Readers Ask About ... VPNs

Posted by JD 08/21/2011 at 06:00

Below is the 6th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)

Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization |
Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email |
Part 5 – Reverse Proxies

duijf asks:

Q6: It seems desirable to be able to VPN in to my network at any time. If I decide to set up said service, does any device in my internal network need to connect before it is discoverable?

Sorry, but I don’t understand the question entirely. Discoverable? That confuses me. This isn’t a game console. Your VPN client and server will need to know about each other explicitly. Not to worry, that isn’t very difficult to set up. There are just a few details.

What Is Needed For a VPN

For a VPN running on a system inside any network to be available from outside that network, a few things are required.

  1. The VPN server must be up and listening on a previously known port.
  2. The firewall on the server OS must allow inbound connections on that previously known port.
  3. The network router/firewall must allow connections in on the previously known port from the public internet, AND
  4. the network router must forward those inbound connections (a port forward) to the internal VPN server IP on the known port.
  5. The VPN must be configured properly with PKI keys so that a properly configured client will pass the challenge/response authentication.
  6. The public IP for the VPN server/router will need to be known, either a static IP or a hostname kept current by a dynamic DNS service like DynDNS.org.
  7. The internal IP address of the VPN server must be known to the router, or the port forward has nowhere to go. Just use static IPs on your internal network.

Simple? Maybe not with the way I wrote it, but it isn’t any different than a web server listening on port 80 and the setup required for that to work. OK, it is a little different, because you are potentially opening your entire network to anyone from the outside, so being cautious and concerned about security for a VPN server is smart. Paranoia is a good thing for this.
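As an added example (not code from the post), here is a small shell lint that turns the first five items of that checklist into something you can run against an OpenVPN-style server.conf and iptables-save dumps from the server host and the router. Items 6 and 7 (a known public IP and a static internal IP) are the operator’s job, so the internal IP is simply passed in. Every input below is constructed; the paths, addresses and interface names are hypothetical. The config also carries the two push lines that send the client’s browsing and DNS lookups through home rather than through whatever network the laptop is sitting on, which is the point of having your own VPN.

```shell
#!/bin/sh
# Added example: lint the VPN checklist against constructed inputs.
# Assumes an OpenVPN-style server.conf and iptables-save output; all values are hypothetical.

# Constructed OpenVPN server config. tls-auth adds an HMAC check that drops packets
# not signed with the shared key; the push lines route the client's traffic and DNS
# through home instead of the hotspot.
SAMPLE_CONF='port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"'

# Constructed iptables-save output from the VPN server host (item 2)
SAMPLE_HOST_RULES='*filter
-A INPUT -p udp --dport 1194 -j ACCEPT
COMMIT'

# Constructed iptables-save output from the router (items 3 and 4)
SAMPLE_ROUTER_RULES='*nat
-A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to-destination 192.168.1.10:1194
COMMIT
*filter
-A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -p udp --dport 1194 -j ACCEPT
COMMIT'

# conf_value CONF DIRECTIVE: print the first argument of DIRECTIVE, empty if absent
conf_value() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# check_conf CONF: items 1 and 5, a known port/protocol and the PKI material,
# plus a tls-auth or tls-crypt key so unauthenticated packets never reach the TLS stack
check_conf() {
    for d in port proto ca cert key dh; do
        [ -n "$(conf_value "$1" "$d")" ] || { echo "server.conf missing: $d"; return 1; }
    done
    if [ -z "$(conf_value "$1" tls-auth)" ] && [ -z "$(conf_value "$1" tls-crypt)" ]; then
        echo "server.conf missing: tls-auth or tls-crypt"; return 1
    fi
    return 0
}

# check_accept RULES PROTO PORT: an INPUT rule accepting PROTO/PORT (items 2 and 3)
check_accept() {
    printf '%s\n' "$1" | grep -q -- "-A INPUT .*-p $2 .*--dport $3 .*-j ACCEPT" \
        || { echo "no inbound ACCEPT for $2/$3"; return 1; }
}

# check_forward RULES PROTO PORT IP: a DNAT rule sending PROTO/PORT to IP:PORT (item 4)
check_forward() {
    printf '%s\n' "$1" | grep -q -- "-A PREROUTING .*-p $2 .*--dport $3 .*-j DNAT --to-destination $4:$3" \
        || { echo "no port forward to $4:$3"; return 1; }
}

# run_checklist CONF HOST_RULES ROUTER_RULES INTERNAL_IP: returns 0 only if every check passes
run_checklist() {
    proto=$(conf_value "$1" proto); port=$(conf_value "$1" port)
    check_conf "$1" \
        && check_accept "$2" "$proto" "$port" \
        && check_accept "$3" "$proto" "$port" \
        && check_forward "$3" "$proto" "$port" "$4"
}

run_checklist "$SAMPLE_CONF" "$SAMPLE_HOST_RULES" "$SAMPLE_ROUTER_RULES" 192.168.1.10 \
    && echo "all checks passed for udp/1194 -> 192.168.1.10"
```

On a real box you would feed `run_checklist` the contents of your server.conf and of `iptables-save` from the host and the router; a failed check names the missing piece, which is usually faster than staring at a client that just says it timed out.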

I have good news – a website that I respect posted a How To VPN Guide this week, so you won’t be bored with my writing. He even covered how to set up Linux AND Windows clients.

As always, the man pages for OpenVPN are very extensive and are known for being extremely complete.
GRC also has multiple pages on setting up OpenVPN.
A few years ago, I needed a simple-to-use VPN for marketing people and deployed Adito. I would not use that today. Note that the article was written in 2009; things have changed since then.

Running a VPN inside a virtual machine is great! After you get it running, provided there aren’t any huge design flaws in the VPN deployment, it is pretty much set it and forget it. Just be certain to patch it weekly. Ah, patching under Linux is so very nice.

Enterprise VPNs

Deploying an enterprise VPN is not this simple. You’d want the VPN server to be on a separate network zone from most of your other systems and definitely not on the same LAN as your internal servers or desktops. For home and extremely small businesses, this extra network security isn’t usually possible due to budget constraints.

Why You Want A VPN At Home

There’s the obvious reason – so you can connect to your home machines securely while you are away. Then there are the not-so-obvious reasons, like whenever you are in public using WiFi and don’t want to risk having your sessions hijacked by any of the people around you, or can’t trust the network provider.

Public WiFi or Hotspots

These are very dangerous from a network security standpoint. If the WiFi is open, anyone nearby can see and record all your traffic. Even if the traffic is encrypted via standard SSL, you may not be able to trust it, since the network settings, like DNS, may be completely compromised. It doesn’t take much to set up a DNS server and redirect any SSL connection to a spoofed, on-the-fly-generated website that appears to be the real one with a valid SSL certificate.

Coffee Shop Networking

Should you really trust any coffee shop network? These people aren’t in the IT business. Exactly how well do you think they protect the network? Do you believe they would even notice an attack on their network? I don’t.

Use Your Own VPN

When you don’t trust other networks, and I don’t think you should, you can VPN back to your home and surf from there. It is also handy when you travel overseas and want to watch Hulu or BBC or use other local-only services. Because OpenVPN uses private keys only known between the client and server, you don’t have to worry about broken DNS and SSL certificates. That means foreign governments can’t see your traffic. Of course, you must trust your home ISP, but given the choice of trusting them or the Syrian or Chinese or Egyptian or Turkish governments, I’m happy with my ISP. I have no belief they won’t turn over all of my network traffic to my country’s government. They will. I know they can’t see the data inside the VPN tunnels. That doesn’t mean the relayed traffic from my home to an outside server isn’t all seen. If that’s a concern, TOR is the best answer.

Key Things to Understand

VPNs are not security by themselves. The traffic between the VPN client and the VPN server is secure, but any traffic on either side of those systems is just as open as always. If you are in China and your home is in the USA running a VPN server, your traffic from China to that home machine is secure. If you hop from your home to any web pages outside your internal network, all that traffic is just like you were sitting at home and surfing. It is not encrypted any more than any traffic would be sitting at home.

For most of us, that is more than enough security, but if your home is in a country with a known anti-freedom regime, perhaps you’d like to have a VPN in a different country? Even if you can’t get a true VPN working, at least use ssh tunnels or TOR for your web traffic.

Now What?

Now that you’ve set up a VPN – that’s great and all – but don’t you want to remotely run applications? Here’s how to run remote applications. Sometimes I explain why you want something. In that one, I show the details for Linux and Windows, and which remote clients work most efficiently.

It is a scary world out there.