Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread R0b0t1
On Fri, Apr 6, 2018 at 12:58 PM, Mick  wrote:
> On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
>> On 04/05/2018 03:51 AM, gevisz wrote:
>> > Yes, the Host is running Windows.
>>
>> Seeing as how both the "Host" and the "Client" are running Windows, I
>> would think seriously about trying to leverage Windows' built in VPN
>> capabilities.
>>
>> The following things come to mind:
>>
>>   - (raw) IPSec - this might be somewhat challenging b/c reasons
>
> I think you mean IKEv2 + IPSec?
>
> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
>> be encrypted when sent through the IPSec encrypted tunnel.
>
>
>>   - L2TP+IPSec - probably less challenging b/c of wizards
>
> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.
>
>
>>   - PPTP - just don't unless you have to
>
> Well said:
>
> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security.  I would not use it under any
> circumstances, unless security is of no importance.
>
>
>> I'd encourage your friend to check out the VPN capabilities built into
>> Windows.  He may need to install / configure (R)RAS to enable the features.
>
> As I mentioned before, there is also IKEv2+IPSec, which allows the client to
> roam between networks without dropping the connection.
>
> Finally, there is SSTP encrypting PPP frames within TLS.  I don't know why one
> would use this instead of OpenVPN, except that it comes as part of the
> MSWindows package, while OpenVPN has to be installed separately.
>
>
>> In my experience, using native features that come from the software
>> vendor is often simpler to maintain long term.
>
> +1
>
> They are also easier to set up initially, because both MSWindows peers will
> use the same combo of encryption suites, ciphers, etc.

You mean the same horribly insecure ciphers? The built in options are
so weak that I am not aware of anyone seriously using them; most
setups tunnel Windows technologies like RDP (which may sometimes
insist on being set up with encryption) over Linux based technologies.



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread Grant Taylor

On 04/06/2018 04:51 PM, Mick wrote:
> Domestic grade routers which offer IKEv1, typically use PSK for
> authentication, not TLS certificates.  The PSK is what IKE uses in
> userspace to establish a secure connection with authentication between
> peers for the purpose of exchanging the IPSec keys to encrypt the
> tunnel with.

ACK.  All of that makes sense.  Thank you for clarifying / confirming
what I suspected was the case.

I don't /remember/ IKE being involved in what I was doing.  But there's
a chance that it was happening without me being aware of it.

> If you check the 2nd sentence in the wiki page below, it confirms
> MSWindows L2TP/IPSec uses IKEv1 to exchange the IPSec keys:
>
> https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#IPsec

I don't remember L2TP being involved either.  But that doesn't mean that
it wasn't.

If memory serves (and it often does not) I was manually configuring
IPSec policies via a GPEdit snapin.  It was extremely low level and
obtuse to configure.

> OpenSWAN was forked into LibreSWAN and FreeSWAN is now called StrongSWAN.
> Anyway, part of the IKEv2 standard is to offer support for mobile and
> multihomed users (MOBIKE).

Hum.  I've not paid attention to *SWAN as I've not needed to use it.  I
also thought that IPSec was a LOT more complicated than other
technologies.  Plus, I was dealing with more road warrior type things
than site-to-site.  (It's my understanding that IPSec is (or was) not
really friendly for mobile.)

> Although IKE operates in userspace, the IPSec stack is in kernelspace
> and its performance superior to userspace VPN technologies.

My understanding is that IKE was just used to boot strap and maintain
the in kernel IPSec.  Thus IKE could easily run in user space.

> Apparently Wireguard is even more efficient than the IPSec's xfrm/netkey,
> but I have not tried it out yet.

I've not messed with Wireguard yet.  But it's on my list if I ever need
/ want to mess with VPNs.




--
Grant. . . .
unix || die



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread Mick
On Friday, 6 April 2018 19:20:09 BST Grant Taylor wrote:
> On 04/06/2018 11:58 AM, Mick wrote:
> > I think you mean IKEv2 + IPSec?
> 
> I don't remember IKE involved the last time I had to manually
> set up an IPSec connection between two Windows systems (or Windows and a
> Netgear router).  I think it was /completely/ manual and PSK.

Domestic grade routers which offer IKEv1, typically use PSK for 
authentication, not TLS certificates.  The PSK is what IKE uses in userspace 
to establish a secure connection with authentication between peers for the 
purpose of exchanging the IPSec keys to encrypt the tunnel with.  If you check 
the 2nd sentence in the wiki page below, it confirms MSWindows L2TP/IPSec uses 
IKEv1 to exchange the IPSec keys:

https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#IPsec


> > IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> > tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will
> > all be encrypted when sent through the IPSec encrypted tunnel.
> 
> I remember doing a little bit with IKE 10+ years ago back when it was
> OpenSWAN / FreeSWAN.

OpenSWAN was forked into LibreSWAN and FreeSWAN is now called StrongSWAN.  
Anyway, part of the IKEv2 standard is to offer support for mobile and 
multihomed users (MOBIKE).

Although IKE operates in userspace, the IPSec stack is in kernelspace and its 
performance superior to userspace VPN technologies.  Apparently Wireguard is 
even more efficient than the IPSec's xfrm/netkey, but I have not tried it out 
yet.

-- 
Regards,
Mick

signature.asc
Description: This is a digitally signed message part.


Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread Grant Taylor

On 04/06/2018 11:58 AM, Mick wrote:
> I think you mean IKEv2 + IPSec?

I don't remember IKE involved the last time I had to manually
set up an IPSec connection between two Windows systems (or Windows and a
Netgear router).  I think it was /completely/ manual and PSK.

> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will
> all be encrypted when sent through the IPSec encrypted tunnel.

I remember doing a little bit with IKE 10+ years ago back when it was
OpenSWAN / FreeSWAN.

> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.

ACK

> Well said:

*chuckle*

> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security.  I would not use it under
> any circumstances, unless security is of no importance.

Agreed.

> As I mentioned before, there is also IKEv2+IPSec, which allows the client
> to roam between networks without dropping the connection.

Intriguing.  I've never considered IPSec with a road warrior, much less
an established connection with a changing IP address.  I would have been
much more likely to look at OpenVPN or Wireguard or OpenSSH.

> Finally, there is SSTP encrypting PPP frames within TLS.  I don't know
> why one would use this instead of OpenVPN, except that it comes as part
> of the MSWindows package, while OpenVPN has to be installed separately.

SSTP is a new one on me.

> +1
>
> They are also easier to set up initially, because both MSWindows peers
> will use the same combo of encryption suites, ciphers, etc.  Half of
> the pain of getting MSWindows to work with a Linux VPN gateway is often
> finding how to configure the cipher, hash and X509v3 extensions of a
> TLS certificate in a way that MSWindows will not barf;  e.g. IIRC, last
> time I looked at a Windows 7 IKEv2/IPSec VPN, the TLS certificates would
> only accept AES128 keys and SHA1.  Anything more onerous would not be
> accepted by the MSoft TLS key manager.

Agreed.



--
Grant. . . .
unix || die



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread gevisz
2018-04-06 1:45 GMT+03:00 Bill Kenworthy :
> On 05/04/18 22:51, gevisz wrote:
>> 2018-04-05 16:14 GMT+03:00 Bill Kenworthy :
>>> On 05/04/18 18:28, gevisz wrote:
>>>> 2018-04-05 12:51 GMT+03:00 gevisz :
>>>>> 2018-04-05 1:02 GMT+03:00 Grant Taylor :
>>>>>> On 04/04/2018 02:18 PM, gevisz wrote:
>>>>>> Assuming that NAT is in play on OR and IR (worst case), then just about
>>>>>> /any/ form of VPN initiating from the outside will be fraught with uphill
>>>>>> battles.
>>>>> As far as I understand, the connection would be initiated from the Host.
>>>> A small correction after a call to the friend: the VPN server should
>>>> be installed on the Client and the VPN client should be installed on the
>>>> Host.
>>>>
>>>> For the same reason it is impossible to set up a VPN server on the IR.
>>>>
>>>> Moreover, IR is too simple to use it for setting up any server other than
>>>> NAT and, maybe, port-forwarding.

>>> Might need a third party vpn server in the cloud that both ends connect
>>> to as clients and route between?  A stunserver like VoIP uses will help
>>> there.
>>>
>>> Also try a proxytunnel/stunnel using port 443 and use that to bounce
>>> openvpn or a putty (ssh) port tunnel through the network's https proxy.
>>> Inefficient but gets ssh, web pages and small downloads through
>>> problematic networks nicely.  Double wrapping in ssl with end-to-end
>>> protection via openvpn takes care of privacy when MITM SSL proxies are
>>> used (yes, they exist).  Note that openvpn can be used peer to peer
>>> though client to server is a bit more secure.
>> Thank you for the information.
>>
>>>  In my setup, the client is windows and the server is gentoo on a dynamic 
>>> IP.
>> It is strange because just today I have learned that a VPN server should
>> be set up on a host with a static IP visible in the Internet.  Otherwise a
>> VPN client has no way to connect to the VPN server.
>>
> I am referring to putty as the windows client (my view of the process) -
> the vpn client is proxytunnel on windows connecting out to the server
> which is an external stunnel on gentoo from your point of view.  The
> secret is getting the two to talk to each other and that's where it gets
> interesting - a method I used in the past is internally have a script
> scraping a webpage (external) and when it gets a change it wants,
> initiate a connection (IP number change for a permanent link on a
> dynamic IP, or other instruction - actually used an html comment on my
> home web server index page).  A more common method is to initiate a test
> connection every few minutes and close/go back to waiting if there is no
> connection.  Zebedee, which I used for years as a port tunnel (very good
> and flexible), has a mode where it can initiate connections when there is
> no public visibility.  If both ends are behind a secure gateway/NAT -
> you need a third machine to coordinate the process.

It is too hard for me to understand, but I have got the idea of letting
some script periodically read the content of a webpage and initiate
the connection if the content of the webpage says so.

I let my friend read this.

> If it's all too hard, can you drop a raspberry pi trojan on the network
> which gets away from the restrictions running windows?  At the end of
> the day, it's up to you and the local admins as to how much funny
> business they will put up with but it's just a technical problem in
> moving packets around.
>
> BillK
>
>
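
Bill's "scrape a web page for an instruction" trick, as an added example that is not code from the thread or from any of the posters: a POSIX shell poller that reads an HTML comment of the form `<!-- vpn: connect host:port -->` (or `<!-- vpn: disconnect -->`) from a page, remembers the last instruction it acted on, and only does something when the instruction changes. The page URL (vpn.example.invalid is a placeholder), the comment format, the state file path and the connect/disconnect commands are all assumptions; the tunnel commands are stubs that print what they would do, so the decision logic can be exercised without a network.

```shell
#!/bin/sh
# Added example, not from the thread. Polls a web page for an instruction hidden
# in an HTML comment and acts only when the instruction changes.
# Assumptions: the page URL, the "<!-- vpn: ... -->" comment format (one line),
# the state file path and the connect/disconnect commands are all hypothetical.
set -eu

PAGE_URL="${PAGE_URL:-https://vpn.example.invalid/index.html}"
STATE_FILE="${STATE_FILE:-${TMPDIR:-/tmp}/vpn-beacon.last}"
POLL_SECONDS="${POLL_SECONDS:-300}"

# extract_instruction: read page content on stdin and print the body of the first
# comment of the form "<!-- vpn: connect 203.0.113.10:443 -->" or "<!-- vpn: disconnect -->".
# Prints nothing when the page carries no such comment.
extract_instruction() {
    sed -n 's/.*<!-- *vpn: *\([^ >][^>]*[^ >]\) *-->.*/\1/p' | head -n 1
}

# decide_action: compare the instruction just fetched ($1) with the last one acted
# on ($2). Prints "connect <target>", "disconnect" or "noop". Acting only on a
# change is what stops a link from being torn down and rebuilt on every poll.
decide_action() {
    if [ "$1" = "$2" ]; then
        echo noop
        return 0
    fi
    case "$1" in
        connect\ *)  echo "$1" ;;
        disconnect)  echo disconnect ;;
        *)           echo noop ;;      # unknown or empty instruction: leave things alone
    esac
}

# start_tunnel / stop_tunnel: placeholders for the real commands, e.g.
#   openvpn --daemon --config client.ovpn --remote "$host" "$port"
# or an ssh reverse tunnel to the coordinating machine.
start_tunnel() { echo "would start tunnel to $1"; }
stop_tunnel()  { echo "would stop tunnel"; }

# run_once: one poll cycle. Returns non-zero, and changes nothing, if the fetch fails.
run_once() {
    page=$(curl -fsS --max-time 20 "$PAGE_URL") || return 1
    new=$(printf '%s\n' "$page" | extract_instruction)
    last=$(cat "$STATE_FILE" 2>/dev/null || true)
    case "$(decide_action "$new" "$last")" in
        connect\ *) start_tunnel "${new#connect }" ;;
        disconnect) stop_tunnel ;;
    esac
    printf '%s\n' "$new" > "$STATE_FILE"
}

# "sh beacon.sh --loop" polls forever; sourcing the file only defines the functions.
if [ "${1:-}" = "--loop" ]; then
    while :; do
        run_once || echo "fetch failed, will retry" >&2
        sleep "$POLL_SECONDS"
    done
fi
```

The page is fetched over HTTPS so the beacon cannot be forged by anyone on the path, and the instruction is compared against the last one seen rather than acted on blindly, which is the part that matters when the page is served from a cache or the script is restarted. Bill's other method, a test connection every few minutes, fits the same loop: replace the fetch with a connection probe and treat "probe succeeded" as the connect instruction.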



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread Mick
On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
> On 04/05/2018 03:51 AM, gevisz wrote:
> > Yes, the Host is running Windows.
> 
> Seeing as how both the "Host" and the "Client" are running Windows, I
> would think seriously about trying to leverage Windows' built in VPN
> capabilities.
> 
> The following things come to mind:
> 
>   - (raw) IPSec - this might be somewhat challenging b/c reasons

I think you mean IKEv2 + IPSec?

IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the 
tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will all 
be encrypted when sent through the IPSec encrypted tunnel.


>   - L2TP+IPSec - probably less challenging b/c of wizards

This is using L2TP for encapsulating the frames + IKEv1 for secure key 
exchange + IPsec for encryption of the L2TP tunnel.


>   - PPTP - just don't unless you have to

Well said:

https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security

It is an obsolete method with poor security.  I would not use it under any 
circumstances, unless security is of no importance.


> I'd encourage your friend to check out the VPN capabilities built into
> Windows.  He may need to install / configure (R)RAS to enable the features.

As I mentioned before, there is also IKEv2+IPSec, which allows the client to 
roam between networks without dropping the connection.

Finally, there is SSTP encrypting PPP frames within TLS.  I don't know why one 
would use this instead of OpenVPN, except that it comes as part of the 
MSWindows package, while OpenVPN has to be installed separately.


> In my experience, using native features that come from the software
> vendor is often simpler to maintain long term.

+1

They are also easier to set up initially, because both MSWindows peers will 
use the same combo of encryption suites, ciphers, etc.  Half of the pain of 
getting MSWindows to work with a Linux VPN gateway is often finding how to 
configure the cipher, hash and X509v3 extensions of a TLS certificate in a way 
that MSWindows will not barf;  e.g. IIRC, last time I looked at a Windows 7 
IKEv2/IPSec VPN, the TLS certificates would only accept AES128 keys and SHA1.  
Anything more onerous would not be accepted by the MSoft TLS key manager.
-- 
Regards,
Mick

signature.asc
Description: This is a digitally signed message part.
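
Mick's point about getting a certificate past the Windows client, as an added example that is not code from the thread or from the strongSwan project: an OpenSSL script that issues a private CA and an IKEv2 gateway certificate carrying the X509v3 extensions a Windows IKEv2 client checks, a subjectAltName equal to the name the client dials and a serverAuth extendedKeyUsage, plus a check function that confirms both are present before the certificate is handed to the IKE daemon. The gateway name vpn.example.invalid, the output directory, RSA keys and SHA-256 signatures are assumptions (adjust the key and hash if a particular client version rejects them), it assumes OpenSSL 1.1.1 or later, and it says nothing about the IKE/ESP cipher proposals, which are negotiated separately from the certificate.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan. Issues a private CA and
# an IKEv2 gateway certificate with the extensions a Windows IKEv2 client checks:
#   - subjectAltName equal to the name the client dials, and
#   - extendedKeyUsage containing serverAuth (1.3.6.1.5.5.7.3.1).
# Assumptions: OpenSSL 1.1.1 or later, the hypothetical gateway name below,
# RSA keys and SHA-256 signatures. IKE/ESP cipher proposals are a separate matter.
set -eu

GW_NAME="${GW_NAME:-vpn.example.invalid}"   # must equal the server name in the Windows VPN profile
OUT="${OUT:-./pki}"

# make_pki: write ca.key/ca.crt and gw.key/gw.crt under $OUT.
make_pki() {
    mkdir -p "$OUT"

    # A minimal req config: -subj alone is not enough, req insists on a
    # distinguished_name section, and using our own file keeps the system
    # openssl.cnf (and its default extension sections) out of the picture.
    cat > "$OUT/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext

[ dn ]
CN = Example VPN CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Self-signed CA. The Windows client needs this in the machine (not user)
    #    Trusted Root Certification Authorities store.
    openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -config "$OUT/req.cnf" -keyout "$OUT/ca.key" -out "$OUT/ca.crt"

    # 2. Gateway key and CSR; -subj overrides the CN from the config file.
    openssl req -new -newkey rsa:3072 -nodes -sha256 \
        -config "$OUT/req.cnf" -subj "/CN=$GW_NAME" \
        -keyout "$OUT/gw.key" -out "$OUT/gw.csr"

    # 3. Issue the gateway cert. 1.3.6.1.5.5.8.2.2 (ikeIntermediate) is what older
    #    Apple clients look for; Windows ignores it, so adding it costs nothing.
    cat > "$OUT/gw.ext" <<EOF
subjectAltName = DNS:$GW_NAME
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
keyUsage = critical, digitalSignature, keyEncipherment
basicConstraints = CA:FALSE
EOF
    openssl x509 -req -in "$OUT/gw.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$OUT/gw.ext" -out "$OUT/gw.crt"
}

# check_gw_cert: print "ok" when gw.crt chains to ca.crt and carries the SAN and
# EKU above; otherwise print what is missing and return 1. Worth running before
# blaming the IKE daemon for a Windows-side 13801 (credentials unacceptable).
check_gw_cert() {
    text=$(openssl x509 -in "$OUT/gw.crt" -noout -text)
    printf '%s\n' "$text" | grep -q "DNS:$GW_NAME" \
        || { echo "missing subjectAltName DNS:$GW_NAME"; return 1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "missing serverAuth extendedKeyUsage"; return 1; }
    openssl verify -CAfile "$OUT/ca.crt" "$OUT/gw.crt" >/dev/null 2>&1 \
        || { echo "gw.crt does not chain to ca.crt"; return 1; }
    echo ok
}

# "sh mkpki.sh --make" builds and checks the PKI; sourcing only defines the functions.
if [ "${1:-}" = "--make" ]; then
    make_pki
    check_gw_cert
fi
```

The two things that most often make a Windows IKEv2 client refuse a Linux gateway are a SAN that does not match the server name typed into the profile and a missing serverAuth EKU; the CA certificate (never its key) is what gets imported on the Windows side. The IPsec proposals the client will offer are configured separately from all of this, on Windows 8.1 and later with PowerShell's Set-VpnConnectionIPsecConfiguration.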


Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread gevisz
2018-04-06 2:10 GMT+03:00 Grant Taylor :
> On 04/05/2018 03:51 AM, gevisz wrote:
>>
>> Yes, the Host is running Windows.
>
>
> Seeing as how both the "Host" and the "Client" are running Windows, I would
> think seriously about trying to leverage Windows' built in VPN capabilities.
>
> The following things come to mind:
>
>  - (raw) IPSec - this might be somewhat challenging b/c reasons
>  - L2TP+IPSec - probably less challenging b/c of wizards
>  - PPTP - just don't unless you have to
>
> I'd encourage your friend to check out the VPN capabilities built into
> Windows.  He may need to install / configure (R)RAS to enable the features.

Thank you for your advice.  He is currently trying to set up RAS with SSTP, but
the RAS client so far cannot log into the server, while a third-party VPN just
works (until the remote computer hangs for a so far unknown reason that may not
even be connected with the VPN server).

We will continue to experiment to find the reason.

> In my experience, using native features that come from the software vendor
> is often simpler to maintain long term.