Slashdot Mirror


Dutch Government Officially Trusts OpenVPN-NL

First time accepted submitter joost.bijl writes "Yesterday the Dutch government took a step to further improve the adoption of Open Source in its ranks. It has officially approved a modified version of the open source VPN software OpenVPN for use on the governmental level 'Departementaal Vertrouwelijk' (Restricted). The release is called OpenVPN-NL and is fully open-source and available for use. The software has undergone a security evaluation by the Dutch government's national communications security agency (NLNCSA). The major change is the removal of OpenSSL as the cryptographic core of OpenVPN-NL. Instead, the Dutch government opted to include the smaller, more readable and better documented open source library PolarSSL to provide the cryptographic and SSL/TLS functionality. The Dutch IT Security company Fox-IT worked together with both OpenVPN and PolarSSL communities and modified the stock software to support the government evaluation process. In total 8000 lines of code and 4000 lines of documentation were checked in to the OpenVPN trunk."

12 of 53 comments

  1. Awesome by MightyMartian · Score: 5, Interesting

    This is very good news. OpenVPN is probably the easiest secure VPN software I've ever worked with. I've been running it as the link for our multi-site network for over two years now, and it's also the VPN software our road warriors are using. Simple to configure, and damnit but it just works. After years of trying to get all these weird implementations of IPSec to co-operate with each other, OpenVPN is just a marvel, fast and lightweight.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:Awesome by Capt.DrumkenBum · Score: 5, Interesting

      OpenVPN rocks!
      I have a client site that needs to access some data in my local office. This client site network is locked down so tight that almost nothing goes through. Somehow OpenVPN manages to maintain several connections between here and there. Add to that the fact that they are fully cross platform and you just can't beat them.

      --
      If I were God, wouldn't I protect my churches from acts of me?
    2. Re:Awesome by habalux · Score: 5, Informative

      OpenVPN 2.3 does support IPv6 in tun mode, even point-to-multipoint. It still needs an IPv4 pool though but you can just ignore it and go IPv6 only.

      http://www.greenie.net/ipv6/openvpn.html

    3. Re:Awesome by MightyMartian · Score: 4, Informative

      Yes, that is a pain. I thought they were supposed to be setting up the Windows service so that a non-admin client could control the VPN via the service to write the routing table, which seems to be the big stumbling block for OpenVPN under the UAC.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Awesome by mcvos · Score: 4, Insightful

      It's great to see my government do something sensible related to IT. Most of the time they really truly suck at it (like almost every other government, I suspect). Surely you remember the DigiNotar debacle? We've got tons more like that.

    5. Re:Awesome by Anonymous Coward · Score: 4, Interesting

      This is mainly going to be used to allow remote access to restricted infrastructure.
      The comments in Holland are that this is allowing unsecured & unchecked workstations (home PCs & laptops) that might be infected with general or specifically designed malware, & then via the VPN gaining access to restricted documents & information.

      The last word is not yet spoken about this.

      Dutch megan00b

  2. Re:Why should we trust openssl? by El_Muerte_TDS · Score: 4, Informative

    OpenSSL only goes up to TLS1.0, which contains some vulnerabilities. (Not sure if these issues affect OpenVPN.) PolarSSL (which is created by a Dutch company, which might be the reason it was chosen) supports up to TLS1.1.
    Why they didn't go for the more feature complete and mature GnuTLS would be an interesting question.

    http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations

  3. Re:Why should we trust openssl? by Rich · Score: 5, Interesting

    That's true, though OpenSSL has had the ability to add empty fragments to avoid the chosen-plaintext attack I suspect you're referring to for many years. What's strange is that the chosen solution (PolarSSL) doesn't seem to have support for OCSP, which is the main way to quickly revoke bad keys - particularly important in the light of the recent DigiNotar breach.

  4. I have an OpenVPN link that's been up ten years! by SwedishChef · Score: 5, Insightful

    When VPN routers were hard to find I set up several OpenVPN links. Over the years most of those networks migrated to other VPN solutions but this one never changed and it always worked. Meanwhile I had to dick with the other solutions all the damn time. When the client with that old OpenVPN link wanted another link I took a good hard look at it. I never had to reconfigure it. I never had to reboot it. It was installed on two HP desktop mini-towers that the client gave to me. And I realized just how good that product was. So I used OpenVPN for the two new links, too. But I upgraded to version 2 and used CentOS. That one has been up for two months and everyone is pleased as punch. I'm about to take the old one out of service and install a newer machine running version 2. I'm sure they'll last another ten years.

    Holland has made a wise decision to support OpenVPN!

    --
    No one ever had to evacuate a city because the solar panels broke!
  5. Re:Why should we trust openssl? by Genda · Score: 5, Funny

    Yeah, those silly Dutch just don't have a clue... By the way, is the United States still using Windows to control their nuclear power plants???

  6. Re:Why should we trust openssl? by jhaar · Score: 5, Informative

    You don't know what you're talking about. OpenVPN was never affected by the "renegotiation bug" as it doesn't use SSL for that component. As it runs over UDP and TCP, it had to come up with its own way of doing that - hence no problem.

    That in combination with HMAC authentication makes it basically immune from that issue anyway...
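The HMAC authentication the comment above refers to is OpenVPN's practice of tagging every control-channel packet with an HMAC under a pre-shared key, so that packets from a peer without that key are dropped before any TLS code touches them. The following is an added illustration of that gate, not OpenVPN's code: the framing (a 4-byte packet-id followed by the payload, with an HMAC-SHA256 tag prepended), the `seal`/`TlsAuthGate` names and the "highest packet-id seen" replay check are simplifications assumed for the example and do not reproduce the real tls-auth wire format or its sliding replay window.

```python
"""Packet-level HMAC gate modelled loosely on OpenVPN's tls-auth.

Added example, not OpenVPN's code. Framing, names and the replay check are
assumptions made for illustration; the real wire format differs.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 digest length in bytes


def seal(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Sender side: wire = tag || packet_id || payload, tag = HMAC(key, packet_id || payload)."""
    body = struct.pack(">I", packet_id) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


class TlsAuthGate:
    """Receiver side: verifies the tag and rejects replays before the payload
    would be handed to the TLS layer. Replay protection here is a simplified
    'highest packet-id seen' rule (an assumption, not OpenVPN's window logic)."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_id = -1
        self.dropped = 0

    def open(self, wire: bytes):
        """Returns the payload if the packet is authentic and fresh, else None."""
        if len(wire) < TAG_LEN + 4:
            self.dropped += 1  # too short to carry a tag and a packet-id
            return None
        tag, body = wire[:TAG_LEN], wire[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so timing reveals nothing about the expected tag.
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1  # wrong key or modified packet: never reaches TLS
            return None
        packet_id = struct.unpack(">I", body[:4])[0]
        if packet_id <= self.highest_id:
            self.dropped += 1  # replayed (or stale) packet
            return None
        self.highest_id = packet_id
        return body[4:]


def demo() -> dict:
    """Runs the legitimate, forged, tampered and replayed cases on one gate
    and returns what got through. Key and payloads are constructed sample data."""
    key = os.urandom(32)  # stands in for the shared ta.key
    gate = TlsAuthGate(key)
    results = {}

    good = seal(key, 1, b"TLS ClientHello bytes (constructed)")
    results["legit"] = gate.open(good)

    # Peer without the shared key: its tag is computed under some other key.
    forged = seal(os.urandom(32), 2, b"ClientHello from unauthenticated peer")
    results["forged"] = gate.open(forged)

    # Validly tagged packet with one bit of the payload flipped in transit.
    tampered = bytearray(seal(key, 3, b"payload (constructed)"))
    tampered[-1] ^= 0x01
    results["tampered"] = gate.open(bytes(tampered))

    # The genuine first packet delivered a second time.
    results["replay"] = gate.open(good)

    results["dropped"] = gate.dropped
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Only the first packet is accepted; the forged, tampered and replayed packets are all discarded by the HMAC gate, which is why the TLS implementation behind it (OpenSSL or PolarSSL) never sees input from an unauthenticated peer.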

  7. Re:diff by testie_nl · Score: 5, Informative

    Here's the guy claiming to be the maintainer :) Just to make something clear: I used to work at Fox-IT for a long time. Fox-IT did a number of code additions to improve interoperability with OpenVPN and donated that code to the PolarSSL code base.