Virtual Private Network (VPN)

Host to LAN VPN

The increasing mobility of an organization's users, together with their need to access the LAN as if they were physically connected even when far from their offices, has led to the development of host-to-LAN VPNs. This type of connection uses an encrypted tunnel which, via the Internet, connects the external client to a VPN server inside the LAN. A point-to-point connection is started within this tunnel, with the two ends assigned IP addresses belonging to the organization. As a result, the remote client appears to be inside the firewall and can communicate with the LAN hosts without the risk of being filtered.

To implement this type of VPN, Zeroshell uses the L2TP/IPsec protocol. Authentication is via RADIUS in MS-CHAP2 with the same username and password used to authenticate for the Kerberos 5 services. This type of VPN was selected because L2TP/IPsec clients exist for every platform and most Microsoft systems already include integrated support.


The presence of branch offices within an organization, combined with the high cost of dedicated communication lines, has led to the need to use the Internet as a medium for data exchange. However, since the public network is open and insecure, it does not guarantee confidentiality for the data travelling on it. A generalization of the VPN model seen in the previous paragraph is therefore used.

A LAN-to-LAN (or site-to-site) VPN is an encrypted tunnel which connects two geographically separated LANs via the Internet. In other words, a VPN can be thought of as a virtual cable linking two LANs: no matter how many routers must be crossed over the Internet, the two LANs will appear to be separated by a single network segment.

VPN tunnels can be classified based on whether they contain encapsulated Layer 2 (Data Link) packets or Layer 3 (Network) packets. In the first case the two LANs are generally bridged and thus any Layer 3 protocol (IP, IPX, AppleTalk) can pass through them. Naturally, Layer 2 broadcast traffic also propagates between the two LANs.
In the second type of VPN, by contrast, only a single Layer 3 protocol (generally IP) can transit, and the traffic is routed via static routes. It follows that the two LANs must belong to separate subnets.

Different standard protocols exist for constructing VPNs. The best known for IP VPNs is IPsec, where for each packet the header is authenticated by the AH protocol and the payload is encrypted by the ESP protocol. However, encrypting the payload, which also contains the source and destination port numbers of the TCP/UDP transport layer, creates problems for intermediate routers performing NAT. These routers also generate checksum errors for the AH authentication protocol by changing the packet's source IP address. The solution, known as NAT Traversal (NAT-T), is generally to encapsulate IPsec in UDP datagrams on port 4500. Another problem with IPsec is that, in order to authenticate and encrypt the packets, a key exchange service called IKE (Internet Key Exchange) is required. This service, which replies on UDP port 500, generally supports authentication with preshared keys or with X.509 certificates.
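The NAT problem described above can be reproduced offline. The following is an added example, not Zeroshell or IPsec stack code: it is a simplified model (no real AH header fields or encryption) in which an AH-style integrity value covers the IP header while an ESP-in-UDP one covers only the ESP packet. The key, SPI, addresses and function names are constructed for the illustration.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed; stands in for a key negotiated by IKE
ICV_LEN = 16                    # HMAC-SHA-256 truncated to 128 bits

def csum(b):
    s = sum(struct.unpack("!%dH" % (len(b) // 2), b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ip_header(src, dst, proto, body_len):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, 64, proto, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", csum(h)) + h[12:]

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_input(pkt):
    # AH covers the IP header (mutable TOS, flags/offset, TTL, checksum zeroed) plus payload.
    h = bytearray(pkt[:20])
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h) + pkt[20 + ICV_LEN:]

def build_ah(src, dst, payload):
    pkt = ip_header(src, dst, 51, ICV_LEN + len(payload)) + bytes(ICV_LEN) + payload
    return pkt[:20] + mac(ah_input(pkt)) + pkt[20 + ICV_LEN:]

def verify_ah(pkt):
    return hmac.compare_digest(pkt[20:20 + ICV_LEN], mac(ah_input(pkt)))

def build_esp_udp(src, dst, ciphertext):
    esp = struct.pack("!II", 0x1001, 1) + ciphertext          # SPI, sequence, opaque payload
    esp += mac(esp)                                           # ICV covers the ESP packet only
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0)   # NAT-T: UDP 4500, checksum 0
    return ip_header(src, dst, 17, len(udp) + len(esp)) + udp + esp

def verify_esp_udp(pkt):
    esp = pkt[28:]                                            # skip outer IP and UDP headers
    return hmac.compare_digest(esp[-ICV_LEN:], mac(esp[:-ICV_LEN]))

def nat(pkt, new_src, new_sport=None):
    # Source NAT: rewrite the source address (and UDP source port), then fix the IP checksum.
    h = pkt[:10] + b"\0\0" + socket.inet_aton(new_src) + pkt[16:20]
    out = h[:10] + struct.pack("!H", csum(h)) + h[12:] + pkt[20:]
    if new_sport is not None:
        out = out[:20] + struct.pack("!H", new_sport) + out[22:]
    return out
```

Passing a packet from `build_ah` through `nat` makes `verify_ah` fail even though the IP checksum is valid again, while a packet from `build_esp_udp` still verifies after both its source address and source port are rewritten.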

Zeroshell prefers to encapsulate Ethernet frames in TLS tunnels authenticated via X.509 certificates on both endpoints as its solution for site-to-site VPNs. This non-standardized solution requires a Zeroshell box in both LANs, or another system using the OpenVPN open source software. This solution has been chosen because it has the following advantages:

  • By creating an Ethernet (Layer 2) connection between the two LANs, bridging of the networks becomes possible in addition to routing, guaranteeing the passage of any Layer 3 protocol (IP, IPX, AppleTalk);
  • The 802.1Q VLAN protocol is supported. This means that if a network is divided into Virtual LANs, these can also be transported to the peer network with a single VPN tunnel;
  • Bonding of two or more VPNs is supported in load balancing or fault tolerance configuration. This means, for example, that if there are two or more ADSL connections, a VPN can be created for each connection and they can be combined, increasing the bandwidth or reliability;
  • Thanks to the LZO real-time compression algorithm, data is compressed in an adaptive manner. In other words, compression only occurs when the data on the VPN really can be compressed;
  • The use of TLS tunnels on TCP or UDP ports makes it possible to traverse routers where NAT is enabled without problems.