DaemonForums  

Setup Remote Access VPN

Post #1 by plexter, 29th June 2009

Hi all,

I'm looking to switch my VPN access from Cisco over to my OpenBSD FW. I've done a bit of looking around and I believe OpenVPN is the software I should be using? However I don't seem to be finding any info on setting it up for my purposes, remote access from a workstation. I only see creating tunnels "site-to-site" configurations.

So would anyone here have any info? Is OpenVPN even the right application?

Your help is appreciated.
Thanks!

Post #2 by J65nko, 29th June 2009

You mean something as explained in http://www.securityfocus.com/infocus/1859 ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Post #3 by jggimi, 29th June 2009

That's a static site-to-site "how to". It doesn't describe road warrior use, using the newer, easier-to-configure ipsec.conf and ipsecctl(8).

For site-to-site VPN, as shown in that how to -- the admin sets up two gateways with static addresses. For "road warrior" VPN setup, the admin configures "any" rather than static IP addresses, and typically uses ike passive mode for the VPN gateway.

(I'm using IPSec, but only for WiFi on a local LAN with static addresses.)

Post #4 by plexter, 1st July 2009

Thanks for the replies.

Okay so let me get this straight.

1. OpenVPN is not used?
2. Setting up VPN access is essentially the same between site-to-site and remote access except with remote access you use "any" as the peer?
3. Road warrior?
4. I'm not sure I see how to set encryption algorithms, or more so force one.

Hope you can help. Thanks again for both your help.

Post #5 by jggimi, 1st July 2009

Quote:
Originally Posted by plexter View Post
1. OpenVPN is not used?
Correct. You have a Cisco device, which uses IPSec. OpenVPN is a different VPN technology (SSL/TLS over UDP or TCP), and requires OpenVPN clients and servers at all VPN nodes.
Quote:
2. Setting up VPN access is essentially the same between site-to-site and remote access except with remote access you use "any" as the peer?
The peer is the end node of a tunnel. I don't know if "peer any" is appropriate, or if "peer default" should be used. I would set up and test your expected environment carefully. It is easy for an admin to misconfigure SAs such that they think they are encrypting traffic, without actually doing so. The tcpdump tool is invaluable for confirming if packets are flowing properly via ESP protocol between tunnel endpoints.
Quote:
3. Road warrior?
road warrior

Slang. a person who travels extensively on business.

Origin:
suggested by the film Mad Max: The Road Warrior (1981)
Quote:
4. I'm not sure I see how to set encryption algorithms, or more so force one.
If your two endpoints are OpenBSD, you can leave the defaults, they'll just work (TM). But, with Cisco or other OSes as IPSec nodes, you might need to adjust accordingly. One of the platforms used here with IPSec is my wife's Windows XP WiFi connection. For that connection, I've set both end points of the tunnel to use SHA1 for authentication and 3DES for encryption, as that's the best available for WXP with either what's available from Microsoft built-in (Policy Management snap-in) or available for install from them (ipseccmd.exe), or the IPSec client I'm using on WXP (DrayTek's Smart VPN).

Here's an excerpt from my ipsec.conf file, sort of. The IP address used is a static address for her PC. There is a second ike command for traffic in the opposite direction. On that command, the direction is from the same address to any, with the router's IP address as the peer (tunnel end node), and otherwise the same ike command options.
Code:
ike from any to 192.168.x.y peer 192.168.x.y \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des psk "pre-shared-keyword"

Last edited by jggimi; 1st July 2009 at 03:53 AM.
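
The tcpdump check recommended in post #5, as an added example that is not part of any poster's message: it tallies ESP, IKE and cleartext packets for one VPN client from `tcpdump -n` text output. The function names, the documentation-range addresses and the sample lines are constructed, and the line layout (`esp SRC > DST spi ...`) is assumed to match what OpenBSD's tcpdump prints.

```shell
#!/bin/sh
# Added example: tally ESP, IKE and cleartext packets for one VPN client.
# Usage: tcpdump -n -r capture.pcap | classify_vpn_traffic GATEWAY_IP CLIENT_IP
# Prints "esp=N ike=N clear=N"; returns 1 when any cleartext packet was seen.
classify_vpn_traffic() {
    awk -v gw="$1" -v cl="$2" '
    # Port part of token t if t is address a with a ".port" suffix,
    # "-" if t is exactly a, "" if t is some other address.
    function port_of(t, a) {
        if (t == a) return "-"
        if (index(t, a ".") == 1) return substr(t, length(a) + 2)
        return ""
    }
    function is_ike(p) { return p == "500" || p == "4500" }
    {
        # Locate "SRC > DST" wherever it sits on the line.
        gt = 0
        for (i = 2; i < NF; i++) if ($i == ">") { gt = i; break }
        if (!gt) next
        src = $(gt - 1); dst = $(gt + 1); sub(/:$/, "", dst)

        cs = port_of(src, cl); cd = port_of(dst, cl)
        if (cs == "" && cd == "") next          # client not involved
        # The other end of the packet, checked against the gateway address.
        peer = (cs != "") ? port_of(dst, gw) : port_of(src, gw)
        mine = (cs != "") ? cs : cd

        # OpenBSD prints "esp SRC > DST"; tcpdump.org prints "SRC > DST: ESP(".
        if ($(gt - 2) == "esp" || $(gt + 2) ~ /^ESP\(/) esp++
        else if (peer != "" && (is_ike(peer) || is_ike(mine))) ike++
        else { clear++; print "cleartext: " $0 > "/dev/stderr" }
    }
    END {
        printf "esp=%d ike=%d clear=%d\n", esp, ike, clear
        exit (clear > 0)
    }'
}

# Constructed sample capture (assumed OpenBSD tcpdump -n layout, made-up hosts).
# 192.0.2.1 is the gateway, 192.0.2.10 the client. Try it with:
#   sample_capture | classify_vpn_traffic 192.0.2.1 192.0.2.10
sample_capture() {
    cat <<'EOF'
12:00:00.100000 192.0.2.10.500 > 192.0.2.1.500: isakmp v1.0 exchange ID_PROT
12:00:00.200000 192.0.2.1.500 > 192.0.2.10.500: isakmp v1.0 exchange ID_PROT
12:00:01.000000 esp 192.0.2.10 > 192.0.2.1 spi 0x1a2b3c4d seq 1 len 116
12:00:01.050000 esp 192.0.2.1 > 192.0.2.10 spi 0x5e6f7a8b seq 1 len 116
12:00:02.000000 192.0.2.10.49152 > 198.51.100.7.80: S 1:1(0) win 16384
12:00:03.000000 192.0.2.20.22 > 192.0.2.1.40000: P 1:49(48) ack 1 win 17376
EOF
}
```

A non-zero `clear` count means some flow involving the client is not covered by the configured SAs; the offending lines are echoed to stderr.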

Post #6 by s2scott, 1st July 2009

Quote:
Originally Posted by jggimi View Post
Correct. You have a Cisco device ...
Quote:
Originally Posted by plexter;
I'm looking to switch my VPN access from Cisco over to my OpenBSD FW...
If I'm understanding the OP's direction -- away from Cisco to openBSD+pf -- then the answer set is quite different.

Yes, OpenVPN is a very nice option, especially in mixed O/S environments (for example, road-warrior=Windows, and gateway=openBSD). In a mixed O/S topology, OpenVPN is *arguably* the easiest of all options to get working, once you've sourced the binary installs for each side -- client and gateway.

If you want to stay in the IPSec realm, I've had road-warrior success with Shrew Soft's http://www.shrew.net/ (freeware, donations accepted), where the road-warriors O/S are Windows- or Linux- or certain xBSD-based, in IPSec session with openBSD as the firewall/gateway.

If you're using openBSD *both* as the client road-warrior O/S and as the gateway O/S, then you can (and should) keep it native openBSD IPSec (i.e. no openVPN, no shrew.net).

In an openBSD-openBSD (or linux-openBSD) topology, ssh tunneling (ssh -w) is an interesting, easily achieved VPN as well.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 1st July 2009 at 11:41 AM.

Post #7 by jggimi, 1st July 2009

Quote:
If I'm understanding the OP's direction -- away from Cisco to openBSD+pf -- then the answer set is quite different.
Thanks for clarifying, Scott.

Post #8 by plexter, 1st July 2009

Hi s2scott/jggimi,

Thanks for clarifying for me. I was about to reply regarding that as well. :P

Essentially my environment (regarding VPN access) will consist primarily of Windows machines running the client connecting to my OpenBSD box.

That said I believe I'm still where I started. Not sure where to begin with setting up remote access.

I've already installed OpenVPN (OpenBSD 4.5 Package), however I'm not opposed to using IPSec either. I'm more concerned with "ease-of-use" when connecting to the VPN. The Shrew client looks nice and easy to use. Does OpenVPN have a similar Windows client? Does OpenVPN support 64bit Windows?

Anyway your help/advice is appreciated. Thanks!

Post #9 by jggimi, 1st July 2009

Quote:
I'm more concerned with "ease-of-use" when connecting to the VPN
The Microsoft IPSec implementation is considered difficult to configure and use. There are many commercial 3rd party IPSec client implementations, and a couple of free ones.

Having used both OpenVPN and IPSec, I can say I prefer the simple "Smart VPN" IPSec client to the OpenVPN Windows client, from ease-of-use alone. I haven't tried Shrew, but if it's just as easy, then IPSec can be easier than OpenVPN on the client.

From an overall administrative perspective, the configuration effort for both types of VPNs is probably similar.

OpenVPN can create virtual subnets for remote users who are connecting in to the local private network, this may or may not be useful.

IPSec is more efficient than OpenVPN on the network.

Both work.

The OpenVPN.org website's blurb for the Windows release candidate 2.1 says it runs on Windows x86 or x64.

Post by s2scott, 1st July 2009

Quote:
Originally Posted by plexter View Post
Does OpenVPN have a similar [gui] Windows client?
No, and yes. "No," in that OpenVPN is configured by text files. "Yes," in that once the needed text files are in place there is a USER GUI to point-and-shoot OpenVPN's operation. Stated differently -- no Admin GUI, just a USER GUI.

Quote:
Originally Posted by plexter View Post
Does OpenVPN support 64bit Windows?
Yes. It claims full native Vista-64 support. Not personally used in this mode (yet).

/S

Post by s2scott, 1st July 2009

Quote:
Originally Posted by jggimi View Post
...OpenVPN can create virtual subnets for remote users who are connecting in to the local private network, this may or may not be useful.
Matters like this are going to be what your decision pivots on, not the ADMIN GUI experience.

If you need split-horizon topologies, DNS flexibility, the means to punch out of fire walled location, or any one of another half-dozen "requirements," then you're going to find OpenVPN more flexible and easier to be successful with. Once the text files are mastered and correct, they are set so I don't recommend making the choice about something that -- once working -- you won't be playing with any more.

Is your VPN topology one-to-one or many-to-one? If many, how many?

Many-to-one dictates an OpenVPN setup in its TLS "Server" mode. This mode requires X.509 certificates (self-signed (free) or otherwise). A lot of admins are Cert Authority phobic. And if you have a lot of clients, then OpenVPN's admin burden tilts to the CA operations and management, not the VPN. (There *is* a way to make one client-side cert set and then *cheat* by giving ALL your users the same cert set; however, this is NOT recommended.)

OpenVPN -- the Company -- has recently created the "OpenVPN Access Server." It has a web-admin. It is a commercial product/open source hybrid form of the open source OpenVPN we've all known. I have not tried it (yet), but it may make the CA work easier. I can't say, except to say it's a *linux* based distro.

/S

Post by s2scott, 1st July 2009

Quote:
Originally Posted by jggimi View Post
IPSec is more efficient than OpenVPN on the network.
Actually, I found that when you correctly tune the max MSS/MTU sizes and a couple of other tweakable params, OpenVPN outperformed its alternatives.

That said ... I've blown my brains out with IPSec in mixed O/S topologies. Hence, once it was working, I didn't have and couldn't spend a lot of time tweaking and tuning. Also, shrew.net has evolved over time; therefore, while my experience is true at that point in time, it may not be true today and by another's (i.e. IPSec guru's) hand.

Architecturally speaking, OpenVPN's potential performance ceiling is that it is a userland app (thunking through pseudo TUN/TAP devices) vs. IPSec being an in-kernel thing. While being a critique factor, I haven't found it to be a critical factor.

/S

Post by jggimi, 2nd July 2009

There are advantages to OpenVPN: the main one being that since it's using a "standard" UDP payload, it can snake data into places where IPSec may not be able to easily go. IPSec may have trouble with NAT transitions, or have trouble with firewalls outside of the VPN admin's control that block ESP/AH protocols.

Performance of OpenVPN might become an issue for high workload or high collision/retransmission networks. My use was a light load (1-2 simultaneous workstation users) and on end-to-end wired networks, so I didn't have performance issues. My biggest problem with OpenVPN was dealing with remote user support issues (configuration/operation).

Post by plexter, 2nd July 2009

Hi all,

Thanks for your replies, -lots- to think about!

I think based on what you've said I'll stick with OpenVPN, primarily based on the below.

Quote:
If you need split-horizon topologies, DNS flexibility, the means to punch out of fire walled location, or any one of another half-dozen "requirements," then you're going to find OpenVPN more flexible and easier to be successful with. Once the text files are mastered and correct, they are set so I don't recommend making the choice about something that -- once working -- you won't be playing with any more.
I'm pretty sure as it stands now that I'll be requiring "flexibility" / split-horizon.

Quote:
There are advantages to OpenVPN: the main one being that since it's using a "standard" UDP payload, it can snake data into places where IPSec may not be able to easily go. IPSec may have trouble with NAT transitions, or have trouble with firewalls outside of the VPN admin's control that block ESP/AH protocols.
Uncontrolled firewalls may be an issue should I be in a "public place" for example.

As for performance I'm not sure that is really an issue. My VPN will mostly be for maintenance use or probably at most with a few users on at a time.

Sooo... with that said. Would there be a similar "walk-through" as the "Zero to IPSec in 4 minutes" but for OpenBSD/OpenVPN? Or would you be able to assist with which "configuration files" to modify? I've already looked at them (briefly) but really have no clue what each are for. I'm not sure I will need certificates and probably just use PSK for now, at least get it working first anyhow.

Thanks for your help!

Post by plexter, 2nd July 2009

Wow okay I just found this

http://openvpn.net/index.php/open-so...to.html#config

Not sure how I missed this before... However I'm not seeing PSK and only certificate use. Is OpenVPN only capable of using certificates?

Thanks!

Post by jggimi, 2nd July 2009

Firewalls in "public" places, such as WiFi hotspots, will not block ESP/AH packets, because otherwise their customers would not be able to connect to their corporate VPNs.

Where IPSec may have FW trouble is when you are behind someone else's corporate firewall -- as a visitor, for example. Their network, their rules.

NAT transition may be a problem, depending on the NAT router/gateway and its limitations (e.g.: SOHO router with a maximum of one IPSec tunnel at a time), or on limitations for NAT transition due to the specific VPN configuration.

As for OpenVPN and certificates: it's been so long since I've dealt with OpenVPN, I no longer recall if certs were mandatory. Consider that you're using SSL or TLS, where authentication by cert is baked right in. Certs are relatively easy to create. If you Google for "OpenVPN OpenBSD" you'll find several how-to's -- I haven't read them, so there's no guarantee, of course, that any of them are up to date, accurate, or useful.

Post by s2scott, 3rd July 2009

Quote:
Originally Posted by plexter View Post
Is OpenVPN only capable of using certificates
The many-to-one VPN server mode is TLS-and-Cert based. OpenVPN has other, non-Cert, modes.

How many clients are you looking to support concurrently and in total?

/S

Post by s2scott, 3rd July 2009

Quote:
Originally Posted by plexter View Post
As for performance I'm not sure that is really an issue.
A P-III 1GHz host can easily drive the TUN/TAP driver at equiv. 10Mbps, while doing all the other pf and gateway work.

If your broadband connection is, say, 5Mbps down/640Kbps up-link, then realize that 640Kbps folds into 10Mbps quite a few times.

/S

Post by s2scott, 3rd July 2009

Quote:
Originally Posted by plexter View Post
Wow okay I just found this...
Ahem ...

http://www.daemonforums.org/showthre...hlight=openvpn

It's a bit dated as OpenVPN now has nicer split topology config verbs, but nevertheless got/gets the job done.

/S

Post by plexter, 6th July 2009

Thanks for the replies.

I have not yet had a chance to go ahead and set things up yet but I did want to verify. Regarding the interface the VPN uses.

I notice "tun0" is used. However I also plan on having PPPOE. With that said I should have two tun interfaces created correct?

Thanks for all your help!