OpenBSD Journal

Ask Undeadly?

Contributed by phessler on from the blarg-need-to-eat-brains dept.

Corbets writes "I'm looking for information on how to set up a multi-platform VPN that authenticates to my OpenBSD box. I'd like to use it for wireless security as well as remote access. IPSec seems to be very difficult to configure, and OpenVPN (available at SourceForge) requires additional software to be installed on both client and server machines. Have any of your readers come up with a simple-yet-worthy solution for secure access to networks protected by an OBSD firewall?"

I'm aware of authpf, but that doesn't solve the encrypted tunnel part. The client can also use ssh tunneling, but that sounds like hell for a Windows box. PPTP or IPSec tunneling with user authentication is built into both Windows (XP and later) and OSX, so those would be a huge win. I don't know of a server side solution for that though. :/

Undeadliers, Corbets needs your help.



Comments
  1. By Paul (208.38.59.91) spawn@maltliquor.ca on

    PopTop works very well and is in ports. I regularly use it to auth Windows clients to my OpenBSD firewall. The pptp clients in everything from Win98 and up work great. Check out www.poptop.org

  2. By djm (61.95.66.134) djm@ on

    IPsec is probably the most secure solution, though you generally have to pay for Windows clients (MS having lobotomised their inbuilt IPsec support in various ways). Most sane IPsec clients interop fine with isakmpd. I have personally tested the old PGPnet, Timestep/IRE and SSH.COM ones.

    PoPTop is another solution (already mentioned), replete with all the issues that PPTP with MSCHAP is famous for. It looks like this project is just starting to wake from a long slumber; for a long time the stable version was very flaky on multipath links (it didn't deal with reordered packets).

    Compared to these two choices, tunneling over SSH isn't so bad :) You can use OpenSSH on Cygwin or the most recent PuTTY. Both of these support "dynamic tunnelling" that automatically supports anything with SOCKS (see DynamicForward in "man ssh_config").
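The "dynamic tunnelling" djm mentions, written out as an added example that is not part of his post: a client-side ~/.ssh/config entry that opens a SOCKS listener on the laptop and carries everything SOCKS-aware applications send through the SSH session to the OpenBSD gateway. The host alias, host name and user are placeholders.

```sshconfig
# ~/.ssh/config on the client (added example; "fw", fw.example.org and the
# user name are placeholders, not values from the thread)
Host fw
    # The OpenBSD gateway's public name or address
    HostName fw.example.org
    User corbets
    # Open a SOCKS listener on the client.  Binding it to loopback means other
    # hosts on the untrusted wireless segment cannot reach the listener and
    # ride the tunnel; "localhost:" is the default but is spelled out here.
    DynamicForward localhost:1080
    # Notice quickly if the gateway stops answering instead of leaving a
    # half-dead session behind
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

With that in place, `ssh -N fw` (the same as `ssh -N -D localhost:1080 corbets@fw.example.org`) brings the listener up, and the browser or mail client is pointed at SOCKS proxy 127.0.0.1 port 1080; PuTTY's equivalent is a "Dynamic" forward under Connection > SSH > Tunnels. Only applications that speak SOCKS are covered, and name lookups only travel through the tunnel when the application asks the proxy to resolve them (SOCKS4a/SOCKS5), so it is remote access for a handful of programs rather than a full network-layer VPN like IPsec or OpenVPN.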

  3. By Bobby Johnson (67.166.26.180) bob@nospam-plexuscomp.com on

    Links from my bookmarks, most found from searching on deadly. IPsec will interoperate with most everything.
    http://www.etla.net/~willey/projects/vpn/
    http://hem.passagen.se/hojg/isakmpd/
    http://www.klake.org/~jt/mkca/
    http://www.allard.nu/pipermail/openbsd-ipsec-clients/2002-November/000736.html
    http://www.tek-tips.com/gthreadminder.cfm/pid/463/page/2
    http://vpn.ebootis.de - Good program to configure Win 2k or XP clients with builtin IPsec software.

  4. By Guldan (212.129.231.66) robert_nospam_@guldan.demon.nl on

    Hi, I'm currently working on a setup like that. Using OpenBSD and poptop with user ppp to authenticate to a radius server. Currently I'm testing with FreeBSD user ppp but have some problems with the user ppp radius part. It looks like it never sends its username to the radius server. I will try later after release of 3.5 of OpenBSD with an OpenBSD setup. Gul'dan

    Comments
    1. By Guldan (62.216.13.38) on

      OK, I'm a moron... I did something wrong on the client... I have it working now on FreeBSD, but have some troubles on OpenBSD. Without GRE and with GRE it will complain about gre stuff. I'm trying to find out what's going wrong...

  5. By sthen (213.152.51.85) on

    OpenVPN works well enough to be worth adding the relevant component, imho. You can package up an installer with everything that's required making the installation quite simple if you're not doing it yourself, and it will just use whatever internet connection is available (I have set it up for someone to access an Exchange server and had it running over GPRS, 802.11b, wired ethernet and modem through different ISPs - all without Outlook dropping the session during changeover).

    Latest betas have a connection multiplexer, making server setup of multiple clients very much easier. These are early betas but it's on the way. (For those who don't know OpenVPN, standard versions have each client connect to a separate copy of the program bound to its own UDP port - this works well.)

    OpenVPN supports Win2k+ and unix-like OS with tun or tap devices available. Win9x is not supported. Since it's OpenSSL-based, assuming you choose suitable ciphers, you can use it with hardware crypto accelerators, which is helpful if you want to terminate a larger number of tunnels to a low-power machine (e.g. net4801 or some C3-with-Padlock EPIA).

    Comments
    1. Comments
      1. By Anonymous Coward (62.235.14.244) on

        And it works perfectly, certainly with 3.5. OpenVPN relies on tun devices which are created dynamically since 3.5.

    2. By Michael Sullenszino (66.239.244.41) nospam@sullenszino.org on

      OpenVPN is great, compiles on 3.3, 3.4 and there is a port for 3.5. Use it to connect laptops and a few home users for multiple clients running OpenBSD firewalls/gateways. I can provide basic config files for both the OpenBSD server and the Windows clients. I had a few issues with some versions of Windows which the documentation covered in terms of packet fragmenting, otherwise smooth sailing and no issues.

    3. By Corbets (24.12.223.67) on http://www.lancemcgrath.com

      This would be the other problem I forgot to mention. I'd really prefer not to have to set up a different config file for every client that wants to simultaneously connect. :( This might be the answer in the next version.

      Comments
      1. By Anonymous Coward (80.139.96.193) on

        OpenVPN does this job great in V2; it compiles great on 3.5 and I think it's stable enough to give it a try.

    4. By Corbets (24.12.223.67) undeadly@lancemcgrath.com on http://www.lancemcgrath.com

      As I understand it, I'll have to add TAP support to the OBSD kernel to make OVPN work correctly with Windows devices. Do I have the right of it? Thanks, Corbets

      Comments
      1. By Ryan Baldwin (213.48.13.39) ryan.baldwin@nexusalpha.com on

        As far as I'm aware, a tap device is only required for setting up a bridged VPN. If this is what you want then as of OpenBSD 3.6 I believe 'tap' support has been added to the kernel. To use this with OpenVPN use 'ifconfig tun0 create link0' and then in your OpenVPN config file where you might say

        dev tap0

        instead say

        dev tun0
        dev-type tap

        Obviously you can use tun1 etc and create many of these (since 3.5 I believe)

        Hope this helps
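Pulling together the points raised in this thread (sthen's note that OpenVPN 2 serves all clients from one process on one UDP port, Corbets' wish not to keep one config per client, and Ryan Baldwin's tap-mode note), here is an added example server.conf for the OpenBSD gateway. It is not configuration posted by anyone above or shipped by the OpenVPN project; the file paths, subnet addresses and the nobody user/group are placeholders to adjust.

```conf
# /etc/openvpn/server.conf on the OpenBSD gateway (added example, not from
# the thread; paths, addresses and the unprivileged user are placeholders).
# One daemon on one UDP port serves every client in OpenVPN 2 "server" mode,
# so there is no per-client process, port or config file to maintain.
port 1194
proto udp

# Routed mode: a layer-3 tunnel, which needs no tap support in the kernel.
# Each client gets an address from 10.8.0.0/24 and a route to the LAN.
dev tun0
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

# Bridged alternative for clients that must sit on the LAN segment itself
# (replace the three lines above).  As the comment above describes, first put
# the interface into tap mode:  ifconfig tun0 create link0
#dev tun0
#dev-type tap
#server-bridge 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.200

# X.509 material (e.g. generated with OpenVPN's easy-rsa scripts).  Every
# client holds its own certificate, so one can be revoked without touching
# the rest; the same server config authenticates all of them against the CA.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh1024.pem
# HMAC-sign the TLS control channel with a pre-shared key so packets that do
# not carry a valid HMAC are dropped before any TLS processing happens
tls-auth /etc/openvpn/ta.key 0

cipher AES-256-CBC
# Ping every 10 s, declare the peer dead after 120 s of silence
keepalive 10 120

# Drop privileges once the tunnel is established, and keep the key and the
# interface across restarts so the unprivileged daemon never needs them again
user nobody
group nobody
persist-key
persist-tun

verb 3
```

Routed mode additionally needs net.inet.ip.forwarding=1 in sysctl.conf and pf rules that pass traffic between tun0 and the LAN interface; the bridged variant needs the tap-mode tun interface added to a bridge(4) together with the LAN interface via brconfig(8). The Windows client side is a matching client config with its own cert/key pair, the CA certificate and the same ta.key (used with direction 1).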

  6. By Anonymous Coward (65.110.240.244) on

    > can also use ssh tunneling, but that sounds like hell for a Windows box.

    It's actually quite simple with PuTTY (use Google...). It's pretty easy to do, even with Windows.

  7. By jack (24.215.169.90) on

    A while ago there was a mention of this product called Airlok that is based on OBSD. Well... if you check out their support website, they have documentation that shows exactly how to get the job done (IPsec configuration to connect to OpenBSD) on Windows without downloading any software. A lot of times when I need Linux configuration-related documentation I surf to products that are built on Linux, and it looks like doing that for OpenBSD will work too.

    I use a MacOS X PowerBook and use that IPSecuritas thing recommended on that Airlok site, and it works great with my OBSD box.

    Comments
    1. By Anonymous Coward (128.59.21.5) on

      I couldn't get that one to work, but this one does. The winxp documentation is exactly what I was looking for. http://www.air-lok.com/support

  8. By Sacha (145.222.169.66) on

    You could try TINC

  9. By A Non Moose Cow Herd (64.81.227.16) on

    I would say give IPSec a shot but I may be a bit biased. I just set up an IPSec VPN between OpenBSD 3.4 and WinXP for a client about a month ago using X.509 certs for authentication. I followed instructions from a few different websites. After solving a few silly problems on the Windows side everything is running smoothly.

    References:
    http://mirror.huxley.org.ar/ipsec/isakmpd.htm
    http://vpn.ebootis.de/
    the incredible ipsec, vpn, isakmpd and related manpages

    Notable issues:
    - Setting the pf scrub rule to include 'max mss 1440' helped with Windows Remote Desktop... pings worked (small packets) but RDP didn't.
    - Windows XP is very particular about importing the CA and user certs.

    I may do a write-up of my experiences later.

    Comments
    1. By Anonymous Coward (67.70.164.207) on

      Please post if you do do a write-up. I, for one, would really like it.

    2. By Alan DeWitt (198.36.163.30) on

      Would you be so kind as to clarify something?

      > [...] setting the pf scrub rule to include 'max mss 1440' helped with Windows remote desktop...ping's worked (small packets) but RDP didn't

      Do you mean to say that RDP works with this setting to scrub, or that it still does not work? Thanks!
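The MSS clamping from comment 9, shown as an added pf.conf fragment for the gateway. This is not the poster's configuration; interface names, the LAN prefix and the PPTP rules are assumptions added to cover both the IPsec and the PoPTop setups discussed in the thread.

```pf
# /etc/pf.conf fragment for the OpenBSD gateway (added example, not from the
# post above; interface name and LAN prefix are placeholders).
ext_if  = "fxp0"
lan_net = "192.168.1.0/24"

# Clamp the TCP MSS so a full-size segment plus the ESP encapsulation still
# fits in the outer MTU.  Small packets (ping) get through without this, while
# bulk TCP such as RDP stalls because the oversized encapsulated packets are
# dropped somewhere on the path.  What the post quotes as 'max mss 1440' is
# spelled max-mss in pf.conf.
scrub in all fragment reassemble max-mss 1440

block in on $ext_if all

# IKE negotiation to isakmpd, and the ESP tunnel itself
pass in on $ext_if proto udp from any to $ext_if port 500 keep state
pass in on $ext_if proto esp from any to $ext_if

# PPTP (PoPTop) instead of, or alongside, IPsec: control channel plus GRE
pass in on $ext_if proto tcp from any to $ext_if port 1723 keep state
pass in on $ext_if proto gre from any to $ext_if

# Decrypted IPsec traffic is filtered on enc0; only let it reach the LAN,
# not the firewall's other networks
pass in on enc0 from any to $lan_net keep state
```

If RDP still fails with the clamp in place, tcpdump on the external interface for ICMP "fragmentation needed" messages and retransmitted full-size segments tells you whether the clamped value is still too large for the path or the problem lies elsewhere (for instance the Windows certificate import mentioned in the same post).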
