VPN Suggestions CentOS 6, 7


Folks

I would like to have my windows 7 laptop communicate with my home server via a VPN, in such a way that it appears to be “inside” my home network. It should not only let me appear to be at home for any external query, but also let me access my computers inside my home.

I already have this working using M$’s PPTP using my home CentOS 6 gateway/router as the PoPToP server. However, I am concerned about the privacy/security of such a connection.

I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and probably others I haven’t noted). I’d be interested in hearing from anyone who wishes to comment about which to use, with the following requirements:

1) As noted, it should be secure (anti NSA?)
2) Works on CentOS 6 and CentOS 7 and Windows 7 (and for the future, Windows 10)
3) Can be set up on the server with command line interfaces only (no GUI)

And, should not be a nightmare to set up.

Any thoughts?

David

24 thoughts on - VPN Suggestions CentOS 6, 7

  • And openvpn. Avoid ipsec as it’s too complex and pptp is insecure.

    Eero
    On 4.4.2016 at 9.55 pm, “Richard Zimmerman” wrote:

  • OpenVPN can be all that. I say “can be” because you’ll want to research how best to configure it. Done poorly, it won’t be as secure as you want. Thankfully, there are a lot of blog posts and list threads to consult; it won’t take more than a couple hours of reading to work out the base configuration.

    This might be a problem. :-)

    OpenVPN is designed to scale pretty well, but scaling it requires a decent knowledge of SSL infrastructure: creating, distributing, and revoking certificates. The Easy-RSA utility can ease the process, but using it securely takes time and reading.

    A very small OpenVPN setup can be done with shared static key, but that approach has its own disadvantages (no PFS, all keys in plain text, no distribution mechanism).

    In short, OpenVPN is an excellent toolset that can be made very secure — and will manage much of the complexity for you — but it requires a non-trivial amount of effort to configure correctly.

    To paraphrase The Princess Bride: Security is pain. Anyone who says differently is selling something.

  • I recommend l2tp/ipsec. It’s supported out of the box on a wide variety of client platforms, which means significantly less work to set up the clients.

    OpenVPN is a popular choice, and it’s fine for most people. It’s more work to set up than l2tp/ipsec, typically. We used it for quite a while at my previous employer, though ultimately dropped it because the Windows GUI requires admin rights to run, and we didn’t want to continue giving admin rights to the users we supported.

  • This is not good information.

    In brief:

    “There are some concerns that the NSA could have weakened the standard, but no one knows for sure.”
    Pure FUD. There is no reason to believe this as related to IPSec that does not apply to other protocols as well. There is, therefore, no reason to write that other than bias.

    “Either way, this is a slower solution than OpenVPN. … It

  • SoftEther VPN all-in-one solution and cross platform.


    Cheers!
    Dodi

  • IPSec is not a recommended solution nowadays. OpenVPN runs on top of a single UDP or TCP port, so it usually works in strictly firewalled places like hotels and so on.

  • OpenVPN is the best open-source VPN for me; it can connect from any location such as airports, hotels, restaurants, resorts, malls, and it has never let me down. And configuration is easy for those who have an idea of what they want to achieve.

  • On 05.04.2016 at 12:46, Francis Mendoza wrote:

    “easy” is qualitative – PKI is the core of an OpenVPN infrastructure and is not trivial anyway. As someone stated before, privacy/security is complex; everything else is a product.

    IMHO: IPSec-VPN is a bit more complex than an SSL-VPN like OpenVPN.

    I even sometimes use an SSL-VPN connection over an IPSec-VPN.

  • How is IPSec “not a recommended solution nowadays”?

    I tend to use IPSec for site-to-site connections, i.e. the ones that run 24/7 and only require two experienced people to set up (the admins at both endpoints). For host-to-site setups I prefer OpenVPN, since explaining to end users how to set up an ipsec connection is nigh impossible, whereas with OpenVPN I can simply tell them to install the software and then unzip an archive into a directory and they are done.

    Regards,
    Dennis

  • Well. IPSec might work with site-to-site connections, but usually road warrior mode users experience (a lot of) problems.

    They might be related to hotels that only allow https, http and dns protocols or broken nat implementations and so on.

  • IPSec is typically encapsulated on UDP port 4500, due to the ubiquity of NAT. OpenVPN doesn’t really have an advantage, there.

  • So, send them a powershell script:

    # One parameter group per line; the trailing backtick is PowerShell's line continuation.
    Add-VpnConnection -Name "My VPN" -ServerAddress "vpn.example.com" `
        -AuthenticationMethod PAP -TunnelType L2TP -L2tpPsk "whyareyouusingapsk?" `
        -AllUserConnection -Force -RememberCredential -PassThru -SplitTunneling

  • Yes, OpenVPN works on any single UDP or TCP port.

    In many hotels only HTTP, HTTPS and DNS are allowed. So you just can’t use ipsec, but OpenVPN works as it’s usually configured to listen on the HTTPS port.

  • IPSec and OpenVPN (and the others) each have their use cases. I have had experience with IPSec (via SmoothWall’s SmoothTunnel implementation), Cisco’s VPN implementation, and the commercial OpenVPN Access Server, and I have found OpenVPN AS the easiest to support for the road warrior use case, including and especially Wi-Fi and 3G/4G connected iOS and Android devices. OpenVPN AS will listen on TCP port 443, and virtually no one blocks TCP/443 (although you do lose some tunnel functionality with TCP encapsulation).

    I did have numerous issues with the road warrior cases with the IPSec solution, many of which were firewall/captive portal issues and not issues with the otherwise excellent SmoothTunnel. I will admit that I have not tried an IPsec solution in a while, but I haven’t had the need to do so, either.

    OpenVPN AS takes all the hard parts out of the server-side config, and it works well on CentOS 7 (which is the platform on which I am running the server). For point-to-point remote offices, I deploy small routers running DD-WRT, which has a reasonable OpenVPN client that works well once you get it working initially. It isn’t necessarily the easiest to get working, though.

  • Have a look at Openconnect Server (ocserv), it’s a free implementation of Cisco AnyConnect.

    It’s the easiest VPN I ever had to setup and it’s compatible with most Cisco AnyConnect clients and of course OpenConnect clients (such as NetworkManager-openconnect).

    http://www.infradead.org/ocserv/

    hth

  • Here’s how I managed that in my openssl.cnf file. Lots of bits elided for clarity’s sake:

    ### start ###
    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    x509_extensions = server_cert

    [ server_cert ]
    basicConstraints

  • At 09:09 AM 4/18/2016, you wrote:

    Paul, two things… First, the diagnostic I got referenced the server’s CA certificate. And that confuses me.

    Second, when I look at the server’s purpose, using the openssl x509 -purpose command, I get:

    SSL client : No
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No

    When looking at the CLIENT’s purpose, I get

    SSL client : Yes
    SSL client CA : No
    SSL server : No
    SSL server CA : No
    Netscape SSL server : No
    Netscape SSL server CA : No

    The difference between what I have and what you reported is that I’ve got SSL Client NO on the server, and SSL server NO on the client, which makes sense to me. The CA certificate itself, says:

    Certificate purposes:
    SSL client : Yes
    SSL client CA : Yes
    SSL server : Yes
    SSL server CA : Yes
    Netscape SSL server : Yes
    Netscape SSL server CA : Yes
    S/MIME signing : Yes
    S/MIME signing CA : Yes
    S/MIME encryption : Yes
    S/MIME encryption CA : Yes
    CRL signing : Yes
    CRL signing CA : Yes
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : Yes
    Time Stamp signing : No
    Time Stamp signing CA : Yes

    Advice would be appreciated.

    David

  • I’m not sure that’s actually what the log is indicating. I think there’s a mismatch between what extensions the server certificate says it can provide and what the client is expecting.

    Can you provide the SSL/TLS parts of your client configuration?

    In particular, I expect you’ll have a “remote-cert-tls server” directive. I’d suggest commenting that out (or replacing it with “ns-cert-type server”) and trying again.

    If that succeeds, you’ll probably need to review your CA configuration.
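
The exchange above (the earlier post on Easy-RSA and PKI, and David's question about why his server certificate trips the `remote-cert-tls server` check) comes down to which X.509 extensions the CA puts on a server certificate at signing time. The script below is an added example, not part of the thread or of OpenVPN's own tooling: it builds a throwaway CA with an openssl.cnf whose `server_cert` section sets `extendedKeyUsage = serverAuth`, issues one server and one client certificate with different extension sections, and then reads both back with `openssl x509 -purpose` the way David did. The CA name, the host names `vpn.example.com` and `laptop`, the file names and the 30-day lifetimes are constructed for the demo; `has_eku_server_auth` approximates only the extendedKeyUsage half of what OpenVPN's `remote-cert-tls server` requires of the peer (it does not reproduce the keyUsage check).

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA whose openssl.cnf gives
# server certificates extendedKeyUsage=serverAuth and client certificates
# extendedKeyUsage=clientAuth, then "openssl x509 -purpose" on each result.
# All names (Demo CA, vpn.example.com, laptop) and file paths are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/openssl.cnf"

# The relevant part of an openssl.cnf: one extension section per role.
# "-extensions <section>" at signing time decides which one a certificate gets.
write_openssl_cnf() {
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

# Placeholder DN; every request below overrides it with -subj.
[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Issue a certificate with CN "$1" using extension section "$2", writing
# "$WORKDIR/$3.key" and "$WORKDIR/$3.crt".
issue_cert() {
  cn="$1"; section="$2"; name="$3"
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -subj "/CN=$cn" -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$name.csr" -days 30 \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$CNF" -extensions "$section" -out "$WORKDIR/$name.crt" 2>/dev/null
}

build_demo_pki() {
  write_openssl_cnf
  # Self-signed CA: "req -x509" takes its extensions from the named section.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$CNF" \
    -extensions v3_ca -subj "/CN=Demo CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  issue_cert vpn.example.com server_cert server
  issue_cert laptop          client_cert client
}

# Print the Yes/No answer "openssl x509 -purpose" gives for one purpose label,
# e.g. purpose_of "$WORKDIR/server.crt" "SSL server"
purpose_of() {
  openssl x509 -in "$1" -noout -purpose |
    awk -F' : ' -v p="$2" '$1 == p { print $2 }'
}

# The extendedKeyUsage half of what OpenVPN's "remote-cert-tls server" requires
# of the peer certificate: serverAuth must be present. Exit status 0 = present.
has_eku_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

build_demo_pki
for role in server client; do
  echo "== $role.crt =="
  openssl x509 -in "$WORKDIR/$role.crt" -noout -purpose | grep -E '^SSL (client|server) :'
done
```

Run with `sh demo.sh`. The server certificate reports `SSL server : Yes` and `SSL client : No`, matching what David saw, and the client certificate is the mirror image; a CA certificate made from `v3_ca` answers Yes to nearly everything, which is why the CA's own `-purpose` output is not informative about the problem. If a certificate that should act as the server shows `SSL server : No`, the section named by `-extensions` when it was signed lacked `serverAuth` or carried a keyUsage/nsCertType that excludes the server role; that is the extension mismatch Paul suspects, and re-issuing the server certificate with the right section fixes it without touching the client's `remote-cert-tls server` directive.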

  • At 08:57 AM 4/19/2016, you wrote:

    Paul, I’m not sure what you mean by the SSL/TLS parts of the client configuration. Here’s what I have for the OpenVPN configuration files… comment lines removed.

    The client file at c:\program files\OpenVPN\config\client.opvn
    ————————–