A Virtual Private Network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can be used by only one organization. It encapsulates data transfers between two or more networked devices which are not on the same private network so as to keep the transferred data private from other devices on one or more intervening local or wide area networks. There are many different classifications, implementations, and uses for VPNs.
OpenVPN's usage of a single UDP port makes it fairly firewall-friendly. You should add an entry to your firewall rules to allow incoming OpenVPN packets. On Linux 2.4+:
iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port) from an OpenVPN peer at 1.2.3.4. If you are using HMAC-based packet authentication (the default in any of OpenVPN's secure modes), having the firewall filter on source address can be considered optional, since HMAC packet authentication is a much more secure method of verifying the authenticity of a packet source. In that case:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
would be adequate and would not render the host inflexible with respect to its peer having a dynamic IP address. OpenVPN also works well on stateful firewalls. In some cases, you may not need to add any static rules to the firewall list if you are using a stateful firewall that knows how to track UDP connections. If you specify --ping n, OpenVPN will be guaranteed to send a packet to its peer at least once every n seconds. If n is less than the stateful firewall connection timeout, you can maintain an OpenVPN connection indefinitely without explicit firewall rules. You should also add firewall rules to allow incoming IP traffic on TUN or TAP devices such as:
iptables -A INPUT -i tun+ -j ACCEPT
to allow input packets from tun devices
iptables -A FORWARD -i tun+ -j ACCEPT
to allow input packets from tun devices to be forwarded to other hosts on the local network
iptables -A INPUT -i tap+ -j ACCEPT
to allow input packets from tap devices and
iptables -A FORWARD -i tap+ -j ACCEPT
to allow input packets from tap devices to be forwarded to other hosts on the local network. These rules are secure if you use packet authentication, since no incoming packets will arrive on a TUN or TAP virtual device unless they first pass an HMAC authentication test.
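The rules above, derived from an OpenVPN server config rather than typed by hand, as an added example that is not part of the original page or of OpenVPN itself. The config file contents are constructed, and the function names (conf_value, openvpn_rules, ping_interval, keepalive_ok) and the policy of refusing to open the port when neither HMAC packet authentication nor a peer source filter is present are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the page or the OpenVPN project): derive the firewall
# rules described above from an OpenVPN server config, refusing to open the
# port when neither HMAC packet authentication nor a peer source filter is set.

# Constructed sample server config, written to a temp file so the functions
# below take a path the way a real /etc/openvpn/server.conf would be passed.
CONF=$(mktemp)
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'tls-auth ta.key 0' 'keepalive 10 120' > "$CONF"

# conf_value KEY FILE: first argument of directive KEY, or empty if absent
conf_value() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# openvpn_rules CONFIG [PEER_IP]: print the iptables rules for one daemon.
# A peer address always becomes a source filter. Without one, the port is only
# opened if tls-auth/tls-crypt (HMAC packet authentication) is configured,
# since then the HMAC check, not the firewall, verifies the packet source.
openvpn_rules() {
    conf="$1"; peer="${2:-}"
    port=$(conf_value port "$conf"); port="${port:-1194}"
    proto=$(conf_value proto "$conf" | sed 's/[-0-9].*//'); proto="${proto:-udp}"
    dev=$(conf_value dev "$conf" | sed 's/[0-9]*$//'); dev="${dev:-tun}"
    if [ -n "$peer" ]; then
        echo "iptables -A INPUT -p $proto -s $peer --dport $port -j ACCEPT"
    elif grep -Eq '^(tls-auth|tls-crypt)' "$conf"; then
        echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
    else
        echo "refusing: no HMAC packet auth and no peer address for port $port" >&2
        return 1
    fi
    # Packets on the virtual device have already passed OpenVPN's HMAC test.
    echo "iptables -A INPUT -i ${dev}+ -j ACCEPT"
    echo "iptables -A FORWARD -i ${dev}+ -j ACCEPT"
}

# ping_interval CONFIG: seconds between pings ("ping n" or "keepalive n m")
ping_interval() {
    v=$(conf_value ping "$1")
    [ -n "$v" ] || v=$(conf_value keepalive "$1")
    echo "$v"
}

# keepalive_ok CONFIG TIMEOUT: succeeds when the ping interval is shorter than
# the stateful firewall's UDP entry timeout, so no static rule is needed.
keepalive_ok() {
    p=$(ping_interval "$1")
    [ -n "$p" ] && [ "$p" -lt "$2" ]
}

openvpn_rules "$CONF"
```

Run as root with `openvpn_rules /etc/openvpn/server.conf | sh` once the printed rules have been reviewed.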
Virtual Private Server
Virtual private server (VPS) is a marketing term used by Internet hosting services to refer to a virtual machine for use exclusively by an individual customer of the service. The term is used to emphasize that the virtual machine, although running in software on the same physical computer as other customers' virtual machines, is functionally equivalent to a separate physical computer, is dedicated to the individual customer's needs, has the privacy of a separate physical computer, and can be configured to run as a server computer (i.e. to run server software). The term Virtual Dedicated Server or VDS is used less often for the same concept.
Each virtual server can run its own full-fledged operating system and can be independently rebooted. The practice of partitioning a single server so that it appears as multiple servers has long been common practice on mainframe computers and mid-range computers such as the IBM AS/400. It has become more prevalent with the development of virtualization software and technologies for microcomputers.
The physical server typically runs a hypervisor which is tasked with creating, destroying, and managing the resources of "guest" operating systems, or virtual machines. These guest operating systems are allocated a share of resources of the physical server, typically in a manner in which the guest is not aware of any other physical resources save for those allocated to it by the hypervisor.
The guest system may be fully virtualized, paravirtualized, or a hybrid of the two. In a fully virtualized environment, the guest is presented with an emulated or virtualized set of hardware and is unaware that this hardware is not strictly physical. The hypervisor in this case must translate, map, and convert requests from the guest system into the appropriate resource requests on the host, resulting in significant overhead. Almost all systems can be virtualized using this method, as it requires no modification of the operating system; however, a CPU supporting virtualization is required for most hypervisors that perform full virtualization.
In a paravirtualized environment, the guest is aware of the hypervisor and interfaces directly with the host system's resources, with the hypervisor implementing real-time access control and resource allocation. This results in near-native performance since the guest sees the same hardware as the host and can thus communicate with it natively. UNIX-like systems, such as Linux, some variants of BSD, Plan9, and OpenSolaris are currently known to support this method of virtualization. However, installing operating systems as paravirtualized guests tends to require more knowledge about the operating system in order to have it use special hypervisor-aware kernels and devices.
Some examples of paravirtualization-capable hypervisors are Xen, Virtuozzo, Vserver, and OpenVZ (which is the open source and development version of Parallels Virtuozzo Containers). Hybrid or partial paravirtualization is full virtualization in which the guest uses paravirtualized drivers for key components such as networking and disk I/O, resulting in greatly increased I/O performance. As such, it is a common solution for operating systems which cannot be modified (for various reasons) to support paravirtualization. One example of a hybrid hypervisor is Kernel-based Virtual Machine (KVM).
Uses
Virtual private servers bridge the gap between shared web hosting services and dedicated hosting services, giving independence from other customers of the VPS service in software terms but at less cost than a physical dedicated server. As a VPS runs its own copy of its operating system, customers have superuser-level access to that operating system instance, and can install almost any software that runs on the OS. Certain software does not run well in a virtualized environment, including firewalls, anti-virus clients, and indeed virtualizers themselves; some VPS providers place further restrictions, but they are generally lax compared to those in shared hosting environments. Due to the number of virtualization clients typically running on a single machine, a VPS generally has limited processor time, RAM, and disk space.
Virtual Private Server Hosting
A growing number of companies offer virtual private server hosting, or virtual dedicated server hosting as an extension for web hosting services. Some web hosting companies call a Virtual Private Server a Virtual Dedicated Server/Dynamic Dedicated Server or the other way around. There are several challenges to consider when licensing proprietary software in multi-tenant virtual environments.
Unmanaged Hosting
The customer is left to monitor and administer their own server.
Unmetered Hosting
This type of service is generally offered with no limit on the amount of data transferred on a fixed bandwidth line. Usually, unmetered hosting is offered with 10 Mbit/s, 100 Mbit/s or 1000 Mbit/s. The customer is theoretically able to use approximately 3.33 TB on 10 Mbit/s, 33 TB on 100 Mbit/s and 333 TB on a 1000 Mbit/s line.