[pptp-server] a future poptop?

James B. MacLean macleajb at Trademart-1.EDnet.NS.CA
Tue Aug 17 07:50:55 CDT 1999


On Tue, 17 Aug 1999, Matthew Ramsay wrote:
> I've been thinking about this again recently and was wondering if anyone else
> would be interested in this kind of development. I seem to recall a "vpnd" for
> linux that may do just this.. I'm not sure?

I have been investigating a _dream_. 200,000 users connect via pptp to
separate but local hosts which _always_ give them the same IP (auditing)
and no matter where they are in the province, set up a rule-based access
list (firewall, routing) that gives them access to the resources they are
needing to use. 160,000 students that only want Internet, and 40,000 that
need specific, protected information. So no matter where ya go, you are
known by your IP :).

Local sites connect back to the central site secure and encrypted. Users'
traffic is secure and encrypted by whatever pptp offers when they connect
to their local Linux box. Userids and rulesets exist in either LDAP or an
ODBC database (MySQL?).

Low-bandwidth sites can (and do) use the QoS capabilities of Linux to give
telnet the upper hand on priority, etc...

To connect the routing-boxes around the province you currently have some
options :

. IPSec - Not ready for Linux 2.2.x kernels, which I depend on for QoS.
	- Open Standard and scales well.
	- Takes over existing IP, so no tunnelling of private network.

. CIPE	- Have not used it yet...

. VPND	- Can use Linux ethertap device, or ppp, or just about anything.
	- Does _not_ allow multiple connects to one device (as I have
	  tested it) so with a limit of 15 ethertap devices, I could only
	  connect 15 sites :(.

. VTUN  - Not as malleable as above, but works well.

. TAPTunnel - Very simple design to connect 2 points. Allows _all_ traffic
	  not just IP. Bug in the encryption makes link run slow :(.

. TINCD	- Uses ethertap.
	- Allows _multiple_ clients (sites) to connect back
	  to same local ethertap, creating virtual ethernet.
	- Only does IP.
	- Only routes traffic destined to ethertap devices :(.
	- Not stable enough for me :(.
	- Great system to keep links up and restart them when they go
	  down.

. PPTPD - Uses pppd (so scaling up to approx. 400 sites sounds like I
	  need a bit of horsepower at the home site).
	- Currently my 2.2.11 boxes are having stalling problems with
	  ppp, both over LAN's and just modem links.
	- Not sure about its restart/linkup/linkdown capabilities

So... personally :), I've been leaning towards getting tincd stable for
connecting disparate Linux boxes, and users connect to these boxes using
pptpd. But if pptpd can be the cat's meow :), I'm listening.

There may also be others, but this was from searching www.freshmeat.net
:).

> I was wondering if there would be a point to grabbing the existing PPTP
> client and adding in say blowfish encryption (?) and maybe some authentication
> stuff and then adding support in PoPToP (obviously in such a way as not to
> break the windows client support -- still thinking about that)..
> am I wasting my time?

It would not be a waste of time to me if the solution scaled well, and was
dependable for keeping the links live, even when the connecting medium
goes up and down :(.

> Another idea I was looking into developing (again for our NETtel boards.. and
> hopefully finding use in the linux community) was a VPN directory service:

I see others' responses with the Dynamic-DNS which seems open and popular.
The ICQ idea is also interesting as there is already an ICQ server clone
or 2 :). The E-mail idea is OK, but personally would not be as slick as
something that would be transparent to the user... SpeakEasy has their
server too for finding where people are...

> Cheers,
> Matt.

Just my 2 cents worth.

cheers,
JES
--
James B. MacLean        macleajb at ednet.ns.ca
Department of Education http://www.ednet.ns.ca/~macleajb
Nova Scotia, Canada
B3M 4B2
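The "known by your IP" design in the post above (every user always gets the same address from pppd, and a rule-based access list keyed on that address decides whether they get only Internet or also the protected resources) can be driven from a single user table. The script below is an added example and is not code from the original post or from the PoPToP project. It assumes a colon-separated user table of the form user:password:ip:role (the role names "internet" and "protected", the pppd server name "pptpd", the sample users and addresses, and the protected network 10.200.0.0/16 are all made up here), and it emits the pppd chap-secrets lines that pin each user to one IP plus the ipchains forward rules for a Linux 2.2 box, assuming the forward chain's default policy has been set to DENY by the caller.

```shell
#!/bin/sh
# Added example: generate pppd chap-secrets and ipchains (Linux 2.2) rules
# from one user table, so a user gets the same IP on every local pptpd box
# and the access list keys on that IP.  Not from the original post.

# Constructed sample table (user:password:ip:role); in the post's design
# this would be pulled from LDAP or MySQL and shipped to every local box.
USERS='alice:s3cret:10.10.0.2:internet
bob:hunter2:10.10.0.3:protected
carol:pass:10.10.0.4:internet'

# Assumed address of the protected information network (not in the post).
PROTECTED_NET=10.200.0.0/16

# pppd's chap-secrets format is: client  server  secret  IP-address.
# With an IP in the fourth column pppd hands that address to the client
# after CHAP succeeds, so the same file on every local box gives the same
# IP province-wide.  "pptpd" is the assumed server name in the pppd options.
gen_chap_secrets() {
    printf '%s\n' "$USERS" | while IFS=: read -r user pass ip role; do
        printf '%s\tpptpd\t"%s"\t%s\n' "$user" "$pass" "$ip"
    done
}

# ipchains matches first rule that fits, so for an "internet" user the
# DENY to the protected network must precede the general ACCEPT.
# Anything not matched falls through to the chain's default policy,
# which the caller is assumed to have set to DENY (ipchains -P forward DENY).
gen_ipchains_rules() {
    printf '%s\n' "$USERS" | while IFS=: read -r user pass ip role; do
        case "$role" in
          protected)
            echo "ipchains -A forward -s $ip/32 -j ACCEPT"
            ;;
          internet)
            echo "ipchains -A forward -s $ip/32 -d $PROTECTED_NET -j DENY"
            echo "ipchains -A forward -s $ip/32 -j ACCEPT"
            ;;
        esac
    done
}

# Auditing side of the same table: map a source IP seen in a log back to
# the user it was assigned to.  Prints nothing for an unknown address.
lookup_user_by_ip() {
    printf '%s\n' "$USERS" | while IFS=: read -r user pass ip role; do
        if [ "$ip" = "$1" ]; then
            echo "$user"
        fi
    done
}

echo "# /etc/ppp/chap-secrets"
gen_chap_secrets
echo "# forward chain"
gen_ipchains_rules
```

The rule set is only as trustworthy as the authentication that handed out the address: the firewall never sees the user name, only the IP pppd assigned after CHAP, so the chap-secrets file (with its cleartext secrets) has to be protected on every local box and kept identical across them, or two boxes could give one user different addresses and the audit trail breaks.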