As you know, IP addresses on the ADSL network are allocated via DHCP, which means you will never be able to run a "real" VPN (IPsec, PPTP, etc.) over ADSL.
However, there is a solution that you might want to look at. This requires you to have a FreeBSD machine (specifically FreeBSD) at both ends of the connection.
The FreeBSD userspace ppp client supports a "TCP" connection device. This connection device simply connects to a hostname and port and starts talking PPP.
This can be very easily used to set up a VPN, which you might find is also much more secure than the normal IPSec approach, if done correctly.
First, you want the FreeBSD machine on your site to also be your PPPoE client. To get that right, make sure you get an ADSL modem which can act as an ethernet bridge (NOT a router/NAT).
I can highly recommend the D-Link DSL300G. It's reasonably priced (I got mine for R750) and has everything you need. It has built-in PPPoE support, but we won't be using it here. It can be managed via telnet, SNMP or HTTP with a web interface.
Having set up your ethernet bridge, you now want to set up userspace ppp on the FreeBSD machine to handle the PPPoE link to your ADSL ISP. Basically you will need to compile NETGRAPH and NETGRAPH_PPPOE into your kernel, and tune a few simple settings in /etc/ppp/ppp.conf (see ppp.conf(5)).
If you already have a FreeBSD system running, you can find a HOWTO to configure it for PPPoE at http://www.oneyed.org/fribi-adsl.html
Now, having set up your ethernet bridge and FreeBSD machine to act as a PPPoE client, you should also set up your FreeBSD machine to act as a gateway and NAT for your LAN. Check the Handbook.
Right, if everything is working, we can move on to the VPN.
Doing this should be very simple. Instructions for userspace ppp are in the ppp(8) man page. Specifically, pay attention to the TCP device.
First off, you want to modify userspace ppp to run a script as soon as it establishes a PPPoE connection. Check the ppp(8) and ppp.conf(5) man pages.
What you want it to do is start an ssh(1) client which connects to the static IP of the FreeBSD machine on the other end. You want this all to be automated, so set up a DSA key (2048 bits highly recommended) without a passphrase to allow the SSH client to authenticate without user intervention.
Now, set up your SSH client so that it does not request a command prompt on the other side, but instead forks to the background as a daemon and performs local port forwarding. With the DSA key set up, you might run ssh(1) like this:
ssh -f -n remote.server.net -L 6316:127.0.0.1:6316
This will get ssh(1) to connect, fork to the background and start forwarding any connections to port 6316 on the loopback interface of your machine to port 6316 on the loopback interface of the remote machine. The port has been selected just for illustration; you may use any port you wish.
For better security, you can set up SSH to use strong stream ciphers in addition to your 2048-bit DSA key. 256-bit AES CBC and 168-bit SHA1 as your MAC come to mind. Check the ssh_config(5) man page.
Now, once this is done, your script should move on to starting another ppp client, this time one that connects over TCP. Again, instructions for all of this are in the man pages.
First, you want to always have a ppp command running in background mode on the remote machine, listening for incoming "PPP-over-TCP" connections.
Now, the SSH port forward should point a port on your machine to the port of the ppp client on the remote machine.
Once this is set up, you want the ppp program being started by your script to connect to this port, thus connecting to the remote ppp program over a secure channel, provided by SSH.
Once connected, it will appear as though you have one PPP connection to your ISP for internet access, and another to the office machines. Make sure you use the ISP connection as your default route. Set up a static route in your start-up script to route to your hosted machines.
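The link-up hook described above (start the SSH forward, wait for it, then bring up the PPP-over-TCP link), as an added example that is not part of the original post. The script name, key path, ppp label "vpn" and the ppp.conf stanza in the comment are assumptions; the remote listener is assumed to be spawned per connection by inetd as ppp(8) documents, rather than a permanently running ppp.

```shell
#!/bin/sh
# /etc/ppp/vpn-up.sh (hypothetical) - run by userspace ppp from
# /etc/ppp/ppp.linkup via a line like "!bg /etc/ppp/vpn-up.sh --run"
# under the PPPoE label, once the ADSL link is up.
#
# Assumed ppp.conf label on this machine (not from the post):
#   vpn:
#    set device 127.0.0.1:6316/tcp   # the SSH-forwarded port
#    set dial
#    set login
#    set ifaddr 10.0.4.2 10.0.4.1
# On the office machine inetd runs "ppp -direct vpn" for each connection,
# bound to 127.0.0.1:6316 only, so it is reachable solely via the forward.

REMOTE=remote.server.net    # static address of the office FreeBSD box
PORT=6316                   # same port on both loopbacks, as in the post
KEY=/etc/ppp/vpn_key        # passphrase-less key used only for this tunnel

# Accept only a numeric TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ssh arguments: fork (-f), no stdin (-n), no remote command (-N), and fail
# instead of hanging or prompting if the key or the forward is refused.
# The local end is bound to 127.0.0.1 explicitly so LAN hosts behind this
# gateway cannot reach the unauthenticated PPP listener through the forward.
ssh_forward_args() { # port remote
    printf '%s' "-f -n -N -i $KEY -o BatchMode=yes -o ExitOnForwardFailure=yes -L 127.0.0.1:$1:127.0.0.1:$1 $2"
}

# True once the forwarded port accepts connections (nc(1) from FreeBSD base).
forward_ready() { nc -z 127.0.0.1 "$1" >/dev/null 2>&1; }

wait_for_port() { # port seconds
    n=0
    while [ "$n" -lt "$2" ]; do
        forward_ready "$1" && return 0
        n=$((n + 1)); sleep 1
    done
    return 1
}

main() {
    valid_port "$PORT" || { echo "bad port $PORT" >&2; exit 1; }
    ssh $(ssh_forward_args "$PORT" "$REMOTE") || exit 1   # splitting intended
    wait_for_port "$PORT" 15 || { echo "ssh forward never came up" >&2; exit 1; }
    # The static route to the office LAN belongs under the "vpn" label in
    # ppp.linkup, e.g. "add 10.0.2.0/24 HISADDR"; ppp -background detaches.
    exec ppp -background vpn
}

if [ "${1:-}" = --run ]; then main; fi
```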
This will not provide speed comparable to what you will get with IPsec, PPTP or other "real" VPN solutions, but it will allow you to use a VPN with a dynamic IP on one side of the link, and will provide significantly better security.
Willie Viljoen
Web Developer
Adaptive Web Development