Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    VPN for Windows

    General pfSense Questions
    14
    31
    12215
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • U
      unsichtbarre last edited by

      I am posting this in general because it is not specific to one type of VPN.

      My question is, since we all know PPTP is dead: what type of VPN can be configured with pfSense that is relatively easy for Windows users to connect to?

      The advantage to PPTP, while insecure, it is natively supported by Windows.

      1 Reply Last reply Reply Quote 0
      • S
        srk3461 last edited by

        Try OpenVpn, It's really easy to configure and works well with windows too.

        Watch this video for the step up-> http://www.youtube.com/watch?v=VdAHVSTl1ys

        1 Reply Last reply Reply Quote 0
        • U
          unsichtbarre last edited by

          Easy for the types of people who spend their time reading and answering posts on pfSense forum, and easy enough for the average Windows user are, unfortunately, two entirely different concepts.

          I have a requirement to provide guest users (Windows users) a simple set of instructioms to connect via VPN for training purposes. Security is less important than connectivity, but most important of all is simplicity!

          The acceptable level of complexity is defined by hundreds of 'how to' articles like this one: http://www.pcworld.com/article/210562/how_set_up_vpn_in_windows_7.html. Any greater complexity and users will simply move on.

          My only current problem with PPTP (aside from less than desirabe security) is the inability to specify what interface or IP PPTP is configured for.

          While the PPTP board is full of posts admonishing users to move on, we need something to replace it.

          Thanks for your consideration.

          1 Reply Last reply Reply Quote 0
          • S
            srk3461 last edited by

            Ok I get it, I don't know what complexity is their while installing an open-vpn client (any normal user who can hit "next" a couple of times and "finish" is good to go). To make it easier, PfSense also exports a open-vpn installer with cert's.

            I don't know anything more user friendly than that.  :)

            1 Reply Last reply Reply Quote 0
            • U
              unsichtbarre last edited by

              so when the remote user wants to acquire the client and cert, what is the process? The youtube vid you suggested earlier covers only the pfSense setjp.

              1 Reply Last reply Reply Quote 0
              • S
                srk3461 last edited by

                Did you watch the full video without skipping it!? ;) Do spare a 5 min and watch it fully.
                He also covers the export utility for windows and one of the basic error people make when configuring the open-vpn and connects to the open-vpn.

                The only thing you need to do for your guest users is to had/send them the Open-Vpn client Installer you exported with pfsense along with "username", "password".

                1 Reply Last reply Reply Quote 0
                • stephenw10
                  stephenw10 Netgate Administrator last edited by

                  Can you not use IPSec? I thought that was built into Windows these days.
                  Since I've never had to use it though I could be wrong.  ::)

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • C
                    craigduff last edited by

                    I must say i personally understand where your coming from! Unfortunately Pfsense does not yet offer anything cool and easy like ssl vpn say like from barracuda or sonic wall, but in sure it will come. A good cheap solution in my opinion is buy a billion box, small company, but do a good ssl solution with ad integration and gets users connected and securely in minutes.

                    Kind Regards,
                    Craig

                    1 Reply Last reply Reply Quote 0
                    • jimp
                      jimp Rebel Alliance Developer Netgate last edited by

                      There is no such thing as a clientless "SSL" VPN. The ones that claim that all use some sort of client, it's just run using Java or a similar browser plugin and gets kicked off via HTTPS. Unfortunately, there aren't any open source equivalents that are actually up-to-date (e.g. Adito/OpenVPN ALS). Those have their own ups and downs anyhow. If we are to ever support that sort of VPN, there would need to be an OSS solution that actually worked and wasn't 5+ years from its last update.

                      OpenVPN is really easy for most people, it really is just a few clicks for the client once the server is setup. People whinge a lot about it but it isn't a big deal once you actually use it.

                      There are threads around the forum for setting up IPsec native on Windows, but it's pretty ugly. Eventually we'll probably support L2TP+IPsec, not until 2.2 at the earliest.

                      Think of installing OpenVPN as you would think of installing Firefox or Chrome - most of us don't trust the built-in Microsoft software for a reason. :-)

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • C
                        craigduff last edited by

                        I was hoping someone would produce something like RDP within AJAX, something like that. Someone has already done it, but i wonder if something like that could be for future suggestions.. Or remote apps in the form of AJAX

                        Kind Regards,
                        Craig

                        1 Reply Last reply Reply Quote 0
                        • stephenw10
                          stephenw10 Netgate Administrator last edited by

                          SoftEther VPN?
                          http://www.softether.org

                          Runs under FreeBSD, is open source, supports SSTP, claims to be faster than everything else.

                          Seems too good to be true. Probably is!  ::)

                          Steve

                          1 Reply Last reply Reply Quote 0
                          • jimp
                            jimp Rebel Alliance Developer Netgate last edited by

                            I haven't heard of that one, but it does sound almost too good to be true. Seems it just turned open source in the last couple months.

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            1 Reply Last reply Reply Quote 0
                            • jimp
                              jimp Rebel Alliance Developer Netgate last edited by

                              http://www.softether.org/3-spec/Current_Limitations makes me wonder if it's even worth looking at until next year.

                              Also the license is a bit odd, sort of BSD-like but not quite(?) http://www.softether.org/4-docs/1-manual/1._SoftEther_VPN_Overview/1.3_SoftEther_VPN_is_Freeware

                              If it's half as good as it claims, it may be worth someone poking at making a package for it for SSTP and SSL modes. I doubt we'd want it handling IPsec, L2TP, or OpenVPN.

                              And, the big one… http://www.softether.org/5-download/src - you can't download the source yet. Maybe when that happens...

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • C
                                craigduff last edited by

                                Can we publish that to the developers and get their opinions on it?

                                Kind Regards,
                                Craig

                                1 Reply Last reply Reply Quote 0
                                • jimp
                                  jimp Rebel Alliance Developer Netgate last edited by

                                  I am one of "the developers" – until the source shows up, it's not an option. When the source shows up, if it's feasible, we'll look at it.

                                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                  Need help fast? Netgate Global Support!

                                  Do not Chat/PM for help!

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    craigduff last edited by

                                    Ok excellent! Lets keep an eye on it! Always good talking to an expert! Hope your well.

                                    Kind Regards,
                                    Craig

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10
                                      stephenw10 Netgate Administrator last edited by

                                      Ah! I only looked at it briefly and didn't realise they haven't actually released and code yet. To be honest I then started Googling for any reviews of it since it looked too good to be true, found almost nothing and dismissed it.

                                      Since there is no source code I'm trying to find what version of FreeBSD the package is compiled against but the only thing I can see is this:

                                      Requirements: FreeBSD (32bit, 64bit) FreeBSD 5, 6, 7, 8, 9

                                      Seems too imprecise.  ::)

                                      Steve

                                      1 Reply Last reply Reply Quote 0
                                      • jimp
                                        jimp Rebel Alliance Developer Netgate last edited by

                                        @stephenw10:

                                        Ah! I only looked at it briefly and didn't realise they haven't actually released and code yet. To be honest I then started Googling for any reviews of it since it looked too good to be true, found almost nothing and dismissed it.

                                        Since there is no source code I'm trying to find what version of FreeBSD the package is compiled against but the only thing I can see is this:

                                        Requirements: FreeBSD (32bit, 64bit) FreeBSD 5, 6, 7, 8, 9

                                        Seems too imprecise.  ::)

                                        Yeah, there is no chance we'd run a binary blob anyhow, I wouldn't want to do that even as a package. There is just no way to ensure it's secure. Even when the source appears, until someone else gives it a once-over, it's still not going to really be all that trustworthy, but at least it would be open to review.

                                        For now though someone could toss the windows version on a local box, forward a few ports in, and have at it.

                                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                        Need help fast? Netgate Global Support!

                                        Do not Chat/PM for help!

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          craigduff last edited by

                                          Does anyone want me to do any testing and report back?

                                          Kind Regards,
                                          Craig

                                          1 Reply Last reply Reply Quote 0
                                          • K
                                            Klaws last edited by

                                            I use Adito for users in environments who cannot install any VPN clients. I do not run Adito on pfSense, but on a Windows box behind pfSense.

                                            Connection to Adito is done via a web browser over HTTPS. The somewhat painful part is that you'll need an SSL certificate. When users connects to Adito via the web browser, they log in into a Web GUI where they can start tunnels. The web browser then downloads a Java application (the "Adito Agent"), which is the VPN client. The Adito Agent communicates with the Adito server via HTTPS. Unlike your usual VPN client, the Adito Agent does not really provide LAN-like connectivity to the remote network. Instead, you access remote resources by connecting to Adito Agent (for example, a VNC tunnel which is configured to point to a VNC server at somehost.com:5800 will be used by entering 127.0.0.1:5800 as server address into the VNC client).

                                            Adito appears to be bady maintained, if at all. It's written in Java. The only reason why I use it is that it works in restrictive environments where installation of applications is impossible and network traffic is layer 7 filtered to prevent anything useful going on (and only HTTPS traffic is unharmed).

                                            1 Reply Last reply Reply Quote 0
                                            • C
                                              craigduff last edited by

                                              Could we get something like this integrated into Pfsense?

                                              http://www.cybelesoft.com/thinrdp/default.aspx/#tabs-4

                                              Kind Regards,
                                              Craig

                                              1 Reply Last reply Reply Quote 0
                                              • C
                                                craigduff last edited by

                                                Or even this which is open source!

                                                http://guac-dev.org/

                                                Kind Regards,
                                                Craig

                                                1 Reply Last reply Reply Quote 0
                                                • jimp
                                                  jimp Rebel Alliance Developer Netgate last edited by

                                                  @craigduff - There is a "Packages Wishlist" thread for those kinds of suggestions.

                                                  If they actually work on FreeBSD, and someone wants to take the time to make a package out of one of them, it may show up.

                                                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                  Need help fast? Netgate Global Support!

                                                  Do not Chat/PM for help!

                                                  1 Reply Last reply Reply Quote 0
                                                  • G
                                                    Gabri.91 last edited by

                                                    @craigduff:

                                                    Or even this which is open source!
                                                    http://guac-dev.org/

                                                    You can install it (as I've made) on a Linux server behind pfSense and the result is the same..

                                                    1 Reply Last reply Reply Quote 0
                                                    • K
                                                      kejianshi last edited by

                                                      Softether, to me seems like a fix for something thats not broken - openvpn.

                                                      That said, choices are nice.

                                                      As far as ease of use for the end user, if you ship a end user a exported openvpn config file that uses certs only and doesn't ever require a password and they are not smart enough to double click an executable and press a connect button, I'd suggest they aren't smart enough to use any vpn.

                                                      1 Reply Last reply Reply Quote 0
                                                      • A
                                                        athurdent last edited by

                                                        @jimp:

                                                        I am one of "the developers" – until the source shows up, it's not an option. When the source shows up, if it's feasible, we'll look at it.

                                                        The source code seems to be available now:
                                                        http://www.softether.org/9-about/News/800-open-source

                                                        1 Reply Last reply Reply Quote 0
                                                        • werter
                                                          werter last edited by

                                                          @athurdent:

                                                          @jimp:

                                                          I am one of "the developers" – until the source shows up, it's not an option. When the source shows up, if it's feasible, we'll look at it.

                                                          The source code seems to be available now:
                                                          http://www.softether.org/9-about/News/800-open-source

                                                          Please, please  ::) Add this nice vpn to pfsense 2.2 !

                                                          1 Reply Last reply Reply Quote 0
                                                          • A
                                                            adam65535 last edited by

                                                            That is an interesting solution assuming the code can be trusted (has it been thoroughly looked at yet for security issues after going open source for example).

                                                            One of the things that held me up using OpenVPN for users (I still use it for admins) is that openvpngui must be run as administrator or the routes needed do not get created when a user authenticates to start the tunnel.  I am waiting for the day that openvpn creates a Windows service in the official installer to handle that for the user to get around that restriction.  Yes you can get around it by making the tunnels not require authentication during startup and have the tunnels start up automatically but I do not like that idea from a security standpoint (which is the whole idea of the solution to begin with).

                                                            1 Reply Last reply Reply Quote 0
                                                            • H
                                                              hmh last edited by

                                                              Hi!
                                                              SoftEther is in freebsd ports
                                                              https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188437

                                                              Maybe it's time to look on SoftEther as part of pfSense?

                                                              1 Reply Last reply Reply Quote 0
                                                              • K
                                                                KeyJey last edited by

                                                                I've been using Softether for many years and never had any issues. Would be very nice to add this software to pfsense ;)

                                                                1 Reply Last reply Reply Quote 0
                                                                • J
                                                                  jakecrew Banned last edited by

                                                                  This post is deleted!
                                                                  1 Reply Last reply Reply Quote 0
                                                                  • First post
                                                                    Last post