Linux open-source VPN packages
I needed to install an open-source VPN package for a Linux network, and
had trouble finding a good listing of the options available or any
comparisons between them. I did a little research and am posting the
results here in case it helps anyone else.
I was looking specifically for Linux solutions, but most of the packages below
have been ported to *BSD and other Unix implementations.
(This research was originally done in June 2002, with sporadic updates since
then, most recently in January 2010.)
- tinc
http://www.tinc-vpn.org/
last release Nov 2009, active mailing list
Debian: available in Woody and later, actively maintained
kernel interface: Universal TUN/TAP devices
tunnel transmission protocol: UDP, TCP
encryption algorithm: RSA authentication, then Blowfish
note: one daemon process can handle multiple tunnels
note: versions after v1.0 support Windows 2000/XP
note: also supports FreeBSD, OpenBSD, NetBSD, Solaris, and MacOS/X
note: full IPv6 support (both the carrier connection and the virtual
network can be IPv6)
- openvpn
http://openvpn.sourceforge.net/
http://www.openvpn.net/index.php/open-source.html
last release Dec 2009, active mailing list
Debian: available in Sarge and later, actively maintained
kernel interface: Universal TUN/TAP devices
tunnel transmission protocol: UDP, TCP
encryption algorithm: TLS authentication, then Blowfish
(others available)
note: As of v2.0, one daemon process can handle multiple tunnels
note: As of Nov 2003 (v1.5_beta14) a Windows 2000/XP port is
available
note: also supports FreeBSD, OpenBSD, NetBSD, Solaris, and MacOS/X
note: In v2.0 and 2.1, limited support for IPv6 private networks;
the carrier connections must be IPv4.
note: Some third-party IPv6-related patches are available:
- Openswan
http://www.openswan.org/
last release Mar 2009, active mailing list
Debian: available in Etch and later, actively maintained
implementation of IPSec standard (fork of Free/SWAN)
kernel interface: kernel patch required for Linux 2.4.x; for 2.6.x, uses
kernel native Crypto support
- Strongswan
http://www.strongswan.org/
Debian: available in Etch and later, actively maintained
last release Mar 2009, active mailing list
implementation of IPSec standard (fork of Free/SWAN)
kernel interface: kernel patch required for Linux 2.4.x; for 2.6.x, uses
kernel native Crypto support
- vtun
http://vtun.sourceforge.net/
http://sourceforge.net/projects/vtun/
last release Feb 2008; almost-inactive mailing list
Debian: available in Woody and later, actively maintained
kernel interface: Universal TUN/TAP devices
tunnel transmission protocol: TCP or UDP
encryption algorithm: ??? authentication, then Blowfish
note: each daemon process can handle only one tunnel
note: didn't find documentation of intra-daemon authentication protocol
- secvpn
http://packages.qa.debian.org/s/secvpn.html
Debian: available in Woody and later, actively maintained
last release Aug 2007
based on ssh (need ability to connect as root on the tunnel's server-side
machine)
- CIPE
http://sites.inka.de/sites/bigred/devel/cipe.html
last release Aug 2004, mailing list essentially dead
Debian: available in Sarge and Etch; not available in Lenny or later
kernel interface: custom CIPE kernel module/device
transmission protocol: UDP
encryption algorithm: Blowfish
- Free/SWAN
http://www.freeswan.org/
last release April 2004 [active development has ceased],
mailing list dead
Debian: available in Woody (v1.96); now replaced by OpenSwan
implementation of IPSec standard
kernel interface: kernel patch required
- tunnelv [homepage used to be
http://open.nit.ca/wiki/index.php?page=TunnelVision , now defunct]
appears to be dead (no mailing list discussion, last release Feb 1999)
Debian: available in Potato, Woody, and Sarge; not available in Etch or later
kernel interface: ethertap (which is obsolete as of Linux 2.4.x)
and netlink
transmission protocol: TCP
encryption algorithm: RSA authentication, then Blowfish
- vpnd
http://sunsite.dk/vpnd/
http://vpnd.dotsrc.org/
last release Dec 2007
Debian: available in Woody; not available in Sarge or later
kernel interface: slip
transmission protocol: TCP
encryption algorithm: VPND-specific authentication, then Blowfish
note: each daemon process can handle only one tunnel