Linux open-source VPN packages
I needed to install an open-source VPN package for a Linux network, and
had trouble finding a good listing of the options available or any
comparisons between them. I did a little research and am posting the
results here in case it helps anyone else.
I was looking specifically for Linux solutions, but most of the packages below
have been ported to *BSD and other Unix implementations.
(This research was originally done in June 2002, with sporadic updates since
then.)
- tinc
http://www.tinc-vpn.org/
last release May 2005, active mailing list
Debian: available in Woody (v1.0pre7); latest version available in
Sarge
kernel interface: Universal TUN/TAP devices
tunnel transmission protocol: UDP, TCP
encryption algorithm: RSA authentication, then Blowfish
note: one daemon process can handle multiple tunnels
note: versions after v1.0 support Windows 2000/XP as well
as various Unixes.
- openvpn
http://openvpn.sourceforge.net/
last release Aug 2005, active mailing list
Debian: available in Sarge/Sid
kernel interface: Universal TUN/TAP devices
tunnel transmission protocol: UDP, TCP
encryption algorithm: TLS authentication, then Blowfish
(others available)
note: each daemon process can handle only one tunnel
note: As of Nov 2003 (v1.5_beta14) a Windows 2000/XP port is
available
- vtun
http://vtun.sourceforge.net/
last release Apr 2003, active mailing list
Debian: available in Woody
kernel interface: Universal TUN/TAP devices
tunnel transmission protocol: TCP or UDP
encryption algorithm: ??? authentication, then Blowfish
note: each daemon process can handle only one tunnel
note: didn't find documentation of intra-daemon authentication protocol
- CIPE
http://sites.inka.de/sites/bigred/devel/cipe.html
last release Feb 2001, active mailing list
Debian: recent version available in Sarge/Sid
kernel interface: custom CIPE kernel module/device
transmission protocol: UDP
encryption algorithm: Blowfish
- FreeS/WAN
http://www.freeswan.org/
last release April 2004 [active development has ceased],
active mailing list
Debian: available in Woody (v1.96); recent version available in Sarge/Sid
implementation of IPSec standard
kernel interface: kernel patch required
- Openswan
http://www.openswan.org/
last release Sept 2005, active mailing list
Debian: available in Sarge/Sid
implementation of IPSec standard (fork of FreeS/WAN)
kernel interface: kernel patch required for Linux 2.4.x; for 2.6.x, uses
kernel native Crypto support
- Strongswan
http://www.strongswan.org/
Debian: not available
last release Sept 2005, active mailing list
implementation of IPSec standard (fork of FreeS/WAN)
kernel interface: kernel patch required for Linux 2.4.x; for 2.6.x, uses
kernel native Crypto support
- tunnelv
http://open.nit.ca/wiki/index.php?page=TunnelVision
appears to be dead (no mailing list discussion, last release Feb 1999)
Debian: available in Potato, Woody, and Sarge/Sid
kernel interface: ethertap (which is obsolete as of Linux 2.4.x)
and netlink
transmission protocol: TCP
encryption algorithm: RSA authentication, then Blowfish
- vpnd
http://sunsite.dk/vpnd/
last release Nov 1999
Debian: available in Woody (removed from Sarge/Sid)
kernel interface: slip
transmission protocol: TCP
encryption algorithm: VPND-specific authentication, then Blowfish
note: each daemon process can handle only one tunnel
- secvpn (can't find any web site)
Debian: available in Woody and Sarge/Sid
seems to be unchanged since Jan 2001
based on ssh (need ability to connect as root to tunnel server side machine)