Gentoo Wiki


A VPN (Virtual Private Network) lets you create a secure link between two private networks over an insecure public network such as the Internet.


Protocol 50

Networking is organised in layers, usually described with the OSI model (see Wikipedia for details). IP is one of these layers, and can encapsulate data from the layer above. The IP header contains a field identifying the type of data carried within the IP packet. This is just a number, such as 6 for TCP or 17 for UDP. Protocol 50 is one of these numbers: it denotes Encapsulating Security Payload (ESP), and is commonly used with VPN applications.

Protocol 50 differs from TCP port 50 in that TCP port 50 is specific to the TCP protocol in the transport layer (layer 4), whereas protocol 50 is specific to the IP protocol in the network layer (layer 3). ICMP is another example of a protocol number (it is number 1) - but ICMP does not use port numbers like protocols such as TCP and UDP do, i.e. not all IP protocols use port numbers.

See [1] for a list of protocol numbers.
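The distinction above, as an added example that is not part of the original wiki page: a small Python parser reads the protocol field of constructed IPv4 packets and shows that port numbers are only present for TCP and UDP, while ESP (protocol 50) carries an SPI and a sequence number instead. The sample packets, the documentation-range addresses and the function names `build_ipv4` and `classify` are assumptions made for illustration.

```python
import struct

# IP protocol numbers named on this page, plus AH (51), the other IPsec protocol.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def build_ipv4(proto, payload, src=b"\xc0\x00\x02\x01", dst=b"\xc6\x33\x64\x02"):
    """Build a constructed IPv4 packet (20-byte header, checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload


def classify(packet):
    """Return the fields a NAT router or firewall can use to identify a flow."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IPv4 header length")
    proto = packet[9]                     # layer-3 protocol field
    body = packet[ihl:]
    info = {"protocol": proto, "name": PROTO_NAMES.get(proto, "other")}
    if proto in (6, 17) and len(body) >= 4:
        # Only TCP and UDP begin with source and destination ports (layer 4).
        info["src_port"], info["dst_port"] = struct.unpack("!HH", body[:4])
    elif proto == 50 and len(body) >= 8:
        # ESP has no ports: it begins with a 32-bit SPI and a sequence number.
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    return info


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "tcp_port_50": build_ipv4(6, struct.pack("!HH", 40000, 50) + b"\x00" * 16),
    "esp": build_ipv4(50, struct.pack("!II", 0x1000, 1) + b"\xaa" * 16),
    "icmp_echo": build_ipv4(1, b"\x08\x00\x00\x00\x00\x01\x00\x01"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, classify(pkt))
```

A filter rule written for "port 50" matches only the first sample; the ESP packet has to be matched on the protocol field itself.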


A NAT router will block everything unless it is specifically forwarded from the router to a node on your internal network - because the traffic is sent to the router and the router will not know which node it needs to be sent to unless you define it specifically in the forwarding rules.

I haven't ever seen a router which will allow you to forward IP protocols (I've only ever seen the option to forward TCP and/or UDP ports) - but some routers allow you to designate a host on your internal network as a "DMZ host", in which case the router will forward all unclaimed traffic to that host. However, if you do do this it's a good idea to make sure you've got a solid firewall on that host as it exposes it to attacks from the internet.


See [2]


IPSec (Internet Security Protocol) is a generic framework to provide security enhancements to IP (Internet Protocol). Three protocols are used to handle encryption and authentication: AH (Authentication Header) provides a packet-level authentication service, ESP (Encapsulating Security Payload) provides encryption plus authentication, and IKE (Internet Key Exchange) negotiates connection parameters, including keys, for the other two. IPSec supports two encryption modes, transport and tunnel. Transport mode encrypts only the payload part, while tunnel mode encrypts both the header and the payload. The secure channel negotiated between any two IPSec peers is called an SA (Security Association). SAs are uni-directional, i.e. you need to establish a pair of them for bi-directional communication. IPSec is an open standard developed by the IETF and is supported by all major operating systems and security product vendors.

VPN implementations


Zebedee is a simple program to establish an encrypted, compressed “tunnel” for TCP/IP or UDP data transfer between two systems. This allows traffic such as telnet, ftp and X to be protected from snooping as well as potentially gaining performance over low-bandwidth networks from compression.


tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet.



FreeS/WAN is a portable, open source implementation of the IPSec specification for Linux, available under the GPL. It has three main parts: KLIPS (Kernel IPSec) implements AH, ESP, and packet handling within the kernel; pluto (an IKE daemon) implements IKE, negotiating connections with other systems; and various scripts provide an administrator's interface to the machinery. FreeS/WAN currently only supports 3DES (triple Data Encryption Standard) for encryption. Authentication is carried out by using an MD5 hash of a shared key. This shared key could be a character string (shared secret), an RSA crypto keypair or an X.509 certificate (requires a patch). For more information about IPSec, see the introduction and also the FAQ on the FreeS/WAN website.


OpenSSH has support for VPN.


You can create a VPN connection for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP, using the Linux pptpclient:


Automatic vpn on interface activation

If you need to authenticate in a network using a VPN, and want it to be performed automatically, modify postup() and predown() in /etc/ This is an example using vpnc and a wireless interface.

Code: excerpt from /etc/conf.d/net
predown() {
	case "$IFACE" in
		wlan0)
			# Act only when associated with the expected wireless network
			if iwconfig wlan0 | grep -e "YourEssid" > /dev/null; then
				einfo "Connected to YourEssid"
				einfo "Stopping vpnc-client"
				vpnc-disconnect &
				einfo "Restoring resolv.conf"
				cp /etc/resolv.conf-home /etc/resolv.conf
			fi
			;;
	esac
	return 0
}

postup() {
	case "$IFACE" in
		wlan0)
			# Start the VPN client only on the expected wireless network
			if iwconfig wlan0 | grep -e "YourEssid" > /dev/null; then
				einfo "Connected to YourEssid: Starting vpnc-client ..."
				vpnc /etc/vpnc.conf-wlan &
			fi
			;;
	esac
	return 0
}



Last modified: Fri, 26 Sep 2008 09:50:00 +0000 Hits: 10,917