Contributed by
phessler
on
from the blarg-need-to-eat-brains dept.
Corbets writes "I'm looking for information on how to set up a multi-platform VPN that authenticates to my OpenBSD box. I'd like to use it for wireless security as well as remote access. IPSec seems to be very difficult to configure, and OpenVPN (available at SourceForge) requires additional software to be installed on both client and server machines. Have any of your readers come up with a simple-yet-worthy solution for secure access to networks protected by an OBSD firewall?"
I'm aware of authpf, but that doesn't solve the encrypted tunnel part. The client can also use ssh tunneling, but that sounds like hell for a Windows box. PPTP or IPSec tunneling with user authentication is built into both Windows (XP and later), and OSX, so those would be a huge win. I don't know of a server side solution for that though. :/
Undeadliers, Corbets needs your help.
Comments
By Paul (208.38.59.91) spawn@maltliquor.ca on
PopTop works very well and is in ports. I regularly use it to auth Windows clients to my OpenBSD firewall.
The pptp clients in everything from Win98 and up work great. Check out www.poptop.org
By djm (61.95.66.134) djm@ on
IPsec is probably the most secure solution, though you generally have to pay for Windows clients (MS having lobotomised their inbuilt IPsec support in various ways). Most sane IPsec clients interop fine with isakmpd. I have personally tested the old PGPnet, Timestep/IRE and SSH.COM ones.
PoPTop is another solution (already mentioned), replete with all the issues that PPTP with MSCHAP is famous for. It looks like this project is just starting to wake from a long slumber; for a long time the stable version was very flaky on multipath links (it didn't deal with reordered packets).
Compared to these two choices, tunneling over SSH isn't so bad :) You can use OpenSSH on Cygwin or the most recent PuTTY. Both of these support "dynamic tunnelling" that automatically supports anything with SOCKS (see DynamicForward in "man ssh_config").
By Anon E. Muss (24.65.17.217) on http://www.cs.umd.edu/users/mvanopst/xp2obsd.pdf
By Bobby Johnson (67.166.26.180) bob@nospam-plexuscomp.com on
Links from my bookmarks, most found from searching on deadly. IPsec will interoperate with most everything.
http://www.etla.net/~willey/projects/vpn/
http://hem.passagen.se/hojg/isakmpd/
http://www.klake.org/~jt/mkca/
http://www.allard.nu/pipermail/openbsd-ipsec-clients/2002-November/000736.html
http://www.tek-tips.com/gthreadminder.cfm/pid/463/page/2
http://vpn.ebootis.de - Good program to configure win 2k or xp clients with builtin ipsec software.
By Guldan (212.129.231.66) robert_nospam_@guldan.demon.nl on
Hi,
I'm currently working on a setup like that, using OpenBSD and poptop with user ppp to authenticate to a radius server. Currently I'm testing with FreeBSD user ppp but have some problem with the user ppp radius part.
It looks like it never sends its username to the radius server.
I will try later after release of 3.5 of OpenBSD with a OpenBSD setup.
Gul'dan
By Guldan (62.216.13.38) on
Ok, I'm a moron... I did something wrong on the client...
I have it working now on FreeBSD, but have some troubles on OpenBSD. Without GRE and with GRE it will complain about gre stuff. I'm trying to find out what's going wrong...
By sthen (213.152.51.85) on
OpenVPN works well enough to be worth adding the relevant component, imho. You can package up an installer with everything that's required making the installation quite simple if you're not doing it yourself, and it will just use whatever internet connection is available (I have set it up for someone to access an Exchange server and had it running over GPRS, 802.11b, wired ethernet and modem through different ISPs - all without Outlook dropping the session during changeover).
Latest betas have a connection multiplexer, making server setup of multiple clients very much easier. These are early betas but it's on the way. (For those who don't know OpenVPN, standard versions have each client connect to a separate copy of the program bound to its own UDP port - this works well.)
OpenVPN supports Win2k+ and unix-like OS with tun or tap devices available. Win9x is not supported. Since it's OpenSSL-based, assuming you choose suitable ciphers, you can use it with hardware crypto accelerators, which is helpful if you want to terminate a larger number of tunnels to a low-power machine (e.g. net4801 or some C3-with-Padlock EPIA).
And it works perfectly, certainly with 3.5. openvpn relies on tun devices which are created dynamically since 3.5.
By Heinz (207.248.43.254) heinz@bsdcoders.org on http://www.bsdcoders.org
regards
By Anonymous Coward (62.235.14.244) on
By Michael Sullenszino (66.239.244.41) nospam@sullenszino.org on
OpenVPN is great, compiles on 3.3, 3.4 and there is a port for 3.5. Use it to connect laptops and a few home users for multiple clients running OpenBSD firewalls/gateways. I can provide basic config files for both the OpenBSD server and the Windows clients. I had a few issues with some versions of Windows which the documentation covered in terms of packet fragmenting, otherwise smooth sailing and no issues.
By Corbets (24.12.223.67) on http://www.lancemcgrath.com
This would be the other problem I forgot to mention. I'd really prefer not to have to set up a different config file for every client that wants to simultaneously connect. :( This might be the answer in the next version.
By Anonymous Coward (80.139.96.193) on
OpenVPN does this job great in V2, it compiles great on 3.5 and I think it's stable enough to give it a try.
By Corbets (24.12.223.67) undeadly@lancemcgrath.com on http://www.lancemcgrath.com
As I understand it, I'll have to add TAP support to the OBSD kernel to make OVPN work correctly with Windows devices. Do I have the right of it?
Thanks,
Corbets
By Ryan Baldwin (213.48.13.39) ryan.baldwin@nexusalpha.com on
As far as I'm aware a tap device is only required for setting up a bridged VPN. If this is what you want then as of OpenBSD 3.6 I believe 'tap' support has been added to the kernel. To use this with OpenVPN use 'ifconfig tun0 create link0' and then in your OpenVPN config file where you might say
dev tap0
instead say
dev tun0
dev-type tap
Obviously you can use tun1 etc. and create many of these (since 3.5 I believe).
Hope this helps
By Anonymous Coward (65.110.240.244) on
> can also use ssh tunneling, but that sounds like hell for a Windows box.
it's actually quite simple with putty. (use google... ) .... it's pretty easy to do, even with windows.
By jack (24.215.169.90) on
a while ago there was a mention of this product called airlok that is based on obsd. well... if you check out their support website, they have got documentation that shows exactly how to get the job done (ipsec configuration to connect to OpenBSD) on windows without downloading any software. a lot of times when i need linux configuration related documentation i surf to products that are built on linux and it looks like doing that for openbsd will work too.
i use a macos x powerbook and use that ipsecuritas thing recommended on that airlok site and it works great with my obsd box.
By Anonymous Coward (128.59.21.5) on
I couldn't get that one to work, but this one does. The winxp documentation is exactly what I was looking for.
http://www.air-lok.com/support
By Sacha (145.222.169.66) on
You could try TINC
By A Non Moose Cow Herd (64.81.227.16) on
I would say give IPSec a shot but I may be a bit biased. I just set up an IPSec VPN between OpenBSD 3.4 and WinXP for a client about a month ago using X.509 certs for authentication. I followed instructions from a few different websites. After solving a few silly problems on the Windows side everything is running smoothly.
References:
http://mirror.huxley.org.ar/ipsec/isakmpd.htm
http://vpn.ebootis.de/
the incredible ipsec, vpn, isakmpd and related manpages
Notable issues:
- setting the pf scrub rule to include 'max mss 1440' helped with Windows remote desktop... pings worked (small packets) but RDP didn't.
- Windows XP is very particular about importing the CA and user certs.
I may do a write-up of my experiences later.
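As an added illustration of the 'max mss 1440' point above (this is not the poster's own configuration), here is a pf.conf fragment in the OpenBSD 3.x-era scrub syntax that clamps the TCP MSS and admits IKE and ESP from remote IPsec clients; the interface name is a placeholder, and the ESP overhead per packet depends on the cipher and mode, so 1440 is the thread's empirical value rather than a derived one.

```pf
# Added example, not from the thread. Assumes the OpenBSD firewall is
# also the IPsec endpoint (isakmpd); "fxp0" is a placeholder interface.
ext_if = "fxp0"

# Rewrite the MSS option in TCP SYN packets so that a full-size segment
# plus the ESP encapsulation added by the tunnel still fits the path MTU.
# Small packets (ping) never reach the limit, which is why ping worked
# while RDP screen updates (large, DF-set segments) silently stalled.
# If large transfers still hang, lower the value rather than raise it.
scrub in all max-mss 1440

# IKE (UDP/500) and ESP from any remote client to the firewall itself.
pass in on $ext_if proto udp from any to $ext_if port 500
pass in on $ext_if proto esp from any to $ext_if

# Only if PoPTop/PPTP is used instead: control channel plus GRE payload.
# pass in on $ext_if proto tcp from any to $ext_if port 1723
# pass in on $ext_if proto gre from any to $ext_if

# On OpenBSD 4.6 and later, scrub became a match option; the equivalent
# clamp is:  match in all scrub (max-mss 1440)
```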
By Anonymous Coward (67.70.164.207) on
Please post if you do do a write-up. I for one would really like it.
By Alan DeWitt (198.36.163.30) on
Would you be so kind as to clarify something?
[...] setting the pf scrub rule to include 'max mss 1440' helped with Windows remote desktop... pings worked (small packets) but RDP didn't
Do you mean to say that RDP works with this setting to scrub, or that it still does not work?
Thanks!