
Low Cost VPN Solutions?

Cliff posted more than 9 years ago | from the your-net-over-the-internet dept.


whschwartz asks: "I'm looking for a low cost solution for allowing myself and a few others the ability to share a server at one of our locations. One thought was using SSH tunnels to establish secure connections, forwarding any ports needed by our apps. We'd want to be able to map network drives, control the server with something like PC Anywhere or VNC with the possibility of running apps that have remote data on the server. I use the Cisco VPN solution for work, but that's not in our price range and is probably overkill. Are there any other options I should be looking at other than using SSH port forwarding?"


If Linux is ok.. (3, Informative)

ADRA (37398) | more than 9 years ago | (#11246521)

You could use vtun (http://vtun.sourceforge.net/) to get the job done.

It has VPN functionality, although I don't think it has Windows support, if that's a requirement.

Re:If Linux is ok.. (2, Informative)

nocomment (239368) | more than 9 years ago | (#11246665)

If Linux is ok and you have some spare boxes sitting around, then go download the Mandrake Multi-Network Firewall. I toyed around with it a couple of years ago and got it working. I use OpenBSD now, but the MNF was really easy to configure. It also has packet sniffers to detect hack attempts built in (portsentry AND snort IIRC).

Re:If Linux is ok.. (1)

GMC-jimmy (243376) | more than 9 years ago | (#11271358)

I use OpenVPN [sourceforge.net] because it works on damn near anything. It allows for network tunneling, which covers any port or protocol you could need. From Linux to Windows or Windows to Windows or Linux to Linux. Windows File Sharing works without a hitch. As do games and VNC. I only had to open one port on the firewall to allow the VPN software to talk to each other. The only thing I'm limited by is my internet bandwidth.

Re:If Linux is ok.. (1)

lachlan76 (770870) | more than 9 years ago | (#11250786)

Well since he was talking about using VNC for admin stuff, and mapping network drives, I'd assume Windows support is required.

Re:If Linux is ok.. (1)

kwerle (39371) | more than 9 years ago | (#11255183)

Certainly worth noting that vtun works on OSX, *bsd, and there is always a vtun port to windows in the wings, but it never seems to arrive.

How the... (1)

manifest37 (632701) | more than 9 years ago | (#11246541)

How are we supposed to answer the question when you don't even tell us the host operating system and the client systems?

Is it linux, windows or a bsd? Ah screw it, too many options to even think about posting a usable response.

Re:How the... (1, Flamebait)

svanstrom (734343) | more than 9 years ago | (#11246846)

If he knew what OS he's using he would have been smart enough to google for the answer... then again, maybe people prefer to spend maybe days getting lots of different (working and not working) answers from Slashdotters, instead of getting something that works in about 5 minutes from Google??!

OpenVPN (5, Informative)

LiENUS (207736) | more than 9 years ago | (#11246548)

There's always http://openvpn.sourceforge.net/ [sourceforge.net], which has clients and servers for Windows, or you could always tunnel pppd over ssh; see http://www.tldp.org/HOWTO/VPN-HOWTO/ [tldp.org] for details.

Re:OpenVPN (3, Interesting)

the_maddman (801403) | more than 9 years ago | (#11246607)

I second OpenVPN. Way easier to set up than FreeSWAN, and less overhead. You do have to set up the server per machine that wants to connect, but it works on my Linux and Windows boxes.

There are problems with tunneling PPP over SSH, since that's packing a TCP stream inside another TCP stream and can screw up the packet counters, and seriously, OpenVPN is easier to set up.

Re:OpenVPN (1)

Sexy Bern (596779) | more than 9 years ago | (#11246843)

OpenVPN all the way. I have very non-IT-literate clients and they are amazed that they never see the "dial-up" any more (MS's PPTP client). OpenVPN is virtually transparent to the user and (as has already been said) it's a doddle to set up.

I personally tend to go for TUN configuration, but YMMV.

Re:OpenVPN (4, Informative)

bill_mcgonigle (4333) | more than 9 years ago | (#11246998)

since that's packing a TCP stream inside another TCP stream and can screw up the packet counters

I knew this comment would lurk here somewhere, it always does.

There's a theoretical problem with TCP in TCP on connections with errors. That said, I've built network appliances that do TCP over TCP. From a practical perspective it works just fine, and I've sent terabytes of data over such a link and the throughput approaches the line speed.

Somebody's firewall is going to kill your connection long before other problems kick in.

Re:OpenVPN (1)

the_maddman (801403) | more than 9 years ago | (#11247898)

Right, I know that it's fine as long as packets aren't dropped, but sadly I have cable from Charter Communications, so my internet connection is spotty. I've never had any luck with ssh+pppd; it may just be a bad combination.

Re:OpenVPN (2, Interesting)

schon (31600) | more than 9 years ago | (#11255155)

There's a theoretical problem with TCP in TCP on connections with errors

No, it's not theoretical, and it's not just with errors. A single link with high latency will kill your connections. It really does happen.

From a practical perspective it works just fine

Only if you're extremely lucky. If you're not, you *will* experience problems. If any of the connections between sites become saturated, you'll experience dropped packets, which starts the snowball rolling down the hill.

Re:OpenVPN (1)

bill_mcgonigle (4333) | more than 9 years ago | (#11255524)

Only if you're extremely lucky. If you're not, you *will* experience problems. If any of the connections between sites become saturated, you'll experience dropped packets, which starts the snowball rolling down the hill.

I understand the theory, but if that's true in practice I've been extremely lucky across hundreds of sites across the US over a period of a couple years, which seems unlikely.

Re:OpenVPN (3, Informative)

#undefined (150241) | more than 9 years ago | (#11247579)

i also recommend openvpn [sf.net]. supported on a majority of systems: windows 2k/xp, linux, mac os x, bsds, & solaris. here's the howto [sourceforge.net].

imho, great example of kernel/user-land separation: tun/tap virtual device driver is the only kernel-side part, the rest is in user-land. no more having freeswan keep the system from cleanly shutting down because of a lost reference to a network device. but there is overhead from context switches between kernel & user, though it's a trade-off i think is worthwhile.

you can do ip or ethernet tunneling, depending how far down the osi model you want to go and how much overhead you are willing/able to process. with a single wireless client in my household, i do ethernet tunneling, as it frees me from having to do any ip routing and configuring a wins server (which i've found problematic with windows 2000 and samba 2.2 on debian stable).

openvpn can use shared key or tls, just depends on what you want. you can quickly develop a proof of concept with shared keys (prove software installation, network communication, etc work) and then "upgrade" to tls.

openvpn uses openssl for its encryption/authentication engine. that means that all the scrutiny and improvements openssl receives (security analysis, assembly encoded algorithms, hardware engines, etc) benefit openvpn. i'm interested in doing openvpn on the via epia platform [via.com.tw] with hardware-assisted openssl [logix.cz] serving as wireless xterminals.

encrypting lots of bandwidth means lots of processor cycles, and depending on the speed of your processors and the bandwidth between the two, expect some slow down. this is not particular to openvpn, but any (software) encryption, so choose your hardware accordingly (with lots of benchmarking for your particular use case).

ipsec is a valid option, though i prefer openvpn. ipsec is a standard, and is supported on more platforms than openvpn (especially embedded systems & dedicated hardware), but it is firstly cumbersome to configure and secondly compatibility is theoretically possible between all implementations but not guaranteed. i once connected windows 2000 and linux/freeswan using ipsec. nate carlson's howto [natecarlson.com] is invaluable. with linux 2.6 it's even harder to implement ipsec with iptables because neither the in-kernel ipsec implementation nor openswan support virtual interfaces (ipsec[0-9]). supposedly it's "possible" using iptables to tag packets, but i won't consider it "practical" until it's easy enough to be documented in a howto.
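As an added illustration of the shared-key-then-TLS path described in the post above (example configuration written for this page, not taken from the post or from the OpenVPN project's documentation), here is the static-key proof of concept next to the TLS setup you would move to. File names (static.key, ca.crt, server.crt, ta.key, ...), the 10.8.0.0/24 addresses and vpn.example.com are placeholders; the TLS section assumes OpenVPN 2.4 or later for the directives marked as such.

```text
##### 1. Proof of concept: pre-shared static key (strictly point-to-point) #####
# Generate the key once and copy it to the other peer over a trusted channel:
#   openvpn --genkey --secret static.key      (2.5+: openvpn --genkey secret static.key)
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2      # local / remote tunnel address; the peer swaps the two
secret static.key               # one symmetric key provides both authentication and encryption
cipher AES-256-CBC              # static-key mode cannot use AEAD ciphers such as GCM
keepalive 10 60
persist-key
persist-tun
verb 3
# Limits of this mode: exactly one peer per key, no forward secrecy (a leaked key decrypts
# every capture made with it), no way to revoke a single user. It proves that the install,
# the firewall hole and the routing work; it is not the configuration to leave in place.

##### 2. "Upgrade" to TLS: server side, many clients, per-client certificates #####
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0   # hand each connecting client an address from this pool
ca ca.crt                       # your own CA (e.g. easy-rsa); a client must present a cert it signed
cert server.crt
key server.key
dh dh.pem                       # DH parameters for the key exchange ('dh none' with ECDH, 2.4+)
tls-auth ta.key 0               # HMAC on the control channel: unauthenticated packets are dropped early
remote-cert-tls client          # refuse a certificate that is not marked as a client certificate
cipher AES-256-GCM              # AEAD data channel (2.4+)
user nobody                     # drop root once the tun device is up
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3

##### 3. TLS client (the matching half of section 2) #####
client
dev tun
proto udp
remote vpn.example.com 1194     # placeholder hostname
ca ca.crt
cert client.crt                 # one key pair per user, so one user can be revoked without re-keying everyone
key client.key
tls-auth ta.key 1               # key direction 1 on clients, 0 on the server
remote-cert-tls server          # refuse to talk to a peer whose cert is not marked as a server cert
cipher AES-256-GCM
persist-key
persist-tun
verb 3
```

Each peer's tunnel IP comes from `ifconfig`, so the two peers' `ifconfig` lines must be mirror images of each other in section 1. In section 2 and 3 the CA, the `remote-cert-tls` checks and `tls-auth` are the three pieces the static-key setup lacks: who may connect, which end is the server, and a cheap filter in front of the TLS handshake.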

Re:OpenVPN (2, Interesting)

PGillingwater (72739) | more than 9 years ago | (#11254175)

By default, OpenVPN uses UDP, so the problem of TCP tunneling inside TCP doesn't need to happen (although in my experience it is minimal except on heavily congested or small MTU links.) I think the parent post isn't referring to using OpenVPN with TCP (although this can be done). [Aside: TCP inside TCP isn't really a problem with packet counters, it's the sliding windows and retransmissions which cause problems.]

I've used many VPN solutions, starting with proprietary (Raptor with IPIP), through to MS PPtP and IPSec (FW-1), and have also sold solutions based on FreeS/WAN, but have found OpenVPN the most simple to use and configure.

Another advantage of OpenVPN is it can tunnel at layer 2 or layer 3, i.e., you can use it to bridge or route. It will happily support host to host, host to LAN and LAN to LAN.

Its Windows client plays nice with Linux endpoints, and because it uses OpenSSL, it has very flexible keying and certificate handling options.

Its only downside is lack of interoperability with IPSec-based solutions -- but if that's a requirement, then look at OpenS/WAN.

Bottom line: if you need to build up a low cost, flexible VPN solution based only on software, with full source code available and full of features (like dynamic end-points) then OpenVPN is a great choice. It also avoids the hassle of NAT-T which IPSec has to use due to address translation.

Re:OpenVPN (1)

supertux (608589) | more than 9 years ago | (#11246957)

I'll second this.

I'm rolling out an openvpn 2 setup now, and I have to say I'm quite impressed by the package. It seems very stable, gives good performance, has clients for everything we are going to use, and is open source.

The big reason why I chose openvpn over other solutions like IPSEC was basically because I couldn't find free IPSEC clients for windows.

If I had any advice for someone setting up openvpn, it would be to figure out what kind of a setup you want before you try to implement it. There are so many options and possibilities that you probably won't need. I had trouble keeping everything straight before I diagrammed what I wanted the VPN setup to look like in the end (routed/nat/two factor authentication/etc).

-SuperTux

Re:OpenVPN (1)

Gadzinka (256729) | more than 9 years ago | (#11247111)

I second that, especially since OpenVPN uses tried and true cryptographic infrastructure that SSL/TLS is.

I mean, there are countless problems with homebrew crypto solutions because many people think that just using crypto will solve all the problems. And all the time those new, "unorthodox" implementations make horrendous mistakes that often nullify all the security that crypto could give. This kind of problem keeps popping up in the VTUN, PPTP and WEP protocols.

And when you (wisely) use tested infrastructure like SSL/TLS you are virtually free from those problems. IPSEC is as good or better, but some network hardware/software has problems with routing IPSEC traffic. SSL/TLS tunnels on the other hand are plain and simple TCP connections.

Robert

Re:OpenVPN (2, Insightful)

bloo9298 (258454) | more than 9 years ago | (#11251308)

Oh come on, you can't say there are problems with homegrown protocols without pointing people towards Peter Gutmann's comment [mit.edu] on penis-shaped sound waves. :-)

I agree with you for the most part, but I think it is worth stating that using SSL/TLS or SSH does not free you from all problems. Secure (integrity not confidentiality) distribution of public keys is still a significant challenge (to be read as "something that's easy to screw up").

Re:OpenVPN (1)

PGillingwater (72739) | more than 9 years ago | (#11254429)

Just to clarify what appears to be confusion. OpenSSL provides the key exchange and authentication options within OpenVPN, but doesn't handle the tunneling. Instead, OpenVPN uses ESP, the same as IPSec. Basically, think of it as the IPSec payload, but without AH or IKE, running over UDP. While many SSL/TLS tunnels use TCP, this is not required with OpenVPN. See the OpenVPN security model [sourceforge.net] for details.

Re:OpenVPN (3, Informative)

erth64net (47842) | more than 9 years ago | (#11248051)

I second OpenVPN as well.

We've used FreeS/WAN (now OpenVPN) since 2001, with nary an issue. We currently have 12 connections ranging from 144KBit to 3Mbit (all business quality!) all connected together. The VPN/firewall hardware at each site is a Pentium 120Mhz w/ 32MB of RAM, two network cards, and nothing but a floppy disk booting/running LEAF [sf.net]'s Bering-uCLib. We have Win2K/XP VPN clients connecting to these "LEAF" systems as well. In theory, OpenVPN can support many hundreds of VPN tunnels - though the highest we've pushed it was around 30 (ie: permanent tunnels plus the Win32 clients) - with about 600 users between all the sites.

When we stress-tested this hardware/software combo, we were able to push just over 7Mbit/sec, and only added about 5ms latency to the link!

This combo has been rock solid - not a single connection failure can be blamed on the VPN software - it has been either the last mile, a NIC failure, or a bad floppy disk. Administration is via SSH [ucc.asn.au] (with a web-based admin console in development), and the firewall code is Shorewall [shorewall.net].

Re:OpenVPN (0)

Anonymous Coward | more than 9 years ago | (#11250167)

OpenVPN is not related to FreeSwan. I think you have confused OpenVPN with OpenSwan. I use Freeswan for a couple of LAN to LAN connections and it is pretty rock solid for that. However, I had no end of trouble with the roadwarrior setup and so now use OpenVPN for those and it works well for that function.

FreeSwan (1)

phoenix_V (16542) | more than 9 years ago | (#11246563)

If the OSes involved are Linux or you can insert a low cost box into the mix then Freeswan is a good choice.

I have had great success using it to connect a main office with a warehouse across the highway. After setting it up I only had to touch the boxes to do upgrades. The only downside is the need for two servers, one for each end of the tunnel.

Smoothwall (4, Informative)

Computerguy5 (661265) | more than 9 years ago | (#11246586)

You could use a smoothwall [smoothwall.org] router. Only cost is standard hardware.

Re:Smoothwall (0)

Anonymous Coward | more than 9 years ago | (#11247836)

I use Smoothwall 2.0 and its VPN is a little bit sucky. I used it in anger; it works but is very temperamental. Also keys are clear-text on the client side.

Re:Smoothwall (1)

Corrado (64013) | more than 9 years ago | (#11253004)

Bah, you probably want to use IPCop [ipcop.org] instead. The Smoothwall community has a history of being, ummm..., moody and really pissed a lot of people off [google.com]. IPCop was forked off of Smoothwall several years ago to make a more friendly product, and I have to say I like it much better.

On Topic: I haven't used the VPN functionality yet, but with my new cable modem I plan on connecting to a couple of sites I support (all with IPCop).

Linksys (2, Informative)

Dr. Bent (533421) | more than 9 years ago | (#11246593)

Linksys sells a VPN router [google.com] that uses the IPSec standard, for around $100. I've been using it for the last year or so and I love it. You can connect to it using the IPSec tunnel built into Windows, or connect under Linux using FreeS/Wan.

Re:Linksys (1)

teg (97890) | more than 9 years ago | (#11249547)

Linksys sells a VPN router that uses the IPSec standard, for around $100.

We have some of those, and they work great.

That said, has anyone set up the IPSEC in 2.6 to work with one of them? Would be nice to be able to do it over the wireless connection too...

Re:Linksys (1)

Jacco de Leeuw (4646) | more than 9 years ago | (#11256211)

AFAIK the Broadcom wireless chipset used in that Linksys is closed source so you are basically stuck with kernel 2.4.

Re:Linksys (1)

teg (97890) | more than 9 years ago | (#11256773)

AFAIK the Broadcom wireless chipset used in that Linksys is closed source so you are basically stuck with kernel 2.4.

I'm thinking of Linux connecting to one of them (they have native IPSEC in hardware, and can do 50-75 tunnels depending on the model), not on replacing the hardware on the unit itself.

Re:Linksys (1)

Jacco de Leeuw (4646) | more than 9 years ago | (#11257016)

The native IPsec in the Linksys is based on Linux as well, but it is outdated and buggy [openswan.org] and possibly insecure.

Re:Linksys (1)

teg (97890) | more than 9 years ago | (#11257470)

Not the same. I'm thinking of the ones with dedicated IPSEC hardware (BEVP41). And given that it is simple to set up, works well through NAT etc, it was well worth the price, compared to all the hours I spent trying to make Freeswan work. No moving parts etc. is good too. And it plays well with other IPSEC hardware... so all I'm wondering now is the easiest way to get Linux to connect to it as a road warrior with FC2/3.

Re:Linksys (1)

velkro (11) | more than 9 years ago | (#11263482)

Ironically, that one uses FreeS/WAN too, IIRC.

I wrote the interop howto, at http://www.freeswan.ca/docs/BEFVP41/

Ken (Openswan Developer)

PPP over SSH (1)

spribyl (175893) | more than 9 years ago | (#11246601)

I have done this for almost four years now.

I set it up for my personal use, and then when my company needed a solution we did this too.

Here is a how-to [ishiboo.com].

OpenVPN (1)

fiber_halo (307531) | more than 9 years ago | (#11246611)

I recently started using OpenVPN [sourceforge.net] and it works great. It took a little bit to set it up in the multi-client configuration, but it wasn't bad.

I'm going to set everyone in my company up using it. We're small and everyone works either on customer sites or from home. This will allow us to more easily share resources. It works with Linux, Windows, etc.

I highly recommend it.

Re:OpenVPN (1)

4of12 (97621) | more than 9 years ago | (#11253616)
We're small and everyone works either on customer sites or from home.

Before I made it Real Easy for my co-workers to VPN in from home I'd be checking to make sure their home computers had pristine reputations. I know this is kind of a touchy issue, too. "Whaddya mean suggesting my computer sleeps around!"

windows xp vpn server (5, Informative)

uits (792760) | more than 9 years ago | (#11246643)

It seems you are trying to connect to a Windows machine, and you are using Windows clients. Since we can assume it's not Server 2000/2003 (otherwise why would you be asking...) the following link shows how to set up a VPN server on Windows XP.

http://www.onecomputerguy.com/networking/xp_vpn_server.htm [onecomputerguy.com]

Might not be the coolest way...but it's simple & low cost, using the hardware/software you have already.

Re:windows xp vpn server (1)

superpulpsicle (533373) | more than 9 years ago | (#11247644)

Boy, I think this is the only post we need for all Windows VPN solutions. That site is the single most organized Windows tutorial site I have ever seen in my life. And trust me, I have seen quite a number.

IPCop (1)

Ridgelift (228977) | more than 9 years ago | (#11246661)

Simplest way I've done it is to set up IPCop [ipcop.org] on both ends. You can use throw-away hardware (Pentium or greater) with little RAM and hard drive space and two network cards. VPNs are a breeze to set up.

The only issue will then be bandwidth, the faster the better. My main site uses cable and the remote site uses ADSL, and it's fast enough to be usable, but not as fast as a thin-client (Citrix) installation is. We're talking trade-offs of cost for speed here, but since it's so cheap to do you can set it up and try it and see if it's the right solution for you.

Re:IPCop (1)

oops.sgw (831993) | more than 9 years ago | (#11247471)

I am also using IPCop for VPNs here.

Very easy to set up a net-to-net connection, a little harder to set up a host-to-net connection, when it comes to connecting a so-called Road Warrior with a dynamic IP.

If you need to provide IPSEC to XP-Clients, this works as well, just a little fiddling necessary. There are several HOWTOs out there.

I use a Pentium I 133 MHz with 100MB RAM here ... works like a charm.

And you also get loads of other functionality as well. Webproxy, DNS-Proxy, IDS, QoS, NTP, DHCP, ...

Smoothwall (0)

Anonymous Coward | more than 9 years ago | (#11246703)

We use smoothwall (http://www.smoothwall.org) between two locations. You need two el junko PCs to do the job (one on each end), but then the VPN is nicely transparent to the computers, and no software needs to be installed on the clients. Easy to set up too, and lots of community support. If you want to pay money and get a contract, you can purchase the smoothwall corporate edition.

A couple of options (2, Informative)

Some guy named Chris (9720) | more than 9 years ago | (#11246752)

PPP tunnelled over SSH is simple, quick to set up, and works without a hitch. I've used it to connect 20+ locations, and it's just as good as having a dedicated frame link between the sites.

IPSEC (using openswan or similar) works well, but is in my experience more complicated and harder to maintain than using the PPP-over-SSH method.

Both of these are free.

Re:A couple of options (1)

MikeBabcock (65886) | more than 9 years ago | (#11263376)

It seems to me that in the post-dialup world, many people ditched PPP as fast as they could because of the miseries they had setting it up in those days.

With modern tools like wvdial and rp-pppoe however, you never need to see the pppd command-line anymore.

PPP is a very powerful protocol and it will work for many of your situations. IPSec however does have a lot of features not implicit in SSH + PPP.

the U.S. Robotics 8200 might work for you (0)

Anonymous Coward | more than 9 years ago | (#11246769)

I'm not sure it will satisfy *every* one of those requests out of the box, but it's linux-based, and can be modified.

The USR8200 firewall/vpn/nas [usr.com] is probably more intended for small business networks, but I run one at home and use it to set up a VPN server, file server (with a firewire hd) and anonymous or permission-based FTP server. It supports port forwarding for inbound traffic, and as far as a firewall, it seems to have all the features found on $500 firewall-only products.

It was around $300 and while I could have done most of those things on a linux box, it took me about 25 minutes to set it all up. You can also bridge two of them together to create a "distributed" LAN, and it supports IPsec if you're into that.

PPP over SSH (1)

c (8461) | more than 9 years ago | (#11246777)

I've had decent luck with PPP over SSH. It's not the fastest (although I haven't done any tuning of my PPP config), but all the components needed are pre-installed on most modern 'nix boxes.

See http://www.faqs.org/docs/Linux-mini/ppp-ssh.html [faqs.org]

c.

Re:PPP over SSH (1)

LWATCDR (28044) | more than 9 years ago | (#11247769)

Any docs on using it with a Windows client?
It would be nice to have an OS-independent solution.

Netgear FVS328 and FVS318 routers with VPN (2, Informative)

Futurepower(R) (558542) | more than 9 years ago | (#11247193)
This may be helpful to someone:

We have extensive experience with the Netgear FVS328 and FVS318 routers with VPN. We have had many, many problems with them.

Note that the FVS318 does NOT have secure login for remote maintenance. The password is sent in the clear.

Netgear apparently has no technical support representatives that work for the company. They apparently all work for contractors in India and the United States. We have found them to have very, very little information about these Netgear products.

Here are a few of our extensive notes about the problems:

We establish an IKE and VPN policy, and start a VPN. It works fine the first time, but, after we disconnect we cannot connect later, even though no changes have been made to the policies.

1) There is general agreement among Netgear technical support people that there is a problem.

Netgear technical support people have standard IKE and VPN policy setups they like to use, which they say are proven to work. The most common one, however, is slow and drops a lot of pings. More sophisticated IKE and VPN settings are faster, even though better encryption is used. We have no idea why this is so.

2) Turning the router power off and restarting sometimes cures the problem with not being able to re-establish a VPN. We have seen cases where the menu choice reboot did not cure a problem, but turning the power off and on did cure it.

3) Something hidden seems to time out after several hours. Sometimes VPN connection problems fix themselves after a day or so.

4) When establishing a VPN Auto Policy, the help says:

Remote VPN Endpoint: Select the desired option (IP address or Domain Name) and enter the address of the remote VPN Gateway/Server or client you wish to connect to. Note: The remote VPN endpoint must have this VPN Gateway's address entered as its "Remote VPN Endpoint".

However, we had a case where the address of one of the routers had changed from that given in the "Remote VPN Endpoint", but the VPN was re-established. The impression is given that specifying the address increases security. Apparently this is not so. Again, something seems to be keeping information for several hours, and then timing out.

5) We have seen a case where deleting all the policies and starting over cured a persistent problem with not being able to re-establish a VPN.

6) We have seen cases which seem to indicate browser dependence. For example, there may be Javascript that works perfectly only in Microsoft Internet Explorer, but sometimes fails in other browsers.

7) We have seen cases where choosing "Log Out" does not actually log out. Netgear technical support people say they've seen this also.

It seems to help if we exit from the browser completely. However, if the browser is Firefox (or Mozilla), and there are several Firefox windows open, exiting from Firefox means exiting from all the windows and tabs, which means that work opening those windows is lost. (Firefox and Mozilla do not have multiple instances; all windows come from the same instance.)

Logging out sometimes seems to leave something in the router which gets confused, and prevents re-establishing the VPN.

Version tested -- We have not tested the FVS328 firmware beta version. This report is about the FVS328 firmware Version 1.0 Release 09.

Re:Netgear FVS328 and FVS318 routers with VPN (0)

Anonymous Coward | more than 9 years ago | (#11252220)

None of this surprises me at all.

I've never actually tried to use Netgear as VPN endpoints (let's face it - IPSEC is a complicated standard and the manufacturers of a low end SOHO router are not going to bother implementing all of it) but I can add one piece of additional info :

Netgear's routers can't even handle IPSEC passthrough properly.

Meaning that if you put a proper VPN gateway behind one or try to connect to a VPN gateway from behind one, you are in for a world of hurt.

If they can't even make a router that passes IPSEC traffic from other sources without mangling it, they are unlikely to make one that works well as a VPN gateway. Avoid like the plague.

Re:Netgear FVS328 and FVS318 routers with VPN (0)

Anonymous Coward | more than 9 years ago | (#11253522)

This is all very strange to me. I have used this setup for over a year now with little to no problems. Granted the setup is a bit convoluted but overall no problems. I run mixed Netgear FVL318 and FVS328's with a few Linksys boxes mixed in and they all are happy campers. I would try upgrading your firmware; I think you will find that it will cure 80-90% of your headaches. I know it did mine when I first started out.

One thing I am sure the Netgear people won't tell you is that if you use aggressive keys it will blast through a lot of problems. Go figure...

Dealing with Netgear has been miserable. (1)

Futurepower(R) (558542) | more than 9 years ago | (#11255293)
The firmware is the latest. Maybe Netgear made some defective units. However, if so, units of different models made at different times and from different suppliers have the same problem.

My experience with Netgear technical support is that they are somewhat friendly, but almost useless. They haven't been given training in Netgear products, as far as I can tell. For example, second level technical support cannot interpret VPN logs. They just try things for an hour, then they say they can't do more. Eight of those, and that's their work day.

It's been a miserable, miserable experience, dealing with Netgear. Linksys seems to be the best, right now.

I think it possible that if someone set up a VPN and left it running, they would have no troubles.

However, I have found many, many small bugs in Netgear firmware, so I presume that there are more big ones to be found.

Theory of the origin of sloppy software: There is a type of management of programming in which the programmers are not trusted. The manager doesn't really understand what the programmers are doing, and just manages by hassling. It goes like this:

Can we ship it?

No.

Why not?

Because of [some technical reason the manager does not understand].

It looks like it works, let's ship it!

No, it is not finished.

Okay, you have until Thursday, then we ship it.

That's my theory how we get the Microsofts and Symantecs and Netgears of the world.

Managers (0)

Anonymous Coward | more than 9 years ago | (#11259615)

That's my theory how we get the Microsofts and Symantecs and Netgears of the world.

Don't tell your theory to that manager you mentioned. He would just say something like "See?".

You see, it's hopeless...

Re:Dealing with Netgear has been miserable. (0)

Anonymous Coward | more than 9 years ago | (#11260819)

I manage programmers, and do some of the programming myself. My predecessor in this job was extremely friendly and trusting of the programmers to do their jobs well. In fact, he just let them go and do their thing.

I inherited a thoroughly awful, undocumented mess, full of our young cowboys' unbelievably inept experimentation and convoluted approaches to problem solving (2 + 2? Yessir, we'll get right on that as soon as we can buy a new calculus book! ... 3 months later... 2 + 2? Yessir, that's 6689.998 E + 05 * pi .. but while we were solving that problem we found that we first had to go back to the ancient Greeks and correct Pythagoras, so it turns out we then had to pretty much reinvent mathematics and even though we know the answer is 6689.998 E +05 * pi, it will take us another 20 years to implement it. PS, considering that C# will clearly be outdated by that time we've used our noggins, thought ahead and already begun to implement it in As-hol 25, an up and coming new language written by a team of idiot-savants down at the arcade where we spend all the time we should be using to have our fucking heads examined)

Oh dear, I'm out of control

LOL. (1)

Futurepower(R) (558542) | more than 9 years ago | (#11264970)


Funny, and definitely heavily connected with the truth.

Someday I would like to see a well-run technology business. (Besides Google, maybe.)

Re:Dealing with Netgear has been miserable. (1)

drinkypoo (153816) | more than 9 years ago | (#11282910)

My experience with Netgear is that they have some of the highest quality low end hardware but that their software sucks eggs. Linksys has the best software, but the worst hardware. This networkanywhere brand, which appears to just be a rehash of Linksys stuff, is probably identical to the Linksys stuff in every way but logos and color schemes but is often a little less expensive than the Linksys stuff.

Re:Netgear FVS328 and FVS318 routers with VPN (1)

SwellJoe (100612) | more than 9 years ago | (#11256724)

I'll just chime in with a "Me too!" on the "NetGear VPN sucks" issue.

I've always liked NetGear switches and wireless routers. They tend to work well, and I've never had one die out of dozens in the field (that's not to say they're necessarily more reliable than other decent low-end brands, but I've seen a lot of others prove historically less reliable). But their VPN Routers are atrocious. Simply terrible. They offer a "ProSafe" IPSec VPN client package for Windows that is terribly buggy, confusing to use, and not worth the CD it's distributed on. The router itself is also clumsy to configure and doesn't support road warrior configurations in any sane manner.

We eventually got it working, but it was so clumsy that we switched to a PPTP VPN instead (the server being Linux or Windows 2k3, as available). It may not be as secure as IPSec, but it works for all of the clients easily and I don't have to spend hours on the phone with every person that needs access.

Netgear does not restrict VPNs to WAN addresses. (1)

Futurepower(R) (558542) | more than 9 years ago | (#11273532)


NOTE: Anyone wanting a secure VPN should pay attention to number 4 above. FVS328s ignore the WAN addresses specified during configuration, apparently, or there is some other bug.

Linux based VPN gateways (3, Informative)

PinkX (607183) | more than 9 years ago | (#11247225)

Are cheap, easy to set up and maintain, highly flexible and very cost-effective.

Depending on what you're planning to do, you can use any of the several VPN implementations out there, just to name a few:

* PoPToP [poptop.org], a PPTP server, compatible with the VPN client that Windows has always had,
* vpnd [sunsite.dk], really easy to set up, ideal gw to gw VPN solution, seems a little outdated but works great over slow links,
* OpenVPN [sourceforge.net], a highly portable, flexible and multiplatform VPN solution, which supports gw to gw and gw to host style VPNs,
* etc. There is also LinVPN, FreeS/WAN / Openswan, et al.

Best regards.

Re:Linux based VPN gateways (1)

drinkypoo (153816) | more than 9 years ago | (#11282962)

A recent exploit discovered in MSCHAP means that PPTP VPNs are an utterly insecure solution. I've used vpnd and it was as close to trouble-free as I've seen yet. What I want to know is how to get any of the assorted IPsec implementations to work; I have yet to find a coherent howto that will let me set up freeswan OR openswan properly. At some point in the howto everything breaks down and there are commands which cannot be issued or files that do not exist. Some of the howtos tell you to follow some steps from other howtos because their authors were too lazy to explain how it is done, but they leave out crucial information needed to apply one to the other. And, of course, the documentation for the programs themselves is either virtually or literally nonexistent (you get pointed to a wiki with a bunch of pages whose contents are "TODO" and/or one of the aforementioned inapplicable FAQs or HOWTOs.)

SSH SOCKS (1)

gseidman (97) | more than 9 years ago | (#11247255)

You can use ssh with explicit port forwarding, but it sounds like you'd benefit from using it as a SOCKS proxy. OpenSSH can provide a SOCKS4 proxy with the -D switch and PuTTY can provide a SOCKS5 proxy. I've found that this works quite nicely for most purposes.

Re:SSH SOCKS (1)

Tuck (41529) | more than 9 years ago | (#11284785)

OpenSSH's -D (aka "DynamicForward") supports SOCKS5 as well (since the 3.7x release).

Symantec 200R (1)

ables (174982) | more than 9 years ago | (#11247484)

I'm not sure if you mean "Low Cost" as in "Free with a lot of my time installing/configuring" or "Low Cost" as in "Under $1000 plug-and-play," but our company recently bought a Symantec 200R VPN Server and firewall. You can get them for about $500 online. (Make sure you get the 200R, as the 100 and 200 don't have the actual VPN endpoint.)

Setup and installation was a breeze. I had it working out of the box in about an hour, including mucking around with the client they provide. I have a Debian Samba box as my Windows domain/WINS server, and it's been pretty smooth sailing.

I'd highly recommend it for a small shop. Yeah, I could have made something work with just the Debian box, but the amount of my time needed to make that happen would have added up to way more than $500 in lost productivity.

Looking for a solution (1)

yamla (136560) | more than 9 years ago | (#11247515)

I'm looking for a solution as well. My situation is that I want to tunnel two LANs together. One of them is behind a firewall that I control and has a semi-static IP address. That is, the IP address is resolvable using a DNS lookup. However, the other LAN is behind a firewall I do NOT control (though I have all necessary consent, of course) and does NOT have a static IP address.

OpenVPN therefore does not seem to work for me, though perhaps I was reading the documentation incorrectly. It seems that it requires that both endpoints have static IP addresses. Also, am I correct in saying that it requires UDP?

TCP works, too. (1)

Futurepower(R) (558542) | more than 9 years ago | (#11247597)


Did you see this from the OpenVPN first page? "Can OpenVPN tunnel over a TCP connection? Yes, starting with version 1.5."

Re:Looking for a solution (3, Informative)

PinkX (607183) | more than 9 years ago | (#11247658)

You are certainly doing something wrong. I have multiple OpenVPN setups which only have dynamic IP addresses on all endpoints, using a dyn DNS server, and they're always up and running.

Here is my config for all of the VPN gateways (/etc/openvpn/${HOST}.conf):

# point-to-point tunnel using a pre-shared static key
dev tun
# peer's (dynamic DNS) name; re-resolved whenever the tunnel restarts
remote ${REMOTEHOST}
ifconfig ${LOCAL_VPN_IP} ${REMOTE_VPN_IP}
# static key shared with this peer only
secret /etc/openvpn/${REMOTEHOST}.key
route ${REMOTE_NETWORK} ${REMOTE_NETMASK} vpn_gateway 1
# keepalive: ping every 20 s, restart the tunnel after 60 s of silence
ping 20
ping-restart 60
# keep key and tun device across restarts, needed once privileges are dropped
persist-key
ping-timer-rem
persist-tun
# drop root after initialization
user nobody
port 5001
verb 3
# keep retrying name resolution of ${REMOTEHOST} instead of giving up
resolv-retry infinite

Of course, substitute all the variable names with your own values.

Best regards,

Re:Looking for a solution (1)

canuck57 (662392) | more than 9 years ago | (#11296729)

OpenVPN therefore does not seem to work for me, though perhaps I was reading the documentation incorrectly. It seems that it requires both endpoints have static IP addresses. Also, am I correct in saying that it requires UDP?

I am not familiar with OpenVPN, but I am with some others. If you are behind a NAT firewall or on a dynamic IP address you may need to turn off AH to make it reliable. AH authenticates the IP address header so if it is altered or tampered with the IPSec/VPN can reject the packet. Having AH on is more secure as it authenticates the source, but losing it is still secure enough for most uses as the EA keys are unknown to others and without EA keys they cannot generate acceptable data packets.

Alternatively, to keep AH - put the VPN system directly on the Internet network and do not NAT. If it is a dynamic DHCP assigned address, you will need to re-configure the IPSec/VPN each time it changes to keep the AH component working.
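As an added illustration (not part of the comment above), the following Python models why AH and NAT conflict: the AH integrity check covers the source and destination addresses, which a NAT gateway rewrites, but skips the mutable fields (TTL, checksum, etc.) that ordinary routers change. The key, addresses and payload are constructed for the demo; the field layout follows RFC 4302 and the HMAC-SHA1-96 truncation follows RFC 2404.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA would use a negotiated or provisioned key.
KEY = b"constructed-demo-key"


def build_ipv4_header(src, dst, ttl=64, proto=51, total_len=60):
    """20-byte IPv4 header without options; header checksum left at 0."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000  # DF set, fragment offset 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234,
                       flags_frag, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(header):
    """RFC 4302 zeroes the mutable IPv4 fields before computing the ICV:
    DSCP/ECN, flags + fragment offset, TTL and header checksum. Source and
    destination addresses are immutable, so they stay in the MAC input."""
    h = bytearray(header)
    h[1] = 0                # DSCP/ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def build_ah_header(spi, seq, next_header=6):
    """AH header with the ICV field zeroed. Payload Len is in 32-bit words
    minus 2: 12 fixed bytes + 12-byte ICV = 6 words, so the field is 4."""
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + b"\x00" * 12


def ah_icv(ip_header, ah_header, payload, key):
    """HMAC-SHA1-96 (RFC 2404): first 96 bits of HMAC-SHA1 over the zeroed
    IP header, the AH header (ICV zeroed) and the protected payload."""
    msg = zero_mutable_fields(ip_header) + ah_header + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]


def verify_ah(ip_header, ah_header, icv, payload, key):
    return hmac.compare_digest(ah_icv(ip_header, ah_header, payload, key), icv)


def decrement_ttl(ip_header):
    """What every router on the path does; TTL is a mutable field."""
    h = bytearray(ip_header)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_source(ip_header, new_src):
    """What a NAT gateway does; the source address is covered by the ICV."""
    h = bytearray(ip_header)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def demo():
    hdr = build_ipv4_header("192.0.2.10", "198.51.100.20")  # constructed
    ah = build_ah_header(spi=0x1000, seq=1)
    payload = b"constructed inner packet"
    icv = ah_icv(hdr, ah, payload, KEY)
    return {
        "as_sent": verify_ah(hdr, ah, icv, payload, KEY),
        "after_router_hop": verify_ah(decrement_ttl(hdr), ah, icv, payload, KEY),
        "after_nat": verify_ah(nat_rewrite_source(hdr, "203.0.113.5"), ah, icv, payload, KEY),
    }
```

Running demo() shows the packet still verifies after a TTL decrement but fails once a NAT has rewritten the source address, which is exactly why the comment above suggests dropping AH (keeping ESP) behind NAT.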

Other hardware or SSH experiences? (1)

Futurepower(R) (558542) | more than 9 years ago | (#11247540)


OpenVPN seems to be the winner of the comments so far. However, I'd like to see other hardware VPN solutions, too.

From the Slashdot question: "Are there any other options I should be looking at other than using SSH port forwarding?"

It would be interesting to know more about experiences with SSH, too.

Re:Other hardware or SSH experiences? (1)

aminorex (141494) | more than 9 years ago | (#11247742)

You want hardware in your VPN? Get an SSL accelerator card.

You want your VPN to run on a spindle-free low-failure appliance? Run OpenVPN on a Linksys WRT54G ($57.00, inclusive of shipping in the U.S.)

OpenVPN for the WRT54G? (1)

Futurepower(R) (558542) | more than 9 years ago | (#11248177)


Is there a version of OpenVPN that runs on the WRT54G? If there is, that sounds like an excellent option.

Re:OpenVPN for the WRT54G? (1)

bonezed (187343) | more than 9 years ago | (#11249481)

yes there is

first thing to do is run openwrt on the box and then add the openvpn package

problem sorted

Any advice about adding OpenVPN to the WRT54G? (1)

Futurepower(R) (558542) | more than 9 years ago | (#11251617)


Amazing! Thanks. Any advice about how to install OpenVPN on the WRT54G? Which package [openwrt.org] would you recommend? Do the OpenWrt packages have an administration console? I don't see any mention of that. It looks complicated, since I read that there is no Wi-Fi Protected Access (WPA) [openwrt.org] until installed.

Also, I note that OpenVPN will NOT work [sourceforge.net] on Windows XP SP2 unless the pre-release version 2.0 is used. I suppose you don't care if you are using a WRT54G at both ends of the VPN. I'm not knowledgeable about this, but I guess that running VPN software on a WRT54G would be more secure than running it on a PC.

I note that Sveasoft provides firmware with PPTP VPN software [sveasoft.com], but there seems to be some question about whether PPTP is sufficiently secure.

Just guessing, but this seems to be a considerable job to configure. I wish there were a commercial release with the OpenVPN built in.

OpenWrt [openwrt.org].

Linksys WRT54G Wireless-G Broadband Router [linksys.com].

Linksys WRT54GS Wireless-G Broadband Router with SpeedBooster [linksys.com].

WRT54GS has updated chipset [tomsnetworking.com].

WRT54GS Under $70 [google.com].

Both Linksys products have GPL'd firmware [linksys.com].

There is intense interest [google.com.br] in the WRT54G and WRT54GS. One company, Sveasoft [sveasoft.com], provides upgraded firmware.

SnapGear (CyberGuard) (1)

linuxwrangler (582055) | more than 9 years ago | (#11247695)

I've had excellent results with the SnapGear (since bought by CyberGuard) appliance. You can have it up and running in fairly short order via the web interface. It runs on Linux and all the Linux configs are easily accessible in case you need more flexibility than the web interface offers.

There's one on eBay at the moment for $138 (sorry, I already bought his other ones to augment what I already had installed).

OpenVPN (0, Redundant)

samdu (114873) | more than 9 years ago | (#11247883)

It's free, runs on Linux, has clients for Linux, Windows, and Mac, SSL based, secure and stable. Oh, and relatively easy to configure.

Moderate Parent UP. (0)

Futurepower(R) (558542) | more than 9 years ago | (#11248346)


Moderators: Please moderate this up. In this situation, a little redundancy is not a bad thing. In this discussion, we are trying to build a consensus.

m0n0wall? (3, Informative)

M1FCJ (586251) | more than 9 years ago | (#11247888)

It does the job. I use it as a CD-based system + floppy on very old hardware with 64MB. Setting up the VPN was very easy and it was dead-easy to maintain/backup. I use it between three sites but I intend to use it at work as well.

CyberGuard SG530 (2, Interesting)

brian0x00FF (701559) | more than 9 years ago | (#11248798)

I use the CyberGuard SG530 [cyberguard.info] for my personal VPN needs. It's a box about the size of your average 8-port switch, it runs a version of embedded Linux and comes by default with PoPToP for PPTP v2 and FreeSwan for IPSEC. It has a web based config and is fairly painless to set up.

I was searching specifically for a PPTP device simply because it is so easy to configure and use, especially for Windows-based clients.

If you have a spare computer you wanted to use for this, you may want to look at IPCop, but at about US$350 the sg530 is not a bad alternative.

Re:CyberGuard SG530 (1)

dorkus123 (512839) | more than 9 years ago | (#11259936)

I have several CyberGuard (aka SnapGear) units in service. Good stuff. I prefer the models like the SG550 or SG570. They cost a little more but they provide ssl and ssh access for maintenance; the lower models do not.

They aren't cheap but if you're only buying one for remote access, they won't break the bank either.

Note: If you get one, update the firmware. It is usually out of date compared to what is on the website.

Take a look at SSL-Explorer (1)

zorkmid (115464) | more than 9 years ago | (#11248887)

It's opensource. Works pretty well and seems to be evolving pretty fast.

SSL Explorer provides an entry-level SSL VPN to individuals and small businesses. This practicable remote access solution includes SSL tunneling, web site proxying, Microsoft Windows file sharing and Java application deployment through a standard browser

http://3sp.com/

http://sourceforge.net/projects/sslexplorer/

Re:Take a look at SSL-Explorer (0)

Anonymous Coward | more than 9 years ago | (#11252268)

Yes, but it's an SSL VPN. Which means it works great with web based apps. And nothing else. Of course, in the case of commercial solutions you might be able to install a highly platform dependent "redirector" which intercepts network traffic from other apps and sends it down the SSL tunnel.

In other words you will spend money on hardware in order to recreate an SSH tunnel. Except with less flexibility and compatibility.

If you think that an SSL VPN can provide a transparent link between 2 LANs in the same way that an IPSEC VPN can, you need to think again.

Re:Take a look at SSL-Explorer (0)

Anonymous Coward | more than 9 years ago | (#11252606)

Dear AC,

I think you need to research SSL VPNs. They can provide transparent links between 2 LANs.

Thanks,

AC

Cisco VPN Solution (1)

greendeath (231782) | more than 9 years ago | (#11254219)

Actually, a Cisco VPN solution is not that expensive (it is more than free).

Get a PIX 501 10 user bundle from CDW for $399:
http://www.cdw.com/shop/products/default.aspx?EDC=337727

Download the VPN client from Cisco (free), configure the box and you are ready to VPN.

Re:Cisco VPN Solution (1)

qavvo (846369) | more than 9 years ago | (#11258221)

I've used Cisco PIX 501 firewalls extensively, primarily for mobile-user VPN boxes. They are easy to set up and work well for a relatively small number of users. Feel free to email me if anyone has questions about this solution.

OpenVPN (1)

hackus (159037) | more than 9 years ago | (#11256169)

The primary reason I like it is that it uses the UDP protocol for packet transmission.

That is REALLY effective in utilizing multiple connections to the same locations for redundancy, with varying weights, for example if you use something like Quagga for BGP routing management.

Works fabulously and the config is trivial.

-Hack

PopTop worked for us (1)

psykocrime (61037) | more than 9 years ago | (#11256854)

I've used PopTop in the past, and it works fine for the kind of scenario you're describing. It's free (as in speech and beer), has adequate - albeit not great - documentation, and is fairly easy to install and configure.

The biggest downside I'm aware of is that the MS-CHAPv2 protocol doesn't use the world's best encryption. Research MS-CHAP, see if it's secure enough for your needs; if so, I think PopTop would be a fine solution.

The next thing that comes to mind is something like FreeSWAN/OpenSWAN, which are IPSEC based, instead of PPTP, and which presumably offer better security.

Re:PopTop worked for us (1)

drinkypoo (153816) | more than 9 years ago | (#11282983)

MSCHAP was recently blown away. You should consider a PPTP VPN to be completely unencrypted. IPSEC is the ostensible answer (besides OpenVPN) but the documentation is AWFUL.

webdav/https (1)

JBdH (613927) | more than 9 years ago | (#11262135)

I've used Apache with WebDAV over HTTPS on several occasions for remote file sharing. Works great on 2000 & XP through web folders without additional software. Users can just browse using Windows Explorer as if working with local files. OS X needs a special app (Goliath). Tuning Apache to use WebDAV with XP is the hardest part (but there's a manual here [ibiblio.org] and here [caltech.edu]).

OpenVPN (3, Informative)

eno2001 (527078) | more than 9 years ago | (#11263720)

Go look at my very first JE a while back and I point out that OpenVPN is cross platform (Windows, Linux, MacOS X, BSDs, etc...) and works fairly well. Be warned that you need to use the latest Beta with Windows XP as SP2 breaks the last stable version. I've been using it going from Linux to Linux and it works great. Full access to my network at home from anywhere. All you need to do is open one UDP port and this will actually tunnel TCP and UDP traffic, so even Voice over IP will work with this for a private IP phone setup. Check it [sourceforge.net] out. It's worth the effort.

As a side note, I used to use SSH tunnels. That worked very well for me too, but it required a good deal of setup and mapping ports on the remote end to ports on the local end. It's great as far as cross-platform goes, and if you don't have things changing much on your network, it really works well, but it won't handle UDP traffic. Not to mention, when I used it with VNC, I had to map remote ports to local ports that were unused. So if I connected to 'mymachine:1' at home, I would connect to '127.0.0.1:21' at work since I couldn't stomp over :1 on my machine here. With OpenVPN, that all goes away. You just connect to the remote machine by its own IP (or if you get DNS or hosts set up right by its name).

I'll also mention that I'm using OpenVPN in "routing" mode. I throw all traffic destined for my home network to the tun1 interface that OpenVPN brings up on my local machine. You can also use OpenVPN in bridged mode which is a bit more of a headache to set up since you need to know how to break your network up into ranges for each location. Basically subnetting. But the advantage of bridged mode is that broadcasts will be carried over the tunnel. OpenVPN is about the closest you get in a free project to having a virtual ethernet cable going from one end of the connection to the other. In the end, I think this is what you want. Hope this helps.

OpenBSD / isakmpd (0)

Anonymous Coward | more than 9 years ago | (#11277215)

It cannot get cheaper than that :)

Zebedee - a simple, free, secure tunnel program (1)

Falsebart (797933) | more than 9 years ago | (#11284194)

It is not exactly a VPN program, but it does what you want to do with a VPN:
- gives access to all the internal servers (SaMBa, Mail, WWW)
- has strong encryption
- has public key authentication
- is invisible (NO default ports)
- Linux and Windows versions.
It just works.
http://www.winton.org.uk/zebedee/ [winton.org.uk]

I'm using it in a few projects with NO problems at all.

CIPE/vtun not great options (0)

Anonymous Coward | more than 9 years ago | (#11287491)

Article at this site [auckland.ac.nz] explains some of the why.. PPTP (via poptop) has some advantages (mostly in terms of interoperability) but openvpn or frees/wan are probably your best choices..

VPN - All sorts of ways (1)

canuck57 (662392) | more than 9 years ago | (#11296627)

"I'm looking for a low cost solution for allowing myself and a few others the ability to share a server at one of our locations. One thought was using SSH tunnels to establish secure connections,

OpenBSD, FreeBSD, Solaris (Intel) and most Linux distros offer IPSec VPN as part of the OS. Most run well on older hardware and can be a router, gateway, NAT, IP tunneling as well as a mail relay, IMAP server and of course come with respected firewalls. You can also run IDS software such as Snort and arpwatch, and they come with nice network sniffing tools.

I have been using Solaris this way for years now without issues, and friends of mine use OpenBSD and Solaris. This allows us to securely share information over the Internet on a private IPSec and tunneled network.

With IPSec VPN the two networks near and far can be ordinary unencrypted networks. The Internet routing systems do all the work of crypto between the sites. IPSec will route all ports, Windows services and even a virus if one end gets infected. That is in part why I prefer xNIX solutions as you can use IPFilter or PF to block unwanted services.

There are some inexpensive appliance systems that have less features than above but then the appliance does not require the working knowledge of the network as the above options do. Some of these are getting quite reasonable in cost.

So your real problem is how, there are lots of ways. With google, search for IPSec and the OS of choice. May the force of privacy be with you!
