Folks

I would like to have my windows 7 laptop communicate with my home server via a VPN, in such a way that it appears to be "inside" my home network. It should not only let me appear to be at home for any external query, but also let me access my computers inside my home.

I already have this working using M$'s PPTP using my home Centos 6 gateway/router as the PoPToP server. However, I am concerned about the privacy/security of such a connection.

I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and probably others I haven't noted). I'd be interested in hearing from anyone who wishes to comment about which to use, with the following requirements:

1) As noted, it should be secure (anti NSA?)
2) Works on Centos 6 and Centos 7 and Windows 7 (and for the future, Windows 10)
3) Can be set up on the server with command line interfaces only (no GUI)

And, should not be a nightmare to set up.

Any thoughts?

David
SoftEther VPN

Once setup, it just works....

Regards,

Richard

---
Richard Zimmerman
Systems / Network Administrator
River Bend Hose Specialty, Inc.
1111 S Main Street
South Bend, IN 46601-3337
(574) 233-1133
(574) 280-7284 Fax

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of david
Sent: Monday, April 04, 2016 1:57 PM
To: CentOS mailing list
Subject: [CentOS] VPN suggestions centos 6, 7

(...)

_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos
And openvpn. Avoid ipsec as it's too complex and pptp is insecure.

Eero

On 4.4.2016 at 9:55 pm, "Richard Zimmerman" <rzimmerman at riverbendhose.com> wrote:
> SoftEther VPN
>
> Once setup, it just works....
>
> Regards,
>
> Richard
>
> (...)
My partner has been using Openvpn extensively. It looks very reasonable and has been quite trustworthy. It is configured via commandline. The server seems to work on Windows, too ("Vista and later"). There are good tutorials for CentOS, for example https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7

- Jussi

On 4.4.2016 20.57, david wrote:
(...)
> 1) As noted, it should be secure (anti NSA?)
> 2) Works on Centos 6 and Centos 7 and Windows 7 (and for the future, Windows 10)
> 3) Can be set up on the server with command line interfaces only (no GUI)
On Mon, 4 Apr 2016, david wrote:

> I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and probably others I haven't noted). I'd be interested in hearing from anyone who wishes to comment about which to use, with the following requirements:
>
> 1) As noted, it should be secure (anti NSA?)
> 2) Works on Centos 6 and Centos 7 and Windows 7 (and for the future, Windows 10)
> 3) Can be set up on the server with command line interfaces only (no GUI)

OpenVPN can be all that. I say "can be" because you'll want to research how best to configure it. Done poorly, it won't be as secure as you want. Thankfully, there are a lot of blog posts and list threads to consult; it won't take more than a couple hours of reading to work out the base configuration.

> And, should not be a nightmare to set up.

This might be a problem. :-)

OpenVPN is designed to scale pretty well, but scaling it requires a decent knowledge of SSL infrastructure: creating, distributing, and revoking certificates. The Easy-RSA utility can ease the process, but using it securely takes time and reading.

A very small OpenVPN setup can be done with shared static key, but that approach has its own disadvantages (no PFS, all keys in plain text, no distribution mechanism).

In short, OpenVPN is an excellent toolset that can be made very secure -- and will manage much of the complexity for you -- but it requires a non-trivial amount of effort to configure correctly.

To paraphrase The Princess Bride: Security is pain. Anyone who says differently is selling something.

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
On 04/04/2016 10:57 AM, david wrote:
> I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and probably others I haven't noted). I'd be interested in hearing from anyone who wishes to comment about which to use, with the following requirements:

I recommend l2tp/ipsec. It's supported out of the box on a wide variety of client platforms, which means significantly less work to set up the clients.

OpenVPN is a popular choice, and it's fine for most people. It's more work to set up than l2tp/ipsec, typically. We used it for quite a while at my previous employer, though ultimately dropped it because the Windows GUI requires admin rights to run, and we didn't want to continue giving admin rights to the users we supported.
On 04.04.2016 at 19:57, david wrote:
> Folks
>
> (...)
>
> Any thoughts?
>
> David

https://www.tinc-vpn.org/

Alexander
IPSec is not a recommended solution nowadays. OpenVPN runs on top of a single udp or tcp port, so it usually works in strictly firewalled places like hotels and so on.

--
Eero

2016-04-04 23:18 GMT+03:00 Gordon Messmer <gordon.messmer at gmail.com>:
> On 04/04/2016 10:57 AM, david wrote:
>
>> (...)
>
> I recommend l2tp/ipsec. It's supported out of the box on a wide variety of client platforms, which means significantly less work to set up the clients.
>
> (...)
On 04/05/2016 12:30 PM, Gordon Messmer wrote:
> IPSec is typically encapsulated on UDP port 4500, due to the ubiquity of NAT. OpenVPN doesn't really have an advantage, there.

IPSec and OpenVPN (and the others) each have their use cases. I have had experience with IPSec (via SmoothWall's SmoothTunnel implementation), Cisco's VPN implementation, and the commercial OpenVPN Access Server, and I have found OpenVPN AS the easiest to support for the road warrior use case, including and especially wifi and 3G/4G connected iOS and Android devices. OpenVPN AS will listen on TCP port 443, and virtually no one blocks TCP/443 (although you do lose some tunnel functionality with TCP encapsulation).

I did have numerous issues with the road warrior cases with the IPSec solution, many of which were firewall/captive portal issues and not issues with the otherwise excellent SmoothTunnel. I will admit that I have not tried an IPsec solution in a while, but I haven't had the need to do so, either.

OpenVPN AS takes all the hard parts out of the server-side config, and it works well on CentOS 7 (which is the platform on which I am running the server).

For point-to-point remote offices, I deploy small routers running DD-WRT, which has a reasonable OpenVPN client that works well once you get it working initially. It isn't necessarily the easiest to get working, though.
Have a look at Openconnect Server (ocserv), it's a free implementation of Cisco AnyConnect. It's the easiest VPN I ever had to setup and it's compatible with most Cisco AnyConnect clients and of course OpenConnect clients (such as NetworkManager-openconnect).

http://www.infradead.org/ocserv/

hth

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "david" <david at daku.org>
> To: "CentOS mailing list" <centos at centos.org>
> Sent: Monday, 4 April, 2016 18:57:12
> Subject: [CentOS] VPN suggestions centos 6, 7
>
> (...)
> Folks
>
> (...)
>
> David

----------------------------
FOLLOWUP & REPORT

I had lots of suggestions, and the most persuasive was to try OpenVPN. I already had a CA working, so issuing certificates was easy. The HOW-TO guides were less helpful than I could hope, but comparing several of them, applying common sense, and trying things out, I arrived at a dead-end. Here's essentially what happened:

- None of the HOW-TOs were very clear about the need to add some attributes to a certificate, keyUsage and extendedKeyUsage. They had different values for server and client. OpenSSL documentation was a bit vague on how to add them, but I think I did - the print out of the entity certificates showed the values.

The attempt to connect failed. The client log is below. I think it's complaining that the CA certificate doesn't have the keyUsage extension, which makes no sense to me. Such an extension should be in the end-entity certificate, not the CA's, unless I'm wrong. I checked the server and really think that the certificates are in the right place.
To review the situation:

Client: A windows 7 laptop, and it definitely moves around.
Server: Centos 6 running in my home.
Protocol is TCP

Client log, some details replaced with XXXXX
---------------------------
Mon Apr 18 05:34:47 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 10 2016
Mon Apr 18 05:34:47 2016 Windows version 6.1 (Windows 7)
Mon Apr 18 05:34:47 2016 library versions: OpenSSL 1.0.1s 1 Mar 2016, LZO 2.09
Enter Management Password:
Mon Apr 18 05:34:47 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Apr 18 05:34:47 2016 Need hold release from management interface, waiting...
Mon Apr 18 05:34:48 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'state on'
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'log all on'
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'hold off'
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'hold release'
Mon Apr 18 05:34:48 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Apr 18 05:34:48 2016 MANAGEMENT: >STATE:1460982888,RESOLVE,,,
Mon Apr 18 05:34:48 2016 Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
Mon Apr 18 05:34:48 2016 MANAGEMENT: >STATE:1460982888,TCP_CONNECT,,,
Mon Apr 18 05:34:49 2016 TCP connection established with [AF_INET]X.X.X.X:1194
Mon Apr 18 05:34:49 2016 TCPv4_CLIENT link local: [undef]
Mon Apr 18 05:34:49 2016 TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
Mon Apr 18 05:34:49 2016 MANAGEMENT: >STATE:1460982889,WAIT,,,
Mon Apr 18 05:34:49 2016 MANAGEMENT: >STATE:1460982889,AUTH,,,
Mon Apr 18 05:34:49 2016 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=63eed44a 8be061de
Mon Apr 18 05:34:50 2016 VERIFY OK: depth=1, C=US, ST=California, L=San Francisco, OU=Certificate Authority, O=XXXX, CN=X.X.X
Mon Apr 18 05:34:50 2016 Certificate does not have key usage extension
Mon Apr 18 05:34:50 2016 VERIFY KU ERROR
Mon Apr 18 05:34:50 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Apr 18 05:34:50 2016 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 18 05:34:50 2016 TLS Error: TLS handshake failed
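The failure in the followup above, and the certificate work Paul Heinlein describes earlier in the thread, can both be checked on the server before OpenVPN is ever started. OpenVPN's `remote-cert-tls` option (the OpenVPN manual describes it as a combination of `remote-cert-ku` and `remote-cert-eku`) inspects the peer's end-entity certificate: in the log above the CA passes at depth=1 and the key-usage complaint is raised for the next certificate in the chain, the server's own. The script below is an added example, not code from anyone in this thread or from the OpenVPN project: it builds a throwaway CA with OpenSSL, issues a server and a client certificate with the keyUsage bits and extendedKeyUsage purposes the manual lists for `remote-cert-tls server` and `remote-cert-tls client`, issues one certificate with no extensions for contrast, and then inspects each certificate for those extensions the way the connecting side does. "Example Home CA", "vpn.example.home", "laptop" and "bare" are constructed placeholder names.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts): build a
# throwaway CA, issue OpenVPN server and client certificates that carry the
# keyUsage / extendedKeyUsage values "remote-cert-tls" expects on the peer's
# end-entity certificate, and check a certificate before handing it to OpenVPN.
# "Example Home CA", "vpn.example.home", "laptop" and "bare" are placeholders.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles. The CA only needs keyCertSign; the leaf certificates need
# what the OpenVPN manual lists for remote-cert-tls: server = digitalSignature
# + keyEncipherment with EKU serverAuth, client = digitalSignature with EKU clientAuth.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed CA (placeholder name, throwaway key).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config ext.cnf \
    -extensions ca_ext -subj "/CN=Example Home CA" \
    -keyout ca.key -out ca.crt 2>/dev/null

# issue_cert NAME SUBJECT [EXT_SECTION]: key + CSR, then sign with the CA.
# Without a section the leaf is signed bare, i.e. with no extensions at all.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
        -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    if [ $# -ge 3 ]; then
        openssl x509 -req -days 825 -in "$1.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -days 825 -in "$1.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out "$1.crt" 2>/dev/null
    fi
}
issue_cert server "/CN=vpn.example.home" server_ext
issue_cert laptop "/CN=laptop" client_ext
issue_cert bare   "/CN=bare"             # the shape that produces VERIFY KU ERROR

# check_vpn_cert CERT server|client
# Returns 0 when the end-entity certificate carries the keyUsage bits and the
# extendedKeyUsage purpose remote-cert-tls looks for, 1 otherwise, printing the
# reason in the wording of the OpenVPN client log.
check_vpn_cert() {
    cert=$1
    role=$2
    text=$(openssl x509 -in "$cert" -noout -text)
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//')
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//')
    if [ -z "$ku" ]; then
        echo "$cert: Certificate does not have key usage extension (VERIFY KU ERROR)"
        return 1
    fi
    case $role in
        server)
            want_eku="TLS Web Server Authentication"
            case $ku in
                *"Digital Signature"*"Key Encipherment"*|*"Digital Signature"*"Key Agreement"*) ;;
                *) echo "$cert: keyUsage [$ku] is not digitalSignature+keyEncipherment/keyAgreement (VERIFY KU ERROR)"; return 1 ;;
            esac ;;
        client)
            want_eku="TLS Web Client Authentication"
            case $ku in
                *"Digital Signature"*|*"Key Agreement"*) ;;
                *) echo "$cert: keyUsage [$ku] lacks digitalSignature/keyAgreement (VERIFY KU ERROR)"; return 1 ;;
            esac ;;
        *) echo "usage: check_vpn_cert CERT server|client" >&2; return 2 ;;
    esac
    case $eku in
        *"$want_eku"*) ;;
        *) echo "$cert: extendedKeyUsage [$eku] lacks '$want_eku' (VERIFY EKU ERROR)"; return 1 ;;
    esac
    echo "$cert: keyUsage/extendedKeyUsage acceptable for role $role"
}

check_vpn_cert server.crt server
check_vpn_cert laptop.crt client
check_vpn_cert bare.crt server || true   # expected to fail: no keyUsage extension
```

Run it against the real server certificate with `check_vpn_cert /etc/openvpn/server.crt server` (path assumed) before restarting the daemon. Note that `openssl verify -CAfile ca.crt -purpose sslserver bare.crt` reports OK for the bare certificate: OpenSSL's purpose check only rejects a keyUsage that contradicts the purpose and accepts a certificate that has no keyUsage extension at all, so chain validation alone will not reproduce the "Certificate does not have key usage extension" line from the log; the extension has to be inspected explicitly, which is what the function above does.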