How to setup a vpn server on centos? I can't find the pptpd in any repo
Sorry to redirect, but have you considered OpenVPN? If you are only connecting Win/Mac/Linux/Unix VPN Clients, I find it easy, secure and robust.
As to PPTP, I’m afraid I cannot help (never needed it/never did it).
On Nov 2, 2010, at 7:39 PM, mattias wrote:
How to setup a vpn server on centos? I can't find the pptpd in any repo
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-- ————————————————————————— Jeffrey A. Gipson (RHCE) BrainCloud Technologies T. (512) 827-8750 ————————————————————————— (via Mail.app)
Yes, but there is no good webmin module for openvpn to create a server? And I only have dynamic IPs from my ISP.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jeffrey Gipson Sent: Wednesday, November 03, 2010 1:42 AM To: CentOS mailing list Subject: Re: [CentOS] Pptp vpn server
Sorry to redirect, but have you considered OpenVPN? If you are only connecting Win/Mac/Linux/Unix VPN Clients, I find it easy, secure and robust.
As to PPTP, I'm afraid I cannot help (never needed it/never did it).
On Nov 2, 2010, at 7:39 PM, mattias wrote:
How to setup a vpn server on centos? I can't find the pptpd in any repo
-- ------------------------- Jeffrey A. Gipson (RHCE) BrainCloud Technologies T. (512) 827-8750 ------------------------- (via Mail.app)
From: mattias mj@mjw.se
Yes, but there is no good webmin module for openvpn to create a server? And I only have dynamic IPs from my ISP.
I never used webmin (I prefer to edit conf files) but google says there are webmin modules for openvpn... And for the dynamic IP: http://openvpn.net/index.php/open-source/documentation/howto.html#dynamic While openvpn is based on SSL/TLS, there's also openswan (based on IPsec).
JD
Forgot to add that if you google for... hum... "centos pptp",
you will find several howtos...
JD
On Wed, 2010-11-03 at 07:34 -0700, cpolish@surewest.net wrote:
Mattias wrote:
Yes but there is no good webmin module for openvpn?
Not to pour water on your tool, but Google for "webmin exploit". This software appears regularly on security lists I read, but not in a good way.
+1 I'd never put webmin on any of my hosts. But fwbuilder is looking into supporting VPN configuration; that will be a huge step forward. http://www.fwbuilder.org/
On Wed, Nov 03, 2010 at 10:52:34AM -0400, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 07:34 -0700, cpolish@surewest.net wrote:
Mattias wrote:
Yes but there is no good webmin module for openvpn?
Not to pour water on your tool, but Google for "webmin exploit". This software appears regularly on security lists I read, but not in a good way.
+1 I'd never put webmin on any of my hosts. But fwbuilder is looking into supporting VPN configuration; that will be a huge step forward. http://www.fwbuilder.org/
FYI, for PPTP on Linux you want to look at poptop. I have no idea if it's manageable by Webmin or not.
Ray
On Wed, Nov 03, 2010, Ray Van Dolson wrote:
On Wed, Nov 03, 2010 at 10:52:34AM -0400, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 07:34 -0700, cpolish@surewest.net wrote:
Mattias wrote:
Yes but there is no good webmin module for openvpn?
Not to pour water on your tool, but Google for "webmin exploit". This software appears regularly on security lists I read, but not in a good way.
+1 I'd never put webmin on any of my hosts. But fwbuilder is looking into supporting VPN configuration; that will be a huge step forward. http://www.fwbuilder.org/
FYI, for PPTP on Linux you want to look at poptop. I have no idea if it's manageable by Webmin or not.
I have used poptop a bit, mostly because there is no OpenVPN client that works with the iPad.
As for webmin, we do have clients using it, but only restricted to the internal LAN, and specified hosts on that LAN as I have found some rather evil bugs (e.g. removing /home when doing user maintenance after accepting /home as a user's home directory).
Bill
On Tue, 2010-11-02 at 19:42 -0500, Jeffrey Gipson wrote:
Sorry to redirect, but have you considered OpenVPN
+1.
But is the OpenVPN windows client any better than recently? Does it work correctly with Windows 7 yet? Last time I tried the Win32 client was kludgy.
If you are only connecting Win/Mac/Linux/Unix VPN Clients, I find it easy, secure and robust.
As to PPTP, I'm afraid I cannot help (never needed it/never did it).
On Nov 2, 2010, at 7:39 PM, mattias wrote:
How to setup a vpn server on centos? I can't find the pptpd in any repo
On Wed, 3 Nov 2010, Adam Tauno Williams wrote:
On Tue, 2010-11-02 at 19:42 -0500, Jeffrey Gipson wrote:
Sorry to redirect, but have you considered OpenVPN
+1.
But is the OpenVPN windows client any better than recently? Does it work correctly with Windows 7 yet? Last time I tried the Win32 client was kludgy.
OpenVPN 2.1.3 works decently with Windows 7, though you have to launch it using the "run as administrator" option.
2010/11/3 mattias mj@mjw.se:
How to setup a vpn server on centos? I can't find the pptpd in any repo
Hi Mattias,
PopTop is possibly the solution that you are looking for: http://poptop.sourceforge.net/ , but an ssl-vpn like openvpn is a much better solution (works correctly with any firewall)
-- Eero
On Wed, 2010-11-03 at 13:04 +0200, Eero Volotinen wrote:
2010/11/3 mattias mj@mjw.se:
How to setup a vpn server on centos? I can't find the pptpd in any repo
PopTop is possibly the solution that you are looking for: http://poptop.sourceforge.net/ , but an ssl-vpn like openvpn is a much better solution (works correctly with any firewall)
PoPToP works very well. Also known as pptpd.
On Wed, 3 Nov 2010, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 13:04 +0200, Eero Volotinen wrote:
2010/11/3 mattias mj@mjw.se:
How to setup a vpn server on centos? I can't find the pptpd in any repo
PopTop is possibly the solution that you are looking for: http://poptop.sourceforge.net/ , but an ssl-vpn like openvpn is a much better solution (works correctly with any firewall)
PoPToP works very well. Also known as pptpd.
Although as has already pointed out, GRE and NAT issues make PPTP a somewhat odd choice given the alternatives.
jh
On Wed, 2010-11-03 at 12:49 +0000, John Hodrien wrote:
On Wed, 3 Nov 2010, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 13:04 +0200, Eero Volotinen wrote:
2010/11/3 mattias mj@mjw.se:
How to setup a vpn server on centos? I can't find the pptpd in any repo
PopTop is possibly the solution that you are looking for: http://poptop.sourceforge.net/ , but an ssl-vpn like openvpn is a much better solution (works correctly with any firewall)
PoPToP works very well. Also known as pptpd.
Although as has already pointed out, GRE and NAT issues make PPTP a somewhat odd choice given the alternatives.
I agree; but its issues versus the issues of the other alternatives.... seems almost a wash to me.
On 11/3/10 7:48 AM, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 12:49 +0000, John Hodrien wrote:
On Wed, 3 Nov 2010, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 13:04 +0200, Eero Volotinen wrote:
2010/11/3 mattias mj@mjw.se:
How to setup a vpn server on centos? I can't find the pptpd in any repo
PopTop is possibly the solution that you are looking for: http://poptop.sourceforge.net/ , but an ssl-vpn like openvpn is a much better solution (works correctly with any firewall)
PoPToP works very well. Also known as pptpd.
Although as has already pointed out, GRE and NAT issues make PPTP a somewhat odd choice given the alternatives.
I agree; but its issues versus the issues of the other alternatives.... seems almost a wash to me.
Errr, what issues does openvpn have?
On Nov 3, 2010, at 9:07 AM, Les Mikesell lesmikesell@gmail.com wrote:
On 11/3/10 7:48 AM, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 12:49 +0000, John Hodrien wrote:
On Wed, 3 Nov 2010, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 13:04 +0200, Eero Volotinen wrote:
2010/11/3 mattias mj@mjw.se:
How to setup a vpn server on centos? I can't find the pptpd in any repo
PopTop is possibly the solution that you are looking for: http://poptop.sourceforge.net/ , but an ssl-vpn like openvpn is a much better solution (works correctly with any firewall)
PoPToP works very well. Also known as pptpd.
Although as has already pointed out, GRE and NAT issues make PPTP a somewhat odd choice given the alternatives.
I agree; but its issues versus the issues of the other alternatives.... seems almost a wash to me.
Errr, what issues does openvpn have?
I'm no fan of any type of VPN as I think it's a way of extending your trusted LAN to an untrusted endpoint compromising internal trust levels, but if you are going to implement a VPN the type is of very little consequence (account/password is more likely to be compromised than traffic intercepted and decrypted) than the authenticating domain is. As always it's better to use internally generated certificates that are password protected than either passwords or certificates alone. Having said that, these password protected certificates are a PITA to distribute to users and to support remotely.
I would suggest only providing VPN access to administrators and for users providing a combination of SSL gateway to web-mail and some type of terminal service that either authenticates with a separate domain or is only accessible after successfully authenticating to the SSL gateway.
You could have the gateway server use a separate database of users and passwords for those users allowed remote access; they authenticate with the gateway, then their IP address is added to a table of authorized clients to connect to the terminal services. As long as the gateway does HTTP TCP keepalive the IP is kept in the table; when the connection is dropped the IP is removed.
This would allow full control of what traffic traverses the gateway/firewall while still allowing users to access the services they need.
-Ross
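The gateway scheme Ross sketches above (a user store separate from the LAN directory, the client IP admitted to a table on login, kept there by keepalive and dropped on disconnect or timeout) as an added Python example; this is not code from the thread or from any product named in it. The PBKDF2 password hashing, the keepalive window, the injectable clock and the iptables-style rule text are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000  # assumption: a cost high enough to slow offline guessing


def make_password_record(password, salt=None):
    """Salted PBKDF2 record for the gateway's own user store (separate from the LAN directory)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class GatewayAuthTable:
    """Maps a client IP to an authenticated user for as long as its keepalive stays alive."""

    def __init__(self, users, keepalive_timeout=60.0, clock=time.monotonic):
        self._users = users                  # username -> (salt, digest)
        self._timeout = keepalive_timeout    # seconds without a keepalive before the IP is dropped
        self._clock = clock                  # injectable so the expiry logic can be exercised offline
        self._entries = {}                   # ip -> [username, last_seen]

    def login(self, username, password, ip):
        """Verify the password in constant time; on success admit the client IP."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return False
        self._entries[ip] = [username, self._clock()]
        return True

    def keepalive(self, ip):
        """Refresh the timestamp; False if the IP is unknown or has already expired."""
        self.expire()
        if ip not in self._entries:
            return False
        self._entries[ip][1] = self._clock()
        return True

    def disconnect(self, ip):
        """The HTTP connection dropped: remove the IP immediately."""
        self._entries.pop(ip, None)

    def expire(self):
        """Drop every IP whose last keepalive is older than the timeout."""
        now = self._clock()
        for ip, (_, last_seen) in list(self._entries.items()):
            if now - last_seen > self._timeout:
                del self._entries[ip]

    def authorized_ips(self):
        """The set a firewall rule generator would consume to admit terminal-service traffic."""
        self.expire()
        return set(self._entries)

    def is_authorized(self, ip):
        return ip in self.authorized_ips()


def firewall_rules(table, service_port):
    """One allow rule per authorized IP in iptables syntax (rendered as text, not applied)."""
    return [f"-A FORWARD -s {ip} -p tcp --dport {service_port} -j ACCEPT"
            for ip in sorted(table.authorized_ips())]


if __name__ == "__main__":
    # Constructed user store and addresses (TEST-NET-2) for a stand-alone run.
    users = {"alice": make_password_record("correct horse battery")}
    table = GatewayAuthTable(users, keepalive_timeout=30.0)
    print(table.login("alice", "correct horse battery", "198.51.100.7"))
    print(firewall_rules(table, 3389))
```

The table only ever grants what the gateway's own user store authorizes, and the rule list is regenerated from `authorized_ips()` so an expired or disconnected client loses access without any state living in the firewall itself.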
Ross Walker wrote:
On Nov 3, 2010, at 9:07 AM, Les Mikesell lesmikesell@gmail.com wrote:
On 11/3/10 7:48 AM, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 12:49 +0000, John Hodrien wrote:
On Wed, 3 Nov 2010, Adam Tauno Williams wrote:
On Wed, 2010-11-03 at 13:04 +0200, Eero Volotinen wrote:
2010/11/3 mattias mj@mjw.se:
How to setup a vpn server on centos? I can't find the pptpd in any repo
PopTop is possibly the solution that you are looking for: http://poptop.sourceforge.net/ , but an ssl-vpn like openvpn is a much better solution (works correctly with any firewall)
PoPToP works very well. Also known as pptpd.
Although as has already pointed out, GRE and NAT issues make PPTP a somewhat odd choice given the alternatives.
I agree; but its issues versus the issues of the other alternatives.... seems almost a wash to me.
Errr, what issues does openvpn have?
I'm no fan of any type of VPN as I think it's a way of extending your trusted LAN to an untrusted endpoint compromising internal trust levels, but if you are going to implement a VPN the type is of very little consequence (account/password is more likely to be compromised then
<snip>
I would suggest only providing VPN access to administrators and for users providing a combination of SSL gateway to web-mail and some type of terminal service that either authenticates with a separate domain or is only accessible after successfully authenticating to the SSL gateway.
<snip> Um, no. This might work for folks who *only* need access to their M$ Exchange via Outlook and Office, but for other work, including *anything* that isn't being done in their browser, they're SOL about working, say, from home.
It's even more secure if you just unplug it from the Internet....
mark
On Nov 3, 2010, at 10:15 AM, m.roth@5-cent.us wrote:
Ross Walker wrote:
<snip>
I would suggest only providing VPN access to administrators and for users providing a combination of SSL gateway to web-mail and some type of terminal service that either authenticates with a separate domain or is only accessible after successfully authenticating to the SSL gateway.
<snip>
Um, no. This might work for folks who *only* need access to their M$ Exchange via Outlook and Office, but for other work, including *anything* that isn't being done in their browser, they're SOL about working, say, from home.
Exchange isn't the only web mail game in town, and terminal services doesn't have to be M$ RDP, NoMachine NX makes a great X-Windows terminal server supported across many desktop OSes (and does certificate authentication too!).
If you are using a content management system, you can also provide access to that through the gateway (and no I'm not necessarily talking Sharepoint here).
I just think VPNs' time has come and gone.
It's even more secure if you just unplug it from the Internet....
Goes without saying ;-)
-Ross
On 11/3/2010 6:01 PM, John R Pierce wrote:
On 11/03/10 3:46 PM, Ross Walker wrote:
I just think VPNs' time has come and gone.
VPNs have another use entirely, which is linking LAN segments over the internet to create a private WAN.
But perhaps a better alternative is to give up on the idea of private LANs and thinking of good/bad guys on opposite sides of firewalls and make every connection that needs it do its own encryption and authentication at the application level.
On Nov 3, 2010, at 7:25 PM, Les Mikesell lesmikesell@gmail.com wrote:
On 11/3/2010 6:01 PM, John R Pierce wrote:
On 11/03/10 3:46 PM, Ross Walker wrote:
I just think VPNs' time has come and gone.
VPNs have another use entirely, which is linking LAN segments over the internet to create a private WAN.
But perhaps a better alternative is to give up on the idea of private LANs and thinking of good/bad guys on opposite sides of firewalls and make every connection that needs it do its own encryption and authentication at the application level.
I think in corporate environments the scale makes it too impractical, but the idea is the basis of future cloud computing, when all endpoints are suspect and services are provided à la carte from multiple providers, so maybe when the corporate LAN disappears altogether...
-Ross
On Nov 3, 2010, at 7:01 PM, John R Pierce pierce@hogranch.com wrote:
On 11/03/10 3:46 PM, Ross Walker wrote:
I just think VPNs' time has come and gone.
VPNs have another use entirely, which is linking LAN segments over the internet to create a private WAN.
Yes, of course, those will remain and I use those across routers and concentrators, but the personal VPNs aren't necessary.
-Ross
On 11/3/10 6:35 PM, Ross Walker wrote:
On 11/03/10 3:46 PM, Ross Walker wrote:
I just think VPNs' time has come and gone.
VPNs have another use entirely, which is linking LAN segments over the internet to create a private WAN.
Yes, of course, those will remain and I use those across routers and concentrators, but the personal VPNs aren't necessary.
It's usually much faster and cheaper to move the packets to where you are than to move you to where the server is.
On 4/11/10 10:35 AM, Ross Walker wrote:
On Nov 3, 2010, at 7:01 PM, John R Pierce pierce@hogranch.com wrote:
On 11/03/10 3:46 PM, Ross Walker wrote:
I just think VPNs' time has come and gone.
VPNs have another use entirely, which is linking LAN segments over the internet to create a private WAN.
Yes, of course, those will remain and I use those across routers and concentrators, but the personal VPNs aren't necessary.
I'm just guessing here, but you live in a country that doesn't (or isn't trying to introduce) mandatory censorship and/or data retention. Right?
Those of us in the antipodes have a whole different reason for wanting VPN connections to such insecure points as "shared hosting" or VPS systems.
Regards, Ben
On Nov 3, 2010, at 9:24 PM, Ben McGinnes ben@adversary.org wrote:
On 4/11/10 10:35 AM, Ross Walker wrote:
On Nov 3, 2010, at 7:01 PM, John R Pierce pierce@hogranch.com wrote:
On 11/03/10 3:46 PM, Ross Walker wrote:
I just think VPNs' time has come and gone.
VPNs have another use entirely, which is linking LAN segments over the internet to create a private WAN.
Yes, of course, those will remain and I use those across routers and concentrators, but the personal VPNs aren't necessary.
I'm just guessing here, but you live in a country that doesn't (or isn't trying to introduce) mandatory censorship and/or data retention. Right?
Those of us in the antipodes have a whole different reason for wanting VPN connections to such insecure points as "shared hosting" or VPS systems.
I don't have to encrypt from my government, but I am required to encrypt all communication channels by my government, so this is all done over SSL/TLS or using a protocol's native encryption.
When I say VPN I'm specifically talking about protocols that extend the internal routable network to the client PC.
If the client PC was set up in a split pipe setup it would be like running your corporate LAN with either no firewall or a consumer level firewall product with questionable administration.
You can filter within the VPN which protocols are passed but then at this point wouldn't it be better to do this at the firewall anyways?
-Ross
On 04/11/2010 13:31, Rob Kampen wrote:
I've been watching this thread and offer the following observation. Some years ago when working in the corporate world - most internet connections were still via modem - I used to connect via VPN to the corporate network from remote offices. Even though I was connected via ethernet to the local office, the VPN connection, once established, became my only route, i.e. the local network appeared to be disconnected and the laptop (or PC) could only see and connect to the corporate IP address ranges that had been established via the VPN software - this also used one-time password keys. Thus security was complete other than the ability to get files from the corporate network onto the local PC - although difficult and cumbersome. Once the VPN was disconnected the local network was once again working. This was on Windoze clients to Linux and other corporate servers. Wondering if this kind of setup is possible with any of the mentioned VPN products? Tks Rob
Rob,
This is called split-tunnel (or in the case that you talk about, non-split-tunnel) policy. Many IPsec clients can be configured by policy to avoid split-tunnelling. The Windows PPTP client is configured like this by default, but it is possible to unconfigure it as a user. Proprietary clients (e.g. Cisco VPN) allow configuration of the client split-tunnel (or not) by the VPN server. I don't know whether OpenVPN has this functionality; it ultimately depends on the client to do the split-tunneling, not the server (but the server could verify the client, and enforce split-tunneling).
Thanks
Giles
On 11/4/10 7:31 AM, Rob Kampen wrote:
Ross Walker wrote:
On Nov 3, 2010, at 9:24 PM, Ben McGinnes ben@adversary.org wrote:
On 4/11/10 10:35 AM, Ross Walker wrote:
On Nov 3, 2010, at 7:01 PM, John R Pierce pierce@hogranch.com wrote:
On 11/03/10 3:46 PM, Ross Walker wrote:
I just think VPNs' time has come and gone.
VPNs have another use entirely, which is linking LAN segments over the internet to create a private WAN.
Yes, of course, those will remain and I use those across routers and concentrators, but the personal VPNs aren't necessary.
I'm just guessing here, but you live in a country that doesn't (or isn't trying to introduce) mandatory censorship and/or data retention. Right?
Those of us in the antipodes have a whole different reason for wanting VPN connections to such insecure points as "shared hosting" or VPS systems.
I don't have to encrypt from my government, but I am required to encrypt all communication channels by my government, so this is all done over SSL/TLS or using a protocol's native encryption.
When I say VPN I'm specifically talking about protocols that extend the internal routable network to the client PC.
If the client PC was set up in a split pipe setup it would be like running your corporate LAN with either no firewall or a consumer level firewall product with questionable administration.
You can filter within the VPN which protocols are passed but then at this point wouldn't it be better to do this at the firewall anyways?
-Ross
I've been watching this thread and offer the following observation. Some years ago when working in the corporate world - most internet connections were still via modem - I used to connect via VPN to the corporate network from remote offices. Even though I was connected via ethernet to the local office, the VPN connection, once established, became my only route, i.e. the local network appeared to be disconnected and the laptop (or PC) could only see and connect to the corporate IP address ranges that had been established via the VPN software - this also used one-time password keys. Thus security was complete other than the ability to get files from the corporate network onto the local PC - although difficult and cumbersome. Once the VPN was disconnected the local network was once again working. This was on Windoze clients to Linux and other corporate servers. Wondering if this kind of setup is possible with any of the mentioned VPN products?
Openvpn can redirect your default gateway to send everything (except itself) through the remote, but it doesn't really enforce keeping it that way. That is, a knowledgeable user could add local routes back after starting it.
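A client-side compliance check for the point Giles and Les make above (full-tunnel policy ultimately lives in the client's routing table, and after the server pushes redirect-gateway a user can add routes back around the tunnel): an added Python example, not code from the thread or from OpenVPN. It reads `ip route` style output and reports whether the default path still goes through the tunnel and which destinations are routed via a gateway on another interface. The route lines, the interface name `tun0` and the server address 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Constructed sample of `ip route` output on a Linux client after OpenVPN pushed
# "redirect-gateway def1" (the 0.0.0.0/1 + 128.0.0.0/1 pair overrides the original
# default) and the user then added a route back to 172.16.0.0/16 via the LAN gateway.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
172.16.0.0/16 via 192.168.1.1 dev eth0
"""

# Keywords that take a value in `ip route` output; anything else ("onlink",
# "linkdown", ...) is a bare flag and is skipped.
VALUED_KEYS = {"via", "dev", "src", "proto", "scope", "metric", "table"}


def parse_route(line):
    """Turn one `ip route` line into {dest: IPv4Network, via: str|None, dev: str|None}."""
    tokens = line.split()
    if not tokens:
        return None
    dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    route = {"dest": ipaddress.ip_network(dest, strict=False), "via": None, "dev": None}
    i = 1
    while i < len(tokens):
        if tokens[i] in VALUED_KEYS and i + 1 < len(tokens):
            if tokens[i] in ("via", "dev"):
                route[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return route


def check_full_tunnel(route_text, tun_dev, vpn_server):
    """Return (covered, bypass).

    covered: True when all traffic defaults to tun_dev, either by a default route on it
             or by the /1 pair that redirect-gateway def1 installs.
    bypass:  destinations still sent to a gateway on another interface. The host route
             to the VPN server and the original default (needed for the tunnel itself
             and masked by the /1 pair) are expected; directly connected subnets have no
             gateway and are not counted either.
    """
    routes = [r for r in (parse_route(l) for l in route_text.splitlines()) if r]
    server_host = ipaddress.ip_network(f"{vpn_server}/32")
    via_tun = {str(r["dest"]) for r in routes if r["dev"] == tun_dev}
    covered = "0.0.0.0/0" in via_tun or {"0.0.0.0/1", "128.0.0.0/1"} <= via_tun
    bypass = []
    for r in routes:
        if r["dev"] == tun_dev or r["via"] is None:
            continue
        if r["dest"] == server_host or r["dest"].prefixlen == 0:
            continue
        bypass.append(str(r["dest"]))
    return covered, bypass


if __name__ == "__main__":
    covered, bypass = check_full_tunnel(SAMPLE_ROUTES, "tun0", "203.0.113.10")
    print("default path via tunnel:", covered)
    print("routes bypassing the tunnel:", bypass)
```

Run against a live client with `ip route` piped in, the same function gives a server-side policy engine (or a connect-time script) something concrete to alert on; it does not try to stop the user from adding routes, which is exactly the gap Les points out.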
On 11/4/10 7:15 AM, Ross Walker wrote:
Those of us in the antipodes have a whole different reason for wanting VPN connections to such insecure points as "shared hosting" or VPS systems.
I don't have to encrypt from my government, but I am required to encrypt all communication channels by my government, so this is all done over SSL/TLS or using a protocol's native encryption.
When I say VPN I'm specifically talking about protocols that extend the internal routable network to the client PC.
If the client PC was set up in a split pipe setup it would be like running your corporate LAN with either no firewall or a consumer level firewall product with questionable administration.
Things really aren't that simple, though. The big risk is not so much that an outside source will be able to route directly through the connection because most remote endpoints would be behind NAT, have an OS level firewall, and not be configured for routing anyway. The more likely scenario is that the remote is corrupted by some sort of trojan/virus malware which can make its own outbound connections or collect data to transmit later - and the problem is that this can occur at any time prior to the vpn connection. It also isn't limited to vpns - the same thing can happen when laptops are connected to the LAN or if you insert any removable media, execute email attachments, browser plugins, etc., etc. And browser plugins can even subvert what you are doing over ssl. You probably permit outbound https connections and there's not much you can do to monitor them.
You can filter within the VPN which protocols are passed but then at this point wouldn't it be better to do this at the firewall anyways?
How much can you filter once all your connections are using ssl? And of course you are still assuming that the bad guys are on the other side of your firewall when statistics show otherwise.
On Nov 4, 2010, at 9:13 AM, Les Mikesell lesmikesell@gmail.com wrote:
On 11/4/10 7:15 AM, Ross Walker wrote:
If the client PC was set up in a split pipe setup it would be like running your corporate LAN with either no firewall or a consumer level firewall product with questionable administration.
Things really aren't that simple, though. The big risk is not so much that an outside source will be able to route directly through the connection because most remote endpoints would be behind NAT, have an OS level firewall, and not be configured for routing anyway. The more likely scenario is that the remote is corrupted by some sort of trojan/virus malware which can make its own outbound connections or collect data to transmit later - and the problem is that this can occur at any time prior to the vpn connection. It also isn't limited to vpns - the same thing can happen when laptops are connected to the LAN or if you insert any removable media, execute email attachments, browser plugins, etc., etc. And browser plugins can even subvert what you are doing over ssl. You probably permit outbound https connections and there's not much you can do to monitor them.
Yes the malware threat is another big reason VPNs give me pause.
You can filter within the VPN which protocols are passed but then at this point wouldn't it be better to do this at the firewall anyways?
How much can you filter once all your connections are using ssl? And of course you are still assuming that the bad guys are on the other side of your firewall when statistics show otherwise.
Well I'm only thinking perimeter at the moment, internal threats are a whole other can of worms and need to be handled differently.
As for the SSL part, you can monitor traffic over it in a couple of ways. For internal services being served out you can have the SSL connection terminate at the gateway and the gateway establish an internal SSL connection to the service. For internal clients connecting to external services I have used SSL inspectors; these basically initiate an SSL connection to the destination, take the certificate, generate a per-destination certificate itself and pass that to the client, basically acting as a man in the middle. As long as the gateway/inspector is a trusted intermediate CA and the subject is preserved then the client doesn't have a problem with it.
-Ross
On 5/11/10 9:39 AM, Ross Walker wrote:
As for the SSL part, you can monitor traffic over it in a couple of ways. For internal services being served out you can have the SSL connection terminate at the gateway and the gateway establish an internal SSL connection to the service. For internal clients connecting to external services I have used SSL inspectors; these basically initiate an SSL connection to the destination, take the certificate, generate a per-destination certificate itself and pass that to the client, basically acting as a man in the middle. As long as the gateway/inspector is a trusted intermediate CA and the subject is preserved then the client doesn't have a problem with it.
I believe this is one of the methods that was looked at to enable ISPs to filter/censor/log SSL connections should the government policies become legislation here. Except for all outbound connections. The rest of us call it a MitM (when used for outbound or between third parties, not in your example).
Regards, Ben
On 11/5/10 4:27 AM, Ben McGinnes wrote:
On 5/11/10 9:39 AM, Ross Walker wrote:
As for the SSL part, you can monitor traffic over it in a couple of ways. For internal services being served out you can have the SSL connection terminate at the gateway and the gateway establish an internal SSL connection to the service. For internal clients connecting to external services I have used SSL inspectors; these basically initiate an SSL connection to the destination, take the certificate, generate a per-destination certificate itself and pass that to the client, basically acting as a man in the middle. As long as the gateway/inspector is a trusted intermediate CA and the subject is preserved then the client doesn't have a problem with it.
I believe this is one of the methods that was looked at to enable ISPs to filter/censor/log SSL connections should the government policies become legislation here. Except for all outbound connections. The rest of us call it a MitM (when used for outbound or between third parties, not in your example).
So if you really want privacy you need to run another layer of encryption end to end with an uncommon cipher?
-- Les Mikesell lesmikesell@gmail.com
On 5/11/10 11:29 PM, Les Mikesell wrote:
On 11/5/10 4:27 AM, Ben McGinnes wrote:
I believe this is one of the methods that was looked at to enable ISPs to filter/censor/log SSL connections should the government policies become legislation here. Except for all outbound connections. The rest of us call it a MitM (when used for outbound or between third parties, not in your example).
So if you really want privacy you need to run another layer of encryption end to end with an uncommon cipher?
In this kind of scenario, yes. The SSL/TLS filters aren't uncommon. Ironport have products that will do it, but they're usually sold to corporations that want to monitor *all* connections from their network.
The difference here is that the government were looking at instituting something similar nationally. Though it was mentioned in a testing report from 2008, this part appeared to be silently dropped by the time of the live pilot in 2009.
I'd have to take another look at the 2008 report, but I'm pretty sure that none of the software tested in 2007-2008 could filter SSH or VPNs. They could be blocked, though, depending on how much effort was expended.
Regards, Ben
On Nov 5, 2010, at 8:29 AM, Les Mikesell lesmikesell@gmail.com wrote:
So if you really want privacy you need to run another layer of encryption end to end with an uncommon cipher?
Yes, or only trust those CAs that you know you can trust. Use web browsers you can fully trust that don't embed CA trusts, and fully manage the CA trust database you can see.
If we could start the whole certificate thing over I think it would have been better to have a trust "registrar" rather than a bunch of semi-trusted authorities. Then any corporation can create their own CA and register that CA with a registrar with proof of identity, then manage their own certificates and CRLs.
It might not be too late to do so, you could even use DNS TXT objects to provide URLs to these CAs stored in a database for quick browser lookups.
Just need to get a browser like Firefox to back the idea and a procedure to verify the trust and have that stored in the browser's trust database along with better CRL checking.
-Ross
On 6/11/10 12:25 AM, Ross Walker wrote:
If we could start the whole certificate thing over I think it would have been better to have a trust "registrar" rather than a bunch of semi-trusted authorities. Then any corporation can create their own CA and register that CA with a registrar with proof of identity, then manage their own certificates and CRLs.
Now this is an excellent idea! It would be vastly superior to the current situation, though a serious challenge to the price-gouging of many CAs.
Regards, Ben
Ben McGinnes wrote:
On 6/11/10 12:25 AM, Ross Walker wrote:
If we could start the whole certificate thing over I think it would have been better to have a trust "registrar" rather than a bunch of semi-trusted authorities. Then any corporation can create their own CA and register that CA with a registrar with proof of identity, then manage their own certificates and CRLs.
Now this is an excellent idea! It would be vastly superior to the current situation, though a serious challenge to the price-gouging of many CAs.
I used to use godaddy for my certs but now use the startssl folk - much better value!!
Regards, Ben
On 6/11/10 6:09 AM, Rob Kampen wrote:
Ben McGinnes wrote:
Now this is an excellent idea! It would be vastly superior to the current situation, though a serious challenge to the price-gouging of many CAs.
I used to use godaddy for my certs but now use the startssl folk - much better value!!
Free is pretty good value ... unless you want/need wildcard certificates for your domain.
Regards, Ben
On Wed, 3 Nov 2010, Ross Walker wrote:
As always it's better to use internally generated certificates that are password protected then either passwords or certificates alone. Having said that these password protected certificates are a PITA to distribute to users and to support remotely.
The biggest headache with OpenVPN is PKI. The OpenVPN source ships with some scripts for doing certificate authority work, but eventually the administrator has to figure out PKI for all but the very smallest of deployments.
That said, OpenVPN deals very nicely with certificate revocations, making it easy to void a certificate if a key is lost, stolen, or a victim of the HR department.
I agree that distributing password-protected keys is a pain. In a savvy environment, you can show people how to encrypt their own keys using the openssl binary (even on Windows), but that certainly doesn't work everywhere. On the upside, all the client OpenVPN GUIs I've used (Windows, Tunnelblick for Mac, NetworkManager) handle encrypted keys quite nicely these days, prompting for the passphrase at connection time.
On 11/3/2010 9:04 AM, Ross Walker wrote:
Errr, what issues does openvpn have?
I'm no fan of any type of VPN as I think it's a way of extending your trusted LAN to an untrusted endpoint compromising internal trust levels, but if you are going to implement a VPN the type is of very little consequence (account/password is more likely to be compromised than traffic intercepted and decrypted) than the authenticating domain is. As always it's better to use internally generated certificates that are password protected than either passwords or certificates alone. Having said that, these password protected certificates are a PITA to distribute to users and to support remotely.
I've mostly used openvpn for nailed-up connections with shared secret keys and separate processes per connection where the configs are trivial to write.
You could have the gateway server use a separate database of users and passwords for those users allowed remote access, they authenticate with the gateway, then their IP address is added to a table of authorized clients to connect to the terminal services. As long as the gateway does HTTP TCP keepalive the IP is kept in the table, when the connection is dropped the IP is removed.
If you are going to use a dedicated gateway you might look at clearOS which, I think, handles both openvpn and pptp with web setup and its own concept of user/certificate management out of the box.