"One-Click Install"



  • Hello !

    I always worked on PPTP & IPSEC VPN… But today, i received the following mission :

    "Anywhere, a packaged secured vpn config that can be installed in 1 click...."

    And, after a few words, openvpn was announced as a requested solution...

    Well, i read many posts on this forum, tried openvpn howto quoted, etc...

    I preferred post here in order ton obtain advices...

    And i have some doubts :

    • A guy that copies openvpn config (ca.crt, client.crt, client.key, config.ovpn) to another computer, can directly connect to vpn (i hope no...) ???

    • A setup w/ a packaged config easy to deploy : achievable ?

    • I heard about Zerina on IPCOP : really best than pfSense, regarding to OpenVPN ?

    • In case of a packaged config, setup easily, is it possible to use openvpn w/ firewall rules, as default gateway (example : once openvpn setup as service on the computer, once user is logged, all the traffic goes through openvpn with traffic filtered...) ? And how to protect it from the user disabling it (we suppose that this one wanted to stop vpn, in order to have traffic unfiltered) ?

    • I thought about a setup packaged like this :

    openvpn gui
    openvpn config files
    batch that copies config files to right folders + setup openvpn as automatic service

    Do you think that is the right way to setup ?

    • Is it possible to user DHCP and Static clients in OpenVPN pfSense, at the same time ?

    • Should i use sthg else than OpenVPN, for this setup ?

    Thank you for your answers,

    Sincerely,

    XZed



  • yellow,

    you still need a to tell the OpenVPN server the correct password after connecting using the .crt and keys.

    I'v seen a professional called Astro or something similar that actually used parts of openVPN (if not all) that was a 1 click install all it needed was a config file and a it was very easy to install.

    I don't know about Zerina, but if your asking if its better than pfSense (at handling / for) OpenVPN you might get a slightly biased answer asking here ;)

    I remember reading about a setting that made all traffic go through Openvpn on the client that it was using but it needed to be set on both the server and the client but i don't know if this can be bypassed. (found it) http://forum.pfsense.org/index.php/topic,6056.0.html



  • @johii:

    yellow,

    you still need a to tell the OpenVPN server the correct password after connecting using the .crt and keys.

    Oh, ok…i really didn't remember this condition...so it isn't really possible to schedule vpn connection w/o user interaction  :-[ … yeah, i understand... have to choose between easiness and security lol  :-\

    [quote]I'v seen a professional called Astro or something similar that actually used parts of openVPN (if not all) that was a 1 click install all it needed was a config file and a it was very easy to install.
    Perhaps, are you talkin' about ? : http://www.astaro.com/our_products/astaro_security_gateway/hardware_appliances/astaro_vpn_clients
    If it isn't your main thought and if you remember what it was, please post it, thank you  ;D

    I don't know about Zerina, but if your asking if its better than pfSense (at handling / for) OpenVPN you might get a slightly biased answer asking here ;)

    Of course, i understand your answer  ;D… But if i ask it here, it's because i think than present people are "adult enough" to discuss about it seriously...

    I remember reading about a setting that made all traffic go through Openvpn on the client that it was using but it needed to be set on both the server and the client but i don't know if this can be bypassed. (found it) http://forum.pfsense.org/index.php/topic,6056.0.html

    Oh, it seems really nice  ;D ! Thank you very much !

    If anyone else have an idea, i'm ready to read your posts  ;D

    Thank you again for answering,

    Sincerely,

    XZed



  • Sorry to persist again but i managed to connect to openvpn pfsense w/ certs w/o password (following various howto)…

    But i want to know concretely :

    How secure is OpenVPN ?

    Sorry again, i'm really afraid about 2/3 files staying on a computer and that just a simple copy/paste is necessary to connect from another computer...

    If i had misunderstood the openvpn functioning, thanks to explain me  ;D...

    And if i had really spotted the disavantadge, can someone explain me how to secure it ?

    I read about a TLS-Key, but hadn't tried it...

    Thanks for answering.

    Sincerely,

    XZed



  • Perhaps, are you talking' about ? : http://www.astaro.com/our_products/astaro_security_gateway/hardware_appliances/astaro_vpn_clients
    If it isn't your main thought and if you remember what it was, please post it, thank you  Grin

    YES ! thats the one but the client IS a openvpn client that they have put a pretty picture on and changed a few names i don't know about the embedded hardware software but my suspicion is that's its borrowed from BSD and openVPN aswell.

    Oh, ok…i really didn't remember this condition...so it isn't really possible to schedule vpn connection w/o user interaction  Embarrassed ... yeah, i understand... have to choose between easiness and security lol  Undecided

    No you can, I'm not sure if your meant to :P but my VPN client even tho its not working completely atm. was connecting with anyone typing in the password but after i changed it back and forth you needed to type it in.
    I got this comment in my log file

    WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this

    but even if your certificates are compromised/stolen you need the login password, and you can always disable individual accounts/client, this would be good enough for pretty much anything apart from pentagon. who would need a laser cut iris-scanning crystal for authorisation.



  • @johii:

    YES ! thats the one but the client IS a openvpn client that they have put a pretty picture on and changed a few names i don't know about the embedded hardware software but my suspicion is that's its borrowed from BSD and openVPN aswell.

    Yeah, as many commercial products : a "sexy interface" (dixit one of my customers) to attract customers…but inside it : classic tools  ;D

    No you can, I'm not sure if your meant to :P but my VPN client even tho its not working completely atm. was connecting with anyone typing in the password but after i changed it back and forth you needed to type it in.
    I got this comment in my log file
    WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this

    I really need to setup the whole thing from scratch again to study this…

    but even if your certificates are compromised/stolen you need the login password, and you can always disable individual accounts/client, this would be good enough for pretty much anything apart from pentagon. who would need a laser cut iris-scanning crystal for authorisation.

    Lolololol  ;D ! I can't pretend to such a security level  ;D ! I think the real thing in this story is what you said : "even compromised, you need the login password'… I'll setup from scratch the whole thing cause it seems you're talking about a first login password that can be cached but, in the case of theft, it'll be required again...

    I really thank you for your answers and will study the whole thing again and tell you then the results...

    Sincerely,

    XZed



  • Hello !

    I've been testing various OpenVPN installations…

    I've tested pfSense+easyrsa4pfsense, OpenVPN Admin Webmin Module, looked at IPCOP+Zerina, and read a lot of openvpn documentations  :)...

    Any of these really convinced me (easyrsa4pfsense misses the revocation tool, webmin module is too "cheap", etc...).

    So, i think i'm going to finally opt for manual setups...

    But i've 2/3 doubts :

    I need 2 or 3 virtual ip ranges for my openvpn subnet (roadwarrior users and external but not mobile users)...

    In order to simplify we can take the example quoted in the previous link.

    Let's say : 10.8.0.0/24 for roadwarriors users and 10.8.1.0/24 for external users.

    For roadwarriors, i want dhcp leasing and for externals users i wanna static ips (via "Client-Config-Dir" option, in OpenVPN).

    For this setup type, do i need to run 2 instances of the openvpn server, i mean 2 servers listening on 2 different ports ?

    Or, is it possible to setup it like this :

    Put "server 10.8.0.0/23" in server conf, and then :

    Configure static ips in the 10.8.1.0 range, supposing that, for the mobile users, the openvpn server will lease dhcp adresses in the 10.8.0.0 range (because i suppose the server leases it in the order, beginning at 10.8.0.0)...

    What do u think about it  :) ?

    And, last question :

    In pfSense, i had to enable Advanced Outbound Nat (AON), in order to nat the openvpn subnet to WAN : i think it's specific to pfsense, and that i'm not going to have this issue in a manual OpenVPN setup, isn't it ?

    Thank you very much for your answers  ;D

    Sincerely,

    XZed



  • Thank you for all your answers !

    I finally opted for manually setting up OpenVPN in a fresh Debian install  ;D !

    It works like a charm  :) !


Log in to reply