Linked by David Bogen on Mon 26th Jan 2004 04:47 UTC
Internet & Networking For many systems administrators, choosing and managing a VPN system is often quite a headache. Inflexible clients, servers, and protocols often prevent VPNs from being smoothly integrated into an already functioning network. The fact that many VPN clients are installed on users' home computers, well out of the reach of the systems administration team, often means that troubleshooting and upgrading VPN systems is time-consuming and a struggle for both admins and users.
best solution
by raiten on Mon 26th Jan 2004 05:11 UTC

OpenVPN is a very good VPN solution:
- easy multiplatform, no differences in config like with IPsec
- very easy configuration files (about 6 to 10 short lines)
- support for Windows, Mac OS X, Linux, Solaris, *BSD
- very good options for debugging
- and a good community (mailing lists & co)

On the security aspect, there was once an article on Slashdot on the poor security of CIPE, vtun and some others. On the other hand, OpenVPN was regarded as a very secure solution.

IPX?
by gallen I on Mon 26th Jan 2004 05:12 UTC

Does OpenVPN support IPX traffic?

Is it usable for WAN gaming?

Re: IPX?
by Anonymous on Mon 26th Jan 2004 05:40 UTC

OpenVPN can operate in TAP mode, which is a virtual Ethernet connection. Anything that will run across Ethernet will run over OpenVPN (although I don't think it's the most efficient way). I have my VPN handing out IPs via DHCP.

So, yes, it will do IPX.
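The TAP-mode setup the post describes, written out as an added example (this is not code from the thread or from the OpenVPN project): a static-key OpenVPN 1.x tunnel whose server-side tap device is bridged onto the LAN, so whole Ethernet frames (IPX, NetBIOS and DHCP broadcasts) reach the remote end. The hostname, port, interface names, addresses and key file name are assumed values; `openvpn --mktun`, `--secret` and the `ifconfig` forms are OpenVPN 1.x options (TAP takes "address netmask", TUN takes "local remote"), and `brctl` is the Linux bridge tool.

```shell
#!/bin/sh
# Added example (not from the thread): a static-key OpenVPN 1.x tunnel in TAP
# mode, with the server's tap0 bridged onto the LAN so whole Ethernet frames
# (IPX, NetBIOS broadcasts, DHCP) reach the remote end. Hostname, addresses,
# interface names and the port are assumed values.

SERVER_HOST=vpn.example.com
PORT=5001
LAN_IF=eth0
BRIDGE=br0
LAN_ADDR=10.0.200.1
LAN_MASK=255.255.255.0

# Server end. A named device (tap0) is used so it can be created beforehand
# with `openvpn --mktun --dev tap0` and added to the bridge; no ifconfig here,
# because the bridge, not tap0, carries the LAN address.
tap_server_conf() {
    cat <<EOF
dev tap0
port $PORT
secret static.key
verb 3
EOF
}

# Client end: an address from the LAN subnet, as if plugged into the switch.
# TAP ifconfig takes "address netmask"; TUN takes "local remote" instead.
tap_client_conf() {
    cat <<EOF
dev tap
remote $SERVER_HOST
port $PORT
ifconfig $1 $LAN_MASK
secret static.key
verb 3
EOF
}

# Non-IP protocols only cross a tap (Ethernet) tunnel, never a tun (IP) one,
# so this is the one line to check before promising IPX over the VPN.
carries_non_ip() {
    grep -q '^dev tap' "$1"
}

# Bridge setup on the server (run as root, after creating tap0, before
# starting openvpn). The LAN address moves from eth0 to the bridge.
bridge_up() {
    brctl addbr "$BRIDGE"
    brctl addif "$BRIDGE" "$LAN_IF"
    brctl addif "$BRIDGE" tap0
    ifconfig "$LAN_IF" 0.0.0.0 promisc up
    ifconfig tap0 0.0.0.0 promisc up
    ifconfig "$BRIDGE" "$LAN_ADDR" netmask "$LAN_MASK" up
}
```

Generate `static.key` once with `openvpn --genkey --secret static.key` and copy it to the client over a channel you already trust; whoever holds that file is a host on your LAN, since a bridged TAP client sees every broadcast and can speak every protocol the switch carries. That is the price of IPX support, and the reason most IP-only deployments prefer TUN mode.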

what about clients ?
by Anonymous on Mon 26th Jan 2004 06:25 UTC

What kind of client does it come with or support?

RE: what about clients ?
by raiten on Mon 26th Jan 2004 06:54 UTC

Same as the server: nearly anything that supports a tun/tap device:
Windows, Mac OS X, *BSD, Solaris, ...

RE: what about clients?
by Anonymous on Mon 26th Jan 2004 07:22 UTC

Sorry, I mean: can I use something like the Cisco VPN client, CheckPoint Secure Remote, or Lucent VPN client to connect to an OpenVPN server?

Or does OpenVPN provide its own client? If so, does it run on Win32?

Thanks

RE: what about clients?
by jk on Mon 26th Jan 2004 07:51 UTC

Anonymous: yes, it provides its own client for all OSes. I've tested it under Win32 and it works like a charm (both as an NT service and as a standalone application). I never had problems with it.

WLAN
by HufflePuff on Mon 26th Jan 2004 07:51 UTC

We are using OpenVPN with a Linux server and some Linux laptops connected through WLAN for many months without hassle. Easy and no problems so far.

Alternative authentication?
by Anonymous on Mon 26th Jan 2004 10:47 UTC

I've been looking for a VPN solution that's based on other methods than key authentication. Does anyone know of VPN servers that are PAM-based? It would be nice to integrate this with the LDAP user database (and such).

Ports
by Chris on Mon 26th Jan 2004 10:49 UTC

So do I understand correctly that a server requires multiple listening ports if it wants more users to connect? How does the client software know which port to use if the first handful are already in use?

Its biggest plus compared to a bare-bones L2TP server is that it encrypts traffic. Everything else is pretty much the same as an L2TP tunnel.

RE: Ports
by Mark R on Mon 26th Jan 2004 11:50 UTC

The port number is predefined per tunnel. So 5001 is set on the server and the client for that tunnel.

Best VPN software I have used
by Mark R on Mon 26th Jan 2004 11:55 UTC

I have to say that I've used IPsec with Cisco, Watchguard and FreeS/WAN, but in the 3 months I've been using OpenVPN I've nearly replaced everything with it where possible. As of version 1.5 the quality of this software is truly fantastic. I cannot recommend it enough.

RE: RE: Ports
by Bill Sykes on Mon 26th Jan 2004 12:41 UTC

"The port number is predefined per tunnel. So 5001 is set on the server and the client for that tunnel."

Do you have to do this manually? If you do this seems like it would be a nightmare to administer more than a few clients.

Also I was wondering about the speed of SSL encryption vs. hardware based IPSEC.

RE: RE: RE: Ports
by Gabriel Ebner on Mon 26th Jan 2004 12:46 UTC

> Also I was wondering about the speed of SSL encryption vs. hardware based IPSEC.

Aren't there also hardware SSL implementations?

RE: RE: Ports
by Mark R on Mon 26th Jan 2004 14:43 UTC

> "The port number is predefined per tunnel. So 5001 is set on the server and the client for that tunnel."

> Do you have to do this manually? If you do this seems like it would be a nightmare to administer more than a few clients.

> Also I was wondering about the speed of SSL encryption vs. hardware based IPSEC.

Yes, it's manual, but it takes 2 minutes to create a tunnel. I've written my own scripts which cut it down to a few seconds, but once you have good configs you can use them as templates for the other tunnels. One template per OS is fine.

The first patches are coming through for multiple tunnels to a single port, but don't expect anything in the mainline too soon.

I don't know anything about hardware acceleration, but there are quite a few comments on the OpenVPN mailing list.

Great Product
by linux_baby on Mon 26th Jan 2004 15:10 UTC

Yup, this is a really good product, all the more so for being multi-platform.

Re: Great Product
by mmu_man on Mon 26th Jan 2004 16:30 UTC

> multiplatform

Which should soon count one more, when I get vtun working with my tuntap driver for BeOS BONE (it currently compiles but fails in select() after connecting), I should jump on that one.

advantage of this over making SSH tunnels?
by Chris Hamant on Mon 26th Jan 2004 16:39 UTC

I understand and use other VPN solutions (IPSEC and PPTP), but this seems at first glance to be just like creating a tunnel with SSH.. Am I missing the boat here?

Re: advantage of this over making SSH tunnels?
by mmu_man on Mon 26th Jan 2004 16:55 UTC

AFAIK ssh only tunnels *ports*, that is, it can tunnel your local port 80 (http), 6000 (X11), ..., but you need to specify each of them.
Here we want to tunnel the whole path from one box to another.

Plop
by dpi on Mon 26th Jan 2004 17:12 UTC

@ Gabriel Ebner

Yes. See for example "Cryptographic Hardware Support" (OpenBSD's support, not OpenVPN's support) at http://www.openbsd.org/crypto.html for a list.

@ Chris Hamant

IPsec / VPN -> Transport layer.
SSL / SSH -> Application layer.

The difference or preference depends on what you want.

Imagine you work at a company and there are two offices: one in Great Britain, the main office, and one in Germany, a small one. Now, a new software package got released which has to be moved to Germany over the internet in a secure way.

FTP to 10.0.200.1 which is then encrypted over the internet by VPN/IPsec. It goes a bit slower than over LAN but otherwise it is transparent.

Otherwise the internet address has to run FTP over SSL [the horror] or SSH.

VPN / IPsec also gets rid of NAT.

Those are a few practical differences...

A few years ago there was a brilliant article in c't about VPN.

A port for every user?
by Carl on Mon 26th Jan 2004 18:17 UTC

The article says that I have to open a firewall port for every user. In an Enterprise environment, this is simply unacceptable. I can't go opening 500 or 1,000 ports for VPN users. Other VPN solutions run over ONE port. The firewall port issue alone is enough to discount OpenVPN as a solution. Is the port information correct, or am I misunderstanding?

RE : A port for every user?
by Mark R on Mon 26th Jan 2004 22:38 UTC

> The article says that I have to open a firewall port for every user. In an Enterprise environment, this is simply unacceptable. I can't go opening 500 or 1,000 ports for VPN users. Other VPN solutions run over ONE port. The firewall port issue alone is enough to discount OpenVPN as a solution. Is the port information correct, or am I misunderstanding?

It's messy, yes, but not unacceptable. Good scripting can manage the ports. It's no more insecure; the last 999 ports have the same security as the first one.
If you are in an Enterprise environment then chances are this will not be your solution, because it is not backed by a blue-chip support company. If this is not a problem then you could write decent management script(s) in a day. One day is nothing for 500-1000 tunnels.
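The kind of management script the replies above describe (one predefined port per tunnel, configs stamped out from a template, firewall holes to match), as an added example that is neither the thread's own scripts nor anything shipped by OpenVPN. It keeps a registry file of "name port" lines, allocates the lowest free port from an assumed base of 5001, and emits the OpenVPN 1.x point-to-point server config, client config and iptables rule for a tunnel. The registry path, hostname, WAN interface and the 10.8.0.0/16 addressing are assumptions; the configs use `--secret` static keys, one per tunnel.

```shell
#!/bin/sh
# Added example (not the thread's own scripts): one UDP port per road-warrior
# tunnel, tracked in a registry file, with matching server/client configs and
# firewall rule. BASE_PORT, REGISTRY, SERVER_HOST, WAN_IF and the 10.8.0.0/16
# addressing are assumed values for illustration.

BASE_PORT=5001
REGISTRY=${REGISTRY:-/etc/openvpn/tunnels.txt}   # one "name port" line per tunnel
SERVER_HOST=vpn.example.com
WAN_IF=eth0

# Lowest port not yet recorded. Scanning the registry (rather than counting
# lines) means a removed tunnel's port is reused and a live one is never
# handed out twice.
next_port() {
    p=$BASE_PORT
    while grep -q " $p\$" "$REGISTRY" 2>/dev/null; do
        p=$((p + 1))
    done
    echo "$p"
}

# Print the port registered for a tunnel name; fail if there is none.
port_of() {
    awk -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }' "$REGISTRY"
}

# Register a new tunnel and print its port; refuse duplicate names so two
# clients never share a port (and therefore never share a static key).
add_tunnel() {
    if port_of "$1" >/dev/null 2>&1; then
        echo "tunnel $1 already registered" >&2
        return 1
    fi
    p=$(next_port)
    echo "$1 $p" >> "$REGISTRY"
    echo "$p"
}

# Tunnel index i gets the address pair 10.8.(i/100).(2*(i%100)+1) and +2,
# one /30-style pair per tunnel, which is what tun point-to-point mode expects.
server_ip() { echo "10.8.$(($1 / 100)).$((2 * ($1 % 100) + 1))"; }
client_ip() { echo "10.8.$(($1 / 100)).$((2 * ($1 % 100) + 2))"; }

# OpenVPN 1.x server side: one openvpn process listens on this tunnel's port
# with this tunnel's key (made with: openvpn --genkey --secret NAME.key).
# Revoking a client means deleting its key file and closing its port.
server_conf() {
    p=$(port_of "$1") || return 1
    i=$((p - BASE_PORT))
    cat <<EOF
dev tun
port $p
ifconfig $(server_ip $i) $(client_ip $i)
secret $1.key
verb 3
EOF
}

# Client side, generated from the same registry entry so both ends agree.
client_conf() {
    p=$(port_of "$1") || return 1
    i=$((p - BASE_PORT))
    cat <<EOF
dev tun
remote $SERVER_HOST
port $p
ifconfig $(client_ip $i) $(server_ip $i)
secret $1.key
verb 3
EOF
}

# The only firewall hole a tunnel needs: its own UDP port on the WAN side.
# Printed rather than applied, so the rule set can be reviewed and versioned.
firewall_rule() {
    p=$(port_of "$1") || return 1
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport $p -j ACCEPT"
}
```

Typical use is `add_tunnel alice`, then `server_conf alice > alice.conf`, `client_conf alice > alice-client.conf` and `firewall_rule alice >> rules.sh`. The security argument in the reply holds as long as every open port terminates in an openvpn process that checks a key: an ACCEPT rule for a port with no listener behind it is the thing to audit for. The operational cost is that this is one process per tunnel, so memory and process count grow with the client count, which is the real reason to want the single-port patches the earlier reply mentions.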

Why Bother?
by slash on Mon 26th Jan 2004 23:02 UTC

I don't see any reason why anyone should bother with OpenVPN.
For permanent connections or certificate based solutions, IPsec is the way to go. Seeing how it is now part of the 2.6 Linux kernel, and has been in FreeBSD and Solaris for years, there is no reason why you should go with anything else. It is available everywhere and requires no additional installations. Also, it is simply unbeatable in security.
For VPN solutions requiring user entered authentication, PPTP is probably the best choice. Great security and almost all Unix OS support interoperability with it (they can act as both server and client). L2TP is also a great solution, providing the best of both worlds (certificate and user entered authentication) and IPsec for security. However, it is currently proprietary to Microsoft so I would stay away from it until we get Linux clients and servers.

RE: Why Bother?
by Florin Andrei on Mon 26th Jan 2004 23:40 UTC

> I don't see any reason why anyone should bother with OpenVPN. For permanent connections or certificate based solutions, IPSEC is the way to go.

Have you tried to deal with IPSec through NAT? It's doable, but if you're a small company that cannot buy a commercial IPSec solution (one that comes with Windows clients that can tunnel IPSec through UDP), it won't work.

I played with FreeS/WAN and Win2K IPSec and it's a nightmare if you must open a VPN link through NAT (you must be able to do that if you want to give your road warriors enough flexibility).
OpenVPN deals with that issue gracefully.

I know the issue is not the protocol itself, but a lack of a free Win2K client that can tunnel IPSec through NAT, but whatever the cause, if it doesn't work, then you must search for something else.

Why bother
by Chris on Tue 27th Jan 2004 03:34 UTC

slash: As Florin said, IPSec isn't easy. Having commercial solutions - Watchguard, Checkpoint, Cisco makes the pain easier, but having both protocol types as well as port types (IPSec) makes NAT hard. ALGs are often required in NAT deployments to keep it all working nicely.

PPTP is similar in that you need a TCP port and another protocol to be supported in your NAT gateway.

As I said earlier, L2TP is great that it's only one port and protocol type to support. This is pretty much L2TP but with encryption.

Also, the more complicated you get with your security, the harder it is to support. Suddenly you have to get a self-signed CA for your organisation if you don't want a commercial variety. How do you distribute the PKIs and revocation servers for IPSec? You'll have to face all these questions, and more.

Man...
by Dave on Tue 27th Jan 2004 08:30 UTC

This looks very promising. I've been having a headache about setting up a VPN for a while, and this looks like just the ticket. I bought that Netgear FVS318 router and it only really has good support for router-to-router VPN networking. Otherwise you have to pay a hundred-plus bucks for an exceptionally confusing client program that doesn't seem to work half the time with the Windows version you are using.

I will say one thing about the FVS318: it is very easy to configure if it is a router-to-router connection, and does the best job of a VPN router setup that I have ever seen outside of the Cisco realm.

IPsec
by Eric Koome on Tue 27th Jan 2004 14:38 UTC

I have worked with FreeS/WAN on Linux and Win2K road warriors over NAT and it works like a charm. I guess you need to combine the FreeS/WAN NAT support and iptables firewall rules
(I prefer using Shorewall to get the job done).
Configuring many ports for OpenVPN is a nightmare.

Moved to SSH
by Anonymous on Tue 27th Jan 2004 16:11 UTC

I moved all VPN-type functions to SSH. One port, no management. Clients can be pre-configured to tunnel the needed ports, so no configuration by the client is needed. Very secure. All the applications we needed (file transfer, email, intranet web access, remote GUI application execution, etc.) can be transferred over SSH tunnels. Wide availability of clients (even Java implementations, loadable via web browser). Available for every platform and architecture, and cross-platform compatible. As an ad-hoc solution, no resources are consumed when the connection is not in use. Works easily with NAT (port forward) and firewalls. Supporting one client or 10,000 makes no difference (size the server for concurrent use).

Why vpn?
by Francisco on Tue 27th Jan 2004 18:05 UTC

OK, can someone explain to me what this program is for? I don't know what a VPN is; I already have a router with a firewall.

Re: Why vpn?
by Bruce on Wed 28th Jan 2004 00:07 UTC

Let's say that you have a private local area network (LAN) at your house and your friend has a private LAN at his house and you want to connect your LAN and your friend's LAN together as though it was one big LAN. A VPN solution will enable you to do it. You can also limit what your friend sees in your LAN and vice-versa. I hope that this helps.

keeping the tunnel up
by Dom on Wed 28th Jan 2004 13:07 UTC

How does OpenVPN compare to IPSec when it comes to re-establishing a broken tunnel (say one of the boxes loses its connection to the Net for half an hour)?
Compared to PPTP, IPSec is fantastic as you don't have to worry
about re-establishing the link. IPSec does it automatically, unlike PPTP. Does OpenVPN automatically re-establish the link?
And how long does it take to establish it?

Dom

ss
by luc-br on Wed 4th Feb 2004 23:21 UTC

Really very good.