Low Cost VPN Solutions?
whschwartz asks: "I'm looking for a low cost solution for allowing myself and a few others the ability to share a server at one of our locations. One thought was using SSH tunnels to establish secure connections, forwarding any ports needed by our apps. We'd want to be able to map network drives, control the server with something like PC Anywhere or VNC with the possibility of running apps that have remote data on the server. I use the Cisco VPN solution for work, but that's not in our price range and is probably overkill. Are there any other options I should be looking at other than using SSH port forwarding?"
If Linux is ok.. (Score:4, Informative)
It has VPN functionality, although I don't think it has Windows support, if that's a requirement.
Re:If Linux is ok.. (Score:3, Informative)
Re:If Linux is ok.. (Score:2)
Re:If Linux is ok.. (Score:2)
Re:If Linux is ok.. (Score:2)
How the... (Score:1)
Is it Linux, Windows or a BSD? Ah screw it, too many options to even think about posting a usable response.
Re:How the... (Score:2, Flamebait)
OpenVPN (Score:5, Informative)
Re:OpenVPN (Score:3, Interesting)
There are problems with tunneling PPP over SSH, since that's packing a TCP stream inside another TCP stream and can screw up the packet counters, and seriously, OpenVPN is easier to set up.
Re:OpenVPN (Score:1)
I personally tend to go for TUN configuration, but YMMV.
Re:OpenVPN (Score:5, Informative)
I knew this comment would lurk here somewhere, it always does.
There's a theoretical problem with TCP in TCP on connections with errors. That said, I've built network appliances that do TCP over TCP. From a practical perspective it works just fine, and I've sent terabytes of data over such a link and the throughput approaches the line speed.
Somebody's firewall is going to kill your connection long before other problems kick in.
Re:OpenVPN (Score:1)
Re:OpenVPN (Score:3, Interesting)
No, it's not theoretical, and it's not just with errors. A single link with high latency will kill your connections. It really does happen.
From a practical perspective it works just fine
Only if you're extremely lucky. If you're not, you *will* experience problems. If any of the connections between sites become saturated, you'll experience dropped packets, which starts the snowball rolling down the hill.
Re:OpenVPN (Score:2)
I understand the theory, but if that's true in practice I've been extremely lucky across hundreds of sites across the US over a period of a couple years, which seems unlikely.
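To make the mechanism behind this back-and-forth concrete, here is an added toy simulation (not from any post in the thread) of one stop-and-wait inner TCP sender behind either an encapsulating TCP connection or a UDP-style tunnel, through a link outage. Timer values, segment size, serialization time and the outage length are constructed assumptions; real stacks derive their timers from measured RTT, so the numbers are illustrative of the mechanism, not a benchmark. What it shows is what the "snowball" is: the outer TCP cannot drop anything, so every inner retransmission issued during the outage becomes backlog that must cross the link afterwards, ahead of fresh data, while over UDP those retransmissions are simply lost and nothing accumulates.

```python
"""Toy discrete-event model of TCP-over-TCP retransmission stacking.

Constructed example, not code from the thread.  One stop-and-wait inner TCP
sender pushes 1000-byte segments through either
  (a) an encapsulating TCP connection (SSH / PPP-over-SSH style), or
  (b) a datagram tunnel that loses whatever the link loses (UDP style).
The link discards every packet that starts transmitting before `outage_ms`
and passes everything afterwards; each packet occupies it for `serialize_ms`.
Both layers use a fixed initial RTO with exponential backoff (doubling).
"""
from collections import deque

SEG_BYTES = 1000  # constructed segment size


def simulate(outage_ms, tcp_in_tcp, inner_rto=1000, outer_rto=1000,
             serialize_ms=100, segments=2, horizon_ms=60000):
    """Return {"arrival_ms": {seq: ms first copy arrived}, "duplicate_bytes": n}."""
    arrivals = {}
    dup_bytes = 0
    in_flight = []          # (finish_ms, seq) packets that survived the link
    link_free_at = 0

    # inner sender: one segment outstanding; fire time None means idle
    seq, inner_fire, inner_cur = 1, 0, inner_rto
    # encapsulating TCP: FIFO of inner packets it has promised to deliver
    queue = deque()
    outer_fire, outer_cur = None, outer_rto

    def put_on_link(s, now):
        nonlocal link_free_at
        start = max(now, link_free_at)
        link_free_at = start + serialize_ms
        if start >= outage_ms:              # before that it is silently dropped
            in_flight.append((link_free_at, s))

    for t in range(horizon_ms + 1):
        # 1. packets finishing transmission now
        for pkt in [p for p in in_flight if p[0] == t]:
            in_flight.remove(pkt)
            s = pkt[1]
            if s in arrivals:
                dup_bytes += SEG_BYTES      # receiver discards it as a duplicate
            else:
                arrivals[s] = t
                if s == seq:                # ACK: inner moves on to the next segment
                    seq += 1
                    inner_cur = inner_rto
                    inner_fire = t if seq <= segments else None
            if tcp_in_tcp:                  # outer got its ACK: drop head, send next
                queue.popleft()
                outer_cur = outer_rto
                outer_fire = t if queue else None
        # 2. inner timer: (re)transmit the current segment
        if inner_fire == t:
            if tcp_in_tcp:
                queue.append(seq)           # outer is now obliged to deliver this copy
                if outer_fire is None:
                    outer_fire = t
            else:
                put_on_link(seq, t)
            inner_fire = t + inner_cur
            inner_cur *= 2
        # 3. outer timer: (re)transmit the head of its queue
        if tcp_in_tcp and outer_fire == t and queue:
            put_on_link(queue[0], t)
            outer_fire = t + outer_cur
            outer_cur *= 2
        if inner_fire is None and not in_flight and not queue:
            break
    return {"arrival_ms": arrivals, "duplicate_bytes": dup_bytes}


if __name__ == "__main__":
    for outage in (3500, 10000):
        for mode, label in ((True, "TCP in TCP"), (False, "UDP tunnel")):
            r = simulate(outage, mode)
            print("outage %5d ms  %-10s  arrivals %s  stale bytes %d"
                  % (outage, label, r["arrival_ms"], r["duplicate_bytes"]))
```

With a 3500 ms outage both variants deliver the first segment at 7100 ms, but the TCP-in-TCP case then spends 300 ms shipping three stale copies before the second segment gets through; lengthen the outage and the backlog grows by one copy per inner timeout, which is the queueing the "it really does happen" side of the argument is describing.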
Re:OpenVPN (Score:3, Informative)
I also recommend OpenVPN [sf.net]. Supported on a majority of systems: Windows 2k/XP, Linux, Mac OS X, BSDs, & Solaris. Here's the howto [sourceforge.net].
IMHO, a great example of kernel/user-land separation: the TUN/TAP virtual device driver is the only kernel-side part, the rest is in user-land. No more having FreeS/WAN keep the system from cleanly shutting down because of a lost reference to a network device. But there is overhead from context switches between kernel & user, though it's a trade-off I think is worthwhile.
Re:OpenVPN (Score:3, Interesting)
I've used many VPN solutions, starting with proprietary (Raptor with IPIP), through to MS PPtP
Re:OpenVPN (Score:1)
Re:OpenVPN (Score:1)
I'm rolling out an openvpn 2 setup now, and I have to say I'm quite impressed by the package. It seems very stable, gives good performance, has clients for everything we are going to use, and is open source.
The big reason why I chose openvpn over other solutions like IPSEC was basically because I couldn't find free IPSEC clients for windows.
If I had any advice for someone setting up openvpn, it would be to figure out what kind of a setup you want before you try to implement it. There a
Re:OpenVPN (Score:2)
I mean, there are countless problems with homebrew crypto solutions because many people think that just using crypto will solve all the problems. And all the time those new, "unorthodox" implementations make horrendous mistakes that often nullify all the security that crypto could give. This kind of problem keeps popping up in the VTUN, PPTP and WEP protocols.
And when you (wisely) use tested infrastructure
Re:OpenVPN (Score:3, Insightful)
Oh come on, you can't say there are problems with homegrown protocols without pointing people towards Peter Gutmann's comment [mit.edu] on penis-shaped sound waves. :-)
I agree with you for the most part, but I think it is worth stating that using SSL/TLS or SSH does not free you from all problems. Secure (integrity not confidentiality) distribution of public keys is still a significant challenge (to be read as "something that's easy to screw up").
Re:OpenVPN (Score:2)
Re:OpenVPN (Score:4, Informative)
We've used FreeS/WAN (now OpenVPN) since 2001, with nary an issue. We currently have 12 connections ranging from 144KBit to 3Mbit (all business quality!) all connected together. The VPN/firewall hardware at each site is a Pentium 120MHz w/ 32MB of RAM, two network cards, and nothing but a floppy disk booting/running LEAF [sf.net]'s Bering-uCLib. We have Win2K/XP VPN clients connecting to these "LEAF" systems as well. In theory, OpenVPN can support many hundreds of VPN tunnels - though the highest we've pushed it was around 30 (i.e.: permanent tunnels plus the Win32 clients) - with about 600 users between all the sites.
When we stress-tested this hardware/software combo, we were able to push just over 7Mbit/sec, and only added about 5ms latency to the link!
This combo has been rock solid - not a single connection failure can be blamed on the VPN software - it has been either the last mile, a NIC failure, or a bad floppy disk. Administration is via SSH [ucc.asn.au] (with a web-based admin console in development), and the firewall code is Shorewall [shorewall.net].
Re:OpenVPN (Score:2, Informative)
FreeSwan (Score:1)
I have had great success using it to connect a main office with a warehouse across the highway. After setting it up I only had to touch the boxes to do upgrades. The only downside is the need for two servers, one for each end of the tunnel.
Smoothwall (Score:4, Informative)
Re:Smoothwall (Score:2)
On Topic: I haven't used the VPN functionality yet, but with my new cable modem I plan on connecting to a couple of sites I support (all with IPCop).
Linksys (Score:3, Informative)
Re:Linksys (Score:1)
Re:Linksys (Score:2)
Linksys sells a VPN router that uses the IPSec standard, for around $100.
We have some of those, and they work great.
That said, has anyone set up the IPSEC in 2.6 to work with one of them? Would be nice to be able to do it over the wireless connection too...
Re:Linksys (Score:2)
Re:Linksys (Score:2)
AFAIK the Broadcom wireless chipset used in that Linksys is closed source so you are basically stuck with kernel 2.4.
I'm thinking of Linux connecting to one of them (they have native IPSEC in hardware, and can do 50-75 tunnels depending on the model), not on replacing the hardware on the unit itself.
Re:Linksys (Score:2)
Re:Linksys (Score:2)
Not the same. I'm thinking of the ones with dedicated IPSEC hardware (BEVP41). And given that it is simple to set up, works well through NAT etc, it was well worth the price, compared to all the hours I spent trying to make Freeswan work. No moving parts etc. being good too. And it plays well with other IPSEC hardware... so all I'm wondering of now is the easiest way to get Linux to connect to it as a road warrior with FC2/3
Re:Linksys (Score:2)
I wrote the interop howto, at http://www.freeswan.ca/docs/BEFVP41/
Ken (Openswan Developer)
Re:Linksys (Score:1, Redundant)
Linksys is a division of Cisco Systems!
PPP over SSH (Score:1)
I set it up for my personal use and then when my company needed a solution we did this too.
Here is a how-to [ishiboo.com]
OpenVPN (Score:2)
I'm going to set everyone in my company up using it. We're small and everyone works either on customer sites or from home. This will allow us to more easily share resources. It works with Linux, Windows, etc.
I highly recommend it.
Re:OpenVPN (Score:1)
http://openvpn.sourceforge.net/gui.html [sourceforge.net]
Re:OpenVPN (Score:2)
We're small and everyone works either on customer sites or from home.
Before I made it Real Easy for my co-workers to VPN in from home I'd be checking to make sure their home computers had pristine reputations. I know this is kind of a touchy issue, too. "Whaddya mean suggesting my computer sleeps around!"
windows xp vpn server (Score:5, Informative)
It seems you are trying to connect to a Windows machine, and you are using Windows clients. Since we can assume it's not Server 2000/2003 (otherwise why would you be asking...) the following link shows how to set up a VPN server on Windows XP.
http://www.onecomputerguy.com/networking/xp_vpn_server.htm [onecomputerguy.com]
Might not be the coolest way...but it's simple & low cost, using the hardware/software you have already.
Re:windows xp vpn server (Score:2)
IPCop (Score:2)
The only issue will then be bandwidth, the faster the better. My main site uses cable and the remote site uses ADSL, and it's fast enough to be usable, but not as fast as a thin-client (Citrix) installation is. But we're talking trade-offs of cost for speed here, but since it's so cheap to do you can set i
Re:IPCop (Score:1)
Very easy to setup a net-to-net-connection, a little harder to set up a host-to-net-connection, when it comes to connect a so-called Road-Warrior with dynamic IP.
If you need to provide IPSEC to XP-Clients, this works as well, just a little fiddling necessary. There are several HOWTOs out there.
I use a Pentium I 133 MHz with 100MB RAM here
And you also get loads of other functionality as well. Webproxy, DNS-Proxy, IDS, QoS, NTP, DHCP,
Re:IPCop (Score:1)
A couple of options (Score:3, Informative)
PPP tunnelled over SSH is simple, quick to set up, and works without a hitch. I've used it to connect 20+ locations, and it's just as good as having a dedicated frame link between the sites.
IPSEC (using Openswan or similar) works well, but is in my experience more complicated and harder to maintain than using the PPP-over-SSH method.
Both of these are free.
Re:A couple of options (Score:2)
With modern tools like wvdial and rp-pppoe however, you never need to see the pppd command-line anymore.
PPP is a very powerful protocol and it will work for many of your situations. IPSec however does have a lot of features not implicit in SSH + PPP.
PPP over SSH (Score:2)
See http://www.faqs.org/docs/Linux-mini/ppp-ssh.html [faqs.org]
c.
Re:PPP over SSH (Score:2)
It would be nice to have an OS-independent solution.
Netgear FVS328 and FVS318 routers with VPN (Score:3, Informative)
This may be helpful to someone:
We have extensive experience with the Netgear FVS328 and FVS318 routers with VPN. We have had many many problems with them.
Note that the FVS318 does NOT have secure login for remote maintenance. The password is sent in the clear.
Netgear apparently has no technical support representatives that work for the company. They apparently all work for contractors in India and the United States. We have found them to have very, very little information about these Netgear products.
Here are a few of our extensive notes about the problems:
We establish an IKE and VPN policy, and start a VPN. It works fine the first time, but, after we disconnect we cannot connect later, even though no changes have been made to the policies.
1) There is general agreement among Netgear technical support people that there is a problem.
Netgear technical support people have standard IKE and VPN policy setups they like to use, which they say are proven to work. The most common one, however, is slow and drops a lot of pings. More sophisticated IKE and VPN settings are faster, even though better encryption is used. We have no idea why this is so.
2) Turning the router power off and restarting sometimes cures the problem with not being able to re-establish a VPN. We have seen cases where the menu choice reboot did not cure a problem, but turning the power off and on did cure it.
3) Something hidden seems to time out after several hours. Sometimes VPN connection problems fix themselves after a day or so.
4) When establishing a VPN Auto Policy, the help says:
Remote VPN Endpoint: Select the desired option (IP address or Domain Name) and enter the address of the remote VPN Gateway/Server or client you wish to connect to. Note: The remote VPN endpoint must have this VPN Gateway's address entered as its "Remote VPN Endpoint".
However, we had a case where the address of one of the routers had changed from that given in the "Remote VPN Endpoint", but the VPN was re-established. The impression is given that specifying the address increases security. Apparently this is not so. Again, something seems to be keeping information for several hours, and then timing out.
5) We have seen a case where deleting all the policies and starting over cured a persistent problem with not being able to re-establish a VPN.
6) We have seen cases which seem to indicate browser dependence. For example, there may be Javascript that works perfectly only in Microsoft Internet Explorer, but sometimes fails in other browsers.
7) We have seen cases where choosing "Log Out" does not actually log out. Netgear technical support people say they've seen this also.
It seems to help if we exit from the browser completely. However, if the browser is Firefox (or Mozilla), and there are several Firefox windows open, exiting from Firefox means exiting from all the windows and tabs, which means that work opening those windows is lost. (Firefox and Mozilla do not have multiple instances; all windows come from the same instance.)
Logging out sometimes seems to leave something in the router which gets confused, and prevents re-establishing the VPN.
Version tested -- We have not tested the FVS328 firmware beta version. This report is about the FVS328 firmware Version 1.0 Release 09.
Dealing with Netgear has been miserable. (Score:2)
The firmware is the latest. Maybe Netgear made some defective units. However, if so, units of different models made at different times and from different suppliers have the same problem.
My experience with Netgear technical support is that they are somewhat friendly, but almost useless. They haven't been given training in Netgear products, as far as I can tell. For example, second level technical support cannot interpret VPN logs. They just try things for an hour, then they say they can't do more. Eight o
LOL. (Score:2)
Funny, and definitely heavily connected with the truth.
Someday I would like to see a well-run technology business. (Besides Google, maybe.)
Re:Dealing with Netgear has been miserable. (Score:2)
Re:Netgear FVS328 and FVS318 routers with VPN (Score:2)
I've always liked NetGear switches and wireless routers. They tend to work well, and I've never had one die out of dozens in the field (that's not to say they're necessarily more reliable than other decent low-end brands, but I've seen a lot of others prove historically less reliable). But their VPN Routers are atrocious. Simply terrible. They offer a "ProSafe" IPSec VPN client package for Windows that is terribly buggy, confusing to use,
Netgear does not restrict VPNs to WAN addresses. (Score:2)
NOTE: Anyone wanting a secure VPN should pay attention to number 4 above. FVS328s ignore the WAN addresses specified during configuration, apparently, or there is some other bug.
Linux based VPN gateways (Score:4, Informative)
Depending on what you're planning to do, you can use any of the several VPN implementations out there, just to name a few:
* PoPToP [poptop.org], a PPTP server, compatible with the VPN client that Windows has always had,
* vpnd [sunsite.dk], really easy to set up, ideal gw to gw VPN solution, seems a little outdated but works great over slow links,
* OpenVPN [sourceforge.net], a highly portable, flexible and multiplatform VPN solution, which supports gw to gw and gw to host style VPNs,
* etc. There is also LinVPN, FreeS/WAN / Openswan, et al
Best regards.
Re:Linux based VPN gateways (Score:2)
SSH SOCKS (Score:2)
Re:SSH SOCKS (Score:2)
Symantec 200R (Score:1)
Setup and installation was a breeze. I had it working out of the box in about an hour, including mucking around with the client they provide. I have a Debian Samba box as
Looking for a solution (Score:2)
OpenVPN therefore does not seem to work for me, though perhaps I was reading the documentation incorrectly. It seems that it
TCP works, too. (Score:2)
Did you see this from the OpenVPN first page? "Can OpenVPN tunnel over a TCP connection? Yes, starting with version 1.5."
Re:Looking for a solution (Score:4, Informative)
Here is my config for all of the VPN gw's (/etc/openvpn/${HOST}.conf):
dev tun
remote ${REMOTEHOST}
ifconfig ${LOCAL_VPN_IP} ${REMOTE_VPN_IP}
secret
route ${REMOTE_NETWORK} ${REMOTE_NETMASK} vpn_gateway 1
ping 20
ping-restart 60
persist-key
ping-timer-rem
persist-tun
use
port 5001
verb 3
resolv-retry infinite
Of course, substitute all the variable names with your own values.
Best regards,
Re:Looking for a solution (Score:2)
OpenVPN therefore does not seem to work for me, though perhaps I was reading the documentation incorrectly. It seems that it requires both endpoints have static IP addresses. Also, am I correct in saying that it requires UDP?
I am not familiar with OpenVPN, but I am with some others. If you are behind a NAT firewall or on a dynamic IP address you may need to turn off AH to make it reliable. AH authenticates the IP address header so if it is altered or tampered with the IPSec/VPN can reject the packet.
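The static-key config posted above, and the question just before it about whether OpenVPN needs static addresses at both ends and UDP, are a good place for an added worked example (mine, not the poster's or the OpenVPN project's code). The script below writes out the two /etc/openvpn/*.conf texts for a point-to-point static-key tunnel like the one posted, and cross-checks the pair the way you would before deploying it: only the dialing side needs `remote`, the fixed-address side listens and with `float` accepts the peer even when its source address changes, and `proto` selects UDP or TCP (tcp-server/tcp-client). Host names, VPN and LAN addresses, the port and the key path are constructed values; the option names are standard OpenVPN 2.x options.

```python
"""Generate and cross-check an OpenVPN 2.x static-key point-to-point pair.

Added example, not the poster's configuration.  Only the dialing end needs
`remote`; the end with the fixed address listens and, with `float`, accepts
the peer even when the peer's source address changes.  `proto` picks UDP
(the default) or TCP.  All hosts, addresses and paths are constructed.
"""


def peer_config(listener, remote_host, local_vpn_ip, remote_vpn_ip,
                remote_net, remote_mask, secret_path="/etc/openvpn/static.key",
                port=5001, transport="udp", ping=20, ping_restart=60):
    """Return the config text for one end. listener=True: fixed-address end."""
    if transport == "udp":
        proto = "udp"
    elif transport == "tcp":
        proto = "tcp-server" if listener else "tcp-client"
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")
    lines = ["dev tun", "proto %s" % proto, "port %d" % port]
    if listener:
        lines.append("float")               # peer may arrive from any address/port
    else:
        lines += ["remote %s %d" % (remote_host, port),
                  "nobind",                  # no fixed local port needed when dialing
                  "resolv-retry infinite"]   # keep retrying if DNS is down at boot
    lines += [
        "ifconfig %s %s" % (local_vpn_ip, remote_vpn_ip),
        "secret %s" % secret_path,           # same key file on both ends
        "route %s %s vpn_gateway 1" % (remote_net, remote_mask),
        "ping %d" % ping,
        "ping-restart %d" % ping_restart,
        "ping-timer-rem",
        "persist-key",
        "persist-tun",
        "user nobody",                       # drop root after the tun device is up
        "verb 3",
    ]
    return "\n".join(lines) + "\n"


def parse_config(text):
    """Map option name -> list of argument strings (comments stripped)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts.setdefault(key, []).append(val.strip())
    return opts


def check_config(text):
    """Single-file problems worth flagging before deploying one end."""
    o = parse_config(text)
    problems = []
    if not o.get("secret", [""])[0]:
        problems.append("secret: no key file path given")
    if "ifconfig" not in o:
        problems.append("ifconfig: tunnel endpoint addresses missing")
    if "ping" in o and "ping-restart" in o and \
            int(o["ping-restart"][0]) <= int(o["ping"][0]):
        problems.append("ping-restart must be larger than ping")
    if "remote" not in o and "float" not in o:
        problems.append("listening end without float: a peer whose address "
                        "changes will be rejected")
    return problems


def check_pair(a_text, b_text):
    """Cross-checks between the two ends: port, mirrored ifconfig, proto, key."""
    a, b = parse_config(a_text), parse_config(b_text)
    problems = []
    if a.get("port") != b.get("port"):
        problems.append("port differs between the two ends")
    if "ifconfig" in a and "ifconfig" in b:
        al, ar = a["ifconfig"][0].split()
        bl, br = b["ifconfig"][0].split()
        if (al, ar) != (br, bl):
            problems.append("ifconfig addresses are not mirrored")
    protos = {a.get("proto", ["udp"])[0], b.get("proto", ["udp"])[0]}
    if protos not in ({"udp"}, {"tcp-server", "tcp-client"}):
        problems.append("proto mismatch: %s" % sorted(protos))
    if a.get("secret") != b.get("secret"):
        problems.append("secret paths differ (fine only if both hold the same key)")
    return problems


if __name__ == "__main__":
    office = peer_config(True, None, "10.8.0.1", "10.8.0.2",
                         "192.168.2.0", "255.255.255.0")
    home = peer_config(False, "office.example.net", "10.8.0.2", "10.8.0.1",
                       "192.168.1.0", "255.255.255.0")
    print(office)
    print(home)
    print(check_config(office), check_config(home), check_pair(office, home))
```

Run as-is it prints both sides and three empty problem lists; feed it the bare `secret` line from the posted config and `check_config` reports the missing key path, which is the sort of thing that otherwise only shows up as an unhelpful failure at start-up.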
Other hardware or SSH experiences? (Score:2)
OpenVPN seems to be the winner of the comments so far. However, I'd like to see other hardware VPN solutions, too.
From the Slashdot question: "Are there any other options I should be looking at other than using SSH port forwarding?"
It would be interesting to know more about experiences with SSH, too.
Re:Other hardware or SSH experiences? (Score:2)
You want your VPN to run on a spindle-free low-failure appliance? Run OpenVPN on a Linksys WRT54G ($57.00, inclusive of shipping in the U.S.)
OpenVPN for the WRT54G? (Score:2)
Is there a version of OpenVPN that runs on the WRT54G? If there is, that sounds like an excellent option.
Re:OpenVPN for the WRT54G? (Score:1)
First thing to do is run OpenWrt on the box and then add the openvpn package.
Problem sorted.
Any advice about adding OpenVPN to the WRT54G? (Score:2)
Amazing! Thanks. Any advice about how to install OpenVPN on the WRT54G? Which package [openwrt.org] would you recommend? Do the OpenWrt packages have an administration console? I don't see any mention of that. It looks complicated, since I read that there is no Wi-Fi Protected Access (WPA) [openwrt.org] until installed.
Also, I note that OpenVPN will NOT work [sourceforge.net] on Windows XP SP2 unless the pre-release version 2.0 is used. I suppose you don't care if you are using a WRT54G at both ends of the VPN. I'm not knowledgeable about this, but I
SnapGear (CyberGuard) (Score:2)
There's one on eBay at the moment for $138 (sorry, I already bought his other ones to augment what I already had installed).
Moderate Parent UP. (Score:1)
Moderators: Please moderate this up. In this situation, a little redundancy is not a bad thing. In this discussion, we are trying to build a consensus.
Re:OpenVPN (Score:1)
great open source program
m0n0wall? (Score:3, Informative)
CIPE (Score:2)
CyberGuard SG530 (Score:2, Interesting)
I use the CyberGuard SG530 [cyberguard.info] for my personal VPN needs. It's a box about the size of your average 8-port switch, it runs a version of embedded Linux and comes by default with PoPToP for PPTP v2 and FreeSwan for IPSEC. It has a web based config and is fairly painless to set up.
I was searching specifically for a PPTP device simply because it is so easy to configure and use, especially for Windows-based clients.
If you have a spare computer you wanted to use for this, you may want to look at IPCop, but at about U
Re:CyberGuard SG530 (Score:1)
They aren't cheap but if you're only buying one for remote access, they won't break the bank either.
Note: If you get one, update the firmware. It is usually out of date compared to what is on the website.
Take a look at SSL-Explorer (Score:1)
SSL Explorer provides an entry-level SSL VPN to individuals and small businesses. This practicable remote access solution includes SSL tunneling, web site proxying, Microsoft Windows file sharing and Java application deployment through a standard browser.
http://3sp.com/
http://sourceforge.net/projects/sslexplorer/
SSL Explorer is worth a look. (Score:2)
Looks to me as though SSL Explorer is worth a look. It's impressive.
Cisco VPN Solution (Score:1)
Get a pix 501 10 user bundle from CDW for $399-
http://www.cdw.com/shop/products/default.a
Download the VPN client from Cisco (free), configure the box and you are ready to VPN.
Re:Cisco VPN Solution (Score:1)
OpenVPN (Score:2)
That is REALLY effective in utilizing multiple connections to the same locations for redundancy, with varying weights, for example if you use something like Quagga for BGP routing management.
Works fabulously and the config is trivial.
-Hack
PopTop worked for us (Score:2)
The biggest downside I'm aware of is that the MS-CHAPv2 protocol doesn't use the world's best encryption. Research MS-CHAP, see if it's secure enough for your needs; if so, I think PopTop would be a fine solution.
The next thing that comes to mind is something like FreeSWAN/OpenSWAN, whic
Re:PopTop worked for us (Score:2)
Use these (Score:1)
webdav/https (Score:1)
OpenVPN (Score:4, Informative)
As a side note, I used to use SSH tunnels. That worked very well for me too, but it required a good deal of setup and mapping ports on the remote end to ports on the local end. It's great as far as cross-platform goes, and if you don't have things changing much on your network, it really works well, but it won't handle UDP traffic. Not to mention, when I used it with VNC, I had to map remote ports to local ports that were unused. So if I connected to 'mymachine:1' at home, I would connect to '127.0.0.1:21' at work since I couldn't stomp over
I'll also mention that I'm using OpenVPN in "routing" mode. I throw all traffic destined for my home network to the tun1 interface that OpenVPN brings up on my local machine. You can also use OpenVPN in bridged mode which is a bit more of a headache to set up since you need to know how to break your network up into ranges for each location. Basically subnetting. But the advantage of bridged mode is that broadcasts will be carried over the tunnel. OpenVPN is about the closest you get in a free project to having a virtual ethernet cable going from one end of the connection to the other. In the end, I think this is what you want. Hope this helps.
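The "map remote ports to local ports that were unused" chore this poster describes, and the SSH port-forwarding approach the original question asks about, can be scripted. The helper below is an added example (mine, not from the question, the poster or any project): for each remote service it picks a local port, keeping the same number when nothing local is listening on it and otherwise taking the first free port from a search range, then emits one ssh command carrying all the forwards. As the post says, `-L` forwards TCP only; anything UDP needs a real VPN. The gateway name, service list and port range are constructed.

```python
"""Plan local SSH port forwards without colliding with ports already in use.

Added example, not from the thread.  `port_is_free` probes by trying to
bind; `plan_forwards` accepts any probe function so the planning logic can
be tested without touching real sockets.  Gateway and services are constructed.
"""
import socket


def port_is_free(port, host="127.0.0.1"):
    """True if nothing is bound to host:port on this machine."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def plan_forwards(services, is_free=port_is_free, search=range(10000, 11000)):
    """For each remote service choose a local port: the same number if it is
    free, otherwise the first unused port from `search`.
    Returns a list of (name, local_port, remote_port)."""
    plan, taken = [], set()
    for name, rport in services.items():
        lport = rport if rport not in taken and is_free(rport) else None
        if lport is None:
            for cand in search:
                if cand not in taken and is_free(cand):
                    lport = cand
                    break
        if lport is None:
            raise RuntimeError("no free local port for %s" % name)
        taken.add(lport)
        plan.append((name, lport, rport))
    return plan


def ssh_command(gateway, plan, target="127.0.0.1"):
    """argv for one ssh session carrying every forward.  `target` is the host
    the forwards point at as seen from the gateway (default: the gateway
    itself).  -N: no remote shell; ExitOnForwardFailure: fail loudly instead
    of silently coming up without a forward."""
    argv = ["ssh", "-N", "-o", "ExitOnForwardFailure=yes"]
    for _, lport, rport in plan:
        argv += ["-L", "127.0.0.1:%d:%s:%d" % (lport, target, rport)]
    argv.append(gateway)
    return argv


if __name__ == "__main__":
    services = {"vnc-display-1": 5901, "smb": 445}   # constructed service list
    plan = plan_forwards(services)
    for name, lport, rport in plan:
        print("%-14s localhost:%d -> gateway:%d" % (name, lport, rport))
    print(" ".join(ssh_command("user@gateway.example", plan)))
```

Binding to the loopback address only (`127.0.0.1:port:...`) keeps the forwarded service from being reachable by anyone else on the local network, which is the detail most often missed when people hand-type `-L` arguments.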
Zebedee - a simple, free, secure tunnel program (Score:1)
- gives access to all the internal servers (Samba, Mail, WWW)
- has strong encryption
- has public key authentication
- is invisible (NO default ports)
- Linux and Windows versions.
Just works.
http://www.winton.org.uk/zebedee/ [winton.org.uk]
I'm using it in a few projects with NO problems at all.
VPN - All sorts of ways (Score:2)
"I'm looking for a low cost solution for allowing myself and a few others the ability to share a server at one of our locations. One thought was using SSH tunnels to establish secure connections,
OpenBSD, FreeBSD, Solaris (Intel) and most Linux distros offer IPSec VPN as part of the OS. Most run well on older hardware and can be a router, gateway, NAT, IP tunneling as well as a mail relay, IMAP server and of course come with respected firewalls. You can also run IDS software such as Snort, ArpWatch and c