OpenBSD Journal

OpenCon - Tutorial Day

Contributed by merdely on from the puffy-invades-venice dept.

OpenCON 2007 in Venice starts Saturday. But Friday provides attendees with a choice of two tutorials (out of four): Alessio Pennasilico's Introduction to OpenBSD or Peter N. M. Hansteen's PF Tutorial in the early part of the day and a Ports Tutorial by Bernd Ahlers or Felix Kronlage's talk on VPN Technologies in the later part of the day.

I was able to sit in on the tutorial on PF and the one on Ports. Darrin Chandler attended the VPN talk. Accounts from three of the tutorials follow. If you were able to attend Alessio's talk, please leave a comment.

The PF Tutorial started with a background of PF's history. Peter went through the basics of writing rules, making ftp work, not blocking icmp, securing wifi, hoststated, spamd, DMZs and carp. Not only was it a great introduction to PF for new users but covered more advanced topics for existing PF users. And the talk was a great companion for his upcoming book.

In the afternoon, I sat in on Bernd's Porting Tutorial. He spoke about basic porting philosophies and where our ports structure came from. He highlighted the different components of a port (directories and files) and then went through many of the parts of the Makefile. With audience participation, Bernd then led a demonstration of creating, building and packaging a new port. Because the demonstration used a very simple port, he went on to cover more complex porting issues, such as reviewing the make configure output to fix errors and prevent unwanted dependencies, and implementing FLAVORs and MULTI_PACKAGES.

Darrin attended VPN Technologies available on OpenBSD by Felix Kronlage:

Felix began with a high level overview of VPNs, and moved quickly into explanations of isakmpd and ipsecctl. It became very obvious that ipsecctl provides an extremely easy and functional interface. He then treated us to a working demonstration and walked us through the config files. For many common situations you can start from scratch and go to a working VPN in 5 minutes. I'd heard this before, but seeing it in action made me a believer.

Then Felix quickly showed how to make a "poor man's" VPN using OpenSSH. We didn't spend much time there, but once again the configuration was very simple, involving only creating a tunnel on each side and one ssh command.

Last came a good look at OpenVPN. While for most situations the VPN solutions in the base install will be preferable, OpenVPN offers some solutions for corner cases such as VPN through an http proxy or handling Windows clients easily. It's a very flexible tool that can be adapted to a large variety of situations. I'd always avoided OpenVPN in the past, but I'll be keeping it in mind for those odd situations.


Comments
  1. By Anonymous Coward (166.70.233.252) on

    Thank you for informing us about the new PF book. I was completely unaware of it.

    With respect to VPN, I always choose to use OpenVPN. Correct me if I am wrong, but it is the best cross-platform Open Source VPN solution. Nowadays Windows clients in a production VPN deployment are rarely a corner case.

    At any rate, IMO, if OpenBSD's ipsec implementation would like to expand its "market share", one of these "up and running in 5 minutes" tutorials should find its way into the FAQ or User's Guide, as PF's did a long time ago.
    It's one thing to find it in a blog entry somewhere, but quite another to read it on the official pages. (And I am not aware of a manual page that describes how all the pieces would fit together and get everything up and running smoothly.)

    Comments
    1. By Anonymous Coward (99.238.231.53) on

      > With respect to VPN, I always choose to use OpenVPN. Correct me if I am wrong, but it is the best cross-platform Open Source VPN solution. Nowadays Windows clients in a production VPN deployment are rarely a corner case.

      You are wrong. Where's the openvpn for cisco IOS, or any of the dozens of other proprietary firewalls people have to interoperate with? They all do ipsec, none of them do openvpn. And windows has ipsec support out of the box. If you aren't setting up the people's laptops yourself, then use one of the open source GUI tools to configure windows ipsec, so the end users can have it just as easy as openvpn.

      Comments
      1. By Anonymous Coward (24.37.242.64) on

        > > With respect to VPN, I always choose to use OpenVPN. Correct me if I am wrong, but it is the best cross-platform Open Source VPN solution. Nowadays Windows clients in a production VPN deployment are rarely a corner case.
        >
        > You are wrong. Where's the openvpn for cisco IOS, or any of the dozens of other proprietary firewalls people have to interoperate with? They all do ipsec, none of them do openvpn. And windows has ipsec support out of the box. If you aren't setting up the people's laptops yourself, then use one of the open source GUI tools to configure windows ipsec, so the end users can have it just as easy as openvpn.

        OpenVPN works by tunneling over SSL (OpenSSL).

        As for configuring OpenVPN on laptops, I know there's a way to create a custom-configured MSI 'package' or other that can be distributed and installed easily by the user without any real interaction.

        As for VPN 'to/from' the firewall appliances themselves, I'm curious as to why this is needed or why anyone would do such a thing?

        Comments
        1. By Anonymous Coward (219.90.160.206) on

          > As for VPN 'to/from' the firewall appliances themselves, I'm curious as to why this is needed or why anyone would do such a thing?

          Connecting multiple machines to a VPN?

      2. By Anonymous Coward (208.191.177.19) on

        Those "proprietary firewalls" may all do IPSec, but many of them have proprietary extensions that require matching proprietary clients. I don't know about IOS, but I can't get OpenBSD IPSec (or Linux's, either) to work with my company's Nortel Contivity setup (hopefully the vpnc project will get it working soon). It's not OpenBSD's fault, mind you, but I don't know that bigco commercial firewalls are that strong an argument for using OpenBSD IPSec over OpenVPN, as often neither will work.

        The comment about Windows IPSEC carries more weight, though. I don't think that is all that hard to set up any more.

  2. By Joshua Bromfield (203.185.246.193) on

    Great! Thanks for this.

    While I was on Peter's website I also found his manuscript on pf very helpful:

    http://home.nuug.no/~peter/pf/

    Comments
    1. By Anonymous Coward (85.139.179.22) on

      > Great! Thanks for this.
      >
      > While I was on Peter's website I also found his manuscript on pf very helpful:
      >
      > http://home.nuug.no/~peter/pf/

      anyone with the VPN Tutorial?

      Comments
      1. By Darrin Chandler (dwc) on http://www.stilyagin.com/darrin/

        > > Great! Thanks for this.
        > >
        > > While I was on Peter's website I also found his manuscript on pf very helpful:
        > >
        > > http://home.nuug.no/~peter/pf/
        >
        > anyone with the VPN Tutorial?

        I believe Felix will post his slides some time in the future. Check http://www.openbsd.org/papers/ now and then to see what's new. :)

  3. By Anonymous Coward (204.80.187.5) on

    The shrew.net Windows/Mac/Linux VPN client is compatible with OpenBSD isakmpd and ipsecctl. It is much easier to set up than OpenVPN.
