Free SSL VPN Solutions?
poison1701 asks: "I am in the process of evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far the only free SSL VPN product I have come across is SSL Explorer Community Edition which looks like a very good product, but the free version lacks some of the features that I want (like the full IPSec client). What other SSL VPN solutions are out there? "
Openvpn (Score:5, Informative)
Re: (Score:2, Informative)
Re:Openvpn (Score:5, Informative)
I'm using it with both Linux and Windows.
Tunnels and point-to-point.
I used to use IPSec, a lot of hassle, takes too long to bring the tunnel back up if it goes down, would go down and not come back up without manual intervention.
OpenVPN however has been perfectly reliable for the 6 weeks I've been using it so far.
The Windows GUI version from http://openvpn.se/ seems to work simply enough for many Windows users.
Re: (Score:2)
Another issue with ipsec btw, is that because of the strange protocols it uses for setting up the connection, it often fails to work on some cheaper consumer grade DSL routers.
This gets any UDP link (Score:3, Informative)
I've switched OpenVPN to TCP and she's all work, but I could switch just one side of the link to TCP and she's all still work.
If you only want to forward one or a few TCP ports, you can use ssh (-L and -R options). Do take care to have the thing be paranoi
Re: Mac too (Score:3, Informative)
Re: (Score:2)
The client works wonderfully under Linux, FreeBSD, OSX, and Windows, at the very least. And yes, OpenVPN is the way to go for all your VPN needs.
Re:Openvpn (Score:4, Informative)
Re: (Score:3, Interesting)
I use IPSec because I can buy cheap wireless routers that have hardware accelerated IPSec, and IPSec clients are widely available (built into MacOS X, easily installable in Linux).
IPSec does work with NAT. IPSec AH (authenticate only, not encrypt) mode doesn't, but nobody uses that and many devices don't support it. IPSec ESP works fine through NAT.
Re: (Score:2)
Also, some of those cheap wireless routers actually run linux, so it's not unrealistic to modify them to support openvpn encryption in hardware instead.
Here's a thought tho, many wireless cards support hardware encryption acceleration, how easy would it be to make OpenSSL support these cards?
Re: (Score:2)
Yes, good point. There is an open source firmware for the popular WRV54G that supports OpenVPN or PPTP. But, then I have to install OpenVPN + a tun/tap kernel driver on my PowerBook. Not a huge deal, but third party kernel modules scare me a bit. Instead, I picked up a surprisingly powerful router/firewall/802.11g/IPSec VPN device on eBay for $50 a
Re: (Score:2, Informative)
Same here: OpenVPN rocks (Score:2)
Regulations? (Score:1, Insightful)
Having said that, there are plenty of roll-your-own SSL VPN solutions out there - many of which are open source. I'd recommend starting with Google.
Not to mod (Score:1)
Seeing as how this was the 2nd post in the thread, it's kinda hard for it to be duplicating something when his point is entirely different than the first post.
-Rick
Re: (Score:1, Insightful)
While on-topic, not flamebait and not trolls (although I'd call them trolls), these posts contribute absolutely nothing to the discussion. Because they are almost the same post regardless of the question... "Well, since (blah) and since (blah), you shouldn't ask Slashdot. Why don't you talk t
Re: (Score:2)
-Rick
Re: (Score:2)
If you're in a regulated environment, odds are that you're making enough money that spending a little money on some professional consulting time (or perhaps the software itself) for this problem is a far better solution than Asking Slashdot(tm).
Who said he's not doing both? The two options are not mutually exclusive as you imply.
---
Open source software is everything that closed source software is. Plus the source is available.
Another vote for openvpn (Score:2)
It has been very stable for us, we run the server on an OpenBSD box. The documentation is pretty good, and you can make your own windows installer with your configurations preloaded. One minor
Open SSL? (Score:2, Insightful)
I'm a bit confused, too, about why IPSec is a requirement if you are looking to use an SSL VPN?
In the meantime, just check out openssl.org.
Re: (Score:2, Informative)
My thought exactly. Isn't one of SSL's advantages in not *needing* the infrastructure that IPSec requires (support in your kernel, router, etc.)?
Re: (Score:2)
Google is your friend. (Score:1)
dupe! (Score:2, Insightful)
http://ask.slashdot.org/article.pl?sid=06/04/25/007206
http://ask.slashdot.org/article.pl?sid=06/04/13/1716227
http://ask.slashdot.org/article.pl?sid=05/01/03/1617208
Google says... (Score:2)
http://sourceforge.net/projects/sslexplorer
*sigh*
Re: (Score:2)
(That and OpenVPN is higher on Google than SSL-Explorer
What do you want. (Score:5, Informative)
SSL/TLS is a Transport Layer. It does not mean web based. That said, here are your options for types of vpn's that typical end users usually connect to:
1) Full IP Access: Traditional VPN System. May put you on a different VLAN, but gives you an internal IP (or split tunnel) with access to internal resources directly. This will include OpenVPN, Hamachi, typical IPSec VPNs, etc.
2) Web based VPN: Usually encapsulated over https (ssl), this creates a pretty frontend for typical tasks, i.e. a file browser for Samba/Win2000/2003 Servers, VNC w/ Redirection, etc.
3) Remote Machine Access: This includes NX, Remote Desktop, ssh and vnc. These give you direct access to a specific machine, which has access to other machines internally.
It seems like when you say SSL, you mean web based. And when you say IPSec, you mean Full IP Access. If this is correct, then you'll need to use two open source products.
I'd highly recommend using SSL Explorer for web based access, and OpenVPN for IP based access. If you don't mind paying, some of the low end Netscreens from Juniper will do both beautifully.
Either way, please familiarize yourself with the technologies before you go talking to vendors, unless you're looking to get ripped off.
Re: (Score:2)
Re:What do you want. (Score:4, Insightful)
He pointed to SSL Explorer, which is a Web Based VPN. But, as a web based VPN, it doesn't give you a full internal IP. My belief was that by pointing to a web based VPN, called SSL Explorer, he thought SSL based VPN meant Web Based VPN.
You're right, he never said Web Based directly, but his use of the technology, the stuff he pointed to as examples, etc. led me to believe that we need to get the terminology down before going forward.
Why users want SSL VPNs - Clientless browser-only (Score:2)
Clientless SSL-based VPNs are really convenient - some of them are genuinely clientless, and some of them have Java-glue
Re: (Score:2)
Don't know what your specific requirements are... (Score:2)
Re:Don't know what your specific requirements are. (Score:2)
I know from experience that IPSec can be a bitch to get working correctly *at* *all*!
There are so many things wrong with it I don't know where to begin...
Under Linux the log entries are virtually encrypted; it's extremely difficult to work out what they mean and what's wrong.
Then theres the protocols; if you need to run several IPSec VPNs through ADSL modems things will get tough. IPSec doesn't just use the normal TCP/UDP protoco
Re: (Score:2)
Nope, just extensive experience as of about a year and a half ago.
In all the modems I tested performance was pretty adequate, mostly indistinguishable until 2 or 3 IPSec vpns came up.
The best of them -- USR -- would slow down very badly.
The worst of them -- D-link if I recall -- would repeatedly reboot when 2 VPNs had a lot of traffic or if 3 VPNs came up at once. Modem go down, modem come up. Really annoying.
Sorry I can't give you
Re: (Score:2)
I must admit I have had no trouble with IPSEC through ADSL modems. IPSEC through NAT used to be a big problem, in particular if you wanted several tunnels through the same NAT device. These days everything supports NAT-T, and that's just UDP on port 4500.
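The posts above disagree about whether IPsec survives consumer NAT boxes; what they agree on is the set of channels that has to get through (IKE on UDP 500, ESP as its own IP protocol, and NAT-T on UDP 4500). The script below is an added example, not from anyone in the thread: it scans firewall DROP lines and names which VPN channel each drop would have broken, so a "tunnel never comes back up" complaint can be matched to a specific blocked port or protocol. The log lines are constructed in iptables LOG format; the OpenVPN port 1194 is the IANA default, which the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed iptables-style LOG lines:
# three IPsec-related drops from one peer and one accepted OpenVPN packet.
SAMPLE_LOG='kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=500 DPT=500 LEN=364
kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ESP SPI=0x1a2b3c4d
kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=4500 DPT=4500 LEN=92
kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=43210 DPT=1194 LEN=128'

# classify_vpn_drops LOGTEXT
# Prints one label per DROP line: ike (UDP/500), ipsec-esp (IP protocol ESP),
# ipsec-nat-t (UDP/4500), openvpn (UDP/1194, the default port) or other.
# ACCEPT lines are ignored; only the verdict, PROTO= and DPT= fields are read.
classify_vpn_drops() {
  printf '%s\n' "$1" | awk '
    / DROP / {
      proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dpt = kv[2]
      }
      if (proto == "ESP")                     print "ipsec-esp"
      else if (proto == "UDP" && dpt == "500")  print "ike"
      else if (proto == "UDP" && dpt == "4500") print "ipsec-nat-t"
      else if (proto == "UDP" && dpt == "1194") print "openvpn"
      else                                    print "other"
    }'
}

# Usage: with the sample above this prints ike, ipsec-esp and ipsec-nat-t,
# i.e. every channel an IPsec peer needs was dropped, which is the "works
# until the second tunnel comes up" symptom from the posts above.
classify_vpn_drops "$SAMPLE_LOG"
```

Feed it `grep DROP /var/log/kern.log` output instead of the constructed sample to check a real gateway; if a rule blocks ESP but passes UDP/4500, a NAT-T capable peer will still work while a plain ESP peer will not, which is exactly the split the thread describes.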
Re: (Score:2, Informative)
We use SSL-Explorer (Score:2)
Juniper (Score:5, Informative)
Re: (Score:2, Informative)
Built in AV scanning, IDS, etc is nice too.
If you're supporting an enterprise
Re: (Score:2)
Well, free limits it ... (Score:2, Informative)
If you don't need free and have a few thousand users to support, combining RSA/SecurID, ACE, and Nortel products like Shastas or Contivity Extranet Switches are excellent. If you don't need the flexibility of a Shasta, the CES line is under $20k to support 2k users. http://www.nortel.com/solutions/smb/business_solutions/comparisons/contivity_1000.html
http://pro [nortel.com]
IPCOP (Score:1)
- stateful firewall
- ipsec (built-in) / SSL (OpenVPN add-on), unlimited VPNs
- proxy/url filtering (add-ons)
- IDS
- all kinds of traffic monitoring/blocking modules (add-ons)
So yo
RealVNC+ssh (Score:2)
I'm not sure if it's what you want, but VNC (http://www.realvnc.com/) can tunnel through ssh. The combination works for me, anyway.
Re:almost ANYTHING+ssh (Score:2)
For that matter, anything that can be locked down to a specific port or range of ports (i.e., VNC works because you can nail it down to something like 5901-5910, depending on the number of displays, but FTP won't because of its tendency to use random high-numbered ports) will work through ssh. So http, smb/cifs, nfs, etc all seem to work. Requires a bit more work for some exotic protocols, though -- yo
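Both the ssh `-L`/`-R` suggestion earlier in the thread and the VNC-over-ssh post above leave out the "be paranoid" part. The script below is an added example, not code from any poster: it composes a local forward that listens only on loopback (so the tunnel entrance is not reachable from the rest of the LAN), refuses to run interactively or to continue if the forward fails, and produces the matching `authorized_keys` line that limits what that key is allowed to forward. Host names, the display number and the key material are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholder hosts and key throughout.

# ssh_local_forward GATEWAY LOCAL_PORT TARGET_HOST TARGET_PORT
# Builds the client command. 127.0.0.1 as bind address keeps the listener off
# the LAN; -N opens no shell; ExitOnForwardFailure makes a failed forward fatal
# instead of silently leaving a plain ssh session behind.
ssh_local_forward() {
  gateway=$1 local_port=$2 target_host=$3 target_port=$4
  case $local_port in
    ''|*[!0-9]*) echo "bad local port: $local_port" >&2; return 1 ;;
  esac
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
    "$local_port" "$target_host" "$target_port" "$gateway"
}

# vnc_port_for_display N
# VNC display N listens on TCP 5900+N. The post above pins VNC to 5901-5910,
# i.e. displays 1..10; anything else is rejected so a typo cannot forward an
# unrelated service.
vnc_port_for_display() {
  display=$1
  case $display in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$display" -ge 1 ] && [ "$display" -le 10 ] || return 1
  echo $((5900 + display))
}

# authorized_keys_entry "KEY" host:port [host:port ...]
# Server-side counterpart: "restrict" switches off pty, agent/X11 forwarding
# and everything else, "port-forwarding" re-enables only that, and each
# permitopen limits which host:port the forward may reach.
authorized_keys_entry() {
  key=$1; shift
  opts="restrict,port-forwarding"
  for dest in "$@"; do
    opts="$opts,permitopen=\"$dest\""
  done
  printf '%s %s\n' "$opts" "$key"
}

# Usage with placeholders: reach VNC display 1 on an internal host through
# gateway.example, and the authorized_keys line that allows exactly that.
port=$(vnc_port_for_display 1) && ssh_local_forward gateway.example "$port" vncbox.internal "$port"
authorized_keys_entry "ssh-ed25519 AAAA...PLACEHOLDER user@laptop" "vncbox.internal:5901"
```

The client then points its VNC viewer at 127.0.0.1:5901. Setting `GatewayPorts` or binding to 0.0.0.0 would turn the laptop into an open relay into the internal network, which is the failure mode the `-L`/`-R` convenience tends to hide; the `permitopen` list on the server side catches that even if the client gets it wrong.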
Dear Slashdot (Score:5, Funny)
Re: (Score:2)
So, just keep asking those stupid questions, please...
X.
Re: (Score:3, Insightful)
Whore (Score:2)
If you want to go open source, that's fine, go open source. But don't sit here and beg for handouts while insulting those of us who make it our life
where do you get "as in cash"? (Score:2)
As for "those of us who make it our life's work"...get over it! I started writing sort routines in assembler in the late seventies, but I'm not b
Free Beer vs. Commercial solutions (Score:2)
OpenVPN -- what it is, and isn't. (Score:5, Informative)
OpenVPN is the only "SSL VPN" that uses UDP, yes. They invented a protocol that uses SSL over UDP for authentication, and until they did, SSL had never been implemented over UDP. There's now an IETF Internet Draft for DTLS, which is another SSL over UDP protocol specification, but no one else uses it yet, AFAIK, and it's still just an Internet Draft, not an RFC yet. The others implemented their SSL VPNs over TCP for two reasons:
1) There wasn't a standard SSL over UDP specification to implement.
2) SSL over UDP doesn't look like HTTPS, which is half the appeal of these products, because looking like HTTPS is often what gets them through a firewall on their end when a conventional VPN client can't get through.
Note that OpenVPN doesn't transport its data stream over SSL. They use IPSec ESP over UDP for that, the same as standard IPSec NAT-T does. They just use SSL over UDP for session authentication and management--in other words, as an IKE replacement, as far as I can tell. In that respect, there's really not much to differentiate it from IPSec NAT-T.
ssl explorer (Score:1)
Netgear? (Score:2)
http://www.tomsnetworking.com/2006/09/26/netgear_ssl312_ssl_vpn_gateway_review/
This is a small hardware box available for under $400 that looks like it may do what you want.
I do admit that there are free software options available, but those require a server somewhere, and probably a bit of trial-and-error and time to get it running. This hardware box, on the other hand, looks like it would be set up in less than an hour.
Just an option...
OpenVPN For Sure (Score:1)
OpenVPN or SSH (Score:2)
Another thing you could try is using SSH. It's possible to use it as a VPN, but you have to use something like PPTP with it. I'm not sure about Windows support, though. If you use corkscrew, an SSH VPN could also work over a proxy.
Clusty and Scroogle are your friends. (fuck google's data retention poli
Openvpn with IPSEC (Score:1)
The OpenVPN windows client creates a tun/tap device, which looks like just another network device under windows.
If you had a site to site openvpn-based vpn up and running, connecting two subnets, you could easily use windows' IPSEC implementation between two microsoft boxes, across the VPN - they would never know it was there.
I *think* you could do the same thing, even if the openvpn package is running direct