protocol originally created by Microsoft, for enabling Windows-based VPN's. PPTP is perceived to have a variety of security flaws that leave it vulnerable (see conterpane, BUGTRAQ for 1999, others) Like most Microsoft products, PPTP is easy to configure. A large variety of 3rd party products exist for PPTP. PPTP encapsulates it's packets with GRE, Generic Routing Encapsulation.

Layer Two Tunneling Protocol. A protocol that merges the best of PPTP and Cisco's L2F. Not widely deployed. Fails to define an encryption standard.

SKIP was one of the closely-contested but ultimately rejected proposals for the IPsec standard; it is a strong technology that does provide some reliability and multi-user features that IPsec lacks, and is particularly useful when many simple clients (i.e. home users) are contacting a set of several servers.

NAT, Masquerading, Port Forwarding
A popular form of fire-walling goes under the technical name of 'NAT', Network Address Translation, also commonly referred to by its two sub-components, Masquerading and Port-Forwarding. A masquerading firewall allows internal, behind-the-firewall users to get onto the public net while hiding their true network addresses. It does this by 'masquerading' or re-writing each private-network packet with a public header; the header allows it to be routed on the Internet. Insiders can thus 'see' the outside world, but outsiders cannot 'see' in. Thus, internal machines can be more loosely secured; and the firewall is more easily guarded as the single point of entry.

Port-forwarding does, in a certain sense, the 'inverse' of masquerading: it allows outsiders to see one specific service (port) on an internal machine, without 'seeing' any other internal machines (or ports on that machine). Again, the service machine can be somewhat more lightly protected, as the firewall offers the first line of defense.

What is the relevance to VPN's? Simple: The VPN server (or client) can be placed behind the firewall, offering the traditional controls that a firewall offers, while adding VPN functionality to the network. Unfortunately, this cannot be done with all VPN technologies, due to the fact that some encryption systems encrypt the parts of the packet that a firewall needs to be able to modify.

NAT is built into all modern Linux kernels by default, and is configured by the 'ipchains' or 'iptables' utilities. There are also other, alternate NAT technologies, reviewed on the Port Forwarding page.

Free IPSEC Implementations for Linux and *BSD

The following section lists free implementations of IPsec for Linux and/or BSD. Be sure to view the next section on more general VPN solutions that follows this section; we split off the IPSEC listing into its own because there are so many of them.

Free S/WAN
Free S/WAN is the leading IPSEC implementation for Linux. Highly recommended.

NIST Cerberus
NIST Cerberus is a reference implementation of IPSEC for Linux. The web page provides a good amount of technical info about IPSEC. Co-sponsored by the NSA. Export-controlled. Last update May 2000.

KAME is am implementation of IPSEC and IPv6 for the BSD kernels. The project is active, and is staffed by full-time employees from several large Japanse corporations.

OpenBSD includes an implementation of IPsec in the default distribution.

DOD ISAKMP is a reference implementation of the ISAKMP IETF spec (now IPSEC) from the US Department of Defense (actually from the US Naval Research Labs) that is being distributed by MIT. For BSD, under the BSD license. Last updated December 1998. Export controlled.

pipsec is a simple SSL-based implementation of IPSEC-compliant IP tunneling. Simple and portable, does not require kernel patching. Last updated June 1999.

ipnsec is a Linux port of the OpenBSD IPsec code. Last updated March 1998.

IPsec for FreeBSD
IPsec for FreeBSD is no longer actively maintained; the web page directs BSD users to the KAME page.

Linux x-kernel
The Linux x-kernel project from the University of Arizona implements IPSEC in the linux kernel. The code is US-Export controlled. This project is defunct.

Free Tools and Solutions

The following is a listing of various HOWTO's and project references for GPL'ed and Open-Source software for Linux and other Unix's.

Masqueraded VPN's
The VPN-Masquerade HOWTO explains how to set up an IPsec or PPTP-based VPN that operates through a Linux masquerading (NAT) firewall. The advantage of running a VPN through a firewall is that one gains all of the traditional advantages of firewalling: an internal net protected from outsiders, IP addresses that do not have to be registered, etc. By keeping the VPN server or client hidden from the public Internet, the VPN machine does not have to be as tightly controlled or secured.

Pro's and Con's:

See also:

PPP over SSH
How to build a VPN using PPP using SSH as a tunnel is described in the VPN HOWTO. PPP, the 'Point-to-Point Protocol', is a way of carrying IP traffic over serial lines; typically modems connected to an Internet provider. But in fact PPP is more powerful and general than that, and it can carry IP traffic over any connection. SSH, the 'Secure Shell', is a secure, encrypted means for logging into a remote computer. In fact, SSH is more general than that, and can encrypt any traffic between two endpoints. Put them together, and voila! a VPN.

Using PPP over SSH is a low-tech, simple, reliable solution, but a bit crufty. On the plus side, its easy to understand and relatively easy to deploy. On the downside, it can have severe lag/performance problems on slow links, and can cause heartache on dead links: this is because the underlying transport protocol is not aware of the traffic above it, and can't effectively manage it. For example, ICMP (ping) packets are not dropped, but are rather stored indefinitely, waiting for the link to come back up. When the link comes back up, your (day old?) ping packets come flooding across it.

Build a Linux VPN (Virtual Private Network) with SKIP, and the Linux implementation of SKIP, ENSKIP. The ENSKIP kernel module and encryption daemon build on top of the Linux firewall/masquerade technology to provide a WAN bridge between LAN segments. EnSKIP patches that allow EnSKIP to build with Linux 2.2.xx kernels. An EnSKIP patch for the 2.0.33 kernel. See also here. SKIP was one of the closely-contested but ultimately rejected proposals for the IPsec standard; it is a strong technology that does provide some reliability and multi-user features that IPsec lacks, and is particularly useful when many simple clients (i.e. home users) are contacting a set of several servers.

X-Bone is a system for automated overlay network (VPN) deployment. The term 'overlay network' is the modern way of saying VPN. Since VPN's require considerable work to construct and deploy, automating this process is of considerable utility. Caution: X-Bone at this point is still a highly technical development.

PoPToP is a PPTP Server for Linux, BSD and Solaris. Allows Linux servers to be added to existing Microsoft PPTP VPN's. GPL'ed.

PPTP Client
A Microsoft PPTP client for Linux. See also the Linux VPN Masquerade page for additional PPTP info.

CIPE - Crypto IP Encapsulation is meant to be a simpler, smaller and faster means of passing IP tunnel traffic between routers. It does not offer the flexibility and features that IPsec of SKIP offer, but may be just the thing for two routers that need to push a lot of heavy traffic through a big, fat, insecure pipe between them.

Commercial Products

Aventail offers their commercial MobileVPN and Aventail PartnerVPN secure, encrypted VPN products for Linux.

SecureEdge, SnapGear
SecureEdge provides reference and custom hardware networking boards, useful as the starting point for designing custom network gear. SnapGear provides similar hardware, this time in nice-looking, consumer-ready boxes.

RedCreek provide a Linux driver for thier PCI bus VPN card. The card implements hardware encryption, but the operating system sees it as an ordinary ethernet network card.


Last updated May 2002 by Linas Vepstas (

Copyright (c) 1996-2002 Linas Vepstas.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included at the URL, the web page titled "GNU Free Documentation License".

The phrase 'Enterprise Linux' is a trademark of Linas Vepstas.
All trademarks on this page are property of their respective owners.
Go Back to the Enterprise Linux Home Page