Re: Tunneling in NetBSD

2020-11-22 Thread Bodie

On 22.11.2020 15:41, Rhialto wrote:
> On Mon 16 Nov 2020 at 07:07:15 -0700, Andy Ruhl wrote:
> > Just a general question to this thread:
> > 
> > How do clients use OpenVPN? Do you have to install it, and is it
> > widely available? My basic research suggests that most clients will
> > have to install it.
> 
> And is there a way to make it so that only some programs use the VPN?
> Say, a single process, or a single user. Or perhaps a single instance of
> qemu, if that's more convenient to arrange.

There are many, like rdomains in OpenBSD, which is basically
PolicyBasedRouting in Linux over the ip(8) command, or similar can be
achieved with authpf in the pf firewall, but I don't know which of those
is available in NetBSD.

For VPN there is for sure something way better (only in current as of now):
https://man.netbsd.org/wg.4

> -Olaf.


Re: Tunneling in NetBSD

2020-11-22 Thread Greg Troxel

Rhialto  writes:

> On Mon 16 Nov 2020 at 07:07:15 -0700, Andy Ruhl wrote:
>> How do clients use OpenVPN? Do you have to install it, and is it
>> widely available? My basic research suggests that most clients will
>> have to install it.
>
> And is there a way to make it so that only some programs use the VPN?
> Say, a single process, or a single user. Or perhaps a single instance of
> qemu, if that's more convenient to arrange.

I'm not aware of any such facility.

Basically, it's not really about VPN per se, but per-uid and per-pid
routing.  I think one could add a feature to the routing table to have
uid/pid in routes and pass those tags into packets from sockets, but it
would require a bit of code.

Android seems to have this; you can definitely put some programs into a
VPN and some not.   At least when the VPN is Orbot.




Re: Tunneling in NetBSD

2020-11-22 Thread Rhialto
On Mon 16 Nov 2020 at 07:07:15 -0700, Andy Ruhl wrote:
> Just a general question to this thread:
> 
> How do clients use OpenVPN? Do you have to install it, and is it
> widely available? My basic research suggests that most clients will
> have to install it.

And is there a way to make it so that only some programs use the VPN?
Say, a single process, or a single user. Or perhaps a single instance of
qemu, if that's more convenient to arrange.

-Olaf.
-- 
Olaf 'Rhialto' Seibert -- rhialto at falu dot nl
___  Anyone who is capable of getting themselves made President should on
\X/  no account be allowed to do the job.   --Douglas Adams, "THGTTG"




Re: Tunneling in NetBSD

2020-11-19 Thread Manuel Bouyer
On Thu, Nov 19, 2020 at 02:18:26PM +1030, Brett Lymn wrote:
> On Thu, Nov 19, 2020 at 07:08:38AM +1030, Brett Lymn wrote:
> > 
> > I will dig up the document I wrote about the setup.  My fuzzy memory is
> > that there were no hacks required.
> 
> Little wonder my memory was fuzzy - I did this 13 years ago.  I found
> the documentation.  I did use a radius server as the backend auth along
> with a self-signed certificate for hybrid rsa-xauth.
> 
> Unfortunately, the document I have is not generic and contains some
> confidential details but I am happy to provide sanitised snippets to
> help out.
> 
> Below is the racoon.conf, if you need to see the radiusd.conf I have
> that too but it is fairly long.
> 
> This is the racoon.conf, there were 3 classes of users, the data entry
> people, admin staff and developers.  The radius server was used to map
> the user to the appropriate class depending on group membership:

thanks, I think this will help. We already have radius servers, so I
should be able to deal with this part. racoon is the problem for me, I
didn't find much documentation about it ...

-- 
Manuel Bouyer 
 NetBSD: 26 years of experience will always make the difference
--


Re: Tunneling in NetBSD

2020-11-18 Thread Brett Lymn
On Thu, Nov 19, 2020 at 07:08:38AM +1030, Brett Lymn wrote:
> 
> I will dig up the document I wrote about the setup.  My fuzzy memory is
> that there were no hacks required.

Little wonder my memory was fuzzy - I did this 13 years ago.  I found
the documentation.  I did use a radius server as the backend auth along
with a self-signed certificate for hybrid rsa-xauth.

Unfortunately, the document I have is not generic and contains some
confidential details but I am happy to provide sanitised snippets to
help out.

Below is the racoon.conf, if you need to see the radiusd.conf I have
that too but it is fairly long.

This is the racoon.conf, there were 3 classes of users, the data entry
people, admin staff and developers.  The radius server was used to map
the user to the appropriate class depending on group membership:

path certificate "/etc/openssl/certs";

listen {
    adminsock "/var/racoon/racoon.sock";
    isakmp 192.168.1.253 [500];
    isakmp_natt 192.168.1.253 [4500];
}

timer {
    counter 30;
    phase1 60 seconds;
    phase2 40 seconds;
    natt_keepalive 20 seconds;
}

remote anonymous {
    exchange_mode aggressive;
    certificate_type x509 "vpngw.crt" "vpngw.key";
    my_identifier asn1dn;
    proposal_check claim;
    generate_policy on;     # automatically generate IPsec policies
    dpd_delay 20;           # DPD poll every 20 seconds
    dpd_maxfail 50;         # Wait a long time to consider things dead
    nat_traversal force;    # always use NATT
    ike_frag on;            # use IKE fragmentation
    passive on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method hybrid_rsa_server;
        dh_group 2;
    }
}

mode_cfg {
    pool_size 25;           # size of the VPN IP pool: 253 addresses
    auth_source radius;     # login validated against RADIUS
    conf_source radius;     # IPv4 address obtained by RADIUS
    accounting radius;      # RADIUS accounting
    dns4 192.168.2.254;     # IPv4 DNS server
    wins4 192.168.2.254;    # IPv4 WINS server
    default_domain "corporate.local";
    split_network include 192.168.0.0/24,192.168.1.0/24,192.168.2.0/24;
    banner "/etc/racoon/motd";  # Banner message for clients
    pfs_group 2;
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

-- 
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"
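
An added example, not part of Brett's message or of the racoon project: a small Python parser for racoon.conf-style blocks, followed by a review pass over the phase-1/phase-2 choices in the configuration posted above. The sample text is a constructed excerpt of that config, and the helper names parse_racoon and review are made up for this illustration.

```python
# Added example: parse racoon.conf-style blocks and review the posted settings.
# Constructed sample: the settings that matter, copied from the posted config.
SAMPLE_CONF = """
remote anonymous {
    exchange_mode aggressive;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method hybrid_rsa_server;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    authentication_algorithm hmac_sha1;
}
"""

def parse_racoon(text):
    """Return nested dicts {block name: {key: value-string or sub-block}}."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                # "name {" opens a (sub)block
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                     # "}" returns to the parent block
            cur = stack.pop()
        elif line.endswith(";"):              # "key value;" keeps value verbatim
            key, _, value = line[:-1].partition(" ")
            cur[key] = value.strip()
    return root

def review(conf):
    """Defender's checklist: settings below current guidance in an old racoon setup."""
    remote = conf.get("remote anonymous", {})
    prop = remote.get("proposal", {})
    findings = []
    if remote.get("exchange_mode") == "aggressive":
        findings.append("aggressive mode: phase-1 identities are not encrypted")
    if "2" in (prop.get("dh_group"), conf.get("sainfo anonymous", {}).get("pfs_group")):
        findings.append("DH/PFS group 2 is 1024-bit MODP; prefer group 14 or higher")
    if prop.get("hash_algorithm") == "sha1":
        findings.append("sha1 as IKE hash; prefer sha256 when the clients support it")
    return findings
```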


Re: Tunneling in NetBSD

2020-11-18 Thread Brett Lymn
On Wed, Nov 18, 2020 at 10:33:29AM +0100, Manuel Bouyer wrote:
> 
> This is interesting, I need something similar.
> Could you share more details on how you did this ?
> I though I had to hack raacon for this ...
> 

I will dig up the document I wrote about the setup.  My fuzzy memory is that
there were no hacks required.  I used a radius server for the username/password
validation and to also manage the address range allocation based on the user's
group. A firewall was used to control access based on the subnet the client was
in.  I can't recall any hacks, everything was in the base NetBSD or pkgsrc.

-- 
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"


Re: Tunneling in NetBSD

2020-11-18 Thread Manuel Bouyer
On Wed, Nov 18, 2020 at 07:28:51AM +1030, Brett Lymn wrote:
> [...]
> 
> Years ago I used NetBSD to configure a vpn end point for a client, I used
> hybrid xauth which was a combination of a certificate as well as
> username/password that allowed two classes of access to the network, one
> being restricted to certain services and another admin role that had
> broader access.

This is interesting, I need something similar.
Could you share more details on how you did this?
I thought I had to hack racoon for this ...

-- 
Manuel Bouyer 
 NetBSD: 26 years of experience will always make the difference
--


Re: Tunneling in NetBSD

2020-11-17 Thread Brett Lymn
On Tue, Nov 17, 2020 at 10:16:34PM +0100, Bodie wrote:
> 
> Or something way easier? https://www.wireguard.com/

Assuming you are running current...

-- 
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"


Re: Tunneling in NetBSD

2020-11-17 Thread Bodie

On 17.11.2020 21:58, Brett Lymn wrote:
> On Mon, Nov 16, 2020 at 03:50:21PM +0200, Andreas Gustafsson wrote:
> > Greg Troxel wrote:
> > > My suggestion is openvpn.
> > [...]
> > > You do need to set up certificates
> > 
> > Not if you use the static key encryption mode.
> 
> Whilst this is correct the OP did mention android which could mean a
> mobile device on the internet.  In this case, certificate based identity
> is the simplest and most secure way of identifying the end points.
> 
> Years ago I used NetBSD to configure a vpn end point for a client, I
> used hybrid xauth which was a combination of a certificate as well as
> username/password that allowed two classes of access to the network,
> one being restricted to certain services and another admin role that
> had broader access.  The clients were mostly windows pcs.
> 
> Certainly, start with preshared keys to get the basic vpn config
> working even if you plan something more complex, debugging a psk setup
> is comparatively easy.  Once psk is working switch the auth to what is
> desired to debug that.

Or something way easier? https://www.wireguard.com/


Re: Tunneling in NetBSD

2020-11-17 Thread Brett Lymn
On Mon, Nov 16, 2020 at 03:50:21PM +0200, Andreas Gustafsson wrote:
> Greg Troxel wrote:
> > My suggestion is openvpn.
> [...]
> > You do need to set up certificates
> 
> Not if you use the static key encryption mode.

Whilst this is correct the OP did mention android which could mean a mobile
device on the internet.  In this case, certificate based identity is the
simplest and most secure way of identifying the end points.

Years ago I used NetBSD to configure a vpn end point for a client, I used hybrid
xauth which was a combination of a certificate as well as username/password that
allowed two classes of access to the network, one being restricted to certain
services and another admin role that had broader access.  The clients were
mostly windows pcs.

Certainly, start with preshared keys to get the basic vpn config working even
if you plan something more complex, debugging a psk setup is comparatively
easy.  Once psk is working switch the auth to what is desired to debug that.

-- 
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"


Re: Tunneling in NetBSD

2020-11-16 Thread Andy Ruhl
On Mon, Nov 16, 2020 at 7:29 AM Greg Troxel  wrote:
> There is another big issue lurking, which is how VPN approaches interact
> with firewall traversal.  There are a lot of firewalls that block a lot
> of things out there.

Yes, very much true. I like layer 4 methods on clients for this
reason. They seem to survive NAT.

Andy


Re: Tunneling in NetBSD

2020-11-16 Thread Greg Troxel

Andy Ruhl  writes:

> How do clients use OpenVPN? Do you have to install it, and is it
> widely available? My basic research suggests that most clients will
> have to install it.

You are right that most clients need to install something.  I installed
OpenVPN on Android, available from f-droid (which therefore implies it's
actually Free Software) and TunnelBlick on mac (which is more or less
the official client).

> What about built in VPN clients? Isn't L2TP pretty much standard?

Perhaps; if someone has a setup and can post about it that would be
interesting.

There is another big issue lurking, which is how VPN approaches interact
with firewall traversal.  There are a lot of firewalls that block a lot
of things out there.  I've run into some that block xmpp, including a
hospital guest network that was intended, and I suspect that's only
because there was a narrow list of allowed ports.  Probably I just used
tor at the time to get around it.

I don't remember all the details, but there are SSL VPNs, VPNs that
send datagrams as IPsec, and VPNs that send UDP datagrams.  Depending on
what you want to do this matters.




Re: Tunneling in NetBSD

2020-11-16 Thread Vincent DEFERT
Of course, all clients have to install the VPN client of their choice,
as well as any certificate or complementary authentication SW/HW
tools (e.g. smartcard, OTP tokens).


In my experience, small companies often use OpenVPN and large ones (e.g. 
banks) prefer proprietary solutions such as FortiNet.
The VPN client is generally deployed/updated automatically when the 
laptop is connected to the enterprise network, like any other application.


Before COVID, only a few selected people were allowed to connect to the 
enterprise network through a VPN, but this privilege has now been 
extended to a much wider population. :)


On 16/11/2020 15:07, Andy Ruhl wrote:

Just a general question to this thread:

How do clients use OpenVPN? Do you have to install it, and is it
widely available? My basic research suggests that most clients will
have to install it.

What about built in VPN clients? Isn't L2TP pretty much standard?

Thanks.

Andy




Re: Tunneling in NetBSD

2020-11-16 Thread Andy Ruhl
Just a general question to this thread:

How do clients use OpenVPN? Do you have to install it, and is it
widely available? My basic research suggests that most clients will
have to install it.

What about built in VPN clients? Isn't L2TP pretty much standard?

Thanks.

Andy


Re: Tunneling in NetBSD

2020-11-16 Thread Andreas Gustafsson
Greg Troxel wrote:
> My suggestion is openvpn.
[...]
> You do need to set up certificates

Not if you use the static key encryption mode.
-- 
Andreas Gustafsson, g...@gson.org


Re: Tunneling in NetBSD

2020-11-16 Thread Greg Troxel

"Francisco Valladolid H."  writes:

> I need to set up a NetBSD for tunneling (VPN) to my clients, notebooks
> (Windows or MacBook), maybe a cellphone (Android).
> I'm thinking of using L2TP (maybe more standard) or OpenVPN.
>
> Maybe ikev2 can be a good choice. Is NetBSD ready for ikev2 (aka
> racoon2)?

I used to use IPsec in transport mode with racoon (IKEv1).  I do not
have the impression the IKEv2 world is easy to deal with these days.

My suggestion is openvpn.   I have set that up for android and mac
clients to use to access the internet from a different address than
the one they have, and also avoiding all the crazy firewalls you run
into, and it works fine.

You do need to set up certificates, and openvpn wants its own, not to
use letsencrypt, so if you don't already understand that, it's going to
be somewhat tricky.  But I did not run into any issues that seem related
to NetBSD, so the upstream help should suffice.

On android, there is OpenVPN in f-droid, and tunnelblick seems to be the
way on macOS.




Re: Tunneling in NetBSD

2020-11-16 Thread Francisco Valladolid H.
I had a basic setup, an ARM board. Is OpenVPN suitable for this?

Thank you.

On Mon 16 Nov 2020 at 6:29 Brad Spencer  wrote:

> "Francisco Valladolid H."  writes:
>
> > Hi friends.
> >
> > I need to set up a NetBSD for tunneling (VPN) to my clients, notebooks
> > (Windows or MacBook), maybe a cellphone (Android).
> > I'm thinking of using L2TP (maybe more standard) or OpenVPN.
> >
> > Maybe ikev2 can be a good choice. Is NetBSD ready for ikev2 (aka
> > racoon2)?
> >
> > Some suggestions for me.
> >
> > Thank you for reading.
>
>
> Hello...
>
> I do ikev1 (normal IPsec) and OpenVPN.  Around the NetBSD 7.x time
> frame, racoon stopped working with MacOS and Shrewsoft VPN on
> MS-WINDOWs.  I never tried ikev2, but did look into it a while back.  I
> was very much unconvinced that it would operate.  More recently, I have
> moved pretty much completely to OpenVPN.  It is not hard to set up and
> operates pretty much as expected with MS-WINDOWs, Android and NetBSD
> itself.  Very recently on -current, I have used wg(4) as a client, but
> have not tried it in server mode.  I hear that L2TP may function, I did
> toy with PPTP for a while...
>
> Honestly, your best bet is probably OpenVPN.
>
>
>
> --
> Brad Spencer - b...@anduin.eldar.org - KC8VKS - http://anduin.eldar.org
>
-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.net - Jesus Christ follower.


Tunneling in NetBSD

2020-11-15 Thread Francisco Valladolid H.
Hi friends.

I need to set up a NetBSD for tunneling (VPN) to my clients, notebooks
(Windows or MacBook), maybe a cellphone (Android).
I'm thinking of using L2TP (maybe more standard) or OpenVPN.

Maybe ikev2 can be a good choice. Is NetBSD ready for ikev2 (aka racoon2)?

Some suggestions for me.

Thank you for reading.
-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.net - Jesus Christ follower.