DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 30th August 2009
mikesg's Avatar
mikesg mikesg is offline
I can has a title?
 
Join Date: Aug 2009
Posts: 28
Default VPN setup suggestions needed

I am working for a small non-profit that is moving from one facility to three. They will be located within a block of each other and will all use the same ISP with 40Mb/10Mb FiOS connections each and static IP's. I currently have an OpenBSD 4.3 gateway/firewall in place (lets call this home) and plan on using two WRT54GL routers running the DD-WRT VPN firmware at the remote sites. The thought was that I could run OpenVPN in bridged mode (tap) connecting the two very inexpensive Linksys routers to the existing firewall. This would create a simple extension of the home network to the remote locations, if my understanding is correct.

I have the two routers flashed with DD-WRT and OpenVPN 2.1 RC19 (from source) installed on the firewall. This is a small office running XP and Vista on a Windows 2008 AD domain totaling less than 20 computers with one remote site having two computers and the other five or so. I'm in need of some OpenVPN/OpenBSD help here, but before I lose hours of my life going in the wrong direction I would like to ask if this seems like the best approach?
Reply With Quote
  #2   (View Single Post)  
Old 30th August 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

If it were me, I'd just use OpenBSD with IPSec at all three locations, instead of SOHO routers at the remote sites. I say that primarily because I've used both OpenVPN and IPSec with OpenBSD, and the latter is much, much easier to configure and use.

OpenVPN has its advantages, but I don't see any in this particular situation unless DD-WRT is required.
Reply With Quote
  #3   (View Single Post)  
Old 31st August 2009
mikesg's Avatar
mikesg mikesg is offline
I can has a title?
 
Join Date: Aug 2009
Posts: 28
Default

Quote:
Originally Posted by jggimi View Post
If it were me, I'd just use OpenBSD with IPSec at all three locations, instead of SOHO routers at the remote sites.
This isn't totally out of the question, except the routers are pre-existing (but available for re-provisioning) and I don't have any spare computers to run OpenBSD. I could get some used, but it will still cost probably $300 or more in hardware after purchasing the 2nd NIC's and new hard drives. I was just trying to save money.
Reply With Quote
  #4   (View Single Post)  
Old 31st August 2009
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default

Quote:
Originally Posted by mikesg View Post
...The thought was that I could run OpenVPN in bridged mode (tap) connecting the two very inexpensive Linksys routers to the existing firewall.
First, let me say that I am a fan of DD-WRT and OpenVPN. That said, the "very inexpensive Linksys routers" may not drive the 40Mb/10Mb FiOS links anywhere near saturation.

The Linksys' switch ports (switch port to switch port) will, but then you're not routing or VPN'ing. The WAN port may not, especially with openVPN encrypt/decrypt running.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Reply With Quote
  #5   (View Single Post)  
Old 31st August 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

A citation in support of s2scott's comment:

From Performance Analysis of OpenVPN on a Consumer Grade Router, http://www.cse.wustl.edu/~jain/cse567-08/ftp/ovpn.pdf:
Quote:
"The performance of OpenVPN depends on the router hardware, and the configuration parameters. The throughput was found to be limited by the router CPU, and is not sufficient for fast connections such as 10/100 Mbps LANs."
Reply With Quote
  #6   (View Single Post)  
Old 1st September 2009
mikesg's Avatar
mikesg mikesg is offline
I can has a title?
 
Join Date: Aug 2009
Posts: 28
Default

If I interpreted correctly, it seems my desired configuration above would be summarized by this statement from the study:
Quote:
For a configuration using the TAP interface with bridging, UDP transport protocol, AES256 cipher, and no compression, the throughput was 3.64 Mbps
Less than 4Mbps doesn't leave me feeling well. I will look into the IPSec method and possibly the ssh -w method I saw mentioned in another thread. Thanks both of you for the links and input.
Reply With Quote
  #7   (View Single Post)  
Old 1st September 2009
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default

Just FYI regarding cipher and key sizes.

The computational work units needed to crack the AES block cipher strength at 128 is the same computational work units needed to crack a DH key at 3072 bits.

DH 1024 is no longer sufficient. DH 2048 is becoming insufficient.

AES128 is MORE then sufficient for a real-time stream, especially if you cipher block chain as openVPN does by default, and is out of reach for a fair while still given today's available processing power, including grid computing and Moore's Law factored in. DH3072 is out of reach for quite a while.

I love Admin's who use a weak 512 or 1024 DH key to secure an overly-strong AES256 cipher key.

Recommend you dial down the AES and dial up the periodic-event DH strengths. It'll help with your throughput.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 1st September 2009 at 04:11 AM.
Reply With Quote
  #8   (View Single Post)  
Old 1st September 2009
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default

Oh, if the AES128 cipher operations uses a pre-shared key instead of a DH key exchange, then a pre-shared key of 63 characters of an "alphabet" of [0-9][a-z][A-Z][the other printable chars] is way out of reach.

Twelve (12) or fewer characters is vulnerable. Sixteen is considered "safe" minimum at today's processing power.

BTW, this is true for all the WPA and WPA2 wireless access points out there.

So amp-up the "password"/"key" lengths.

https://www.grc.com/passwords.htm is my favorite random key generator site. Notice it's SSL only access.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Reply With Quote
  #9   (View Single Post)  
Old 4th September 2009
mikesg's Avatar
mikesg mikesg is offline
I can has a title?
 
Join Date: Aug 2009
Posts: 28
Default

Is there a good modern FAQ/HowTo for IPSec VPN's on OpenBSD? I've been reading this, but it's old, and many I have found are far older.

securityfocus.com/infocus/1859
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Need suggestions on what to name this project TerryP Off-Topic 10 6th November 2010 03:13 PM
looking for external drive buy suggestions gosha General Hardware 20 5th September 2009 05:32 AM
Suggestions for Web Traffic Logging? Bruco FreeBSD Ports and Packages 16 18th September 2008 10:54 PM
Mini-ITX motherboard suggestions twisted_steel General Hardware 28 18th August 2008 09:32 PM
Software suggestions rex FreeBSD General 10 17th May 2008 12:00 AM


All times are GMT. The time now is 11:03 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick