Re: OpenBSD <> Commercial VPNs

2015-10-12 Thread Predrag Punosevac
"Jack J. Woehr"  wrote:

> Predrag Punosevac wrote:
> > The only time I ever had problems connecting to third party commercial
> > VPN from OpenBSD was connecting to
> Have you connected to a Fortinet SSL VPN? How did you do it?

Sorry, no experience with Fortinet, but check out this thread:

http://marc.info/?l=openbsd-misc&m=142836076807337&w=2

I have a bad feeling that you are dealing with a similar vendor.

Predrag

> 
> -- 
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl 
> Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-12 Thread Jack J. Woehr

Predrag Punosevac wrote:

> The only time I ever had problems connecting to third party commercial
> VPN from OpenBSD was connecting to

Have you connected to a Fortinet SSL VPN? How did you do it?

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-12 Thread Predrag Punosevac
Gregor Best wrote:
>
>On Sun, Oct 11, 2015 at 12:08:00PM -0700, Danny Nguyen wrote:
>> Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8?
>> [...]
>
>Yes. As of right now, I have
>
>   $ ps aux | grep openvpn | wc -l
>   8
>   $ ipsecctl -sa | wc -l
>   8
>
>and a tinc tunnel. Tinc is not in ports, but there's a WIP port I sent
>to ports@ a year or two ago.
>
>It really depends on what you mean by "a vpn" because there's a lot of
>technologies to do that. In my experience, openvpn is the easiest choice
>if you want everything to work automagically on almost every platform
>there is. Tinc is nice if you don't want a central node as a single
>point of failure and IPsec is awesome on OpenBSD because it's extremely
>easy to set up and in base.
>
>> There are very few options on the market for that unfortunately.
>> [...]
>
>See above. There's also PPTP and what not.

PPTP just works on OpenBSD via npppd. I don't run it in production as it
is insecure and obsolete. However, I do run an L2TP/IPsec server using npppd
and IPsec from the base. I also run several OpenVPN servers on OpenBSD
and clients work without a glitch. I regularly connect to Cisco's
AnyConnect SSL VPN to one of our off site locations using
net/openconnect from ports (thanks Stuart!).

The only time I ever had problems connecting to third party commercial
VPN from OpenBSD was connecting to Palo Alto 2020 crapware. OP should do
the homework first before insulting developers.

Predrag

>
>-- 
>   Gregor



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Danny Nguyen
Thank you for the constructive feedback. Working on getting through
Absolute OpenBSD by Michael Lucas. Hopefully, I'll be able to ask
meaningful questions in the near future.

On Sun, Oct 11, 2015 at 6:36 PM, Theo de Raadt 
wrote:

> > What are the different kinds of VPNs?
>
> https://www.google.ca/search?q=diferent+types+of+vpn
>
> Sorry Danny, not going to read the rest of the blah blah blah from
> someone who can't take the first step.
>
> You barely know what a VPN is, you only started running openbsd, and
> you are talking about SEL4.  You look like a troll.
>
>
>
>


-- 
danny nguyen
linkedIn 



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Theo de Raadt
> What are the different kinds of VPNs?

https://www.google.ca/search?q=diferent+types+of+vpn

Sorry Danny, not going to read the rest of the blah blah blah from
someone who can't take the first step.

You barely know what a VPN is, you only started running openbsd, and
you are talking about SEL4.  You look like a troll.



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Danny Nguyen
What are the different kinds of VPNs?

I have no idea what computers do, so I'm the dumbest guy in this city and
definitely on this mailing list. VPN stands for virtual private network, but
when I think about what that is, I think of a VPN as essentially a local
network that allows incoming connections but has certain protocols (not
sure which) that allow it to be more secure than ssh, maybe? I'd like to be
able to monitor traffic and users with logging functionality and passwords so
when I'm developing an application I can't ensure with a reasonable level
of certainty that my infrastructure and software is somewhat protected from
malicious or curious authors.

I'm not implying OpenBSD is weak. I've arrived at this community because
the group is so obsessive about security (ASLR, randomness, checksums,
etc.). I ruled out everyone else including Linux/Ubuntu, Google Cloud,
Amazon, and even co-location because of how these businesses operate and
how they treat users' data. I've even looked into FreeBSD, but it has come up
short in its vision for my purposes with privacy and security.

I barely know what a VPN is and I have only installed OpenBSD and started
on port forwarding, but smart people have mentioned that I should look into
a VPN. I want my whole data center infrastructure to be run
off OpenBSD because it's what I think is the most responsible operating
system to date (even considering seL4 by General Dynamics, which is only a
kernel at this point).

On Sun, Oct 11, 2015 at 12:14 PM, Theo de Raadt 
wrote:

> > Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8?
>
> Yes, people do it all the time.
>
> Please -- what KIND of VPN are you asking about.
>
> Is conversational precision that difficult?  There are more than two
> handfuls of technologies that create something which is considered "a VPN".
>
> As a result, this conversation about VPN's is super low quality;
> there is no point implying OpenBSD is weak at doing these things,
> it is the inexact people walking around acting lost...
>
>


-- 
danny nguyen
linkedIn 



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jack J. Woehr

Dimitris Papastamos wrote:

> On Sun, Oct 11, 2015 at 01:06:58PM -0600, Jack J. Woehr wrote:
>
> I am not sure what's wrong. I guess you see traffic leaving your external
> interface but not getting any replies?

I've got it, thanks! I forgot to do the sysctls necessary to let the packets 
thru:

sysctl net.inet.esp.enable=0
sysctl net.inet.esp.udpencap=0

Thanks for your help, and to everyone who tried to help this confused soul :)

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan
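The two sysctls above are the whole story of why vpnc "connects, adds the right routes, and passes no traffic" on OpenBSD: vpnc does ESP in userland over a tun(4) interface, and while net.inet.esp.enable and net.inet.esp.udpencap are on, the kernel's IPsec stack claims ESP (IP protocol 50) and UDP-encapsulated ESP itself, so vpnc never sees the replies. While they are off, the kernel's own IPsec (isakmpd/iked) is out of action, so a wrapper should put them back when vpnc exits. The script below is an added example, not the vpnc port's own code or the poster's. It assumes OpenBSD's sysctl(8), whose output is one "name=value" per line, and is invoked as `vpnc-wrap.sh <vpnc arguments>`; the two sysctl names are hard-coded.

```shell
#!/bin/sh
# vpnc-wrap.sh: added example, not from the vpnc port.
# Run vpnc with the kernel's ESP processing switched off (vpnc does ESP in
# userland) and switch it back to the previous values when vpnc exits.
# Assumes OpenBSD sysctl(8), whose output is one "name=value" per line.

ESP_SYSCTLS="net.inet.esp.enable net.inet.esp.udpencap"

# esp_sysctls_ready: read "name=value" lines on stdin; succeed only if both
# ESP sysctls are present and set to 0, i.e. the kernel will leave ESP and
# UDP-encapsulated ESP alone so vpnc's tun(4) path sees the packets.
esp_sysctls_ready() {
    enable= udpencap=
    while IFS='=' read -r name value; do
        case $name in
        net.inet.esp.enable)   enable=$value ;;
        net.inet.esp.udpencap) udpencap=$value ;;
        esac
    done
    [ "$enable" = 0 ] && [ "$udpencap" = 0 ]
}

# esp_sysctls_off: the "name=0" arguments that hand ESP to userland.
esp_sysctls_off() {
    for s in $ESP_SYSCTLS; do printf '%s=0\n' "$s"; done
}

# restore_sysctls: feed saved "name=value" lines back to sysctl(8).
restore_sysctls() {
    while IFS= read -r line; do
        [ -n "$line" ] && sysctl "$line" >/dev/null
    done
}

main() {
    # Remember the current values; they are put back on any exit path.
    saved=$(sysctl $ESP_SYSCTLS) || exit 1
    trap 'printf "%s\n" "$saved" | restore_sysctls' EXIT INT TERM

    sysctl $(esp_sysctls_off) >/dev/null || exit 1
    if ! sysctl $ESP_SYSCTLS | esp_sysctls_ready; then
        echo "kernel ESP still enabled; not starting vpnc" >&2
        exit 1
    fi
    vpnc "$@"
}

# Only run when invoked as the script itself, so the functions can be sourced.
case ${0##*/} in
vpnc-wrap.sh) main "$@" ;;
esac
```

The check after flipping the sysctls is deliberate: sysctl(8) itself needs root, and a non-root run would otherwise start vpnc against a kernel that still swallows the ESP traffic, reproducing exactly the silent failure in this thread.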



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Gregor Best
On Sun, Oct 11, 2015 at 12:08:00PM -0700, Danny Nguyen wrote:
> Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8?
> [...]

Yes. As of right now, I have

$ ps aux | grep openvpn | wc -l
8
$ ipsecctl -sa | wc -l
8

and a tinc tunnel. Tinc is not in ports, but there's a WIP port I sent
to ports@ a year or two ago.

It really depends on what you mean by "a vpn" because there's a lot of
technologies to do that. In my experience, openvpn is the easiest choice
if you want everything to work automagically on almost every platform
there is. Tinc is nice if you don't want a central node as a single
point of failure and IPsec is awesome on OpenBSD because it's extremely
easy to set up and in base.

> There are very few options on the market for that unfortunately.
> [...]

See above. There's also PPTP and what not.

-- 
Gregor



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Theo de Raadt
> Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8?

Yes, people do it all the time.

Please -- what KIND of VPN are you asking about.

Is conversational precision that difficult?  There are more than two
handfuls of technologies that create something which is considered "a VPN".

As a result, this conversation about VPN's is super low quality;
there is no point implying OpenBSD is weak at doing these things,
it is the inexact people walking around acting lost...



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jack J. Woehr

Dimitris Papastamos wrote:

> I use vpnc regularly on -current without any special configuration and it
> works fine with my network.
>
> My config is as follows:
>
> IPSec gateway vpn.example.net
> IPSec ID FOO
> IPSec obfuscated secret BAR
> Xauth username BAZ
> DPD idle timeout (our side) 0

Yeah, that's mine too. Seems to work. But no traffic goes through.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Danny Nguyen
Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8? That is the
next step in my architecture to create a "more" secure environment. There
are very few options on the market for that unfortunately.

On Sun, Oct 11, 2015 at 11:47 AM, Jack J. Woehr  wrote:

> Jiri B wrote:
>
>> Cisco's AnyConnect SSL VPN and Juniper SSL VPN which is now known as
>> Pulse Connect Secure is supported by openconnect which is in ports.
>>
>
> I found vpnc in ports/net and that almost works.
>
> It connects and shows it is adding the correct routes that I would expect.
>
> And then no traffic comes through. 'route show' looks correct but nothing
> seems to be going back and forth.
>
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan
>
>


-- 
danny nguyen
linkedIn 



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Dimitris Papastamos
On Sun, Oct 11, 2015 at 12:47:42PM -0600, Jack J. Woehr wrote:
> Jiri B wrote:
> >Cisco's AnyConnect SSL VPN and Juniper SSL VPN which is now known as
> >Pulse Connect Secure is supported by openconnect which is in ports.
> 
> I found vpnc in ports/net and that almost works.
> 
> It connects and shows it is adding the correct routes that I would expect.
> 
> And then no traffic comes through. 'route show' looks correct but nothing 
> seems to be going back and forth.

I use vpnc regularly on -current without any special configuration and it
works fine with my network.

My config is as follows:

IPSec gateway vpn.example.net
IPSec ID FOO
IPSec obfuscated secret BAR
Xauth username BAZ
DPD idle timeout (our side) 0



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jack J. Woehr

Jiri B wrote:

> Cisco's AnyConnect SSL VPN and Juniper SSL VPN which is now known as Pulse
> Connect Secure is supported by openconnect which is in ports.

I found vpnc in ports/net and that almost works.

It connects and shows it is adding the correct routes that I would expect.

And then no traffic comes through. 'route show' looks correct but nothing seems
to be going back and forth.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Pedro Tender
In the Fortinet firmware (yes, firmware...) downloads, IIRC.
On Oct 11, 2015 3:55 PM, "Jack J. Woehr"  wrote:

> Pedro Tender wrote:
>
>>
>> They also have a Linux client.
>>
>>
>>
> I've looked for it, any tips where it might be found?
>
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jack J. Woehr

Pedro Tender wrote:

> They also have a Linux client.

I've looked for it, any tips where it might be found?


--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jiri B
On Sat, Oct 10, 2015 at 03:35:02PM -0700, Joel Wirāmu Pauling wrote:
> You could try using the Linux binary emulation layer to connect using the
> Cisco vpnc client, for the old proprietary Cisco IPsec implementation:
> 
> http://www.openbsd.org/papers/slack2k11-on_compat_linux.pdf
> 
> I've recently been using SoftEther for my personal VPNs; it's on GitHub. I
> haven't tried to compile it for OpenBSD, but it's not going to help
> connect to random vendor firewalls.
> 
> I am unsure if Fortinet have a Linux client, I imagine they must.
> 
> OpenVPN works just fine under OpenBSD.

compat_linux works on i386 only, and Cisco's AnyConnect SSL VPN and
Juniper SSL VPN, which is now known as Pulse Connect Secure, are supported
by openconnect, which is in ports.

j.



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Pedro Tender
They also have a Linux client.
On Oct 11, 2015 12:59 AM, "Jack J. Woehr"  wrote:

> Joel Wirāmu Pauling wrote:
> > I am unsure if Fortinet have a linux client, I imagine they must.
>
> I think just Windows and Mac, thanks.
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl
> Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Jack J. Woehr

Jack J. Woehr wrote:

> I'm sort of stuck at the moment on these macros where "rt" is an instance of
> struct rtentry :
>
> #define route_dest(route) \

I meant "route" is an instance of struct rtentry.


--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Jack J. Woehr

Jack J. Woehr wrote:

> Steve Shockley wrote:
>
> > A quick search found https://github.com/adrienverge/openfortivpn, but I
> > haven't tested it.
>
> It's clearly the right product. However, I've been trying to build it for an
> hour now. It requires Much Work for OpenBSD, it's somewhat wed to the Linux
> stack.

I'm sort of stuck at the moment on these macros where "rt" is an instance of
struct rtentry :

#define route_dest(route) \
	(((struct sockaddr_in *) &(route)->rt_dst)->sin_addr)
#define route_mask(route) \
	(((struct sockaddr_in *) &(route)->rt_genmask)->sin_addr)
#define route_gtw(route) \
	(((struct sockaddr_in *) &(route)->rt_gateway)->sin_addr)
#define route_iface(route) \
	((route)->rt_dev)

If anyone can help me translate this to OpenBSD ... :)

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan
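The four macros above pick the destination, netmask, gateway and device out of the Linux struct rtentry from <net/route.h>, the structure the SIOCADDRT/SIOCDELRT ioctls take. OpenBSD userland has no struct rtentry to fill in: routes are added and removed by writing RTM_ADD/RTM_DELETE messages to a routing socket (route(4)), which route(8) does for you. As an added example, not openfortivpn's code, here is the same bookkeeping a VPN client needs done at the shell: a host route pinning the VPN gateway to the pre-VPN default gateway (so the tunnel's own packets are never routed into the tunnel), the prefixes the VPN pushes sent to the tun(4) interface, and removal on disconnect. It assumes OpenBSD route(8) syntax and the "gateway:" line of `route -n get default`; the gateway, tunnel and prefix values in the usage line are constructed samples, and DRYRUN=1 prints the route commands instead of running them.

```shell
#!/bin/sh
# vpn-routes.sh: added example, not openfortivpn code.
# The route bookkeeping a VPN client needs, done with route(8) instead of
# Linux's struct rtentry + SIOCADDRT/SIOCDELRT. Assumes OpenBSD route(8)
# syntax and the "gateway:" line of "route -n get default".
# DRYRUN=1 prints the route commands instead of executing them.

run() {
    if [ -n "${DRYRUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mask2plen: dotted-quad netmask -> prefix length (255.255.255.0 -> 24),
# which is what route(8) takes as dst/plen. Fails on a malformed or
# non-contiguous mask such as 255.0.255.0.
mask2plen() {
    case $1 in
    *.*.*.*.*) return 1 ;;
    *.*.*.*) ;;
    *) return 1 ;;
    esac
    rest=$1 plen=0 seen_zero=0
    for i in 1 2 3 4; do
        octet=${rest%%.*}; rest=${rest#*.}
        case $octet in
        255) [ "$seen_zero" -eq 0 ] || return 1; plen=$((plen + 8)) ;;
        0)   seen_zero=1 ;;
        254|252|248|240|224|192|128)
            [ "$seen_zero" -eq 0 ] || return 1
            v=$octet
            while [ "$v" -gt 0 ]; do plen=$((plen + (v & 1))); v=$((v >> 1)); done
            seen_zero=1 ;;
        *) return 1 ;;
        esac
    done
    echo "$plen"
}

# default_gateway: the IPv4 next hop currently used for the default route.
default_gateway() {
    route -n get default | awk '$1 == "gateway:" { print $2 }'
}

# vpn_routes_up VPNGW TUNADDR PHYSGW NET/MASK...
# 1. pin a host route to the VPN gateway via the pre-VPN default gateway,
#    so the tunnel's own packets are never routed into the tunnel;
# 2. send each prefix the VPN pushed to the tun(4) interface through its
#    local address as an interface route (-iface), not a gateway route.
vpn_routes_up() {
    vpn_gw=$1 tun_addr=$2 phys_gw=$3; shift 3
    run route -n add -inet -host "$vpn_gw" "$phys_gw" || return 1
    for net in "$@"; do
        plen=$(mask2plen "${net#*/}") || { echo "bad netmask in $net" >&2; return 1; }
        run route -n add -inet "${net%/*}/$plen" -iface "$tun_addr" || return 1
    done
}

# vpn_routes_down VPNGW NET/MASK...: undo vpn_routes_up, pushed routes first.
vpn_routes_down() {
    vpn_gw=$1; shift
    for net in "$@"; do
        plen=$(mask2plen "${net#*/}") || continue
        run route -n delete -inet "${net%/*}/$plen"
    done
    run route -n delete -inet -host "$vpn_gw"
}

# Stand-alone use (sample values): vpn-routes.sh up 203.0.113.10 10.8.0.2 10.0.0.0/255.255.255.0
#                                  vpn-routes.sh down 203.0.113.10 10.0.0.0/255.255.255.0
case ${0##*/} in
vpn-routes.sh)
    cmd=$1; vpn_gw=$2; shift 2
    case $cmd in
    up)   tun_addr=$1; shift; vpn_routes_up "$vpn_gw" "$tun_addr" "$(default_gateway)" "$@" ;;
    down) vpn_routes_down "$vpn_gw" "$@" ;;
    *)    echo "usage: $0 up|down ..." >&2; exit 2 ;;
    esac ;;
esac
```

The host route comes first on purpose: if the VPN pushes 0.0.0.0/0 and that route lands before the pin, the tunnel's own ESP or TLS packets get routed into the tunnel and the session dies. The mask conversion is the one piece of the Linux macros' work that survives on OpenBSD, since route(8) wants dst/plen rather than a separate netmask sockaddr.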



Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Jack J. Woehr
Joel Wirāmu Pauling wrote:
> I am unsure if Fortinet have a linux client, I imagine they must.

I think just Windows and Mac, thanks.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl
Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Jack J. Woehr

Steve Shockley wrote:

> A quick search found https://github.com/adrienverge/openfortivpn, but I
> haven't tested it.

Thank you for the pointer. I didn't find that. What was your search string?

It's clearly the right product. However, I've been trying to build it for an
hour now. It requires Much Work for OpenBSD, it's somewhat wed to the Linux
stack.


--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Steve Shockley

On 10/10/2015 1:21 PM, Jack J. Woehr wrote:

> I looked at OpenVPN which conceptually resembles Fortinet but doesn't
> seem to have any way to connect to Fortinet SSL VPN.

A quick search found https://github.com/adrienverge/openfortivpn, but I
haven't tested it. That looks like it replaces the Fortinet VPN client.
Otherwise you could do ipsec, but I think that requires the firewall
admin to configure something specifically for your connection.




Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Joel Wirāmu Pauling
You could try using the Linux binary emulation layer to connect using the
Cisco vpnc client, for the old proprietary Cisco IPsec implementation:

http://www.openbsd.org/papers/slack2k11-on_compat_linux.pdf

I've recently been using SoftEther for my personal VPNs; it's on GitHub. I
haven't tried to compile it for OpenBSD, but it's not going to help
connect to random vendor firewalls.

I am unsure if Fortinet have a Linux client, I imagine they must.

OpenVPN works just fine under OpenBSD.

-Joel


On 10 October 2015 at 15:04, Jack J. Woehr  wrote:

> Janne Johansson wrote:
>
>> Try ipsec, I hear some of the commercial offerings almost manage that too.
>>
> I just can't figure out how to connect to VPN's I don't have any control
> of.
>
> I've found articles where the user had admin control of the Cisco or
> Fortinet device.
>
> I just need to log into nets I don't administer. I'm forced off OpenBSD in
> the workplace when the connection is thru a VPN.
>
> I don't understand the minutiae of VPN's enough to figure this out and I
> find no useful examples on the web.
>
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Jack J. Woehr

Janne Johansson wrote:

> Try ipsec, I hear some of the commercial offerings almost manage that too.

I just can't figure out how to connect to VPN's I don't have any control of.

I've found articles where the user had admin control of the Cisco or Fortinet
device.

I just need to log into nets I don't administer. I'm forced off OpenBSD in the
workplace when the connection is thru a VPN.

I don't understand the minutiae of VPN's enough to figure this out and I find
no useful examples on the web.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Janne Johansson
Try ipsec, I hear some of the commercial offerings almost manage that too.


2015-10-10 19:21 GMT+02:00 Jack J. Woehr :

> Googled and not found much on connecting OpenBSD to proprietary VPN
> offerings.
>
> I looked at OpenVPN which conceptually resembles Fortinet but doesn't seem
> to have any way to connect to Fortinet SSL VPN.
>
> Any pointers or tips?
>
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan
>
>


-- 
May the most significant bit of your life be positive.



OpenBSD <> Commercial VPNs

2015-10-10 Thread Jack J. Woehr

Googled and not found much on connecting OpenBSD to proprietary VPN offerings.

I looked at OpenVPN which conceptually resembles Fortinet but doesn't seem to 
have any way to connect to Fortinet SSL VPN.

Any pointers or tips?


--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan