Slashdot Mirror


Free SSL VPN Solutions?

poison1701 asks: "I am in the process of evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far the only free SSL VPN product I have come across is SSL Explorer Community Edition which looks like a very good product, but the free version lacks some of the features that I want (like the full IPSec client). What other SSL VPN solutions are out there? "

14 of 70 comments

  1. Openvpn by brokenin2 · · Score: 5, Informative

    OpenVPN... Free, full of features... Open source... reliable... Most everything you'll want, even including a Windows client and server (never used under Windows though).

    1. Re:Openvpn by fc104 · · Score: 2, Informative

      I second that. I have used it under Linux and Windows and it has been extremely reliable. The OpenVPN configuration files work seamlessly between both platforms.

    2. Re:Openvpn by GloomE · · Score: 5, Informative

      Yah
      I'm using it with both Linux and Windows.
      Tunnels and point-to-point.

      I used to use IPSec, a lot of hassle, takes too long to bring the tunnel back up if it goes down, would go down and not come back up without manual intervention.

      OpenVPN however has been perfectly reliable for the 6 weeks I've been using it so far.
      The Windows GUI version from http://openvpn.se/ seems to work simply enough for many Windows users.

    3. Re:Openvpn by imemyself · · Score: 3, Informative

      I couldn't agree more. I love OpenVPN, especially the fact that it's so versatile. It can go through NAT without any problems, and it can be tunneled over SSH, or sent through an HTTP proxy. It can do username/password authentication, or use certificates, or both. It can have per-client configurations for assigning IP addresses. It's freaking awesome. It makes me wonder why the hell anyone would mess with PPTP or IPSec stuff, especially since NAT is almost everywhere these days.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!

    4. Re:Openvpn by chrismsummers · · Score: 2, Informative

      The only problem with OpenVPN for this case is that the poster specifically says they would like to be able to use IPSec, which OpenVPN clearly states it does not support. Quote from OpenVPN's front page: "There are three major families of VPN implementations in wide usage today: SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with IPSec, L2TP, or PPTP. The IPSec protocol is designed to be implemented as a modification to the IP stack in kernel space, and therefore each operating system requires its own independent implementation of IPSec. By contrast, OpenVPN's user-space implementation allows portability across operating systems and processor architectures, firewall and NAT-friendly operation, dynamic address support, and multiple protocol support including protocol bridging."
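Added example, not configuration from the thread or from the OpenVPN project's own documentation: a minimal OpenVPN server config, one `client-config-dir` entry, and a matching client config that together show the features the replies above list, i.e. a client certificate plus a username/password, a fixed per-client address pushed from the server, and falling back to TCP through an HTTP proxy. Host names, addresses, paths, the check-pass.sh script and the user name alice are all assumptions.

```conf
# --- /etc/openvpn/server.conf (added example; paths, addresses and names are assumptions) ---
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem
# Both factors: a client certificate signed by our CA AND a username/password
# checked by the named script (via-file: it receives a temp file holding the
# username on line 1 and the password on line 2; a non-zero exit rejects).
auth-user-pass-verify /etc/openvpn/check-pass.sh via-file
script-security 2
# Only accept certificates whose extendedKeyUsage is clientAuth, so a copied
# server certificate cannot be presented as a client and vice versa.
remote-cert-tls client
# Per-client settings: /etc/openvpn/ccd/<certificate CN> is read at connect.
client-config-dir /etc/openvpn/ccd
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup

# --- /etc/openvpn/ccd/alice (applies only to the client whose cert CN is "alice") ---
ifconfig-push 10.8.0.50 255.255.255.0
push "route 10.20.0.0 255.255.255.0"

# --- alice.ovpn (client side) ---
client
dev tun
proto udp
remote vpn.example.com 1194
# Behind a corporate HTTP proxy, replace the proto and remote lines above with
# these three: the proxy path needs TCP, and port 443 looks like ordinary
# HTTPS to the firewall in between.
#proto tcp
#remote vpn.example.com 443
#http-proxy proxy.example.com 3128
ca ca.crt
cert alice.crt
key alice.key
auth-user-pass
# Refuse to complete the handshake with anything not marked as a server.
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
```

The TCP/443 fallback needs a second server instance (or a second config) listening with `proto tcp` on 443; OpenVPN does not switch protocols on a single listener. The `ifconfig-push` address must be inside the `server` subnet and, with `topology subnet`, is given with the netmask as shown.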

  2. What do you want. by DA-MAN · · Score: 5, Informative

    It looks like you don't understand the terminology properly, and it will be hard to make suggestions.

    SSL/TLS is a transport layer. It does not mean web based. That said, here are your options for types of VPNs that typical end users usually connect to:

    1) Full IP Access: Traditional VPN system. May put you on a different VLAN, but gives you an internal IP (or split tunnel) with access to internal resources directly. This will include OpenVPN, Hamachi, typical IPSec VPNs, etc.
    2) Web based VPN: Usually encapsulated over HTTPS (SSL), this creates a pretty frontend for typical tasks, i.e. file browser for Samba/Win2000/2003 servers, VNC w/ redirection, etc.
    3) Remote Machine Access: This includes NX, Remote Desktop, SSH and VNC. These give you direct access to a specific machine, which has access to other machines internally.

    It seems like when you say SSL, you mean web based. And when you say IPSec, you mean Full IP Access. If this is correct, then you'll need to use two open source products.

    I'd highly recommend using SSL Explorer for web based access, and OpenVPN for IP based access. If you don't mind paying, some of the low end Netscreens from Juniper will do both beautifully.

    Either way, please familiarize yourself with the technologies before you go talking to vendors, unless you're looking to get ripped off.

    --
    Can I get an eye poke?
    Dog House Forum

  3. OpenVPN by _pi-away · · Score: 2, Informative

    It sounds like what you want is OpenVPN. I am assuming you do not want one of those crappy web based solutions that ruined the "SSL VPN" for a while in the late 90s/early 2000s. OpenVPN is very solid, fairly easy to configure, and the Windows client is very good.

    If you have a little scripting skill, you can even make deploying it a total breeze assuming you have a secure https site that your employees can access.

    1) Set up the OpenVPN server (works on Windows, but I recommend OpenBSD for security reasons).
    2) Create a secure website where the employees can log in.
    3) Create (or find, someone else has probably made one) a CGI to dynamically create SSL certs based on their username, and ask them for a password (not the same as their LDAP password).
    4) The SSL cert is added to the OpenVPN install bundle and a link to the bundle is presented to the user for download.
    5) They follow the simple install procedure (probably reboot), and then they should be good to go.

    Not something you can do in five minutes, but once you get it done it should be easy street.

    --

    "The crows seemed to be calling his name, thought Caw."
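Added example for the procedure in the post above, not code from the thread: the certificate-issuing part of step 3 and the bundling of step 4, written as three shell functions that a CGI could call once the user has authenticated to the HTTPS site. The CA name, vpn.example.com, the output directory, the 90-day client certificate lifetime and the user name alice are assumptions; everything runs offline against a locally created CA.

```sh
#!/bin/sh
# Added example (not from the thread): per-user OpenVPN certificate issuance
# and .ovpn bundling. Names, paths and lifetimes below are assumptions.
set -eu

# make_ca DIR: create a self-signed CA (ca.key, ca.crt) in DIR unless present.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    [ -f "$dir/ca.crt" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_client DIR USER PASSPHRASE: generate a key for USER, have the CA sign
# a client-auth-only certificate for it, and encrypt the key with PASSPHRASE
# (the extra password step 3 asks for; it is not the user's LDAP password).
issue_client() {
    dir=$1; user=$2; pass=$3
    # The user name becomes a file name and a DN: allow only a safe charset,
    # so "../evil" or a name with spaces cannot reach openssl or the filesystem.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "issue_client: bad user name" >&2; return 1 ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    # Mark the cert client-only so a server configured with
    # "remote-cert-tls client" accepts it, and a stolen user cert can never
    # be used to impersonate the server to other clients.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 90 -extfile "$dir/client.ext" \
        -out "$dir/$user.crt" 2>/dev/null
    # Passphrase-protect the private key; OpenVPN prompts for it at connect.
    # "pass:" on the command line shows up in ps; a real CGI should hand the
    # passphrase over with -passout file: or via stdin instead.
    openssl rsa -in "$dir/$user.key" -aes256 -passout "pass:$pass" \
        -out "$dir/$user.key.enc" 2>/dev/null
    rm -f "$dir/$user.key" "$dir/$user.csr"
}

# bundle_ovpn DIR USER: write one USER.ovpn with the CA, cert and encrypted
# key inline, so the user downloads a single file. Prints its path.
bundle_ovpn() {
    dir=$1; user=$2; out="$dir/$user.ovpn"
    {
        echo "client"
        echo "dev tun"
        echo "proto udp"
        echo "remote vpn.example.com 1194"
        echo "remote-cert-tls server"
        echo "tls-version-min 1.2"
        echo "cipher AES-256-GCM"
        echo "auth SHA256"
        echo "<ca>";   cat "$dir/ca.crt";        echo "</ca>"
        echo "<cert>"; cat "$dir/$user.crt";     echo "</cert>"
        echo "<key>";  cat "$dir/$user.key.enc"; echo "</key>"
    } > "$out"
    echo "$out"
}

# Usage (assumed names):
#   make_ca ./pki && issue_client ./pki alice 'correct horse' && bundle_ovpn ./pki alice
```

The CA private key is the crown jewel of this scheme: keep it off the web server that runs the CGI (sign requests on a separate host, or at least keep ca.key readable only by the signing account), and keep a list of issued serials so a leaver's certificate can be revoked with a CRL that the OpenVPN server loads via `crl-verify`.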

  4. Re:Open SSL? by schwaang · · Score: 2, Informative

    I'm a bit confused, too, about why IPSec is a requirement if you are looking to use an SSL VPN?

    My thought exactly. Isn't one of SSL's advantages in not *needing* the infrastructure that IPSec requires (support in your kernel, router, etc.)?

  5. Juniper by TheCabal · · Score: 4, Informative

    Juniper Neoteris. Rock solid SSL VPN. Doesn't cost all that much, has robust features and granular access control. Comes with an ActiveX or Java client so you're not limiting yourself to just Windows users being able to use it.

    1. Re:Juniper by curiosity · · Score: 2, Informative

      We use Neoteris boxes, but have recently switched a number of our VPN apps to our FortiGate firewalls. The Neoteris are much more mature and have a lot of nice functionality like single sign-on, but the cost and licensing is FAR better on the FortiGate. You can buy an FG-60 for peanuts, and there are no per-user license fees for the SSL VPN function. Has an ActiveX client for full access, or can proxy for web, ftp, telnet, etc.

      Built in AV scanning, IDS, etc is nice too.

      If you're supporting an enterprise thing with these VPNs, I personally would pick an appliance made for that kind of thing instead of having to maintain software solutions. The lower end boxes are relatively cheap and will probably save you time and potentially improve security as well if you're not careful to properly implement your software solution.

  6. Well, free limits it ... by Anonymous Coward · · Score: 2, Informative

    If you are a small company, listen to Security Now! early episodes http://grc.com/securitynow that cover VPNs. They spent about 6 episodes on VPNs.

    If you don't need free and have a few thousand users to support, combining RSA/SecurID, ACE, and Nortel products like Shastas or Contivity Extranet Switches is excellent. If you don't need the flexibility of a Shasta, the CES line is under $20k to support 2k users. http://www.nortel.com/solutions/smb/business_solutions/comparisons/contivity_1000.html
    http://products.nortel.com/go/product_assoc.jsp?segId=0&parId=0&prod_id=19940&locale=en-US&rend_id=FB You can use SecurID tokens from a different vendor that don't expire after 3 years and are fully compatible with SecurID one-time passwords. Highly recommended.

    If you are really looking for free and a small scale solution - OpenVPN - highly recommended.

    Be certain to explain to company management that VPNs don't make you secure. Security needs to be layered from mandatory strong passwords, to active antivirus scanners, to software firewalls, to NAT routing and proxies. Lots of other things - turn off JavaScript unless needed (be selective).

    Good luck!

  7. OpenVPN -- what it is, and isn't. by Slartibartfast · · Score: 4, Informative

    First, let me just say that OpenVPN is the coolest VPN solution, ever. There's a GUI for Windows users, it can tunnel through ANYTHING (NTLM authentication through a proxy server? No problem!), it's incredibly flexible, it has features out the wazoo, it has good documentation and -- get THIS -- the logs actually contain stuff that helps you fix problems. "Certificate file /etc/openvpn/keys/foo.crt not found." Stuff like that. However, apparently (since OpenVPN -also- uses UDP by default, thus eliminating TCP-over-TCP cascading issues), there's more to OpenVPN than meets my eye; on a BBS I'm a member of (telnet://whip.isca.uiowa.edu), one of the more network-savvy folks had some commentary:

    OpenVPN is the only "SSL VPN" that uses UDP, yes. They invented a protocol that uses SSL over UDP for authentication, and until they did, SSL had never been implemented over UDP. There's now an IETF Internet Draft for DTLS, which is another SSL over UDP protocol specification, but no one else uses it yet, AFAIK, and it's still just an Internet Draft, not an RFC yet. The others implemented their SSL VPNs over TCP for two reasons:

    1) There wasn't a standard SSL over UDP specification to implement.
    2) SSL over UDP doesn't look like HTTPS, which is half the appeal of these products, because looking like HTTPS is often what gets them through a firewall on their end when a conventional VPN client can't get through.

    Note that OpenVPN doesn't transport its data stream over SSL. They use IPSec ESP over UDP for that, the same as standard IPSec NAT-T does. They just use SSL over UDP for session authentication and management--in other words, as an IKE replacement, as far as I can tell. In that respect, there's really not much to differentiate it from IPSec NAT-T.

  8. This gets any UDP link by leonbrooks · · Score: 2, Informative

    Some routers simply don't route anything but TCP (and sometimes not even that) correctly. Putting up a VPN will teach you which ones. I have one situation where the "calling" router does not receive UDP correctly, but the (same-brand) server router does.

    I've switched OpenVPN to TCP and it all works, but I could switch just one side of the link to TCP and it would all still work.

    If you only want to forward one or a few TCP ports, you can use ssh (-L and -R options). Do take care to have the thing be paranoid about disconnects; having it drop out too often is better than having it stuck for half a day. However, it's magnificent for an instant "VPN".

    --
    Got time? Spend some of it coding or testing
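Added example, not from the thread: the `ssh -L` "instant VPN" the post above describes, made "paranoid about disconnects" with keepalive probes, a refusal to run without the forward, and a supervising loop with capped back-off so a dead session is replaced within a minute instead of sitting stuck for half a day. The gateway, target host, ports and user name in the usage line are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): a disconnect-paranoid ssh -L forward.
# Hosts, ports and the user in the usage line are assumptions.

# ssh_tunnel_opts: prints the options that make a dead link fail fast.
#  - ServerAliveInterval/ServerAliveCountMax: probe every 15 s, give up after
#    3 misses, so a stalled session dies in about 45 s rather than hanging
#    until the TCP stack notices hours later.
#  - ExitOnForwardFailure: exit instead of running with no forward when the
#    local bind fails (e.g. the port is still held by a zombie instance).
#  - BatchMode: never block on a password or host-key prompt when unattended.
#  - ConnectTimeout: do not wait forever on a gateway that black-holes SYNs.
ssh_tunnel_opts() {
    echo "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=15" \
         "-o ServerAliveCountMax=3 -o ConnectTimeout=10 -o BatchMode=yes"
}

# next_delay CURRENT: exponential back-off capped at 60 s, so a flapping
# link does not hammer the gateway while a healthy one is retried quickly.
next_delay() {
    d=$(( $1 * 2 ))
    [ "$d" -gt 60 ] && d=60
    echo "$d"
}

# run_tunnel LOCALPORT TARGETHOST TARGETPORT GATEWAY: keep 127.0.0.1:LOCALPORT
# forwarded to TARGETHOST:TARGETPORT through GATEWAY, reconnecting whenever
# ssh exits. Runs forever; start it from a service supervisor or a screen.
run_tunnel() {
    lport=$1; thost=$2; tport=$3; gw=$4
    delay=5
    while :; do
        # $(ssh_tunnel_opts) is deliberately unquoted: it holds only simple
        # whitespace-separated option tokens, so word splitting is what we want.
        if ssh $(ssh_tunnel_opts) -L "127.0.0.1:$lport:$thost:$tport" "$gw"; then
            delay=5                                  # clean exit: retry promptly
        else
            echo "tunnel via $gw died (ssh exit $?), retrying in ${delay}s" >&2
        fi
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

# Usage (assumed names):
#   run_tunnel 8080 intranet.example.com 80 user@gw.example.com
# then browse http://127.0.0.1:8080/ on the local machine.
```

Binding to 127.0.0.1 rather than `*` keeps the forwarded port from becoming an open relay into the intranet for anyone who can reach the laptop; add `-o StrictHostKeyChecking=yes` once the gateway key is in known_hosts so a spoofed gateway cannot silently take over the tunnel on reconnect.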

  9. Re: Mac too by palmucci · · Score: 3, Informative

    Works great on Macs too. See http://www.tunnelblick.net/ for a mac gui.