Contributed by phessler on from the blarg-need-to-eat-brains dept.
I'm aware of authpf, but that doesn't solve the encrypted tunnel part. The client can also use ssh tunneling, but that sounds like hell for a Windows box. PPTP or IPSec tunneling with user authentication is built into both Windows (XP and later), and OSX, so those would be a huge win. I don't know of a server side solution for that though. :/
Undeadliers, Corbets needs your help.
By Paul (208.38.59.91) spawn@maltliquor.ca on
By djm (61.95.66.134) djm@ on
IPsec is probably the most secure solution, though you generally have to pay for Windows clients (MS having lobotomised their inbuilt IPsec support in various ways). Most sane IPsec clients interop fine with isakmpd. I have personally tested the old PGPnet, Timestep/IRE and SSH.COM ones.
PoPTop is another solution (already mentioned), replete with all the issues that PPTP with MSCHAP is famous for. It looks like this project is just starting to wake from a long slumber; for a long time the stable version was very flaky on multipath links (it didn't deal with reordered packets).
Compared to these two choices, tunneling over SSH isn't so bad :) You can use OpenSSH on Cygwin or the most recent PuTTY. Both of these support "dynamic tunnelling" that automatically supports anything with SOCKS (see DynamicForward in "man ssh_config").
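To make the "dynamic tunnelling" djm mentions concrete, here is an added example (not code from the thread or from OpenSSH) of the SOCKS5 exchange an application has with the listener that `ssh -D 1080 host` (or `DynamicForward` in ssh_config) opens on localhost. The ssh side is simulated in-process over a socketpair so it runs offline; the host names and the "reachable" list are constructed, and the real listener would carry the CONNECT out through the ssh session instead of answering it locally.

```python
"""Added example: the SOCKS5 handshake (RFC 1928) between a SOCKS-aware
application and the local listener created by ssh -D / DynamicForward.
The listener is simulated here; no real ssh session is involved."""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00          # the ssh listener needs no SOCKS auth: ssh itself already authenticated
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00
REP_HOST_UNREACHABLE = 0x04


def recv_exact(conn, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def client_greeting():
    # VER NMETHODS METHODS: offer only "no authentication"
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host, port):
    # VER CMD RSV ATYP DST.ADDR DST.PORT. Sending the name (ATYP 3) rather than
    # an address makes the far end resolve it, so DNS lookups stay inside the tunnel.
    name = host.encode("idna")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_reply(data):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT (IPv4 form only)."""
    ver, rep, _rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION or atyp != ATYP_IPV4:
        raise ValueError("unexpected SOCKS reply")
    return {"status": rep,
            "bind_addr": socket.inet_ntoa(data[4:8]),
            "bind_port": struct.unpack("!H", data[8:10])[0]}


def simulated_ssh_listener(conn, reachable):
    """Stand-in for the ssh -D listener: negotiate a method, then answer CONNECT."""
    ver, nmethods = recv_exact(conn, 2)
    methods = recv_exact(conn, nmethods)
    if ver != SOCKS_VERSION or NO_AUTH not in methods:
        conn.sendall(bytes([SOCKS_VERSION, 0xFF]))   # 0xFF: no acceptable method
        conn.close()
        return
    conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
    _ver, cmd, _rsv, atyp, length = recv_exact(conn, 5)
    name = recv_exact(conn, length).decode("idna")
    recv_exact(conn, 2)  # DST.PORT, not needed by the simulation
    ok = cmd == CMD_CONNECT and atyp == ATYP_DOMAIN and name in reachable
    rep = REP_SUCCEEDED if ok else REP_HOST_UNREACHABLE
    # The simulation reports 0.0.0.0:0 as the bound address (constructed choice).
    conn.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
                 + socket.inet_aton("0.0.0.0") + struct.pack("!H", 0))
    conn.close()


def tunnel_connect(host, port, reachable=("intranet.example",)):
    """Run one application-side CONNECT against the simulated listener."""
    app, listener = socket.socketpair()
    worker = threading.Thread(target=simulated_ssh_listener, args=(listener, reachable))
    worker.start()
    app.sendall(client_greeting())
    chosen = recv_exact(app, 2)
    if chosen[1] != NO_AUTH:
        app.close()
        worker.join()
        raise ConnectionError("listener rejected our auth methods")
    app.sendall(connect_request(host, port))
    reply = parse_reply(recv_exact(app, 10))
    worker.join()
    app.close()
    return reply


if __name__ == "__main__":
    print(tunnel_connect("intranet.example", 3389))   # status 0: connection accepted
    print(tunnel_connect("nowhere.example", 3389))    # status 4: host unreachable
```

The point for a Windows or OSX client is that nothing on the application side knows about ssh: it is just pointed at a SOCKS proxy on localhost, and any program that speaks SOCKS (or is wrapped by one) gets the encrypted path for free.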
By Anon E. Muss (24.65.17.217) on http://www.cs.umd.edu/users/mvanopst/xp2obsd.pdf
By Bobby Johnson (67.166.26.180) bob@nospam-plexuscomp.com on
By Guldan (212.129.231.66) robert_nospam_@guldan.demon.nl on
Comments
By Guldan (62.216.13.38) on
By sthen (213.152.51.85) on
Latest betas have a connection multiplexer, making server setup of multiple clients very much easier. These are early betas but it's on the way. (For those who don't know OpenVPN, standard versions have each client connect to a separate copy of the program bound to its own UDP port - this works well.)
OpenVPN supports Win2k+ and unix-like OS with tun or tap devices available. Win9x is not supported. Since it's OpenSSL-based, assuming you choose suitable ciphers, you can use it with hardware crypto accelerators, which is helpful if you want to terminate a larger number of tunnels to a low-power machine (e.g. net4801 or some C3-with-Padlock EPIA).
By Heinz (207.248.43.254) heinz@bsdcoders.org on http://www.bsdcoders.org
regards
By Anonymous Coward (62.235.14.244) on
By Michael Sullenszino (66.239.244.41) nospam@sullenszino.org on
By Corbets (24.12.223.67) on http://www.lancemcgrath.com
By Anonymous Coward (80.139.96.193) on
By Corbets (24.12.223.67) undeadly@lancemcgrath.com on http://www.lancemcgrath.com
By Ryan Baldwin (213.48.13.39) ryan.baldwin@nexusalpha.com on
dev tap0
instead say
dev tun0
dev-type tap
Obviously you can use tun1 etc. and create many of these (since 3.5 I believe).
Hope this helps
By Anonymous Coward (65.110.240.244) on
By jack (24.215.169.90) on
I use a Mac OS X PowerBook and use that IPSecuritas thing recommended on that airlok site and it works great with my obsd box.
By Anonymous Coward (128.59.21.5) on
By Sacha (145.222.169.66) on
By A Non Moose Cow Herd (64.81.227.16) on
References:
http://mirror.huxley.org.ar/ipsec/isakmpd.htm
http://vpn.ebootis.de/
the incredible ipsec, vpn, isakmpd and related manpages
Notable issues:
- setting the pf scrub rule to include 'max mss 1440' helped with Windows remote desktop... pings worked (small packets) but RDP didn't.
- Windows XP is very particular about importing the CA and user certs.
I may do a write-up of my experiences later.
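The "pings work but RDP doesn't" symptom is the classic sign of a tunnel eating full-size packets. As an added example (not from the thread, and the tunnel overhead figure is a constructed one, not measured), the arithmetic behind a `max-mss` clamp: the remote peer sizes its segments for a plain 1500-byte link because it knows nothing about the encapsulation, so a full segment plus tunnel headers overshoots the path and, with DF set and the ICMP "fragmentation needed" message lost somewhere, simply vanishes; small packets get through untouched. Rewriting the MSS in the SYN keeps every segment inside the path MTU.

```python
"""Added example: why MSS clamping fixes 'small packets pass, bulk TCP
stalls' over a tunnel, and the pf.conf line that applies the clamp.
Header sizes are the standard IPv4/TCP/ICMP ones; the tunnel overhead
in __main__ is a constructed value for illustration."""

IP_HDR = 20
TCP_HDR = 20
ICMP_HDR = 8
PING_PAYLOAD = 56        # default ping(8) payload size


def mss_for_path_mtu(path_mtu):
    """Largest TCP payload that fits in one IP packet of the given MTU."""
    return path_mtu - IP_HDR - TCP_HDR


def max_overhead_tolerated(mss, link_mtu=1500):
    """Encapsulation bytes a given clamped MSS leaves room for on the link."""
    return link_mtu - (mss + IP_HDR + TCP_HDR)


def simulate(link_mtu, encap_overhead, clamp_mss=None):
    """Do ping and a bulk TCP transfer survive a tunnel of the given overhead?

    The peer advertises the MSS for a plain link_mtu path; clamp_mss is the
    value pf rewrites it to on the way through (None = no scrub rule)."""
    path_mtu = link_mtu - encap_overhead
    advertised = mss_for_path_mtu(link_mtu)
    effective = min(advertised, clamp_mss) if clamp_mss else advertised
    return {
        "path_mtu": path_mtu,
        "effective_mss": effective,
        # a default ping is tiny, so it fits regardless of the tunnel
        "ping_ok": IP_HDR + ICMP_HDR + PING_PAYLOAD <= path_mtu,
        # a full segment only fits if the MSS left room for the encapsulation
        "bulk_ok": effective + IP_HDR + TCP_HDR <= path_mtu,
    }


def pf_scrub_rule(mss, new_syntax=False):
    """pf.conf line for the clamp: OpenBSD 3.x 'scrub' form, or the later 'match' form."""
    if new_syntax:
        return f"match in all scrub (max-mss {mss})"
    return f"scrub in all max-mss {mss}"


if __name__ == "__main__":
    OVERHEAD = 40  # constructed tunnel overhead for the demo
    print(simulate(1500, OVERHEAD))                                    # ping ok, bulk fails
    print(simulate(1500, OVERHEAD, mss_for_path_mtu(1500 - OVERHEAD)))  # both ok
    print("max-mss 1440 leaves room for", max_overhead_tolerated(1440), "bytes of encapsulation")
    print(pf_scrub_rule(1440))
```

Note that 1440 is just the value that happened to work for the poster's link; the right clamp is the path MTU of your particular tunnel minus 40, and anything smaller is merely a little wasteful rather than wrong.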
By Anonymous Coward (67.70.164.207) on
By Alan DeWitt (198.36.163.30) on
[...] setting the pf scrub rule to include 'max mss 1440' helped with Windows remote desktop... pings worked (small packets) but RDP didn't
Do you mean to say that RDP works with this setting to scrub, or that it still does not work? Thanks!