Put simply, to make a VPN, you create a secure tunnel between the two
networks and route IP through it. If I've lost you already, you should
read
The Linux Networking Overview HOWTO to learn more about networking
with Linux.
Here are some diagrams to illustrate this concept:
\ \
-------- / / --------
Remote ______| Client |______\ Internet \_____| Server |______ Private
Network | Router | / / | Router | Network
-------- \ \ --------
/ /
Client Router
----------------------------------------------------
| /-> 10.0.0.0/255.0.0.0 \ |
Remote | |--> 172.16.0.0/255.240.0.0 |--> Tunnel >---\ |
Network >---|--|--> 192.168.0.0/255.255.0.0 / |--|----> Internet
192.168.12.0 | | | |
| \-----> 0.0.0.0/0.0.0.0 --> IP Masquerade >--/ |
----------------------------------------------------
Server Router
----------------------------------------------------
| /-> 10.0.0.0/255.0.0.0 \ |
| /--> Tunnel >--|--> 172.16.0.0/255.240.0.0 |--|----> Private
Internet >--|--| \--> 192.168.0.0/255.255.0.0 / | Network
| | | 172.16.0.0/12
| \-----> 0.0.0.0/0.0.0.0 -----> /dev/null | 192.168.0.0/16
----------------------------------------------------
The above diagram shows how the network might be set up. If you don't
know what IP Masquerading is, you should probably read the
The Linux Networking
Overview HOWTO and come back once you understand how it works.
The Client Router is a Linux box acting as the gateway/firewall for the
remote network. The remote network uses the local IP address
192.168.12.0. For the sake of a simple diagram, I left out the local
routing information on the routers. The basic idea is to route traffic
for all of the private networks (10.0.0.0, 172.16.0.0, and 192.168.0.0)
through the tunnel. The setup shown here is one way. That is, while
the remote network can see the private network, the private network
cannot necessarily see the remote network. In order for that to happen,
you must specify that the routes are bidirectional.
From the diagram you should also note that all of the traffic coming out
of the client router appears to be from the client router, that is, all from
one IP address. You could route real numbers from inside your
network but that brings all sorts of security problems with it.
