Low Cost VPN Solutions?
whschwartz asks: "I'm looking for a low cost solution for allowing myself and a few others the ability to share a server at one of our locations. One thought was using SSH tunnels to establish secure connections, forwarding any ports needed by our apps. We'd want to be able to map network drives, control the server with something like PC Anywhere or VNC with the possibility of running apps that have remote data on the server. I use the Cisco VPN solution for work, but that's not in our price range and is probably overkill. Are there any other options I should be looking at other than using SSH port forwarding?"
You could use vtun (http://vtun.sourceforge.net/) to get the job done.
It has VPN functionality, although I don't think it has Windows support, if that's a requirement.
Bye!
Is it linux, windows or a bsd? Ah screw it, too many options to even think about posting a usable response.
There's always http://openvpn.sourceforge.net/ which has clients and servers for Windows, or you could always tunnel pppd over ssh; see http://www.tldp.org/HOWTO/VPN-HOWTO/ for details.
If the OS's involved are linux or you can insert a low cost box into the mix then Freeswan is a good choice.
I have had great success using it to connect a main office with a warehouse across the highway. After setting it up I only had to touch the boxes to do upgrades. The only downside is the need for two servers, one for each end of the tunnel.
You could use a smoothwall router. Only cost is standard hardware.
Linksys sells a VPN router that uses the IPSec standard, for around $100. I've been using it for the last year or so and I love it. You can connect to it using the IPSec tunnel built into Windows, or connect under Linux using FreeS/Wan
I have done this for almost four years now.
I set it up for my personal use and then when my company needed a solution we did this too.
Here is a how to
I'm going to set everyone in my company up using it. We're small and everyone works either on customer sites or from home. This will allow us to more easily share resources. It works with Linux, Windows, etc.
I highly recommend it.
It seems you are trying to connect to a windows machine, and you are using windows clients. Since we can assume it's not Server 2000/2003 (otherwise why would you be asking...) the following link shows how to set up a VPN server on windows xp.
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
Might not be the coolest way...but it's simple & low cost, using the hardware/software you have already.
Simplest way I've done it is to set up IPCop on both ends. You can use throw-away hardware (Pentium or greater) with little RAM and hard drive space and two network cards. VPNs are a breeze to set up.
The only issue will then be bandwidth, the faster the better. My main site uses cable and the remote site uses ADSL, and it's fast enough to be usable, but not as fast as a thin-client (Citrix) installation is. But we're talking trade-offs of cost for speed here, but since it's so cheap to do you can set it up and try it and see if it's the right solution for you.
We use smoothwall (http://www.smoothwall.org) between two locations. You need two el junko pc's to do the job (one on each end), but then the VPN is nicely transparent to the computers, and no software needed to install on the clients. Easy to setup too, and lots of community support. If you want to pay money and get a contract, you can purchase the smoothwall corporate edition.
PPP tunnelled over SSH is simple, quick to set up, and works without a hitch. I've used it to connect 20+ locations, and it's just as good as having a dedicated frame link between the sites.
IPSEC (using Openswan or similar) works well, but is in my experience more complicated and harder to maintain than the PPP-over-SSH method.
Both of these are free.
I'm not sure it will satisfy *every* one of those requests out of the box, but it's linux-based, and can be modified.
The USR8200 firewall/vpn/nas is probably more intended for small business networks, but I run one at home and use it to set up a VPN server, file server (with a firewire hd) and anonymous or permission-based FTP server. It supports port forwarding for inbound traffic, and as far as a firewall, it seems to have all the features found on $500 firewall-only products.
It was around $300 and while I could have done most of those things on a linux box, it took me about 25 minutes to set it all up. You can also bridge two of them together to create a "distributed" LAN, and it supports IPsec if you're into that.
I've had decent luck with PPP over SSH. It's not the fastest (although I haven't done any tuning of my PPP config), but all the components needed are pre-installed on most modern 'nix boxes.
See http://www.faqs.org/docs/Linux-mini/ppp-ssh.html
c.
Log in or piss off.
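The PPP-over-SSH setup recommended by several posters above, written out as an added example that is not from the thread or the linked HOWTO. Everything named here is an assumption for the illustration: the server is `vpnhost.example.net`, the two ends of the PPP link are 10.99.0.1 (client) and 10.99.0.2 (server), the server's LAN is 192.168.10.0/24, and pppd is at `/usr/sbin/pppd` on both ends. The part the HOWTOs usually skip is the server-side key: it is restricted to running pppd and nothing else, so a leaked client key yields one PPP link, not a shell.

```shell
#!/bin/sh
# Added example, not from the thread. All names and addresses are assumed.
PPP_SERVER=vpnhost.example.net
LOCAL_IP=10.99.0.1        # client end of the PPP link
REMOTE_IP=10.99.0.2       # server end of the PPP link
REMOTE_LAN=192.168.10.0/24

# ppp_authorized_key PUBKEY -> the authorized_keys line for the server side.
# command= forces pppd regardless of what the client asks for; the no-* options
# remove everything else ssh would normally grant. pppd is setuid root on most
# distributions (or put this line in root's authorized_keys); "notty" makes pppd
# speak PPP over the ssh session's stdin/stdout, so no pty is needed at all.
ppp_authorized_key() {
    printf 'command="/usr/sbin/pppd nodetach notty noauth %s:%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$REMOTE_IP" "$LOCAL_IP" "$1"
}

# ppp_client_cmd -> the client-side pppd invocation (run as root).
# "pty" tells pppd to run ssh and use its stdin/stdout as the serial line.
#   -T            never ask for a remote pty (the key forbids it anyway)
#   -e none       disable the ssh escape character, or a ~ inside a PPP frame
#                 would be eaten by ssh
#   BatchMode=yes never prompt; a password prompt would land in the PPP stream
# "updetach" backgrounds pppd only once the link is actually up, so a failed
# ssh login shows up as a non-zero exit instead of a silently dead tunnel.
ppp_client_cmd() {
    printf '%s\n' "pppd updetach noauth passive $LOCAL_IP:$REMOTE_IP pty \"ssh -T -e none -o BatchMode=yes $PPP_SERVER\""
}

# ppp_route_cmd -> once ppp0 is up, send the server's LAN through the link.
# The server needs ip_forward enabled and its LAN must route 10.99.0.0/30 back
# to it, otherwise replies never come home.
ppp_route_cmd() {
    printf 'ip route add %s via %s\n' "$REMOTE_LAN" "$REMOTE_IP"
}

# Run directly: print the three pieces in the order they are applied.
ppp_authorized_key 'ssh-rsa AAAA...client-public-key... client1'
ppp_client_cmd
ppp_route_cmd
```

The client command is what goes in a start script (or a `/etc/ppp/peers` file); the authorized_keys line is pasted on the server once. Because both the server-side pppd and the route are fixed in the forced command and in the script, the client never has to type anything, and the SSH session itself cannot be reused for anything but PPP.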
This may be helpful to someone:
We have extensive experience with the Netgear FVS328 and FVS318 routers with VPN. We have had many many problems with them.
Note that the FVS318 does NOT have secure login for remote maintenance. The password is sent in the clear.
Netgear apparently has no technical support representatives that work for the company. They apparently all work for contractors in India and the United States. We have found them to have very, very little information about these Netgear products.
Here are a few of our extensive notes about the problems:
We establish an IKE and VPN policy, and start a VPN. It works fine the first time, but, after we disconnect we cannot connect later, even though no changes have been made to the policies.
1) There is general agreement among Netgear technical support people that there is a problem.
Netgear technical support people have standard IKE and VPN policy setups they like to use, which they say are proven to work. The most common one, however, is slow and drops a lot of pings. More sophisticated IKE and VPN settings are faster, even though better encryption is used. We have no idea why this is so.
2) Turning the router power off and restarting sometimes cures the problem with not being able to re-establish a VPN. We have seen cases where the menu choice reboot did not cure a problem, but turning the power off and on did cure it.
3) Something hidden seems to time out after several hours. Sometimes VPN connection problems fix themselves after a day or so.
4) When establishing a VPN Auto Policy, the help says:
Remote VPN Endpoint: Select the desired option (IP address or Domain Name) and enter the address of the remote VPN Gateway/Server or client you wish to connect to. Note: The remote VPN endpoint must have this VPN Gateway's address entered as its "Remote VPN Endpoint".
However, we had a case where the address of one of the routers had changed from that given in the "Remote VPN Endpoint", but the VPN was re-established. The impression is given that specifying the address increases security. Apparently this is not so. Again, something seems to be keeping information for several hours, and then timing out.
5) We have seen a case where deleting all the policies and starting over cured a persistent problem with not being able to re-establish a VPN.
6) We have seen cases which seem to indicate browser dependence. For example, there may be Javascript that works perfectly only in Microsoft Internet Explorer, but sometimes fails in other browsers.
7) We have seen cases where choosing "Log Out" does not actually log out. Netgear technical support people say they've seen this also.
It seems to help if we exit from the browser completely. However, if the browser is Firefox (or Mozilla), and there are several Firefox windows open, exiting from Firefox means exiting from all the windows and tabs, which means that work opening those windows is lost. (Firefox and Mozilla do not have multiple instances; all windows come from the same instance.)
Logging out sometimes seems to leave something in the router which gets confused, and prevents re-establishing the VPN.
Version tested -- We have not tested the FVS328 firmware beta version. This report is about the FVS328 firmware Version 1.0 Release 09.
Are cheap, easy to set up and maintain, highly flexible and very cost-effective.
Depending on what you're planning to do, you can use any of the several VPN implementations out there, just to name a few:
* PoPToP, a PPTP server, compatible with the VPN client that Windows has always had,
* vpnd, really easy to set up, ideal gw to gw VPN solution, seems a little outdated but works great over slow links,
* OpenVPN, a highly portable, flexible and multiplatform VPN solution, which supports gw to gw and gw to host style VPNs,
* etc. There is also LinVPN, FreeS/WAN / Openswan, et al
Best regards.
Articles for geeks: T-shirts, Linux, books and more
You can use ssh with explicit port forwarding, but it sounds like you'd benefit from using it as a SOCKS proxy. OpenSSH can provide a SOCKS4 proxy with the -D switch and PuTTY can provide a SOCKS5 proxy. I've found that this works quite nicely for most purposes.
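Both forms of SSH tunnelling mentioned in this thread (explicit `-L` forwards for VNC and file sharing, and a `-D` SOCKS proxy), as an added example that is not from the thread. The server name `vpnhost.example.net`, the VNC display :1 on port 5901, and the local ports 5901 and 1139 are assumptions. The check it adds is the one that matters in a shared office: a forward whose listen side is bound to every interface turns the ssh client into an unauthenticated relay into the server for anyone on the same LAN, so the helper refuses anything that is not loopback.

```shell
#!/bin/sh
# Added example, not from the thread. Host and ports are assumed.
TUNNEL_HOST=vpnhost.example.net

# forward_is_loopback SPEC -> 0 when the listening side of "-L SPEC" binds to
# loopback only, 1 otherwise. Accepted forms:
#   port:host:hostport          (ssh binds loopback unless GatewayPorts is set)
#   bindaddr:port:host:hostport (explicit bind address)
# A bracketed IPv6 bind address ends up in the "refuse" branch; write 127.0.0.1.
forward_is_loopback() {
    case "$1" in
        *:*:*:*) bind_addr=${1%%:*} ;;
        *:*:*)   bind_addr=localhost ;;
        *)       return 1 ;;                 # not a valid -L specification
    esac
    case "$bind_addr" in
        localhost|127.*) return 0 ;;
        *) return 1 ;;                       # "*", 0.0.0.0, a LAN address, ...
    esac
}

# tunnel_cmd SPEC... -> the ssh command that opens every SPEC.
#   -N                        no remote shell, only the forwards
#   ExitOnForwardFailure=yes  die if a listen port is already taken instead of
#                             running with some forwards silently missing
#                             (on a Windows client port 445 is typically taken
#                             by the OS itself, hence a spare port such as 1139)
#   ServerAliveInterval=30    notice a dead link instead of hanging forever
tunnel_cmd() {
    args="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    for spec in "$@"; do
        forward_is_loopback "$spec" || {
            printf 'refusing non-loopback forward %s\n' "$spec" >&2
            return 1
        }
        args="$args -L $spec"
    done
    printf 'ssh %s %s\n' "$args" "$TUNNEL_HOST"
}

# socks_cmd PORT -> the dynamic-forward variant: one SOCKS port on loopback,
# and each application is pointed at it instead of mapping ports one by one.
socks_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s\n' "$1" "$TUNNEL_HOST"
}

# Run directly: print the commands for VNC display :1 and the SMB share.
tunnel_cmd 5901:localhost:5901 1139:localhost:139
socks_cmd 1080
```

With the first command running, the VNC viewer connects to `127.0.0.1:1` (port 5901) and `smbclient -p 1139 //127.0.0.1/share` reaches the server's share; Windows' own drive mapping only talks to 139/445 on a real interface, which is the limitation that drives people in this thread towards a real VPN. The `-D` form needs no per-application port map, but only applications that speak SOCKS benefit from it.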
I'm not sure if you mean "Low Cost" as in "Free with a lot of my time installing/configuring" or "Low Cost" as in "Under $1000 plug-and-play," but our company recently bought a Symantec 200R VPN Server and firewall. You can get them for about $500 online. (Make sure you get the 200R, as the 100 and 200 don't have the actual VPN endpoint.)
Setup and installation was a breeze. I had it working out of the box in about an hour, including mucking around with the client they provide. I have a Debian Samba box as my Windows domain/WINS server, and it's been pretty smooth sailing.
I'd highly recommend it for a small shop. Yeah, I could have made something work with just the Debian box, but the amount of my time needed to make that happen would have added up to way more than $500 in lost productivity.
I'm looking for a solution as well. My situation is that I want to tunnel two LANs together. One of them is behind a firewall that I control and has a semi-static IP address. That is, the IP address is resolvable using a DNS lookup. However, the other LAN is behind a firewall I do NOT control (though I have all necessary consent, of course) and does NOT have a static IP address.
OpenVPN therefore does not seem to work for me, though perhaps I was reading the documentation incorrectly. It seems that it requires both endpoints have static IP addresses. Also, am I correct in saying that it requires UDP?
Oceania has always been at war with Eastasia.
OpenVPN seems to be the winner of the comments so far. However, I'd like to see other hardware VPN solutions, too.
From the Slashdot question: "Are there any other options I should be looking at other than using SSH port forwarding?"
It would be interesting to know more about experiences with SSH, too.
Did you see this from the OpenVPN first page? "Can OpenVPN tunnel over a TCP connection? Yes, starting with version 1.5."
I've had excellent results with the SnapGear (since bought by CyberGuard) appliance. You can have it up and running in fairly short order via the web interface. It runs on Linux and all the Linux configs are easily accessible in case you need more flexibility than the web interface offers.
There's one on eBay at the moment for $138 (sorry, I already bought his other ones to augment what I already had installed).
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
It's free, runs on Linux, has clients for Linux, Windows, and Mac, SSL based, secure and stable. Oh, and relatively easy to configure.
It does the job. I use it as a CD-based system + floppy on very old hardware with 64MB. Setting up the VPN was very easy and it was dead-easy to maintain/backup. I use it between three sites but I intend to use it at work as well.
Is there a version of OpenVPN that runs on the WRT54G? If there is, that sounds like an excellent option.
more here.
You are being MICROattacked, from various angles, in a SOFT manner.
Moderators: Please moderate this up. In this situation, a little redundancy is not a bad thing. In this discussion, we are trying to build a consensus.
I use the CyberGuard SG530 for my personal VPN needs. It's a box about the size of your average 8-port switch, it runs a version of embedded Linux and comes by default with PoPToP for PPTP v2 and FreeSwan for IPSEC. It has a web based config and is fairly painless to set up.
I was searching specifically for a PPTP device simply because it is so easy to configure and use, especially for Windows-based clients.
If you have a spare computer you wanted to use for this, you may want to look at IPCop, but at about US$350 the sg530 is not a bad alternative.
It's opensource. Works pretty well and seems to be evolving pretty fast.
SSL Explorer provides an entry-level SSL VPN to individuals and small businesses. This practicable remote access solution includes SSL tunneling, web site proxying, Microsoft Windows file sharing and Java application deployment through a standard browser.
http://3sp.com/
http://sourceforge.net/projects/sslexplorer/
Amazing! Thanks. Any advice about how to install OpenVPN on the WRT54G? Which package would you recommend? Do the OpenWrt packages have an administration console? I don't see any mention of that. It looks complicated, since I read that there is no Wi-Fi Protected Access (WPA) until installed.
Also, I note that OpenVPN will NOT work on Windows XP SP2 unless the pre-release version 2.0 is used. I suppose you don't care if you are using a WRT54G at both ends of the VPN. I'm not knowledgeable about this, but I guess that running VPN software on a WRT54G would be more secure than running it on a PC.
I note that Sveasoft provides firmware with PPTP VPN software, but there seems to be some question about whether PPTP is sufficiently secure.
Just guessing, but this seems to be a considerable job to configure. I wish there were a commercial release with the OpenVPN built in.
OpenWrt.
Linksys WRT54G Wireless-G Broadband Router.
Linksys WRT54GS Wireless-G Broadband Router with SpeedBooster.
WRT54GS has updated chipset.
WRT54GS Under $70.
Both Linksys products have GPL'd firmware.
There is intense interest in the WRT54G and WRT54GS. One company, Sveasoft, provides upgraded firmware.
Looks to me as though SSL Explorer is worth a look. It's impressive.
Actually, a Cisco VPN solution is not that expensive (it is more than free).
Get a PIX 501 10 user bundle from CDW for $399-
http://www.cdw.com/shop/products/default.aspx?EDC=337727
Download the VPN client from Cisco (free), configure the box and you are ready to VPN.
The firmware is the latest. Maybe Netgear made some defective units. However, if so, units of different models made at different times and from different suppliers have the same problem.
My experience with Netgear technical support is that they are somewhat friendly, but almost useless. They haven't been given training in Netgear products, as far as I can tell. For example, second level technical support cannot interpret VPN logs. They just try things for an hour, then they say they can't do more. Eight of those, and that's their work day.
It's been a miserable, miserable experience, dealing with Netgear. Linksys seems to be the best, right now.
I think it possible that if someone set up a VPN and left it running, they would have no troubles.
However, I have found many, many small bugs in Netgear firmware, so I presume that there are more big ones to be found.
Theory of the origin of sloppy software: There is a type of management of programming in which the programmers are not trusted. The manager doesn't really understand what the programmers are doing, and just manages by hassling. It goes like this:
Can we ship it?
No.
Why not?
Because of [some technical reason the manager does not understand].
It looks like it works, lets ship it!
No, it is not finished.
Okay, you have until Thursday, then we ship it.
That's my theory how we get the Microsofts and Symantecs and Netgears of the world.
Primary reason why I like it is that it uses the UDP protocol for packet transmission.
That is REALLY effective in utilizing multiple connections to the same locations for redundancy, with varying weights, for example if you use something like Quagga for BGP routing management.
Works fabulously and the config is trivial.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
I've used PopTop in the past, and it works fine for the kind of scenario you're describing. It's free (as in speech and beer), has adequate - albeit not great - documentation, and is fairly easy to install and configure.
The biggest downside I'm aware of is that the MS-CHAPv2 protocol doesn't use the world's best encryption. Research MS-CHAP, see if it's secure enough for your needs; if so, I think PopTop would be a fine solution.
The next thing that comes to mind is something like FreeSWAN/OpenSWAN, which are IPSEC based, instead of PPTP, and which presumably offer better security.
// TODO: Insert Cool Sig
Netgear Low Cost Routers
That's my theory how we get the Microsofts and Symantecs and Netgears of the world.
Don't tell your theory to that manager you mentioned. He would just say something like "See?".
You see, it's hopeless...
I've used apache with webdav over https on several occasions for remote file sharing. Works great on 2000 & XP through webfolders without additional software. Users can just browse using Windows Explorer as if working with local files. OSX needs a special app (goliath). Tuning apache to use webdav with XP is the hardest part (but there's a manual here and here).
Go look at my very first JE a while back and I point out that OpenVPN is cross platform (Windows, Linux, MacOS X, BSDs, etc...) and works fairly well. Be warned that you need to use the latest Beta with Windows XP as SP2 breaks the last stable version. I've been using it going from Linux to Linux and it works great. Full access to my network at home from anywhere. All you need to do is open one UDP port and this will actually tunnel TCP and UDP traffic, so even Voice over IP will work with this for a private IP phone setup. Check it out. It's worth the effort.
As a side note, I used to use SSH tunnels. That worked very well for me too, but it required a good deal of setup and mapping ports on the remote end to ports on the local end. It's great as far as cross-platform goes, and if you don't have things changing much on your network, it really works well, but it won't handle UDP traffic. Not to mention, when I used it with VNC, I had to map remote ports to local ports that were unused. So if I connected to 'mymachine:1' at home, I would connect to '127.0.0.1:21' at work since I couldn't stomp over :1 on my machine here. With OpenVPN, that all goes away. You just connect to the remote machine by its own IP (or if you get DNS or hosts set up right by its name).
I'll also mention that I'm using OpenVPN in "routing" mode. I throw all traffic destined for my home network to the tun1 interface that OpenVPN brings up on my local machine. You can also use OpenVPN in bridged mode which is a bit more of a headache to set up since you need to know how to break your network up into ranges for each location. Basically subnetting. But the advantage of bridged mode is that broadcasts will be carried over the tunnel. OpenVPN is about the closest you get in a free project to having a virtual ethernet cable going from one end of the connection to the other. In the end, I think this is what you want. Hope this helps.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
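The "routing" mode setup the post above describes, as an added example that is not from the thread or the OpenVPN project: a shell script that emits matching OpenVPN 2.x server and client configs. One UDP port is opened on the server, clients get an address from 10.8.0.0/24 on a `tun` interface, and the server's LAN is pushed to them as a route, so no bridging or per-port mapping is needed. The server name, the two networks, the certificate file names and the Debian-style `nogroup` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project. Names are assumed.
VPN_SERVER=vpnhost.example.net
VPN_PORT=1194
VPN_PROTO=udp        # "tcp" also works (OpenVPN 1.5+) for firewalls that only
                     # pass TCP, at the cost of TCP-over-TCP stalls under loss
TUNNEL_NET="10.8.0.0 255.255.255.0"      # addresses handed to clients
LAN_NET="192.168.10.0 255.255.255.0"     # the LAN behind the server

# openvpn_server_conf -> server.conf on stdout (routed mode: dev tun).
# tls-auth adds an HMAC on every packet so unauthenticated peers never reach
# the TLS handshake; the server is direction 0, clients direction 1, and both
# share ta.key. After the handshake openvpn drops to nobody/nogroup, and
# persist-key/persist-tun let it survive a restart of the link without root.
openvpn_server_conf() {
    cat <<EOF
port $VPN_PORT
proto $VPN_PROTO
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server $TUNNEL_NET
push "route $LAN_NET"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# openvpn_client_conf NAME -> client config for the certificate pair NAME.crt/.key.
# remote-cert-tls (OpenVPN 2.1+; 2.0 used "ns-cert-type server") makes the
# client refuse a server that presents a stolen client certificate.
openvpn_client_conf() {
    cat <<EOF
client
remote $VPN_SERVER $VPN_PORT
proto $VPN_PROTO
dev tun
nobind
ca ca.crt
cert $1.crt
key $1.key
tls-auth ta.key 1
remote-cert-tls server
persist-key
persist-tun
EOF
}

# Run directly: print both configs.
openvpn_server_conf
echo '# ----- client1 -----'
openvpn_client_conf client1
```

Save the first output as `/etc/openvpn/server.conf` on the server (with `net.ipv4.ip_forward=1` and a route for 10.8.0.0/24 on the LAN gateway if the server is not the gateway), and the second with the client's certificate files on each client. Keep `tls-auth` in both files or in neither: a server with it and a client without it simply never connect, which is the first thing to check when a fresh client cannot get past "TLS handshake".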
Funny, and definitely heavily connected with the truth.
Someday I would like to see a well-run technology business. (Besides Google, maybe.)
NOTE: Anyone wanting a secure VPN should pay attention to number 4 above. FVS328s ignore the WAN addresses specified during configuration, apparently, or there is some other bug.
It cannot get cheaper than that :)
It is not exactly a VPN program, but it does what you want to do with a VPN:
- gives access to all the internal servers (Samba, Mail, WWW)
- has strong encryption
- has public key authentication
- is invisible (NO default ports)
- Linux and Windows versions.
It just works.
http://www.winton.org.uk/zebedee/
I'm using it in a few projects with NO problems at all.
Article at this site explains some of the why. PPTP (via PoPToP) has some advantages (mostly in terms of interoperability) but OpenVPN or FreeS/WAN are probably your best choices.
"I'm looking for a low cost solution for allowing myself and a few others the ability to share a server at one of our locations. One thought was using SSH tunnels to establish secure connections,
OpenBSD, FreeBSD, Solaris (Intel) and most Linux distros offer IPSec VPN as part of the OS. Most run well on older hardware and can be a router, gateway, NAT or IP tunneling box as well as a mail relay or IMAP server, and of course come with respected firewalls. You can also run IDS software such as Snort and ArpWatch, and they come with nice network sniffing tools.
I have been using Solaris this way for years now without issues, and friends of mine use OpenBSD and Solaris. This allows us to securely share information over the Internet on a private IPSec tunneled network.
With IPSec VPN the two networks near and far can be ordinary unencrypted networks. The Internet routing systems do all the work of crypto between the sites. IPSec will route all ports, Windows services and even a virus if one end gets infected. That is in part why I prefer xNIX solutions as you can use IPFilter or PF to block unwanted services.
There are some inexpensive appliance systems that have less features than above but then the appliance does not require the working knowledge of the network as the above options do. Some of these are getting quite reasonable in cost.
So your real problem is how, there are lots of ways. With google, search for IPSec and the OS of choice. May the force of privacy be with you!