Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
On Fri, Apr 6, 2018 at 12:58 PM, Mick wrote:
> On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
>> On 04/05/2018 03:51 AM, gevisz wrote:
>> > Yes, the Host is running Windows.
>>
>> Seeing as how both the "Host" and the "Client" are running Windows, I
>> would think seriously about trying to leverage Windows' built in VPN
>> capabilities.
>>
>> The following things come to mind:
>>
>> - (raw) IPSec - this might be somewhat challenging b/c reasons
>
> I think you mean IKEv2 + IPSec?
>
> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
> be encrypted when sent through the IPSec encrypted tunnel.
>
>> - L2TP+IPSec - probably less challenging b/c of wizards
>
> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.
>
>> - PPTP - just don't unless you have to
>
> Well said:
>
> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security. I would not use it under any
> circumstances, unless security is of no importance.
>
>> I'd encourage your friend to check out the VPN capabilities built into
>> Windows. He may need to install / configure (R)RAS to enable the features.
>
> As I mentioned before, there is also IKEv2+IPSec, which allows the client to
> roam between networks without dropping the connection.
>
> Finally, there is SSTP encrypting PPP frames within TLS. I don't know why one
> would use this instead of OpenVPN, except that it comes as part of the
> MSWindows package, while OpenVPN has to be installed separately.
>
>> In my experience, using native features that come from the software
>> vendor is often simpler to maintain long term.
>
> +1
>
> They are also easier to set up initially, because both MSWindows peers will
> use the same combo of encryption suites, ciphers, etc.

You mean the same horribly insecure ciphers? The built-in options are so weak
that I am not aware of anyone seriously using them; most setups tunnel Windows
technologies like RDP (which may sometimes insist on being set up with
encryption) over Linux-based technologies.
Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
On 04/06/2018 04:51 PM, Mick wrote:
> Domestic grade routers which offer IKEv1, typically use PSK for
> authentication, not TLS certificates. The PSK is what IKE uses in userspace
> to establish a secure connection with authentication between peers for the
> purpose of exchanging the IPSec keys to encrypt the tunnel with.

ACK

All of that makes sense. Thank you for clarifying / confirming what I
suspected was the case.

I don't /remember/ IKE being involved in what I was doing. But there's a
chance that it was happening without me being aware of it.

> If you check the 2nd sentence in the wiki page below, it confirms MSWindows
> L2TP/IPSec uses IKEv1 to exchange the IPSec keys:
>
> https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#IPsec

I don't remember L2TP being involved either. But that doesn't mean that it
wasn't.

If memory serves (and it often does not) I was manually configuring IPSec
policies via a GPEdit snap-in. It was extremely low level and obtuse to
configure.

> OpenSWAN was forked into LibreSWAN and FreeSWAN is now called StrongSWAN.
> Anyway, part of the IKEv2 standard is to offer support for mobile and
> multihomed users (MOBIKE).

Hum. I've not paid attention to *SWAN as I've not needed to use it. I also
thought that IPSec was a LOT more complicated than other technologies. Plus,
I was dealing with more road warrior type things than site-to-site. (It's my
understanding that IPSec is (or was) not really friendly for mobile.)

> Although IKE operates in userspace, the IPSec stack is in kernelspace and
> its performance superior to userspace VPN technologies.

My understanding is that IKE was just used to bootstrap and maintain the
in-kernel IPSec. Thus IKE could easily run in user space.

> Apparently Wireguard is even more efficient than the IPSec's xfrm/netkey,
> but I have not tried it out yet.

I've not messed with Wireguard yet. But it's on my list if I ever need / want
to mess with VPNs.

-- 
Grant. . . .
unix || die
Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
On Friday, 6 April 2018 19:20:09 BST Grant Taylor wrote:
> On 04/06/2018 11:58 AM, Mick wrote:
> > I think you mean IKEv2 + IPSec?
>
> I don't remember IKE involved the last time I had to manually
> set up an IPSec connection between two Windows systems (or Windows and a
> Netgear router). I think it was /completely/ manual and PSK.

Domestic grade routers which offer IKEv1, typically use PSK for authentication,
not TLS certificates. The PSK is what IKE uses in userspace to establish a
secure connection with authentication between peers for the purpose of
exchanging the IPSec keys to encrypt the tunnel with.

If you check the 2nd sentence in the wiki page below, it confirms MSWindows
L2TP/IPSec uses IKEv1 to exchange the IPSec keys:

https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#IPsec

> > IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> > tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will
> > all be encrypted when sent through the IPSec encrypted tunnel.
>
> I remember doing a little bit with IKE 10+ years ago back when it was
> OpenSWAN / FreeSWAN.

OpenSWAN was forked into LibreSWAN and FreeSWAN is now called StrongSWAN.
Anyway, part of the IKEv2 standard is to offer support for mobile and
multihomed users (MOBIKE).

Although IKE operates in userspace, the IPSec stack is in kernelspace and its
performance superior to userspace VPN technologies.

Apparently Wireguard is even more efficient than the IPSec's xfrm/netkey, but
I have not tried it out yet.

-- 
Regards,
Mick
Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
On 04/06/2018 11:58 AM, Mick wrote:
> I think you mean IKEv2 + IPSec?

I don't remember IKE involved the last time I had to manually set up an IPSec
connection between two Windows systems (or Windows and a Netgear router). I
think it was /completely/ manual and PSK.

> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
> be encrypted when sent through the IPSec encrypted tunnel.

I remember doing a little bit with IKE 10+ years ago back when it was
OpenSWAN / FreeSWAN.

> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.

ACK

> Well said:

*chuckle*

> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security. I would not use it under any
> circumstances, unless security is of no importance.

Agreed.

> As I mentioned before, there is also IKEv2+IPSec, which allows the client
> to roam between networks without dropping the connection.

Intriguing. I've never considered IPSec with a road warrior, much less an
established connection with a changing IP address. I would have been much
more likely to look at OpenVPN or Wireguard or OpenSSH.

> Finally, there is SSTP encrypting PPP frames within TLS. I don't know why
> one would use this instead of OpenVPN, except that it comes as part of the
> MSWindows package, while OpenVPN has to be installed separately.

SSTP is a new one on me.

> +1
>
> They are also easier to set up initially, because both MSWindows peers will
> use the same combo of encryption suites, ciphers, etc.
>
> Half of the pain of getting MSWindows to work with a Linux VPN gateway is
> often finding how to configure the cipher, hash and X509v3 extensions of a
> TLS certificate in a way that MSWindows will not barf; e.g. IIRC, last time
> I looked at a Windows 7 IKEv2/IPSec VPN, the TLS certificates would only
> accept AES128 keys and SHA1. Anything more onerous would not be accepted by
> the MSoft TLS key manager.

Agreed.

-- 
Grant. . . .
unix || die
Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
2018-04-06 1:45 GMT+03:00 Bill Kenworthy:
> On 05/04/18 22:51, gevisz wrote:
>> 2018-04-05 16:14 GMT+03:00 Bill Kenworthy :
>>> On 05/04/18 18:28, gevisz wrote:
>>>> 2018-04-05 12:51 GMT+03:00 gevisz :
>>>>> 2018-04-05 1:02 GMT+03:00 Grant Taylor :
>>>>>> On 04/04/2018 02:18 PM, gevisz wrote:
>>>>>>
>>>>>> Assuming that NAT is in play on OR and IR (worst case), then just
>>>>>> about /any/ form of VPN initiating from the outside will be fraught
>>>>>> with uphill battles.
>>>>>
>>>>> As far as I understand, the connection would be initiated from the Host.
>>>>
>>>> A small correction after a call to the friend: the VPN server should be
>>>> installed on the Client and the VPN client should be installed on the
>>>> Host. Because of the same reason it is impossible to set up VPN server
>>>> on the IR. Moreover, IR is too simple to use it for setting up any
>>>> server other than NAT and, maybe, port-forwarding.
>>>
>>> Might need a third party vpn server in the cloud that both ends connect
>>> to as clients and route between? A stunserver like VoIP uses will help
>>> there.
>>>
>>> Also try a proxytunnel/stunnel using port 443 and use that to bounce
>>> openvpn or a putty (ssh) port tunnel through the networks https proxy.
>>> Inefficient but gets ssh, web pages and small downloads through
>>> problematic networks nicely. Double wrapping in ssl with end-to-end
>>> protection via openvpn takes care of privacy when MITM SSL proxies are
>>> used (yes they exist) Note that openvpn can be used peer to peer
>>> though client to server is a bit more secure.
>>
>> Thank you for the information.
>>
>>> In my setup, the client is windows and the server is gentoo on a dynamic
>>> IP.
>>
>> It is strange because just today I have learned that VPN server should
>> be set on the host with static IP visible in the Internet. Otherwise a
>> VPN-client has no way to connect to the VPN-server.
>
> I am referring to putty as the windows client (my view of the process) -
> the vpn client is proxytunnel on windows connecting out to the server
> which is an external stunnel on gentoo from your point of view. The
> secret is getting the two to talk to each other and that's where it gets
> interesting - a method I used in the past is internally have a script
> scraping a webpage (external) and when it gets a change it wants,
> initiate a connection (IP number change for a permanent link on a
> dynamic IP, or other instruction - actually used a html comment on my
> home web server index page). A more common method is to initiate a test
> connection every few minutes and close/go back to waiting if there is no
> connection. Zebedee which I used for years as a port tunnel (very good
> and flexible) has a mode where it can initiate connections when there is
> no public visibility. If both ends are behind a secure gateway/NAT -
> you need a third machine to coordinate the process.

It is too hard for me to understand, but I have got the idea of letting some
script periodically read the content of a webpage and initiate the connection
if the content of the webpage says so. I will let my friend read this.

> If it's all too hard, can you drop a raspberry pi trojan on the network
> which gets away from the restrictions running windows? At the end of
> the day, it's up to you and the local admins as to how much funny
> business they will put up with but it's just a technical problem in
> moving packets around.
>
> BillK'
Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
> On 04/05/2018 03:51 AM, gevisz wrote:
> > Yes, the Host is running Windows.
>
> Seeing as how both the "Host" and the "Client" are running Windows, I
> would think seriously about trying to leverage Windows' built in VPN
> capabilities.
>
> The following things come to mind:
>
> - (raw) IPSec - this might be somewhat challenging b/c reasons

I think you mean IKEv2 + IPSec?

IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
be encrypted when sent through the IPSec encrypted tunnel.

> - L2TP+IPSec - probably less challenging b/c of wizards

This is using L2TP for encapsulating the frames + IKEv1 for secure key
exchange + IPsec for encryption of the L2TP tunnel.

> - PPTP - just don't unless you have to

Well said:

https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security

It is an obsolete method with poor security. I would not use it under any
circumstances, unless security is of no importance.

> I'd encourage your friend to check out the VPN capabilities built into
> Windows. He may need to install / configure (R)RAS to enable the features.

As I mentioned before, there is also IKEv2+IPSec, which allows the client to
roam between networks without dropping the connection.

Finally, there is SSTP encrypting PPP frames within TLS. I don't know why one
would use this instead of OpenVPN, except that it comes as part of the
MSWindows package, while OpenVPN has to be installed separately.

> In my experience, using native features that come from the software
> vendor is often simpler to maintain long term.

+1

They are also easier to set up initially, because both MSWindows peers will
use the same combo of encryption suites, ciphers, etc.

Half of the pain of getting MSWindows to work with a Linux VPN gateway is
often finding how to configure the cipher, hash and X509v3 extensions of a
TLS certificate in a way that MSWindows will not barf; e.g. IIRC, last time I
looked at a Windows 7 IKEv2/IPSec VPN, the TLS certificates would only accept
AES128 keys and SHA1. Anything more onerous would not be accepted by the
MSoft TLS key manager.

-- 
Regards,
Mick
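The certificate-extension pain Mick describes (and that Grant's reply above quotes) is concrete enough to script. The following is an added example, not code from this thread or from any of the projects named in it: it mints a CA and a gateway certificate carrying the X509v3 extensions a Windows IKEv2 client is generally assumed to check (a subjectAltName matching the name the client dials, the serverAuth EKU, and the IKE intermediate EKU for older clients), and a check that reports whether a given certificate has them. The gateway name, key sizes and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Mint a CA and a VPN gateway certificate
# carrying the X509v3 extensions a Windows IKEv2 client checks, then verify.
# Assumed requirements (not stated in the thread): subjectAltName must match
# the name the client dials and extendedKeyUsage must include serverAuth
# (1.3.6.1.5.5.7.3.1); the IKE intermediate EKU (1.3.6.1.5.5.8.2.2) is added
# for older clients. GW_NAME is a constructed placeholder.
set -e
GW_NAME="${GW_NAME:-vpn.example.test}"
WORK="${WORK:-$(mktemp -d)}"

make_gateway_cert() {
    # CA: self-signed, SHA-256 (2048-bit keys to keep this demo quick)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # gateway key and CSR; a CN alone is not enough for Windows, SAN is needed
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$GW_NAME" \
        -keyout "$WORK/gw.key" -out "$WORK/gw.csr" 2>/dev/null
    # extensions that make the gateway cert acceptable as an IKEv2 server cert
    cat > "$WORK/gw.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
subjectAltName=DNS:$GW_NAME
EOF
    openssl x509 -req -sha256 -days 825 -in "$WORK/gw.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/gw.ext" -out "$WORK/gw.crt" 2>/dev/null
}

# Prints 0 when the certificate has SAN DNS:<name> and the serverAuth EKU,
# 1 otherwise; run this against any gateway cert before handing it to clients.
check_gateway_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q "DNS:$2" || { echo 1; return 0; }
    echo "$text" | grep -q "TLS Web Server Authentication" || { echo 1; return 0; }
    echo 0
}

make_gateway_cert
check_gateway_cert "$WORK/gw.crt" "$GW_NAME"   # prints 0
```

The check deliberately reports a missing SAN or EKU rather than trusting the CN, since that mismatch is the usual reason a Windows client rejects an otherwise valid gateway certificate.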
Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
2018-04-06 2:10 GMT+03:00 Grant Taylor:
> On 04/05/2018 03:51 AM, gevisz wrote:
>>
>> Yes, the Host is running Windows.
>
> Seeing as how both the "Host" and the "Client" are running Windows, I would
> think seriously about trying to leverage Windows' built in VPN capabilities.
>
> The following things come to mind:
>
> - (raw) IPSec - this might be somewhat challenging b/c reasons
> - L2TP+IPSec - probably less challenging b/c of wizards
> - PPTP - just don't unless you have to
>
> I'd encourage your friend to check out the VPN capabilities built into
> Windows. He may need to install / configure (R)RAS to enable the features.

Thank you for your advice. He is currently trying to set up RAS with SSTP but
the RAS client so far cannot log into the server, while a third party VPN just
works (until the remote computer hangs for a so far unknown reason that may
not even be connected with the VPN server). We will continue to experiment to
find the reason.

> In my experience, using native features that come from the software vendor
> is often simpler to maintain long term.