VPN for Windows
-
I must say i personally understand where your coming from! Unfortunately Pfsense does not yet offer anything cool and easy like ssl vpn say like from barracuda or sonic wall, but in sure it will come. A good cheap solution in my opinion is buy a billion box, small company, but do a good ssl solution with ad integration and gets users connected and securely in minutes.
-
There is no such thing as a clientless "SSL" VPN. The ones that claim that all use some sort of client, it's just run using Java or a similar browser plugin and gets kicked off via HTTPS. Unfortunately, there aren't any open source equivalents that are actually up-to-date (e.g. Adito/OpenVPN ALS). Those have their own ups and downs anyhow. If we are to ever support that sort of VPN, there would need to be an OSS solution that actually worked and wasn't 5+ years from its last update.
OpenVPN is really easy for most people, it really is just a few clicks for the client once the server is setup. People whinge a lot about it but it isn't a big deal once you actually use it.
There are threads around the forum for setting up IPsec native on Windows, but it's pretty ugly. Eventually we'll probably support L2TP+IPsec, not until 2.2 at the earliest.
Think of installing OpenVPN as you would think of installing Firefox or Chrome - most of us don't trust the built-in Microsoft software for a reason. :-)
-
I was hoping someone would produce something like RDP within AJAX, something like that. Someone has already done it, but i wonder if something like that could be for future suggestions.. Or remote apps in the form of AJAX
-
SoftEther VPN?
http://www.softether.orgRuns under FreeBSD, is open source, supports SSTP, claims to be faster than everything else.
Seems too good to be true. Probably is!ย ::)
Steve
-
I haven't heard of that one, but it does sound almost too good to be true. Seems it just turned open source in the last couple months.
-
http://www.softether.org/3-spec/Current_Limitations makes me wonder if it's even worth looking at until next year.
Also the license is a bit odd, sort of BSD-like but not quite(?) http://www.softether.org/4-docs/1-manual/1._SoftEther_VPN_Overview/1.3_SoftEther_VPN_is_Freeware
If it's half as good as it claims, it may be worth someone poking at making a package for it for SSTP and SSL modes. I doubt we'd want it handling IPsec, L2TP, or OpenVPN.
And, the big oneโฆ http://www.softether.org/5-download/src - you can't download the source yet. Maybe when that happens...
-
Can we publish that to the developers and get their opinions on it?
-
I am one of "the developers" โ until the source shows up, it's not an option. When the source shows up, if it's feasible, we'll look at it.
-
Ok excellent! Lets keep an eye on it! Always good talking to an expert! Hope your well.
-
Ah! I only looked at it briefly and didn't realise they haven't actually released and code yet. To be honest I then started Googling for any reviews of it since it looked too good to be true, found almost nothing and dismissed it.
Since there is no source code I'm trying to find what version of FreeBSD the package is compiled against but the only thing I can see is this:
Requirements: FreeBSD (32bit, 64bit) FreeBSD 5, 6, 7, 8, 9
Seems too imprecise.ย ::)
Steve
-
Ah! I only looked at it briefly and didn't realise they haven't actually released and code yet. To be honest I then started Googling for any reviews of it since it looked too good to be true, found almost nothing and dismissed it.
Since there is no source code I'm trying to find what version of FreeBSD the package is compiled against but the only thing I can see is this:
Requirements: FreeBSD (32bit, 64bit) FreeBSD 5, 6, 7, 8, 9
Seems too imprecise.ย ::)
Yeah, there is no chance we'd run a binary blob anyhow, I wouldn't want to do that even as a package. There is just no way to ensure it's secure. Even when the source appears, until someone else gives it a once-over, it's still not going to really be all that trustworthy, but at least it would be open to review.
For now though someone could toss the windows version on a local box, forward a few ports in, and have at it.
-
Does anyone want me to do any testing and report back?
-
I use Adito for users in environments who cannot install any VPN clients. I do not run Adito on pfSense, but on a Windows box behind pfSense.
Connection to Adito is done via a web browser over HTTPS. The somewhat painful part is that you'll need an SSL certificate. When users connects to Adito via the web browser, they log in into a Web GUI where they can start tunnels. The web browser then downloads a Java application (the "Adito Agent"), which is the VPN client. The Adito Agent communicates with the Adito server via HTTPS. Unlike your usual VPN client, the Adito Agent does not really provide LAN-like connectivity to the remote network. Instead, you access remote resources by connecting to Adito Agent (for example, a VNC tunnel which is configured to point to a VNC server at somehost.com:5800 will be used by entering 127.0.0.1:5800 as server address into the VNC client).
Adito appears to be bady maintained, if at all. It's written in Java. The only reason why I use it is that it works in restrictive environments where installation of applications is impossible and network traffic is layer 7 filtered to prevent anything useful going on (and only HTTPS traffic is unharmed).
-
Could we get something like this integrated into Pfsense?
http://www.cybelesoft.com/thinrdp/default.aspx/#tabs-4
-
Or even this which is open source!
http://guac-dev.org/
-
@craigduff - There is a "Packages Wishlist" thread for those kinds of suggestions.
If they actually work on FreeBSD, and someone wants to take the time to make a package out of one of them, it may show up.
-
Or even this which is open source!
http://guac-dev.org/You can install it (as I've made) on a Linux server behind pfSense and the result is the same..
-
Softether, to me seems like a fix for something thats not broken - openvpn.
That said, choices are nice.
As far as ease of use for the end user, if you ship a end user a exported openvpn config file that uses certs only and doesn't ever require a password and they are not smart enough to double click an executable and press a connect button, I'd suggest they aren't smart enough to use any vpn.
-
I am one of "the developers" โ until the source shows up, it's not an option. When the source shows up, if it's feasible, we'll look at it.
The source code seems to be available now:
http://www.softether.org/9-about/News/800-open-source -
I am one of "the developers" โ until the source shows up, it's not an option. When the source shows up, if it's feasible, we'll look at it.
The source code seems to be available now:
http://www.softether.org/9-about/News/800-open-sourcePlease, pleaseย ::) Add this nice vpn to pfsense 2.2 !
