Monday, October 5, 2009

Using OpenVPN to access SL from behind a firewall


Warning: Geeky content :-)

The corporation where I work has some rather strict security standards. All the serious systems are connected to an internal network, almost fully decoupled from the Internet. No work stations or servers have direct connections outside. To access the net, we have a totally separate LAN with separate workstations.

And even that network is firewalled, blocking all UDP and high port connections, sigh. I can't even read my email because they block the POP port.

So: How then to access SL? By company regulations, we do allow hired consultants to connect to their corporate network using VPN. So I thought, why can't I do the same thing? I'm allowed, so it's just a matter of setting it up.

So I tried to install OpenVPN on an old Linux server at home. Running Ubuntu 9.04 it's extremely stable, and with just 384K RAM it runs Apache2, MySQL, Logitech SqueezeCenter and now OpenVPN with no breathing problems. OpenVPN is directly supported in Ubuntu, so it can be installed from the standard package manager. The HOWTO is rather elaborate, but even so you should have some experience with Linux and networking before you start on such a project.

I connected the client through port 443 using the TCP protocol. This is the shttp port, and few firewalls will block TCP communication on this port.

I have set up OpenVPN in so-called Bridged Mode, and am using a directive called

push "redirect-gateway def1"

This makes the Windows client route all internet traffic to my VPN host. In the OpenVPN documentation this is not recommended, as they say it will slow down browsing. But actually I have found that almost all kinds of access are FASTER when sent through the VPN. My theory is that OpenVPN circumvents Microsoft's IP stack, replacing it with the IP stack in Linux on my VPN server. It was very noticeable when I ran the VPN over the cellular modem. Also, I guess that through a small-bandwidth line, it's faster to have one connection open and speeding all the time instead of continuously opening and closing connections to the servers. Linux on a fast net connection is much more efficient at handling that.
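To make the setup concrete, here is an added example (not configuration from the original post) that generates a server config and a matching client profile with the three choices described above: TCP on port 443, bridged mode (a tap device attached to the home LAN), and "redirect-gateway def1" pushed to the client. The certificate and key file names follow the layout used in the OpenVPN HOWTO's PKI section; the 192.168.1.0/24 addresses, the client address pool and the hostname vpn.example.net are assumptions for illustration. The check functions at the end simply confirm that a generated config contains the directives this setup depends on.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenVPN project.
# Generates an OpenVPN server config and client profile for a bridged
# TCP/443 setup that pushes all client traffic through the VPN host.

# Server-side config. Arguments:
#   $1 bridge IP on the home LAN, $2 netmask,
#   $3-$4 address pool handed to VPN clients (inside the LAN, outside the
#   router's DHCP range). All addresses are assumptions for illustration.
openvpn_server_conf() {
  cat <<EOF
port 443
proto tcp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server-bridge $1 $2 $3 $4
push "redirect-gateway def1"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# Client-side profile. $1 = public hostname of the VPN host (assumed name).
openvpn_client_conf() {
  cat <<EOF
client
dev tap
proto tcp
remote $1 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
verb 3
EOF
}

# Returns 0 if the text in $1 contains every directive the server setup needs.
check_server_conf() {
  for needle in 'port 443' 'proto tcp' 'dev tap' 'server-bridge' 'redirect-gateway def1'; do
    printf '%s\n' "$1" | grep -q -- "$needle" || return 1
  done
  return 0
}

# Returns 0 if the text in $1 contains every directive the client profile needs.
check_client_conf() {
  for needle in 'proto tcp' 'dev tap' ' 443' 'remote-cert-tls server'; do
    printf '%s\n' "$1" | grep -q -- "$needle" || return 1
  done
  return 0
}

# Write both files into the directory given as $1, e.g. /etc/openvpn.
write_configs() {
  openvpn_server_conf 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220 > "$1/server.conf"
  openvpn_client_conf vpn.example.net > "$1/client.ovpn"
}
```

In bridged mode tap0 must be attached to a bridge together with the LAN interface before OpenVPN starts (the bridge-start script in the OpenVPN HOWTO does this with brctl), and ta.key is the shared HMAC key created with openvpn --genkey --secret ta.key, which lets the server drop packets from anyone who does not hold it before any TLS handshake is attempted.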

So now Hagrid (my big laptop) is for all practical purposes connected to my home network, which has a 25/15 mb fibre optic connection to the net with no ports blocked. Performance is great: with graphics set on High I can walk around my favourite skin and hair shop Adam n Eve with 20+ fps, ping time < 300 ms and bandwidth rates bursting up above 1gb.

To stress test the connection I started streaming FLAC music files while I was running around in SL. I had a download rate to the PC of about a mb/sec, SL was doing fine, music was fine and uninterrupted, and still the OpenVPN process used less than 2% of the really old CPU in my server. So even topping with SqueezeCenter and its associated MySQL database the server ran 94% idle... I wonder how a Windows server would have performed on the same hardware? Hmm, I guess it would still be downloading all the security fixes :-)

So, if you are bothered with firewalls at the office or in hotels while travelling, and are not afraid to get your hands a little dirty by digging into the interior of a Linux installation, this is a highly recommended setup. And all the software is free and open, so no hassle or expenses there either. I guess it could work equally well running on a VPS server; if you just have enough bandwidth, the CPU load is almost negligible.
