Does pfSense support any type of SSL VPN?
-
I'm interested in using IPSec or OpenVPN but one client location is behind a firewall that only allows a couple of ports (eg. 80, 443, etc).
I'm aware that I could use SSH (PuTTy) and port forwarding and that works well for certain things but not for CIFS/SMB file sharing, etc.
Does pfSense support any type of SSL VPN?
-
http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
–>VPN
pfSense offers three options for VPN connectivity, IPsec, OpenVPN, and PPTP.
So yes pfSense does support an SSL based VPN.
-
Hmm… are you referring to OpenVPN? The features list it as an "SSL VPN" so I suppose that works but it does require software to be installed and it works on several ports outside of 80 and 443. :(
-
OpenVPN is an SSL based VPN - exactly what you asked about. In your initial post you said nothing about not wanting to have to install client software.
If you want a browser based VPN then that's different, and not the question you asked ;) pfSense doesn't have any VPN solution that support browser based VPNs.
-
Also OpenVPN doesn't "use several ports outside of 80/443".
It uses exactly one port: the one you specify it should use.
If you configure the server to use 443 and the client to use a https-proxy you can even get through some of the most strict setups.
We use this here at work since we need access to our licence servers even when in a guest-subnet at a customer. -
Huh. I must have read the wrong information… thanks for letting me know!
One last question... can I run two different VPNs (ie. OpenVPN and IPSec) on pfSense at the same time?
(Also, if anybody knows of any good web-based VPN software please let me know; espicially if it will run on pfSense!)
-
One last question… can I run two different VPNs (ie. OpenVPN and IPSec) on pfSense at the same time?
Yes.
(Also, if anybody knows of any good web-based VPN software please let me know; espicially if it will run on pfSense!)
IMO, there is no good web-based VPN software. The one's I have used just used the browser to push a client on to the PC. I haven't used them all, but OpenVPN is better than any 'web-based' VPN I have tried.
-
Adito (SSL Explorer Fork) is the only web based VPN that we have used and found to be very useful.
If you search around, you can find a VM running Adito on OpenBSD
We use a combo of OpenVPN for full network access and Adito for "client less" web access to internal resources, Adito give the option of uploading extensions for different applications. (or you can write your own)
Few things:
- search the forum and you will that others have asked about SSL Explorer on PFSense. I think the main concern was running Java on the firewall.
- Not really sure what status Adito is in currently. As it is, i find it pretty darn stable, but since OpenVPN took it over, i don't think they are actively going to invest time in the software. This is a shame. Open VPN is great, but still needs a client install to run. (Technically Adito does also, but it is a light java client.) I am hoping OpenVPN realizes this and keeps the project going.
I am a long time user of SSL Explorer and Adito and still think it is one of the best solutions out there.
-
The OpenVPN version of Adito, OpenVPN ALS, is here: http://sourceforge.net/projects/openvpn-als/
As others mentioned, the main concern is running Java on the firewall and all of the server-side requirements therein. You might be able to run it on a box behind the firewall and forward some ports though.
Personally, I prefer to run the OpenVPN client and connect that way. If I don't trust a PC well enough to install the client, it has no business connecting to my VPN. :)
-
Thanks for all of the help everybody. I'll check OpenVPN ALS (Adito) but I'm just wondering… is there a way on the firewall rules to only allow my iPhone to connect even it's IP is constantly changing? (ie. 3G network)
I was hoping to use the MAC address but I've learned that it isn't passed across the internet...
-
No, there is no way to limit that to your phone, not unless your cell provider would give you a static IP, which is unlikely.
Most VPNs are left open to the world because they have increased authentication requirements (lengthy PSKs, PKI authentication, etc) and can't be brute forced by traditional means. PPTP and SSL VPNs are an exception to that rule, but that's all part of the classic security-vs-convenience tradeoff.