VPN Proposal

Darren Critchley darrenc at telus.net
Thu Oct 21 12:55:38 CDT 2004


Ok, after being sent in the correct direction by Matt, I have now read 
the appropriate sections of the Ubuntu website: Code of Conduct, 
Participate, teams, etc. I have created the appropriate wiki homepage 
and I think I am on the right track :)

So on to VPNs
I mentioned this about a week or so ago that having worked with the 
Ipcop project, I have lots of experience with Ipsec VPNs using the 
Freeswan/Openswan codebase. However, seeing as Ubuntu likes to be on the 
stable leading edge of things, I think the built-in 2.6 kernel Ipsec would 
probably be more appropriate.

I propose the following:

     - An ipsec based vpn configuration utility written in Python
     - I plan on rewriting or porting this utility over to Python and 
packaging it or integrating it into the utility http://tinyca.sm-zone.net/
        (this is a GUI for OpenSSL that allows you to create 
certificates and authorities, etc. It is currently in GTK Perl)
     - I want the utility to support full x509 certificate abilities as 
that is the most secure method of doing a vpn, as well as Pre-shared keys.
     - It will initially support Ipsec VPN, but later add OpenVPN 
capabilities as it has been asked for by the user list. This I believe 
will allow us to address L2TP vpns - not that I am fond of them, but 
people have asked.
     - Since Ubuntu is a Desktop distribution, I will be treating the VPN 
scenario as a client to a corporate LAN, in other words the Ubuntu 
desktop would be a RoadWarrior. I currently do not see the need for a 
desktop based distro to do gateway to gateway connection (unless people 
can convince me otherwise - comments please)
     - I would also like some sort of icon or indicator in the toolbar 
to show that a VPN is up and running, I will need some direction on this 
as I don't have the foggiest idea how to do this on a linux box (I am 
referring to the desktop integration part of things).

    I will try to work with the built in ipsec of the 2.6 kernel, 
however I do have some reservations about this:
        Maturity of code - how stable is it, how reliable, how secure, 
how does it stack up standards-wise? I know some of the code did come 
from the Freeswan project, but even the Freeswan project held back on 
many common items, which had to be patched in.
    If the 2.6 kernel ipsec does not stack up well, then I will use the 
Openswan project as it is known to be very standard compliant and works 
well with most Commercial products on the market - with the exception of 
DES based products (and DES isn't secure anyways so it isn't much of an 
issue)

I think that about covers the proposal. I hope everyone understands it. 
And I welcome discussion and direction on it.

At this point, having read all the relevant information, I have no idea 
which team this would fall under - perhaps security, perhaps desktop, 
perhaps someone can set me straight. Also when I finally produce some 
code, how do I get it to the appropriate person? Also this is something 
that I will be doing in my spare time, so it will probably take weeks to 
produce something useful.

Thanks for your time
Darren





More information about the ubuntu-devel mailing list