Slashdot Mirror


Free SSL VPN Solutions?

poison1701 asks: "I am in the process of evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far the only free SSL VPN product I have come across is SSL Explorer Community Edition which looks like a very good product, but the free version lacks some of the features that I want (like the full IPSec client). What other SSL VPN solutions are out there?"


  1. Openvpn by brokenin2 · Score: 5, Informative

    Openvpn... Free, full of features.. Open source.. reliable.. Most everything you'll want, even including a Windows client and server (never used under Windows though).

    1. Re:Openvpn by GloomE · Score: 5, Informative

      Yah
      I'm using it with both Linux and Windows.
      Tunnels and point-to-point.

      I used to use IPSec, a lot of hassle, takes too long to bring the tunnel back up if it goes down, would go down and not come back up without manual intervention.

      OpenVPN however has been perfectly reliable for the 6 weeks I've been using it so far.
      The Windows GUI version from http://openvpn.se/ seems to work simply enough for many Windows users.

    2. Re:Openvpn by imemyself · Score: 3, Informative

      I couldn't agree more. I love OpenVPN, especially the fact that it's so versatile. It can go through NAT without any problems, and it can be tunneled over SSH, or sent through an HTTP proxy. It can do username/password authentication, or use certificates, or both. It can have per-client configurations for assigning IP addresses. It's freaking awesome. It makes me wonder why the hell anyone would mess with PPTP or IPSec stuff, especially since NAT is almost everywhere these days.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
  2. What do you want. by DA-MAN · Score: 5, Informative

    It looks like you don't understand the terminology properly, and it will be hard to make suggestions.

    SSL/TLS is a Transport Layer. It does not mean web based. That said, here are your options for types of VPNs that typical end users usually connect to:

    1) Full IP Access: Traditional VPN System. May put you on diff VLAN, but gives you an internal IP (or split tunnel) with access to internal resources directly. This will include OpenVPN, Hamachi, Typical IPSec VPNs, etc.
    2) Web based VPN: Usually encapsulated over https (ssl), this creates a pretty frontend for typical tasks. I.e., File browser for Samba/Win2000/2003 Servers, VNC w/ Redirection, etc.
    3) Remote Machine Access: This includes NX, Remote Desktop, ssh and vnc. These give you direct access to a specific machine, which has access to other machines internally.

    It seems like when you say SSL, you mean web based. And when you say IPSec, you mean Full IP Access. If this is correct, then you'll need to use two open source products.

    I'd highly recommend using SSL Explorer for web based access, and OpenVPN for IP based access. If you don't mind paying, some of the low end Netscreens from Juniper will do both beautifully.

    Either way, please familiarize yourself with the technologies before you go talking to vendors, unless you're looking to get ripped off.

    --
    Can I get an eye poke?
    Dog House Forum
    1. Re:What do you want. by DA-MAN · Score: 3, Insightful

      I didn't see where he said web. SSL doesn't mean web based.

      He pointed to SSL Explorer, which is a Web Based VPN. But, as a web based VPN, it doesn't give you a full internal IP. My belief was that by pointing to a web based VPN, called SSL Explorer, he thought SSL based VPN meant Web Based VPN.

      You're right, he never said Web Based directly, but his use of the technology, the stuff he pointed to as examples, etc. led me to believe that we need to get the terminology down before going forward.

      --
      Can I get an eye poke?
      Dog House Forum
  3. Juniper by TheCabal · Score: 4, Informative

    Juniper Neoteris. Rock solid SSL VPN. Doesn't cost all that much, has robust features and granular access control. Comes with an ActiveX or Java client so you're not limiting yourself to just Windows users being able to use it.

  4. Dear Slashdot by Anonymous Coward · Score: 5, Funny

    "I am tasked with evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far I am lost. Please do my job for me as I am not sure what this google thing is everyone keeps mentioning. k thx bye"

  5. OpenVPN -- what it is, and isn't. by Slartibartfast · Score: 4, Informative

    First, let me just say that OpenVPN is the coolest VPN solution, ever. There's a GUI for Windows users, it can tunnel through ANYTHING (NTLM authentication through a proxy server? No problem!), it's incredibly flexible, it has features out the wazoo, it has good documentation and -- get THIS -- the logs actually contain stuff that helps you fix problems. "Certificate file /etc/openvpn/keys/foo.crt not found." Stuff like that. However, apparently (since OpenVPN -also- uses UDP by default, thus eliminating TCP-over-TCP cascading issues), there's more to OpenVPN than meets my eye; on a BBS I'm a member of (telnet://whip.isca.uiowa.edu), one of the more network-savvy folks had some commentary:

    OpenVPN is the only "SSL VPN" that uses UDP, yes. They invented a protocol that
    uses SSL over UDP for authentication, and until they did, SSL had never been
    implemented over UDP. There's now an IETF Internet Draft for DTLS, which is
    another SSL over UDP protocol specification, but no one else uses it yet,
    AFAIK, and it's still just an Internet Draft, not an RFC yet. The others
    implemented their SSL VPNs over TCP for two reasons:

    1) There wasn't a standard SSL over UDP specification to implement.
    2) SSL over UDP doesn't look like HTTPS, which is half the appeal of these
          products, because looking like HTTPS is often what gets them through
          a firewall on their end when a conventional VPN client can't get through.

    Note that OpenVPN doesn't transport its data stream over SSL. They use IPSec
    ESP over UDP for that, the same as standard IPSec NAT-T does. They just use
    SSL over UDP for session authentication and management--in other words, as
    an IKE replacement, as far as I can tell. In that respect, there's really
    not much to differentiate it from IPSec NAT-T.
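
Added example, not part of the comment above or of OpenVPN's own code: the comment describes SSL over UDP being used for session authentication and management alongside the data stream. In OpenVPN's wire format both kinds of packet share one port and are told apart by the opcode in the first byte, which this Python code parses; the function names and the sample packets are constructed for illustration.

```python
import struct

# Opcode = high 5 bits of the first byte; key ID = low 3 bits.
OPCODES = {1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
           3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
           6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
           8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2"}
DATA_OPCODES = {6, 9}

def classify(payload: bytes) -> dict:
    """Classify one OpenVPN packet (UDP payload) as control or data channel."""
    if not payload:
        raise ValueError("empty payload")
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode not in OPCODES:
        raise ValueError(f"unknown opcode {opcode}")
    info = {"opcode": OPCODES[opcode], "key_id": key_id}
    if opcode in DATA_OPCODES:
        info["channel"] = "data"
        if opcode == 9:  # P_DATA_V2 adds a 3-byte peer ID
            if len(payload) < 4:
                raise ValueError("truncated P_DATA_V2 packet")
            info["peer_id"] = int.from_bytes(payload[1:4], "big")
    else:
        info["channel"] = "control"  # TLS handshake, reliability layer, ACKs
        if len(payload) < 9:
            raise ValueError("truncated control packet")
        info["session_id"] = payload[1:9].hex()  # 8-byte session ID
    return info

def split_tcp_stream(stream: bytes) -> list:
    """In TCP mode each packet is preceded by a 2-byte big-endian length."""
    packets, off = [], 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack_from(">H", stream, off)
        if length == 0 or off + 2 + length > len(stream):
            break  # incomplete trailing packet: wait for more bytes
        packets.append(stream[off + 2:off + 2 + length])
        off += 2 + length
    return packets

# Constructed sample packets (not captured traffic).
CLIENT_RESET = bytes.fromhex("38" "0102030405060708" "00" "00000000")
DATA_V2 = bytes.fromhex("48" "000005") + b"\xaa" * 24

if __name__ == "__main__":
    for pkt in (CLIENT_RESET, DATA_V2):
        print(classify(pkt))
```

The first byte `0x38` of a client hard reset is what a firewall or IDS rule typically keys on to recognise an OpenVPN handshake, which is the "doesn't look like HTTPS" point made in the comment.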

  6. Re: Mac too by palmucci · Score: 3, Informative

    Works great on Macs too. See http://www.tunnelblick.net/ for a Mac GUI.