Free SSL VPN Solutions?
poison1701 asks: "I am in the process of evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far the only free SSL VPN product I have come across is SSL Explorer Community Edition which looks like a very good product, but the free version lacks some of the features that I want (like the full IPSec client). What other SSL VPN solutions are out there? "
Openvpn... Free, full of features.. Open source.. reliable.. Most everything you'll want, even including a windows client and server (never used under windows though).
If you're in a regulated environment, odds are that you're making enough money that spending a little money on some professional consulting time (or perhaps the software itself) for this problem is a far better solution than Asking Slashdot(tm).
Having said that, there are plenty of roll-your-own SSL VPN solutions out there - many of which are open source. I'd recommend starting with Google.
openvpn.org. We've been using it for both linux and windows clients. The windows client has a nifty little systray app. There is not much configuration needed, and it can work with passwords or keys. If you haven't dealt with PKI already and want to use certs that will be a learning curve with any vpn that uses certs.
It has been very stable for us, we run the server on an OpenBSD box. The documentation is pretty good, and you can make your own windows installer with your configurations preloaded. One minor pain is that to allow a non-admin user to turn the vpn connection on and off you need to edit the acl for the service.
The question is lame. Personally, it sounds like someone trying to get traffic driven to their site than a genuine Ask Slashdot.
I'm a bit confused, too, about why IPSec is a requirement if you are looking to use an SSL VPN?
In the meantime, just check out openssl.org.
http://openvpn.net/
Gee, if only there were a way to search previous articles. Oh, wait! There is!
http://ask.slashdot.org/article.pl?sid=06/04/25/0
http://ask.slashdot.org/article.pl?sid=06/04/13/1
http://ask.slashdot.org/article.pl?sid=05/01/03/1
http://openvpn.net/
http://sourceforge.net/projects/sslexplorer
*sigh*
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
It looks like you don't understand the terminology properly, and it will be hard to make suggestions.
SSL/TLS is a Transport Layer. It does not mean web based. That said, here are your options for types of vpn's that typical end users usually connect to:
1) Full IP Access: Traditional VPN System. May put you on diff VLAN, but gives you an internal IP (or split tunnel) with access to internal resources directly. This will include OpenVPN, Hamachi, Typical IPSec VPN's, etc.
2) Web based VPN: Usually encapsulated over https (ssl), this creates a pretty frontend for typical tasks. IE File browser for Samba/Win2000/2003 Servers, VNC w/ Redirection, etc
3) Remote Machine Access: This includes NX, Remote Desktop, ssh and vnc. These give you direct access to a specific machine, which has access to other machines internally.
It seems like when you say SSL, you mean web based. And when you say IPSec, you mean Full IP Access. If this is correct, then you'll need to use two open source products.
I'd highly recommend using SSL Explorer for web based access, and OpenVPN for IP based access. If you don't mind paying, some of the low end Netscreens from Juniper will do both beautifully.
Either way, please familiarize yourself with the technologies before you go talking to vendors, unless you're looking to get ripped off.
Can I get an eye poke?
Dog House Forum
But Windows 2K+, Linux, and most Unices have full IPSec built in that will do 3DES encrypted VPN with SSL Cert authentication. Might want to check out what you have already. I know from experience it can be a b*tch to get cross-platform working correctly, but it certainly can be done.
FreeBSD: The Power to Serve!
It sounds like what you want is OpenVPN. I am assuming you do not want one of those crappy web based solutions that ruined the "SSL VPN" for a while in late 90s/early 2000s. OpenVPN is very solid, fairly easy to configure, and the windows client is very good.
If you have a little scripting skill, you can even make deploying it a total breeze assuming you have a secure https site that your employees can access.
1) Setup OpenVPN server (works on windows, but I recommend OpenBSD for security reasons).
2) Create a secure website where the employees can log in.
3) Create (or find, someone else has probably made one) a cgi to dynamically create SSL certs based off their username, and ask them for a password (not the same as their LDAP password).
4) SSL cert is added to the openvpn install bundle and a link to the bundle is presented to the user for download
5) They follow simple install procedure, (probably reboot), and then they should be good to go.
Not something you can do in five minutes, but once you get it done it should be easy street.
"The crows seemed to be calling his name, thought Caw."
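The five-step deployment above boils down to one piece of code: a small CA that issues a per-user client certificate, packs it into an OpenVPN client bundle, and a server-side check that a presented certificate really chains to that CA and is for client authentication. The following Go program is an added example written for this page, not the poster's CGI nor anything shipped with OpenVPN; the CA name, the username "alice", the 90-day lifetime and the hostname vpn.example.com are constructed placeholders. It uses only the Go standard library and generalises the procedure to any number of users.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CA is a minimal in-memory certificate authority for issuing VPN client certs.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed CA that is only allowed to sign certificates.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example VPN CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// PEM returns the CA certificate for the <ca> block of the client bundle.
func (ca *CA) PEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Cert.Raw})
}

// IssueClient issues a client-auth-only certificate whose CN is the username,
// with a fresh key and a 90-day lifetime (constructed policy, not OpenVPN's).
func (ca *CA) IssueClient(username string, serial int64) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: username},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// VerifyClient mirrors what the VPN server does on connect: the presented
// certificate must chain to this CA, be valid now and carry the client-auth
// usage; the CN is then returned as the authenticated username.
func (ca *CA) VerifyClient(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return "", fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// Bundle renders an OpenVPN client config with CA cert, user cert and key
// inline, i.e. the file the download link in step 4 would hand out.
func Bundle(server string, caPEM, certPEM, keyPEM []byte) string {
	var b strings.Builder
	fmt.Fprintf(&b, "client\ndev tun\nproto udp\nremote %s 1194\nremote-cert-tls server\n", server)
	fmt.Fprintf(&b, "<ca>\n%s</ca>\n<cert>\n%s</cert>\n<key>\n%s</key>\n", caPEM, certPEM, keyPEM)
	return b.String()
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	certPEM, keyPEM, err := ca.IssueClient("alice", 2) // constructed user
	if err != nil {
		panic(err)
	}
	fmt.Print(Bundle("vpn.example.com", ca.PEM(), certPEM, keyPEM)) // placeholder host
}
```

Two details carry the security weight: the client certificate gets only the client-auth extended key usage, so a leaked user cert cannot be repurposed to impersonate the server, and `VerifyClient` rejects anything not signed by this CA, which is the check that turns "has a certificate" into "is one of our users". The key is generated inside the bundle step here for brevity; generating it on the user's machine and submitting a CSR would keep the private key off the web server.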
Hello there. We have an SSL-Explorer Enterprise Edition box. The product is pretty good, and to be honest it's really, really cheap - we compared it to other vendors and I'd say it's at least 10 times cheaper for a basic deployment.
Juniper Neoteris. Rock solid SSL VPN. Doesn't cost all that much, has robust features and granular access control. Comes with an ActiveX or Java client so you're not limiting yourself to just Windows users being able to use it.
First we had this yesterday as news: http://slashdot.org/article.pl?sid=06/09/25/1211242
That was an obvious advertisement in the form of a "research" of "the best torrent site". The best, according to that "research" was the one no one has ever heard of, and that requires you to pay for most of torrent links.
Now this.
The obviousness that this is some kind of hidden SSLExplorer commercial is blinding.
What's up, editors?
SSL certificates can be used to authenticate IPSec. That does not make it an "SSL VPN". IPSec uses ESP, not SSL. OpenVPN encapsulates packets in SSL encrypted packets as opposed to ESP. There are a couple of advantages for this, but it will take a bit of research to determine whether this product is appropriate for you. SSL VPN can also be a web application as a poster above said. Cisco have an SSL VPN that is like that. This solution is not as secure from certain vulnerabilities and can not provide you with full network access. Your company should have a security policy that needs to be followed, or you may be bound by Government directives such as meeting Common Criteria. Frankly, unless you are a very small organisation, you had better not take responsibility for implementing this, no offense.
If you are a small company, listen to Security Now! early episodes http://grc.com/securitynow that cover VPNs. They spent about 6 episodes on VPNs.
If you don't need free and have a few thousand users to support, combining RSA/SecurID, ACE, and Nortel products like Shastas or Contivity Extranet Switches are excellent. If you don't need the flexibility of a Shasta, the CES line is under $20k to support 2k users. http://www.nortel.com/solutions/smb/business_solutions/comparisons/contivity_1000.html
http://products.nortel.com/go/product_assoc.jsp?segId=0&parId=0&prod_id=19940&locale=en-US&rend_id=FB
You can use SecurID tokens from a different vendor that don't expire after 3 years and are fully compatible with SecurID one-time passwords. Highly recommended.
If you are really looking for free and a small scale solution - OpenVPN - highly recommended.
Be certain to explain to company management that VPNs don't make you secure. Security needs to be layered from mandatory strong passwords, to active antivirus scanners, to software firewalls, to NAT routing and proxies. Lots of other things - turn off javascript unless needed (be selective).
Good luck!
IPCOP, either with the built-in ipsec vpn or with the open vpn add-on. I use the built in ipsec vpn with certificates. The open VPN add-on is easier to configure/use but works through SSL (that's not even bad, as SSL has been proven to be secure all these years). If you play your cards right you can end up with a gateway that provides:
- stateful firewall
- ipsec(built-in)/SSL (open vpn add-on) unlimited VPNs
- proxy/url filtering (add-ons)
- IDS
- all kinds of traffic monitoring/blocking modules (add-ons)
So you can solve your need plus get some nice extras.
The best test environment is production. - Me
chrome://browser/content/browser.xul
I'm not sure if it's what you want, but VNC can tunnel through ssh. The combination works for me, anyway.
"I am tasked with evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far I am lost. Please do my job for me as I am not sure what this google thing is everyone keeps mentioning. k thx bye"
Now, maybe I'm a bit jaded. But seeing this kind of drivel on /. rather irritates me. The poster could have asked "What Open Source SSL VPN solutions are available?" but instead he asked for a "free" as in cash solution. Excuse me for being one of the millions of people world wide who feed their families by working hard to provide a professional solution to you.
If you want to go open source, that's fine, go open source. But don't sit here and beg for handouts while insulting those of us who make it our life's work to create software. You want free, I want to pay my mortgage.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Redundant: Repeated or duplicated unnecessarily.
Seeing as how this was the 2nd post in the thread, it's kinda hard for it to be duplicating something when his point is entirely different than the first post.
-Rick
I know from experience it can be a b*tch to get cross-platform working correctly
I know from experience that IPSec can be a bitch to get working correctly *at* *all*!
There are so many things wrong with it I don't know where to begin...
Under Linux the log entries are virtually encrypted; it's extremely difficult to work out what they mean and what's wrong.
Then there's the protocols; if you need to run several IPSec VPNs through ADSL modems things will get tough. IPSec doesn't just use the normal TCP/UDP protocols oh no, it has *special* protocols...
Modern 'consumer grade' ADSL modems can't cope with this when you run multiple IPSec VPNs through them. Some modems will perform really badly while others will constantly crash doing a hardware reset and redial every few minutes.
If you are running on really old ADSL modems like the venerable Nokia M1122 you are fine but I never found an ADSL modem available off the shelf that could cope with 3 IPSec VPNs at a time.
In the free world the media isn't government run; the government is media run.
I'm not sure if it's what you want, but VNC can tunnel through ssh. The combination works for me, anyway.
For that matter, anything that can be locked down to a specific port or range of ports (i.e., VNC works because you can nail it down to something like 5901-5910, depending on the number of displays, but FTP won't because of its tendency to use random high-numbered ports) will work through ssh. So http, smb/cifs, nfs, etc all seem to work. Requires a bit more work for some exotic protocols, though -- you may need to watch both ends of the connection with ethereal or [insert your favorite packet sniffer here]. Free and requires very little setup. If you need more than a couple of connections, though, it gets to be a bit unwieldy -- that's when you need to opt for one of the 'real' VPN solutions like OpenVPN.
My blog
First, let me just say that OpenVPN is the coolest VPN solution, ever. There's a GUI for Windows users, it can tunnel through ANYTHING (NTLM authentication through a proxy server? No problem!), it's incredibly flexible, it has features out the wazoo, it has good documentation and -- get THIS -- the logs actually contain stuff that helps you fix problems. "Certificate file /etc/openvpn/keys/foo.crt not found." Stuff like that. However, apparently (since OpenVPN -also- uses UDP by default, thus eliminating TCP-over-TCP cascading issues), there's more to OpenVPN than meets my eye; on a BBS I'm a member of (telnet://whip.isca.uiowa.edu), one of the more network-savvy folks had some commentary:
OpenVPN is the only "SSL VPN" that uses UDP, yes. They invented a protocol that
uses SSL over UDP for authentication, and until they did, SSL had never been
implemented over UDP. There's now an IETF Internet Draft for DTLS, which is
another SSL over UDP protocol specification, but no one else uses it yet,
AFAIK, and it's still just an Internet Draft, not an RFC yet. The others
implemented their SSL VPNs over TCP for two reasons:
1) There wasn't a standard SSL over UDP specification to implement.
2) SSL over UDP doesn't look like HTTPS, which is half the appeal of these
products, because looking like HTTPS is often what gets them through
a firewall on their end when a conventional VPN client can't get through.
Note that OpenVPN doesn't transport its data stream over SSL. They use IPSec
ESP over UDP for that, the same as standard IPSec NAT-T does. They just use
SSL over UDP for session authentication and management--in other words, as
an IKE replacement, as far as I can tell. In that respect, there's really
not much to differentiate it from IPSec NAT-T.
How's it going?
I have been testing ssl explorer on windows and linux and the community edition works quite well. http://3sp.com/showSslExplorerCommunity.do?referrer=sslexplorer/
> Modern 'consumer grade' ADSL modems can't cope with this when you run multiple IPSec VPNs through them. Some modems will perform really badly while others will constantly crash doing a hardware reset and redial every few minutes.
> If you are running on really old ADSL modems like the venerable Nokia M1122 you are fine but I never found an ADSL modem available off the shelf that could cope with 3 IPSec VPNs at a time.
Huh? I've never seen this. Do you have some link with information about this?
The ADSL modem shouldn't care what upper layer protocols all the packets are, it is not doing any real IP processing. Your router is another matter.. If you're doing IPSec with NAT, and multiple connections to the same VPN gateway, your router could get confused (i.e. it can't tell which user each packet is supposed to go to). But, many/most recent IPSec clients have encapsulation workarounds for NAT which solve this problem.
SSL isn't necessarily related to the web or HTTP. Other protocol can be (and are) tunneled over SSL. See also: SSL.
It is not new. And it is useful. I advise you to read up a little bit on the matter.
Huh? I've never seen this. Do you have some link with information about this?
Nope, just extensive experience as of about a year and a half ago.
In all the modems I tested performance was pretty adequate, mostly indistinguishable until 2 or 3 IPSec vpns came up.
The best of them -- USR -- would slow down very badly.
The worst of them -- D-link if I recall -- would repeatedly reboot when 2 VPNs had a lot of traffic or if 3 VPNs came up at once. Modem go down, modem come up. Really annoying.
Sorry I can't give you any more info than this as I don't have the reports any more...
Some routers simply don't route anything but TCP (and sometimes not even that) correctly. Putting up a VPN will teach you which ones. I have one situation where the "calling" router does not receive UDP correctly, but the (same-brand) server router does.
I've switched OpenVPN to TCP and she's a all work, but I could switch just one side of the link to TCP and she's all still work.
If you only want to forward one or a few TCP ports, you can use ssh (-L and -R options). Do take care to have the thing be paranoid about disconnects; having it drop out too often is better than having it stuck for half a day. However, it's magnificent for an instant "VPN".
Got time? Spend some of it coding or testing
OK. This isn't free. But, for a business, it is pretty close.
http://www.tomsnetworking.com/2006/09/26/netgear_ssl312_ssl_vpn_gateway_review/
This is a small hardware box available for under $400 that looks like it may do what you want.
I do admit that there are free software options available, but those require a server somewhere, and probably a bit of trial-and-error and time to get it running. This hardware box, on the other hand, looks like it would be set up in less than an hour.
Just an option...
"-1 Troll" is the apparently the same as "-1 I disagree with you."
I have been using OpenVPN for three years with no problems at the small business I work for. I set up the two owners with access, along with myself. We can all access the work LAN from our home PCs or our laptops. We map network drives, access the intranet, check IMAP email, use VNC, and do just about anything else we would do at the office. I also set OpenVPN up for a friend's small business. He is a road warrior and uses OpenVPN from the road with no problem to use Quickbooks, print to the office, check office email, etc.
OpenVPN has a bit of a learning curve if you aren't familiar with security products or Linux. It took me about a day to get it working the way I wanted back in 2003, but OpenVPN and its documentation have improved since then. I can't imagine wasting time or money on any other VPN solution.
OpenVPN is a godsend. I use it in a variety of contexts - to link my home network with my work network (with appropriate firewalling, of course), for remote access to my home network or work networks from anywhere on the internet, and as a secure replacement for WEP/WPA on my wifi access point. I have used it on both Windows and Linux. It's rock solid stable, fast, easy to set up, and works beautifully. Even on Windows it seems to have no trouble. The Windows GUI is nice, too - just a tiny little management app in the system tray; no annoying minimized DOS windows on the taskbar. Double-click to connect and you're good to go.
Like many others, I highly recommend using OpenVPN. It has clients for Linux, *BSD, OS X, and Windows. It's highly configurable and can do just about whatever you want. It also works over proxy servers.
Another thing you could try is using SSH. It's possible to use it as a VPN, but you have to use something like PPTP with it. I'm not sure about Windows support, though. If you use corkscrew, an SSH VPN could also work over a proxy.
Clusty and Scroogle are your friends. (fuck google's data retention policy)
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
Works great on Macs too. See http://www.tunnelblick.net/ for a mac gui.
Install openbsd, and setting up IPsec involves generating certs for users like you do with an SSL VPN, and creating a single line config file for ipsecctl. Very simple and easy, and supports NAT traversal and road warriors just fine, and requires no manual intervention of any kind. Because it uses an open standard unlike SSL VPNs which each implement things differently, you get interoperability, and can connect to the head office of the company that buys you out a couple years down the road.
I see nothing in the post that indicates he's looking for free "as in beer"! All he said was "free". Does he have to capitalize it before you're willing to read a request for freedom in there? I mean, I don't know if he meant free-as-in-speech or -as-in-beer, but I certainly don't see anything that would justify leaping to the conclusion that he meant -as-in-beer.
As for "those of us who make it our life's work"...get over it! I started writing sort routines in assembler in the late seventies, but I'm not bothered by the fact that the C standard now has quicksort and C++ has even more sorting options. Life goes on, and you find new challenges. Personally, I'm happy to be working on higher level stuff these days!
I've been interested in the free-beer approach myself - SSL VPNs look a lot like something that an Apache module or some Squid configuration documents could handle the easy 50-80% of the market space, which is browsing intranet websites, getting/putting files from a file server, and getting web access to Outlook or better email. Doing the job well may be a bit harder than that, in which case there's room for commercialware.
There's always room for paid support, especially for free-beer solutions, where you may need more support than the man pages and an online user forum can give you.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Then theres the protocols; if you need to run several IPSec VPNs through ADSL modems things will get tough. IPSec doesn't just use the normal TCP/UDP protocols oh no, it has *special* protocols...
I must admit I have had no trouble with IPSEC through ADSL modems. IPSEC through NAT used to be a big problem, in particular if you wanted several tunnels through the same NAT device. These days everything supports NAT-T, and that's just UDP on port 4500.
Finally! A year of moderation! Ready for 2019?
I use OpenVPN all the time, both on windows and linux platforms (openvpn on openwrt rawks!)
The OpenVPN windows client creates a tun/tap device, which looks like just another network device under windows.
If you had a site to site openvpn-based vpn up and running, connecting two subnets, you could easily use windows' IPSEC implementation between two microsoft boxes, across the VPN - they would never know it was there.
I *think* you could do the same thing, even if the openvpn package is running directly on one or both of the windows machines - by setting the IPSEC stuff up for the tun/tap device.
Styrofoam IS biodegradable, you're just impatient!
Clientless SSL-based VPNs are really convenient - some of them are genuinely clientless, and some of them have Java-glue web pages that fire up a lightweight client in the browser (unfortunately, sometimes that's IE-dependent), and as long as they do most of what you need to do most of the time, it's really nice for a sysadmin to be able to support lots of users without having to install software on their PCs, especially for an extranet or customer environment where you want more protection than just SSL web pages.
Some SSL-based VPNs also provide lots of fine-grained user permission management, so User Group A can access the Project A files, Group B can access group B's files, Engineers can see all the Secret Plans, Sales Reps can get the literature, and nobody can touch the HR files except through the limited front-end interface.
There are some other reasons people have wanted SSL VPNs in the past - they avoid some of the issues with NAT and firewalls, but most IPSEC clients have UDP-based NAT traversal that they'll use if they need it, and if firewalls are a problem (because you're working at a customer location or something), then you need to work out something with the customer's security admins, and that's even less likely to require an SSL VPN that also includes an IPSEC VPN client.
Bill Stewart