Slashdot Mirror


Open VPNs On Unix That Support Windows Clients?

Adam Schumacher writes:"At work, I've been investigating the possibility of migrating our proxy/ftp/VPN server from NT4 to Linux. Proxying and FTP are obviously no problem, but I am at a bit of a loss as to what to recommend as our VPN server. We need transparent and secure tunneling of our network traffic across the Internet to Windows 95/98/NT/2000 workstations. I know that there are commercial vendors offering VPN solutions that interoperate beautifully between Windows and Linux, but these carry a hefty pricetag, upwards of several thousand dollars. I would much rather go with an Open Source solution. What experience have you had with setting up a VPN between a Linux server and Windows clients? Can you recommend any particular products I should investigate further? In the event that we do have to go with a commercial solution, would you recommend one product over another? Why? Bear in mind that this machine will control access to our entire internal network, so I need a product that has been proven to be robust and secure. Immature code need not apply."

29 of 189 comments

  1. Use ssh by Anonymous Coward · · Score: 3

    Hey, ssh has port redirection over a tunnel to another box with ssh on it. We had it set up here, with a NT 4 server on one end and a few 95 clients on the other. The Windows people didn't even know they were going over anything but a LAN, because we managed to get samba to flow seamlessly over ssh. Drop me a note if you want more info. mattj@invisik.com

  2. Hrm by Anonymous Coward · · Score: 5

    I use a VPN system called Carnivore, by FBI Privacy Solutions, Inc. The FBI techs (called agents) are extremely helpful, and do all the installation and monitoring for you, no added charge.

  3. Freeswan needs much help by anewsome · · Score: 3
    I have used Freeswan extensively, as recently as 4 months ago, and it was not even close to being ready for primetime. It was plagued by many, many problems, as their very busy mailing list will attest to. I made the mistake of putting it into a production environment without even testing its reliability.

    Once the VPN systems were in production with Freeswan, they were plagued by kernel panics, flaky startup and shutdown and many other problems.

    Also, back then, there was a major problem with Windows clients connecting using DHCP addresses (all?!!), in that the way Freeswan is configured, it expects a static IP address at the other end of the tunnel.

    These guys who are posting that Freeswan is any sort of panacea, or even a workable solution, either haven't used it for real or are using a dramatically different product than the one I used 4 months ago.

    You can read my many cries for help on the mailing list archives, I'm sure. Whatever your case, I wouldn't recommend Freeswan unless they have fixed the kernel panics, flaky startup and shutdown, and the dependency on fixed IP addresses.

    I submitted this earlier as a reply, I hope the dupe engine doesn't flag me as bad.

    My two cents. --Aaron Newsome

  4. FreeS/WAN by Ranger+Rick · · Score: 3
    Try FreeS/WAN. It is an IPSec package that handles VPNs and other firewalling-type stuff, and it's compatible with most other IPSec packages (meaning you can hook up with Checkpoint VPN-1 and such).

    :wq!

    --

    WWJD? JWRTFM!!!

  5. PoPToP for cheap Windows support; IPsec otherwise by cduffy · · Score: 3

    The quick answer:

    First of all, if you want a VPN with Windows clients and don't want to spend any money, use PoPToP. However, be aware: PoPToP doesn't work correctly with many broken versions of Windows, and the PPTP protocol has some serious shortcomings.

    IPsec, while still not being particularly secure, is a somewhat better protocol. However, you'll need to purchase a commercial Windows client to use it (even with Windows 2000, which supports IPsec, you'll need a commercial client such as that from Network Associates to work without L2TP; I haven't heard of anyone making successful use of l2tpd in this context). Via FreeS/WAN, a free, high quality client/server solution for linux is available, as well.

    In any event, you'll want to use ipsec for your linux clients. Use it for your Windows clients also, if you can afford the commercial software.

  6. Re:WTF?? by tzanger · · Score: 3

    > 1) Kernel patches (yay). There seem to be problems getting these patches to work with some distros (read: Red Hat) that have slightly-customized kernels

    Only if you're dealing with some bonehead distribution that customizes the kernel instead of using kernel modules and a userland (or at least non-invasive) process to do whatever the hell it is they think is so important they should modify the kernel in the first place.

    > 2) Windows only supports some real lame encryption out-of-the-box. To get 128 bit, you have to go through some real hoops to get the software from Microsoft, only to find it doesn't work.

    Got some proof? I downloaded an easily-found file from MS' site, installed it and while I have not verified that it is indeed spitting out 128-bit encryption (anyone know a good way to actually test the wire?) pptpd/pppd won't talk to the client if I force 128-bit encryption on the server side and use weak encryption on the client.

    > 3) Firewall/IPMasq causes even more fun, depending on which side of the firemasq the PPTP server is on.

    Come on. This is getting silly. In my case I put the pptpd server on the firewall. I figure a VPN is an integral part of a firewall. Then I set aside a block of IPs and set up the masquerade rules to match. The hardest part of my whole firewall was making sure that my input chain didn't kill packets I didn't want gone. The forward chain is only three lines long.

    > 4) Browsing windows shares over a VPN link is akin to black magic and seldom works.

    I haven't had too much trouble. You mention that you're on the PoPToP list. Check out the Samba lists as well and read up on Samba and WINS. The key is a WINS server which is accessible to everyone (internal and VPN).

    The rabbit I'm gonna have to pull out of my hat involves setting up a VPN'd subnet (using FreeS/WAN, pptpd is useless here) and making a couple servers on the inside of each end appear in the subnet as well, without munging things up too badly and without having each server step too much into the VPN. I may just set up coda and Samba on the firewalls and "fake" that they're the servers in question. It'll make security tighter in the end, I think.

  7. PoPToP by tzanger · · Score: 5

    Moreton Bay, the company that gave us so much work on uClinux, has PoPToP, a Linux PPTP server.

    I have set it up personally and included the MPPE and stateless patches which give excellent performance and 128-bit encryption.

    You mentioned that immature code need not apply. I can't say how mature this code is but I have not had any problem with the encryption nor the actual VPN going down or otherwise futzing up.

    PoPToP uses pppd + openssl with a custom daemon to set up Windows VPN connections. You can force MSCHAPV2 (V1 has problems with security, what else is new? :-), enforce 128-bit encryption, use PAP or CHAP, whatever you please. Since it is pppd which is authenticating, you can use PAM or whatever authentication methods you can use with pppd. Another important feature is that you can configure pptpd to assign IPs or have pppd do it for you. Configuring for MPPE and stateless compression was a bit of a pain, but in reality it involved scanning the already big mailing list and applying the correct version of the patches.

    Overall I am very pleased with PoPToP, even if my typing slows to 10WPM when I have to type the name. :-)
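An added example (not PoPToP's or pppd's code) of checking a pppd options file for the settings the post above describes: MS-CHAPv2 forced, 128-bit MPPE required, the weaker authentication methods refused. The option names are real pppd options; the two sample options files are constructed.

```python
"""Lint a pppd options file for the PPTP settings described above:
force MS-CHAPv2, require 128-bit MPPE, refuse the weaker methods.

Added example, not PoPToP's or pppd's own code. The option names are real
pppd options; the two options files are constructed samples."""

# Constructed weak sample: nothing stops a client from negotiating PAP,
# plain CHAP or MS-CHAPv1, and only 40-bit MPPE is demanded.
WEAK_OPTIONS = """\
# /etc/ppp/options.pptpd (constructed weak example)
name pptpd
auth
lock
proxyarp
ms-dns 192.0.2.53
require-mppe-40
"""

# Constructed hardened sample with the settings the post describes.
HARDENED_OPTIONS = """\
# /etc/ppp/options.pptpd (constructed hardened example)
name pptpd
auth
lock
proxyarp
ms-dns 192.0.2.53
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nomppe-stateful
"""

# Options that must be present, with the exposure their absence leaves open.
REQUIRED = {
    "auth": "peer is not required to authenticate at all",
    "refuse-pap": "PAP allowed: the password crosses the link in cleartext",
    "refuse-chap": "plain CHAP allowed: no MPPE keys can be derived from it",
    "refuse-mschap": "MS-CHAPv1 allowed: the weaker challenge/response",
    "require-mschap-v2": "MS-CHAPv2 not mandatory for the peer",
    "require-mppe-128": "128-bit MPPE not mandatory: 40-bit or no encryption",
    "nomppe-stateful": "stateful MPPE allowed (the post relies on stateless)",
}

# Options whose presence weakens the server regardless of the rest.
FORBIDDEN = {
    "noauth": "disables peer authentication outright",
    "nomppe": "disables MPPE, so the tunnel carries plaintext",
    "require-mppe-40": "demands only 40-bit MPPE",
    "nomppe-128": "refuses 128-bit MPPE",
}

def parse_options(text):
    """Option names from a pppd options file: one option per line,
    '#' starts a comment, arguments follow the name."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.split()[0])
    return names

def audit(text):
    """Return sorted (kind, option, reason) findings; empty means hardened."""
    present = parse_options(text)
    findings = [("missing", o, why) for o, why in REQUIRED.items() if o not in present]
    findings += [("present", o, why) for o, why in FORBIDDEN.items() if o in present]
    return sorted(findings)

if __name__ == "__main__":
    for label, text in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        findings = audit(text)
        print(f"{label}: {len(findings)} finding(s)")
        for kind, option, reason in findings:
            print(f"  {kind} {option}: {reason}")
```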

  8. Some suggestions by jd · · Score: 3
    1) IPSEC is transparent, and there are versions for Windows and Linux. It's also about as secure as you can get.

    2) Then, there's always SKIP. An invention of SUN, but still worth investigating. SKIP has higher throughput than IPSEC, and faster recovery in the event of a system failure anywhere down the chain. Again, it's available for Windows and Linux.

    3) Thirdly, there's SSH, SCP, et al. This is OK, but its main drawback as a -transparent- VPN is that it's not very transparent. It's at the application level, rather than the stack level, which means that it's going to be more visible to the average user.

    4) Last, but by no means least, your favourite hound of hell and mine, Kerberos! It's possible to set Kerberos as both an authentication AND an encryption mechanism. The main drawback with this option is that applications would need to be aware of Kerberos before they could benefit.

    All in all, I'd say IPSEC or SUN SKIP are your two best options, as they don't require any user intervention or special code in the application.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. Securing PPTP by Effugas · · Score: 3

    I've got a system I've been sitting on for a while that gives you the network isolation of Windows PPTP with the trustable crypto of SSH. I haven't done much development work on it in quite some time; anyone out there who'd like to hack on this and get it up to 1.0, toss me a note.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

    "Little Caesars? You do pizza?"

  10. Open Source or Free Beer? by flanker · · Score: 3
    ...but these carry a hefty pricetag, upwards of several thousand dollars. I would much rather go with an Open Source solution.

    I think what you mean to say here is "I want someone to make me this thing for free." This is a great example of why RMS doesn't like the term Open Source. For 90% of the schmucks out there it translates to Free Beer, rather than the Free Speech he is speaking of. You want VPN software? Go write it and GPL it.

    --
    Left shift 1 for e-mail...
    1. Re:Open Source or Free Beer? by mr · · Score: 3

      >You want VPN software? Go write it and GPL it.

      Why should I?

      Sun has already done this. It is called SKIP.

      And it is under a BSD-esque license.

      Permission is hereby granted, free of charge, to any person
      obtaining a copy of this software and associated documentation
      files (the "Software"), to deal in the Software without
      restriction, including without limitation the rights to use,
      copy, modify, merge, publish, distribute, sublicense, and/or sell
      copies of the Software or derivatives of the Software, and to
      permit persons to whom the Software or its derivatives is furnished
      to do so, subject to the following conditions:

      http://skip.incog.com/src-form.html is the link in my old code version.
      http://www.mirror.ac.uk/sites/ftp.zedz.com/pub/crypto/programs/skip/ is the link to the code in case you don't have this laying about.

      The code works between Unix boxen and between unix and windows. And, it has been rumored to work with IPsec, but given I do not have a windows box doing ipsec, I can neither confirm nor deny it.

      So:
      1) Sun DOES release code.
      2) The world does not revolve about the GPL.

      --
      If it was said on slashdot, it MUST be true!
  11. Re:Translation by sammy+baby · · Score: 5

    I'm actually pretty shocked that you managed to score a rating of 4: Insightful off this one, but what the hell, I'll bite.

    > Hi, I'd like to move a server from NT4 to Linux. I'd like to stress that it is a server that is extremely vital to my company's business. It is so vital in fact that I'm prepared to spend no money on it at all. I want someone to give me high-powered, reliable software upon which I can bet my job, for free.

    Is that not reasonable? I use OpenSSH, Snort, and nmap all the time at my place of business for security. For other purposes, I use Red Hat, Debian, Apache, Perl, PHP, MySQL, and PostgreSQL. All "high-powered, reliable software," as you put it. All free.

    > Why must Open-Source necessarily equal free?

    This may come as a shock to you, but I'm not in the habit of spending money on Open Source software unless I absolutely have to. Oh, I've certainly purchased the occasional RH distro CD because I wanted to install it at home, but at work, where I'm fortunate to have a decent net connection, I do net installs like crazy.

    It's true that you can spend money on OSS. However, most people associate OSS with no charge, and not without reason.

    > Why does Open-Source necessarily equal best?

    The original poster stated that he would rather go with an Open Source solution rather than ones that "carry a hefty pricetag, upwards of several thousand dollars." I think that this is an important consideration for him. Since you didn't suggest any commercial solutions (or, in fact, OSS ones), I'll pose the converse question to you: what is your familiarity with VPN software, and what commercial solution would you say was the best?

    > If it were my job on the line here, I'd find the best solution, not necessarily the one that meets my agenda.

    I thought that the original post articulated his reasons for pursuing an Open Source package pretty nicely. On the flip side, your post seems to reflect a prejudice that only businesses with money to burn should have access to decent software. If you're of the opinion that Open Source software has no role in mission critical applications, fine, but just out of curiosity, why the hell would you read /.?

  12. (I have an answer to the question at the end of my rant)

    Is there an open Slashdot terminal in some public place? Because these "Ask Slashdots" are starting to seem more like "Ask A Random Question Without Searching First". This is getting REALLY lame.

    Now, then. Go to Yahoo (yes, even Yahoo can find this, albeit through Google). Type "linux vpn". Find a link. Follow it.

    For those that aren't interested enough to click, this is PoPToP, a Linux implementation of the server-side of MS PPTP. A secure implementation. Why PPTP? Because you want Windows clients and the only thing they do out of the box is PPTP. BTW, PoPToP is GPL'd....
    --

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:WTF?? by x0 · · Score: 3

      To further your argument that 'Ask /.' is a good jumping off point for starting a discussion, I find that it is sometimes a good place for me to learn about things I am not currently involved with, but that are interesting nevertheless.

      Sure, a search engine is generally where I start to find out about different solutions I might be looking to implement, but it is nice to hear discussion about various things as a 'Gee, that's cool!' discussion also.

      --
      In the immortal words of Socrates, who said; 'I drank what?'
    2. Re:WTF?? by Mark+F.+Komarinski · · Score: 4

      IMO PoPToP has some serious issues. Unfortunately, most are outside the scope of what the PoPToP developers can work with:

      1) Kernel patches (yay). There seem to be problems getting these patches to work with some distros (read: Red Hat) that have slightly-customized kernels
      2) Windows only supports some real lame encryption out-of-the-box. To get 128 bit, you have to go through some real hoops to get the software from Microsoft, only to find it doesn't work.
      3) Firewall/IPMasq causes even more fun, depending on which side of the firemasq the PPTP server is on.
      4) Browsing windows shares over a VPN link is akin to black magic and seldom works.

      These are the most common issues I've seen (and I'm a lurker on the PoPToP list). To their credit, the gang that make this software have integrated it into a hardware box (look for the NetTel) that does both PPTP and Firewall functionality. It's pretty inexpensive at $399US, and I'm pondering just buying that instead of hacking around on my own.

      --
      -- Ever notice that fast-burning fuse looks exactly the same as slow-burning fuse? I didn't... (Edgar Montrose)
    3. Re:WTF?? by TangentMan123 · · Score: 3

      This is a search engine. The bonus is you get answers specific to your question without having to plow through 1,240 hits (AltaVista "linux vpn") of which some are probably porn. Let's see Ask Jeeves do that. Personally, I have an interest in this question as well as many other questions posted on /. The point is, it (should) never hurt to ask...

      --
      "Mmmmmm, beer." Homer Simpson
  13. Been There by debrain · · Score: 3
    We had a similar situation where we had to decide on a particular system to implement VPN as well as all the firewall and DMZ (demilitarized zone) rulesets.

    We finally decided on OpenBSD although we considered Linux, Tru64, Solaris, NetBSD, FreeBSD, Irix, NT and Windows 2000. By considered, I mean we thought about it. But we finally decided on OpenBSD because throughout all the security bulletins that we've seen, this was the one that touted the best security, and was notably lacking in security bulletins.

    We have been extremely satisfied with OpenBSD, and use it as a real bastion firewall, and as a transparent bridge to our production servers. It has an incredible amount of power, and is very versatile. Combined with Snort, Nessus, Nmap, IPF, and Perl (or any scripting language), it makes a wonderful IDS (Intrusion Detection System). I have yet to see a commercial system rival the power of this open source system in terms of complexity and diversity.

  14. VPND by bgarcia · · Score: 5
    I've been using vpnd for over a year now, and it has been extremely reliable and should be very secure (can you say "576-bit blowfish encryption"?).

    It is meant more to connect two subnets, rather than a single device to a network. Also, it does not run on windows. However, you can do what I do, and resurrect an old 486 to act as a gateway/firewall/vpnd server at home, and hook your windows box to it.

    It is set up to re-establish broken connections. Even though I often lose connectivity between work and home, as long as the downtime is less than a tcp timeout, all of my tcp connections over the encrypted channel will actually remain up! Very nice.

    --
    I'm a leaf on the wind. Watch how I soar.
  15. Translation by Fideaux! · · Score: 3

    Hi, I'd like to move a server from NT4 to Linux. I'd like to stress that it is a server that is extremely vital to my company's business.

    It is so vital in fact that I'm prepared to spend no money on it at all. I want someone to give me high-powered, reliable software upon which I can bet my job, for free.

    Why must Open-Source necessarily equal free?
    Why does Open-Source necessarily equal best?
    If it were my job on the line here, I'd find the best solution, not necessarily the one that meets my agenda.

    1. Re:Translation by Hard_Code · · Score: 3

      "Why must Open-Source necessarily equal free? Why does Open-Source necessarily equal best?"

      Because that's what Open-Source advocates advocate. That's as opposed to Free Software which claims only to be Free, and only ethically best. I think the claim is valid that Open-Source is subtly distorting the spirit of Free-Software. It results in people asking questions like these. It's my impression anyway that Open-Source tries to sell itself as a panacea.

      --

      It's 10 PM. Do you know if you're un-American?
  16. Re:FreeS/WAN compatible with various packages by billstewart · · Score: 3
    The FreeS/WAN project www.freeswan.org is the Free Linux implementation, developed outside the US to avoid export restriction problems. They've done a lot of work on compatibility with a large number of other packages, including Nortel Contivity and PGPnet. Typical compatibility situations are that IPSEC/IKE have zillions of different options for keying, and any two products will have some subset that work, usually manual keying. The other typical issue is that for policy reasons, FreeS/WAN only does 3DES, and some commercial products only do single-DES. (John Gilmore, who funds FreeS/WAN, spent a lot of money and time developing the DES cracker to convince people that single DES is dead...)

    Nortel has a policy of Freeswan compatibility, so you should be able to use their server or client to talk to a FreeSWAN linux box. Nortel's client software runs on Win95, Win98, and NT, and is free if you buy the Nortel hardware (formerly Bay, formerly New Oak.) I don't know if it's free if you don't buy a box from them. So far I've used the Nortel client only with Nortel servers, but it works quite well and has multiple options for keying, including SecureID.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  17. IPsec by Ledge+Kindred · · Score: 4
    Your best bet is probably to get IPsec running on a Linux server farm and find IPsec clients for WinXX. At least that way, you'll be using a standard protocol, unlike most (read: all) proprietary VPN softwares out there. You'd then be able to support any OS that had an IPsec stack (which includes a lot of them nowadays).

    Barring that, we've had good luck with VSgate by infoexpress in huge (and I mean huge) enterprise environments. Bonus: they directly support Linux not only as a server platform but client as well.

    You could also look for PoPToP, which is a reverse-engineered hack of Microsoft's "Point-to-Point Tunnelling Protocol" to make a Linux box able to be a server for it, but take a look at some past issues of Schneier's Cryptogram (don't know the specific one, sorry) for some scathing commentary on the brokenness of PPTP.

    -=-=-=-=-

    --

    -=-=-=-=-
    My mom's going to kick you in the face!

  18. Re:There's a difference by TheCarp · · Score: 4

    > Please remember that Open Source != Free
    > Software.

    That depends who you are talking to.

    When people originally started talking about OpenSource, the idea (as I understand it) was "Let's take the 'Free Software' concept and repackage it under a new name, because the word 'free' scares suits".

    The basic idea being Open Source *IS* free software in the same way that Zantac is Ranitidine (same chemical, different name).

    So when we talk about "OpenSource" we talk about how you have source code and all sorts of other things. When we talk about "Free Software" we call all those things 'side effects' and talk about freedom as the main concern.

    That doesn't mean there is a difference, just a different focus. In original intent though, the "focus" is the only difference, and when not trying to sell suits on the idea, the two terms can be used interchangeably.

    It has come to pass that you can seem to tell a person's beliefs on the subject by which term they use. FSF types will ALWAYS talk about "Free Software" and disparage the term "OpenSource". Those who just care that the code exists and think that having source code is better for the technical reasons, will call it "OpenSource".

    The entire criticism of the term is the focus change. People like RMS argue that the focus shift is bad. The whole point of free software is freedom and focusing on the other benefits instead is diminishing the value of the work by removing the political association of it.

    At the end of the day though...the two are the same in every way but terminology and connotation.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  19. www.freeswan.org ??? by denjin · · Score: 4

    Check out this place...it would be installed on a linux server. It probably is going to work best with the Windows 2000 VPN clients and even then I could be wrong :) Chris

  20. There's a difference by jeroenb · · Score: 3
    I know that there are commercial vendors offering VPN solutions that interoperate beautifully between Windows and Linux, but these carry a hefty pricetag, upwards of several thousand dollars. I would much rather go with an Open Source solution.

    Please remember that Open Source != Free Software. Open Source does not specifically require the software to be free, an example of this is Solaris. Free Software (in the FSF sense of the term) however, requires the software to be free, open source and a bunch of other things (concerning distribution, etc.)

    Sorry for bitching, but I think that at least the people at /. (and those submitting to /.) should have the terms straight.

    1. Re:There's a difference by 11223 · · Score: 3
      Solaris, while the source is available, isn't Open Source. Open Source requires that:
      1. the source to the program be redistributable;
      2. any compiled binaries from the source be redistributable.
      Therefore, it's free, too.
  21. Routers/Firewalls with VPN built in by Kondoor · · Score: 3

    Have you considered getting 2 routers with VPN built in? Being a small company, we use a cheap, easy to set up product that is a firewall/router all in one. The current model we are using is the WebRamp 700s. We're small and it works well for us. http://www.webramp.com

  22. PoPToP for Linux by Ron+Harwood · · Score: 3

    PoPToP is an open source implementation of PPTP under Linux. I've used it. It's solid. It rocks.

  23. SafeNet by buffalo_chip · · Score: 3

    There are unfortunately no Open Source Windows VPN clients. A good alternative however is SafeNet's client. Though not open source, you can get a pack of 10 licenses for about $80, last I checked. Cisco rebrands and sells this very product but charges about 10 times as much for it. SafeNet's VPN client works with FreeS/WAN which can be loaded on Windows 95/98/NT and possibly 2k. DO NOT use Windows 2000's built in IPSec, it has a major bug in that when told to operate in 3DES mode it suddenly drops to single DES without so much as telling you. When inter-operating with FreeS/WAN the connection barfs, I consider this a great feature of FreeS/WAN :-). FreeS/WAN no longer supports single DES as it is too easily brute-force cracked. If there is enough interest in this sort of thing, I could see the company I work for producing an Open Source windows VPN client. www.protectix.com
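An added example, not FreeS/WAN, Windows 2000 or any vendor's code, that models the two points made in comments 16 and 23: peers only ever agree on the subset of transforms both implement, and a responder that accepts whatever is in common lets a client that silently fell back to single DES connect unnoticed, while a responder with a 3DES-only policy refuses. The Transform type, the policy threshold and every transform list below are constructed.

```python
"""IKE-style transform selection under a minimum-strength policy.

Added example for the two points above (billstewart: peers only agree on the
subset of options both implement; buffalo_chip: a client that silently falls
back to single DES gets through a lax responder, while a 3DES-only responder
refuses). Not FreeS/WAN, Windows 2000 or any vendor's code; every transform
list below is constructed."""

from dataclasses import dataclass

@dataclass(frozen=True)
class Transform:
    cipher: str       # encryption algorithm name
    key_bits: int     # nominal key length
    integrity: str    # integrity algorithm name

# Agreed transforms with a shorter key than this are refused by policy.
# 3DES is listed at its nominal 168 bits; its effective strength is about 112.
MIN_KEY_BITS = 112

def responder_select(offered, supported):
    """Return the first initiator-offered transform the responder supports,
    or None. Initiator order wins, as the initiator's preference does in IKE;
    this is the lax behaviour: anything in common is accepted."""
    for t in offered:
        if t in supported:
            return t
    return None

def select_with_policy(offered, supported, min_key_bits=MIN_KEY_BITS):
    """Selection plus a policy gate. Returns (transform, reason); transform is
    None when no SA should be set up, so a too-weak peer fails loudly instead
    of connecting with weaker crypto than the administrator believes."""
    chosen = responder_select(offered, supported)
    if chosen is None:
        return None, "no transform in common"
    if chosen.key_bits < min_key_bits:
        return None, f"{chosen.cipher}-{chosen.key_bits} is below the {min_key_bits}-bit policy minimum"
    return chosen, "ok"

def downgraded(configured, negotiated):
    """True when what was negotiated is weaker than what was configured; this
    is the check the silent fall-back described above would trip."""
    return negotiated is not None and negotiated.key_bits < configured.key_bits

# Constructed transforms.
DES = Transform("des", 56, "hmac-md5")
TDES = Transform("3des", 168, "hmac-sha1")

# Constructed peers. The client was configured for 3DES but its stack only has
# single DES, so single DES is all it offers.
CLIENT_OFFER = [DES]
LAX_RESPONDER = [TDES, DES]     # accepts whatever is in common
STRICT_RESPONDER = [TDES]       # 3DES-only, as the post describes FreeS/WAN

def demo():
    """Run the two responders against the fallen-back client."""
    lax = responder_select(CLIENT_OFFER, LAX_RESPONDER)
    strict, why = select_with_policy(CLIENT_OFFER, STRICT_RESPONDER)
    return {
        "lax_negotiated": lax,
        "lax_downgraded": downgraded(TDES, lax),
        "strict_negotiated": strict,
        "strict_reason": why,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lax responder reports a working SA on single DES with no error, which is exactly the case where only a downgrade check or a log line would reveal the problem; the strict responder fails the negotiation outright.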