Open VPNs On Unix That Support Windows Clients?

Adam Schumacher writes:"At work, I've been investigating the possibility of migrating our proxy/ftp/VPN server from NT4 to Linux. Proxying and FTP are obviously no problem, but I am at a bit of a loss as to what to recommend as our VPN server. We need transparent and secure tunneling of our network traffic across the Internet to Windows 95/98/NT/2000 workstations. I know that there are commercial vendors offering VPN solutions that interoperate beautifully between Windows and Linux, but these carry a hefty pricetag, upwards of several thousand dollars. I would much rather go with an Open Source solution. What experience have you had with setting up a VPN between a Linux server and Windows clients? Can you recommend any particular products I should investigate further? In the event that we do have to go with a commercial solution, would you recommend one product over another? Why? Bear in mind that this machine will control access to our entire internal network, so I need a product that has been proven to be robust and secure. Immature code need not apply."

Hrm

I use a VPN system called Carnivore, by FBI Privacy Solutions, Inc. The FBI techs (called agents) are extremely helpful, and do all the installation and monitoring for you, no added charge.

PoPToP

[tzanger]

Moretonbay, the company who gave us so much work on uCLinux has PoPToP, a Linux PPTP server.

I have set it up personally and included the MPPE and stateless patches which give excellent performance and 128-bit encryption.

You mentioned that immature code need not apply. I can't say how mature this code is but I have not had any problem with the encryption nor the actual VPN going down or otherwise futzing up.

PoPToP uses pppd + openssl with a custom daemon to set up Windows VPN connections. You can force MSCHAPV2 (V1 has problems with security, what else is new? :-), enforce 128-bit encryption, use PAP or CHAP, whatever you please. Since it is pppd which is authenticating, you can use PAM or whatever authentication methods you can use with pppd. Another important feature is that you can configure pptpd to assin IPs or have pppd do it for you. Configuring for MPPE and stateless compression was a bit of a pain but in reality it involved scanning the already big mailing list and applying the correct version of the patches.

Overall I am very pleased with PoPToP, even if my typing slows to 10WPM when I have to type the name. :-)

Re:Translation

[sammy+baby]

I'm actually pretty shocked that you managed to score a rating of 4: Insightful off this one, but what the hell, I'll bite.

Hi, I'd like to move a server from NT4 to Linux. I'd like to stress that it is a server that is extremely vital to my company's business. It is so vital in fact that I'm prepared to spend no money on it at all. I want someone to give me high-powered, reliable software upon which I can bet my job, for free.

Is that not reasonable? I use OpenSSH, Snort, and nmap all the time at my place of business for security. For other purposes, I use Red Hat, Debian, Apache, Perl, PHP, MySQL, and PostgresSQL. All "high-powered, reliable software," as you put it. All free.

Why must Open-Source necessarily equal free?

This may come as a shock to you, but I'm not in the habit of spending money on Open Source software unless I absolutely have to. Oh, I've certainly purchased the occasional RH distro CD because I wanted to install it at home, but at work, where I'm fortunate to have a decent net connection, I do net installs like crazy.

It's true that you can spend money on OSS. However, most people associate OSS with no charge, and not without reason.

Why does Open-Source necessarily equal best?

The orignal poster stated that he would rather go with an Open Source solution rather than ones that "carry a hefty pricetag, upwards of several thousand dollars." I think that this is an important consideration for him. Since you didn't suggest any commercial solutions (or, in fact, OSS ones), I'll pose the converse question to you: what is your familiarity with VPN software, and what commercial solution would you say was the best?

If it were my job on the line here, I'd find the best solution, not necessarily the one that meets my agenda.

I thought that the original post articulated his reasons for pursuing an Open Source package pretty nicely. On the flip side, your post seems to reflect a prejudice that only businessess with money to burn should have access to decent software. If you're of the opinion that Open Source software has no role in mission critical applications, fine, but just out of curiosity, why the hell would you read /.?

WTF??

[FascDot+Killed+My+Pr]

(I have an answer to the question at the end of my rant)

Is there an open Slashdot terminal in some public place? Because these "Ask Slashdots" are starting to seem more like "Ask A Random Question Without Searching First". This is getting REALLY lame.

Now, then. Go to Yahoo (yes, even Yahoo can find this, albeit through Google). Type "linux vpn". Find a link. Follow it.

For those that aren't interested in enough to click, this is PoPToP, a Linux implementation of the server-side of MS PPTP. A secure implementation. Why PPTP? Because you want Windows clients and the only thing they do out of the box is PPTP. BTW, PoPToP is GPL'd....
--

VPND

[bgarcia]

I've been using vpnd for over a year now, and it has been extremely reliable and should be very secure (can you say "576-bit blowfish encryption?).

It is meant more to connect two subnets, rather than a single device to a network. Also, it does not run on windows. However, you can do what I do, and resurrect an old 486 to act as a gateway/firewall/vpnd server at home, and hook your windows box to it.

It is setup to re-establish broken connections. Even though I often lose connectivity between work and home, as long as the downtime is less than a tcp timeout, all of my tcp connections over the encrypted channel will actually remain up! Very nice.