Reitwiessner.de
DynVPN


What Is It?

DynVPN enables you to set up a Virtual Private Network between many networks that only have dynamic IP addresses. The Virtual Private Network secures the traffic between those networks, and every computer in it (including those behind the gateways) gets a static IP address. We use it in our Itzgrund.net to connect the networks that are too far away from the main network in Lahm via the Internet.

Requirements

Hardware:

DynVPN is actually two Python scripts: a CGI script, "nexus", which runs on a server with a static IP address (or at least a dyndns name), and "packthread", which runs on the gateway of each connected network. So you can simply use your webserver as the DynVPN server.

Software:

  • Python (the interpreter for the scripts)
  • IPsec in the kernel of the gateways (see FreeS/WAN for a patch)
  • FreeS/WAN on the gateways

Download

You can download the DynVPN package directly from here:
dynvpn.tar.gz (11 KB)
DynVPN is released under the terms of the GPL.

Installation Of The Clients

Copy packthread.py to /usr/local/sbin, or where you like. Then, adjust the configuration parameters at the top of the file:

# config

server_addr = 'myserver.net'
server_port = 80
cgi_script = '/cgi-bin/nexus/nexus.cgi' # if empty string, use
                                        # direct method, not http
port = 2002
password = 'PASSWORD'

server_addr is the address of the server where nexus runs. server_port is 80 if nexus runs as a CGI script in the webserver (normally the case). cgi_script is the URL path to the nexus script. port is the port the client listens on (leave it at 2002 unless that port is already in use), and password is the shared password the server and the client use to authenticate each other (change it!).

Modification Of Firewall Rules At The Gateways

For IPsec to work, the IP protocols named "AH" and "ESP" must be allowed through your firewall from the other gateways, and UDP port 500 must be open as well. For packthread to work, TCP port 2002 (or whatever port you configured) must be open towards the server.
Normally, packets originating directly from the gateway itself do not go through the VPN. A small trick makes this work (iptables):

iptables -t nat -A POSTROUTING -s <IP address of the default interface> \
	-d <complete VPN subnet> -j SNAT \
	--to-source <VPN address of the gateway>

Installation Of The Server

Copy nexus.cgi to a place in your webserver where CGI is enabled and adjust the configuration parameters at the top of the file:

# config

port = 2002
password = "PASSWORD"
config_path = "/usr/lib/cgi-bin/nexus/config"
gw_addrs_path = "/tmp/nexus/gw_addrs"

port must match the client configuration, as must password (change it!). config_path is the location of the network-configuration file (see below), and gw_addrs_path is the location of a file that nexus creates to store the IP addresses of the gateways.

Now, create this network-configuration file. Its structure is as follows:

<network name>
	subnet=<subnet>
	key=<public key>

<network name>
	subnet=<subnet>
	key=<public key>
...

Example:

baunach
	subnet=192.168.30.0/24
	key=0sAQPWVrkZO2KH8oYzYMLk [...] uvbbgNFBBxQ==

eyrichshof
	subnet=192.168.10.0/24
	key=0sAQODVFZMP+zqRs0T/iwF [...] 4DENhhS5e3Q==

network name is simply a name you choose; it must be given on the command line when the respective client is started. subnet is the IP subnet assigned to the client network, and key is the IPsec public key of the client's gateway. You get it by running "ipsec showhostkey --right" on that gateway.
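As an added illustration of the file format above (this is example code written for this page, not the parser inside nexus.cgi), the following stand-alone Python script reads a network-configuration file, accepts tab or space indentation, and rejects the mistakes that bite in practice: a subnet with host bits set, a key that lacks the "0s" prefix FreeS/WAN puts on RSA public keys, a network missing one of its two fields, and two networks whose subnets overlap. The sample configuration and its keys are constructed placeholders.

```python
import ipaddress

# Constructed sample in the page's format: mixed tab/space indentation,
# placeholder keys (real ones come from "ipsec showhostkey --right").
SAMPLE = """baunach
        subnet=192.168.30.0/24
\tkey=0sAQPexampleKeyBaunach==

eyrichshof
        subnet=192.168.10.0/24
        key=0sAQOexampleKeyEyrichshof==
"""

def parse_networks(text):
    """Return {name: {"subnet": IPv4Network, "key": str}}; raise ValueError on bad input."""
    networks = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw[0] not in " \t":          # unindented line starts a new network
            current = raw.strip()
            if current in networks:
                raise ValueError(f"line {lineno}: duplicate network {current!r}")
            networks[current] = {}
            continue
        if current is None or "=" not in raw:
            raise ValueError(f"line {lineno}: unexpected {raw.strip()!r}")
        k, v = (s.strip() for s in raw.split("=", 1))
        if k == "subnet":
            # strict=True rejects host bits set, e.g. 192.168.30.1/24
            networks[current]["subnet"] = ipaddress.ip_network(v, strict=True)
        elif k == "key":
            if not v.startswith("0s"):   # FreeS/WAN base64 RSA key prefix
                raise ValueError(f"line {lineno}: key for {current} lacks 0s prefix")
            networks[current]["key"] = v
        else:
            raise ValueError(f"line {lineno}: unknown field {k!r}")
    # every network needs both fields, and no two subnets may overlap
    for name, net in networks.items():
        if "subnet" not in net or "key" not in net:
            raise ValueError(f"network {name} is missing subnet or key")
    names = list(networks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a]["subnet"].overlaps(networks[b]["subnet"]):
                raise ValueError(f"subnet of {a} overlaps {b}")
    return networks
```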

Starting The Client

Just run "packthread.py <network name>" when you go online (for example from /etc/ppp/ip-up.d) or whenever your IP address changes. After a few seconds, your routing table should contain routes to the other networks.