Folks
I would like to have my windows 7 laptop communicate with my home server via a VPN, in such a way that it appears to be "inside" my home network. It should not only let me appear to be at home for any external query, but also let me access my computers inside my home.
I already have this working using M$'s PPTP using my home Centos 6 gateway/router as the PoPToP server. However, I am concerned about the privacy/security of such a connection.
I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and probably others I haven't noted). I'd be interested in hearing from anyone who wishes to comment about which to use, with the following requirements:
1) As noted, it should be secure (anti NSA?)
2) Works on Centos 6 and Centos 7 and Windows 7 (and for the future, Windows 10)
3) Can be set up on the server with command line interfaces only (no GUI)
And, should not be a nightmare to set up.
Any thoughts?
David
SoftEther VPN
Once set up, it just works....
Regards,
Richard
--- Richard Zimmerman Systems / Network Administrator River Bend Hose Specialty, Inc. 1111 S Main Street South Bend, IN 46601-3337 (574) 233-1133 (574) 280-7284 Fax
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of david Sent: Monday, April 04, 2016 1:57 PM To: CentOS mailing list Subject: [CentOS] VPN suggestions centos 6, 7
Folks
I would like to have my windows 7 laptop communicate with my home server via a VPN, in such a way that it appears to be "inside" my home network. It should not only let me appear to be at home for any external query, but also let me access my computers inside my home.
I already have this working using M$'s PPTP using my home Centos 6 gateway/router as the PoPToP server. However, I am concerned about the privacy/security of such a connection.
I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and probably others I haven't noted). I'd be interested in hearing from anyone who wishes to comment about which to use, with the following requirements:
1) As noted, it should be secure (anti NSA?) 2) Works on Centos 6 and Centos 7 and Windows 7 (and for the future, Windows 10) 3) Can be set up on the server with command line interfaces only (no GUI)
And, should not be a nightmare to set up.
Any thoughts?
David
_______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
And openvpn. Avoid ipsec as it's too complex and pptp is unsecure.
Eero
On 4.4.2016 22.01, Eero Volotinen wrote:
And openvpn. Avoid ipsec as it's too complex and pptp is unsecure.
This made me google around a little, and I found some good info here. They, too, kind of recommend openvpn.
http://www.howtogeek.com/211329/which-is-the-best-vpn-protocol-pptp-vs.-open...
- Jussi
On 04/04/2016 12:11 PM, Jussi Hirvi wrote:
This made me google around a little, and I found some good info here. They, too, kind of recommend openvpn. http://www.howtogeek.com/211329/which-is-the-best-vpn-protocol-pptp-vs.-open...
This is not good information.
In brief:
"There are some concerns that the NSA could have weakened the standard, but no one knows for sure." Pure FUD. There is no reason to believe this as related to IPSec that does not apply to other protocols as well. There is, therefore, no reason to write that other than bias.
"Either way, this is a slower solution than OpenVPN. ... It’s a two-step process." OpenVPN tunnels traffic through a user space process, just like l2tp/ipsec does, and in my experience offers no better performance. If throughput is your main concern, use IPsec without l2tp.
"because it can be configured to use AES encryption, is arguably more trustworthy than L2TP/IPsec." IPSec can also use AES as a cipher and provide PFS, for that matter.
SoftEther VPN all-in-one solution and cross platform.
My partner has been using Openvpn extensively. It looks very reasonable and has been quite trustworthy.
It is configured via command line. The server seems to work on Windows, too ("Vista and later"). There are good tutorials for CentOS, for example
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-...
- Jussi
On 4.4.2016 20.57, david wrote: (...)
- As noted, it should be secure (anti NSA?)
- Works on Centos 6 and Centos 7 and Windows 7 (and for the future, Windows 10)
- Can be set up on the server with command line interfaces only (no GUI)
On Mon, 4 Apr 2016, david wrote:
I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and probably others I haven't noted). I'd be interested in hearing from anyone who wishes to comment about which to use, with the following requirements:
- As noted, it should be secure (anti NSA?)
- Works on Centos 6 and Centos 7 and Windows 7 (and for the future, Windows 10)
- Can be set up on the server with command line interfaces only (no GUI)
OpenVPN can be all that. I say "can be" because you'll want to research how best to configure it. Done poorly, it won't be as secure as you want. Thankfully, there are a lot of blog posts and list threads to consult; it won't take more than a couple hours of reading to work out the base configuration.
And, should not be a nightmare to set up.
This might be a problem. :-)
OpenVPN is designed to scale pretty well, but scaling it requires a decent knowledge of SSL infrastructure: creating, distributing, and revoking certificates. The Easy-RSA utility can ease the process, but using it securely takes time and reading.
A very small OpenVPN setup can be done with shared static key, but that approach has its own disadvantages (no PFS, all keys in plain text, no distribution mechanism).
In short, OpenVPN is an excellent toolset that can be made very secure -- and will manage much of the complexity for you -- but it requires a non-trivial amount of effort to configure correctly.
To paraphrase The Princess Bride: Security is pain. Anyone who says differently is selling something.
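Added example (not part of any poster's message and not OpenVPN project code): a small Python audit of an OpenVPN server config for the points raised in the message above, namely static-key mode versus PKI, certificate revocation, and the TCP transport trade-off mentioned later in the thread. The sample configs and finding codes are constructed; directive names assume OpenVPN 2.3-era syntax, and inline `<ca>`-style blocks are not handled.

```python
import shlex

# Constructed sample configs (not taken from the thread).
STATIC_KEY_CONF = """\
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key   # pre-shared static key
"""

PKI_CONF = """\
dev tun
proto tcp
port 443
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
crl-verify /etc/openvpn/crl.pem
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
"""


def parse(conf_text):
    """Map each OpenVPN directive to its argument list, skipping comments."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def first_arg(directives, name, default=""):
    """First argument of a directive, or the default if absent or empty."""
    return (directives.get(name) or [default])[0]


def audit(conf_text):
    """Return a list of (code, message) findings for one server config."""
    d = parse(conf_text)
    findings = []
    if "secret" in d:
        findings.append(("static-key", "shared static key: no PFS, key stored in plain text"))
    elif not all(k in d for k in ("ca", "cert", "key")):
        findings.append(("no-pki", "TLS mode needs ca, cert and key directives"))
    elif "crl-verify" not in d:
        findings.append(("no-crl", "no crl-verify: revoked client certificates are still accepted"))
    if not first_arg(d, "cipher").upper().startswith("AES"):
        findings.append(("cipher", "no AES cipher set; OpenVPN 2.3 falls back to BF-CBC"))
    if first_arg(d, "proto", "udp").startswith("tcp"):
        findings.append(("tcp-transport", "TCP passes strict firewalls but costs tunnel performance"))
    return findings


if __name__ == "__main__":
    for name, conf in (("static", STATIC_KEY_CONF), ("pki", PKI_CONF)):
        for code, msg in audit(conf):
            print(name, code, msg)
```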
On 04/04/2016 10:57 AM, david wrote:
I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and probably others I haven't noted). I'd be interested in hearing from anyone who wishes to comment about which to use, with the following requirements:
I recommend l2tp/ipsec. It's supported out of the box on a wide variety of client platforms, which means significantly less work to set up the clients.
OpenVPN is a popular choice, and it's fine for most people. It's more work to set up than l2tp/ipsec, typically. We used it for quite a while at my previous employer, though ultimately dropped it because the Windows GUI requires admin rights to run, and we didn't want to continue giving admin rights to the users we supported.
IPSec is not recommended solution nowadays. OpenVPN runs on top of a single udp or tcp port, so it usually works on strictly firewalled places like in hotels and so on.
-- Eero
OpenVPN is the best open source VPN for me: it can connect over any connection, such as airport, hotel, restaurant, resorts, malls; it has never let me down. And configuration is easy for those who have an idea of what they want to achieve.
On 05.04.2016 at 12:46, Francis Mendoza francis@mytechrepublic.com wrote:
OpenVPN is the best open source VPN for me: it can connect over any connection, such as airport, hotel, restaurant, resorts, malls; it has never let me down. And configuration is easy for those who have an idea of what they want to achieve.
"easy" is qualitative - PKI is the core of an OpenVPN infrastructure and not trivial anyway. As someone stated before, privacy/security is complex; everything else is a product.
IMHO: IPSec-VPN is a bit more complex than an SSL-VPN like OpenVPN.
I even sometimes use an SSL-VPN connection over an IPSec-VPN.
-- LF
How is IPSec "not recommended solution nowadays"?
I tend to use IPSec for site-to-site connections, i.e. the ones that run 24/7 and only require two experienced people to set up (the admins at both endpoints). For host-to-site setups I prefer OpenVPN, since explaining to end users how to set up an ipsec connection is nigh impossible, whereas with OpenVPN I can simply tell them to install the software and then unzip an archive into a directory and they are done.
Regards, Dennis
Well. IPSec might work with site-to-site connections, but usually roadwarrior mode users experience (a lot of) problems.
They might be related to hotels that only allow https, http and dns protocols or broken nat implementations and so on.
-- Eero
On 04/05/2016 08:52 AM, Dennis Jacobfeuerborn wrote:
For host-to-site setups I prefer OpenVPN, since explaining to end users how to set up an ipsec connection is nigh impossible
So, send them a powershell script:
Add-VpnConnection -Name "My VPN" -ServerAddress "vpn.example.com" -AuthenticationMethod PAP -TunnelType L2TP -L2tpPsk "whyareyouusingapsk?" -AllUserConnection -Force -RememberCredential -PassThru -SplitTunneling
On 04/05/2016 12:07 AM, Eero Volotinen wrote:
IPSec is not recommended solution nowadays. OpenVPN runs on top of a single udp or tcp port, so it usually works on strictly firewalled places like in hotels and so on.
IPSec is typically encapsulated on UDP port 4500, due to the ubiquity of NAT. OpenVPN doesn't really have an advantage, there.
Yes, openvpn works on any single udp or tcp port.
In many hotels only http, https and dns are allowed. So you just can't use ipsec, but openvpn works as it's usually configured to listen on the https port.
-- Eero
On 04/05/2016 12:30 PM, Gordon Messmer wrote:
IPSec is typically encapsulated on UDP port 4500, due to the ubiquity of NAT. OpenVPN doesn't really have an advantage, there.
IPSec and OpenVPN (and the others) each have their use cases. I have had experience with IPSec (via SmoothWall's SmoothTunnel implementation), Cisco's VPN implementation, and the commercial OpenVPN Access Server, and I have found OpenVPN AS the easiest to support for the road warrior use case, including and especially wifi and 3G/4G connected ios and android devices. OpenVPN AS will listen on TCP port 443, and virtually no one blocks TCP/443 (although you do lose some tunnel functionality with TCP encapsulation).
I did have numerous issues with the road warrior cases with the IPSec solution, many of which were firewall/captive portal issues and not issues with the otherwise excellent SmoothTunnel. I will admit that I have not tried an IPsec solution in a while, but I haven't had the need to do so, either.
OpenVPN AS takes all the hard parts out of the server-side config, and it works well on CentOS 7 (which is the platform on which I am running the server). For point-to-point remote offices, I deploy small routers running DD-WRT, which has a reasonable OpenVPN client that works well once you get it working initially. It isn't necessarily the easiest to get working, though.
On 04.04.2016 at 19:57, david wrote:
Folks
I would like to have my windows 7 laptop communicate with my home server via a VPN, in such a way that it appears to be "inside" my home network. It should not only let me appear to be at home for any external query, but also let me access my computers inside my home.
I already have this working using M$'s PPTP using my home Centos 6 gateway/router as the PoPToP server. However, I am concerned about the privacy/security of such a connection.
I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and probably others I haven't noted). I'd be interested in hearing from anyone who wishes to comment about which to use, with the following requirements:
- As noted, it should be secure (anti NSA?)
- Works on Centos 6 and Centos 7 and Windows 7 (and for the future, Windows 10)
- Can be set up on the server with command line interfaces only (no GUI)
And, should not be a nightmare to set up.
Any thoughts?
David
Alexander
Have a look at Openconnect Server (ocserv), it's a free implementation of Cisco AnyConnect.
It's the easiest VPN I ever had to set up and it's compatible with most Cisco AnyConnect clients and of course OpenConnect clients (such as NetworkManager-openconnect).
http://www.infradead.org/ocserv/
hth
-- Sent from the Delta quadrant using Borg technology!
Nux! www.nux.ro