[pptp-server] a future poptop?

Paul Boyer paul.boyer at paulboyer.org
Tue Aug 17 04:42:15 CDT 1999


Matthew Ramsay wrote:
> 
[...]
> I've been thinking about this again recently and was wondering if anyone else
> would be interested in this kind of development. I seem to recall a "vpnd" for
> linux that may do just this.. I'm not sure?

VPNd is an option, Free S/WAN is probably a more long lasting one since
IPSEC will undoubtedly get more and more used as a VPN standard. Also,
IPSEC will be part of IPv6.
Doing IPSEC allows compatibility with other (commercial or not) IPSEC
implementations.
As an example, you can set up a VPN tunnel between a Free S/WAN linux
box and a Cisco VPN router.

I am myself planning to work on the integration of PoPToP and Free S/WAN
in order to get a running VPN host that can allow some PPTP host to
network connection (the remote laptop user you are talking about) and
serious IPSEC tunnels for network to network tunnels, or secure-hosts to
network links.

> 
> I was wondering if there would be a point to grabbing the existing PPTP
> client and adding in say blowfish encryption (?) and maybe some authentication
> stuff and then adding support in PoPToP (obviously in such a way as not to
> break the windows client support -- still thinking about that)..
> 
> am I wasting my time?

I have the feeling PoPToP is a very great help for using the de facto MS
standard, PPTP, but _the_ standard will most probably be IPSEC. Since, I
would choose to work towards ipsec for the future, while providing
compatibility with pptp.

> 
> My ultimate goal would be to put this on our NETtel boards to do NETtel to
> NETtel blowfish VPNs and not have any extra costs for RC4 code.

vpnd allows you to do it. IPSEC, with Free S/WAN, allows you to think
about Moreton Bay's Nettel talking to <any other brand>'s <any similar
product> or even to <any IP stack> using blowfish, or other encryption.

> 
> Another idea I was looking into developing (again for our NETtel boards.. and
> hopefully finding use in the linux community) was a VPN directory service:
> 
> Say you have a small office that connects to the Net each morning at 8am and
> disconnects at 5pm.. You get your ip address via dhcp from the isp.. and hence
> every morning your ip changes.. now say you have a salesman on the road who
> wants to VPN (with poptop of course :-).. instead of having to ring up the
> office to find the IP address a VPN directory service online tells him what
> it is and connects him transparently.

This is implemented with dynamic-DNS. Some free DNS servers offer you
the ability to get a DNS resolution changing every time you change your
IP. Simply set your new IP on the DNS server, use a short time to live
for the SOA, and voila.

Alternatively, you can set it up yourself using any dns software, but
you need one box with static IP for the dns.

> 
> that's another thing i'll be looking into hacking together.. unless someone has
> a better solution?

Better or worse, your mileage may vary. Another option is to implement
a kind of server (on a static IP machine, hard to get rid of that one
;-) ) that gives the information to the remote users. DNS is a standard,
but you can think of ICQ as a similar thing: a server where everyone
registers when they connect, so anyone "knows" where to "find" each
other. You then rule your own protocol, which can be better, or worse
than any other.
If you also have other information to pass to the user (such as what is
the public key of the VPN server, etc.) you will love to read about
DNSSEC which is a similar idea.

> 
> Anyways.. I guess this email is more for letting everyone know my thoughts and
> directions on future PoPToP and related developments.
> 
> Cheers,
> Matt.

Hope this helps.

Paul
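
The dynamic-DNS suggestion in the reply above, as an added example that is not part of the original message: it builds the RFC 2136 UPDATE message an office gateway could send to replace its A record with a short-TTL one after its DHCP address changes. The zone, host name, address and 60-second TTL are constructed sample values, and the message is unsigned; authenticating updates (for example with TSIG) is assumed to be handled separately and is not shown.

```python
import ipaddress
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_update(zone, host, new_ip, ttl=60, msg_id=0x1234):
    """Build an RFC 2136 UPDATE that replaces host's A RRset with new_ip."""
    z, h = zone.rstrip(".").lower(), host.rstrip(".").lower()
    if h != z and not h.endswith("." + z):
        raise ValueError("host is not inside the zone")
    flags = 5 << 11                       # opcode 5 = UPDATE, QR = 0
    # Counts: 1 zone, 0 prerequisites, 2 updates, 0 additional records.
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 2, 0)
    zone_section = encode_name(z) + struct.pack("!HH", 6, 1)   # SOA, IN
    owner = encode_name(h)
    # Delete the old A RRset: class ANY (255), TTL 0, empty RDATA.
    delete_old = owner + struct.pack("!HHIH", 1, 255, 0, 0)
    # Add the new A record with a short TTL so caches expire quickly.
    rdata = ipaddress.IPv4Address(new_ip).packed
    add_new = owner + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + delete_old + add_new

def parse_header(msg):
    """Decode the 12-byte header so the result can be inspected."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}

if __name__ == "__main__":
    # Constructed sample values: documentation zone and address range.
    packet = build_update("example.net", "office.example.net", "192.0.2.17")
    print(parse_header(packet))
    print(packet.hex())
```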



