VPN for Windows



  • I am posting this in general because it is not specific to one type of VPN.

    My question is, since we all know PPTP is dead: what type of VPN can be configured with pfSense that is relatively easy for Windows users to connect to?

    The advantage to PPTP, while insecure, it is natively supported by Windows.



  • Try OpenVpn, It's really easy to configure and works well with windows too.

    Watch this video for the step up-> http://www.youtube.com/watch?v=VdAHVSTl1ys



  • Easy for the types of people who spend their time reading and answering posts on pfSense forum, and easy enough for the average Windows user are, unfortunately, two entirely different concepts.

    I have a requirement to provide guest users (Windows users) a simple set of instructioms to connect via VPN for training purposes. Security is less important than connectivity, but most important of all is simplicity!

    The acceptable level of complexity is defined by hundreds of 'how to' articles like this one: http://www.pcworld.com/article/210562/how_set_up_vpn_in_windows_7.html. Any greater complexity and users will simply move on.

    My only current problem with PPTP (aside from less than desirabe security) is the inability to specify what interface or IP PPTP is configured for.

    While the PPTP board is full of posts admonishing users to move on, we need something to replace it.

    Thanks for your consideration.



  • Ok I get it, I don't know what complexity is their while installing an open-vpn client (any normal user who can hit "next" a couple of times and "finish" is good to go). To make it easier, PfSense also exports a open-vpn installer with cert's.

    I don't know anything more user friendly than that.  :)



  • so when the remote user wants to acquire the client and cert, what is the process? The youtube vid you suggested earlier covers only the pfSense setjp.



  • Did you watch the full video without skipping it!? ;) Do spare a 5 min and watch it fully.
    He also covers the export utility for windows and one of the basic error people make when configuring the open-vpn and connects to the open-vpn.

    The only thing you need to do for your guest users is to had/send them the Open-Vpn client Installer you exported with pfsense along with "username", "password".


  • Netgate Administrator

    Can you not use IPSec? I thought that was built into Windows these days.
    Since I've never had to use it though I could be wrong.  ::)

    Steve



  • I must say i personally understand where your coming from! Unfortunately Pfsense does not yet offer anything cool and easy like ssl vpn say like from barracuda or sonic wall, but in sure it will come. A good cheap solution in my opinion is buy a billion box, small company, but do a good ssl solution with ad integration and gets users connected and securely in minutes.


  • Rebel Alliance Developer Netgate

    There is no such thing as a clientless "SSL" VPN. The ones that claim that all use some sort of client, it's just run using Java or a similar browser plugin and gets kicked off via HTTPS. Unfortunately, there aren't any open source equivalents that are actually up-to-date (e.g. Adito/OpenVPN ALS). Those have their own ups and downs anyhow. If we are to ever support that sort of VPN, there would need to be an OSS solution that actually worked and wasn't 5+ years from its last update.

    OpenVPN is really easy for most people, it really is just a few clicks for the client once the server is setup. People whinge a lot about it but it isn't a big deal once you actually use it.

    There are threads around the forum for setting up IPsec native on Windows, but it's pretty ugly. Eventually we'll probably support L2TP+IPsec, not until 2.2 at the earliest.

    Think of installing OpenVPN as you would think of installing Firefox or Chrome - most of us don't trust the built-in Microsoft software for a reason. :-)



  • I was hoping someone would produce something like RDP within AJAX, something like that. Someone has already done it, but i wonder if something like that could be for future suggestions.. Or remote apps in the form of AJAX


  • Netgate Administrator

    SoftEther VPN?
    http://www.softether.org

    Runs under FreeBSD, is open source, supports SSTP, claims to be faster than everything else.

    Seems too good to be true. Probably is!  ::)

    Steve


  • Rebel Alliance Developer Netgate

    I haven't heard of that one, but it does sound almost too good to be true. Seems it just turned open source in the last couple months.


  • Rebel Alliance Developer Netgate

    http://www.softether.org/3-spec/Current_Limitations makes me wonder if it's even worth looking at until next year.

    Also the license is a bit odd, sort of BSD-like but not quite(?) http://www.softether.org/4-docs/1-manual/1._SoftEther_VPN_Overview/1.3_SoftEther_VPN_is_Freeware

    If it's half as good as it claims, it may be worth someone poking at making a package for it for SSTP and SSL modes. I doubt we'd want it handling IPsec, L2TP, or OpenVPN.

    And, the big one… http://www.softether.org/5-download/src - you can't download the source yet. Maybe when that happens...



  • Can we publish that to the developers and get their opinions on it?


  • Rebel Alliance Developer Netgate

    I am one of "the developers" – until the source shows up, it's not an option. When the source shows up, if it's feasible, we'll look at it.



  • Ok excellent! Lets keep an eye on it! Always good talking to an expert! Hope your well.


  • Netgate Administrator

    Ah! I only looked at it briefly and didn't realise they haven't actually released and code yet. To be honest I then started Googling for any reviews of it since it looked too good to be true, found almost nothing and dismissed it.

    Since there is no source code I'm trying to find what version of FreeBSD the package is compiled against but the only thing I can see is this:

    Requirements: FreeBSD (32bit, 64bit) FreeBSD 5, 6, 7, 8, 9

    Seems too imprecise.  ::)

    Steve


  • Rebel Alliance Developer Netgate

    @stephenw10:

    Ah! I only looked at it briefly and didn't realise they haven't actually released and code yet. To be honest I then started Googling for any reviews of it since it looked too good to be true, found almost nothing and dismissed it.

    Since there is no source code I'm trying to find what version of FreeBSD the package is compiled against but the only thing I can see is this:

    Requirements: FreeBSD (32bit, 64bit) FreeBSD 5, 6, 7, 8, 9

    Seems too imprecise.  ::)

    Yeah, there is no chance we'd run a binary blob anyhow, I wouldn't want to do that even as a package. There is just no way to ensure it's secure. Even when the source appears, until someone else gives it a once-over, it's still not going to really be all that trustworthy, but at least it would be open to review.

    For now though someone could toss the windows version on a local box, forward a few ports in, and have at it.



  • Does anyone want me to do any testing and report back?



  • I use Adito for users in environments who cannot install any VPN clients. I do not run Adito on pfSense, but on a Windows box behind pfSense.

    Connection to Adito is done via a web browser over HTTPS. The somewhat painful part is that you'll need an SSL certificate. When users connects to Adito via the web browser, they log in into a Web GUI where they can start tunnels. The web browser then downloads a Java application (the "Adito Agent"), which is the VPN client. The Adito Agent communicates with the Adito server via HTTPS. Unlike your usual VPN client, the Adito Agent does not really provide LAN-like connectivity to the remote network. Instead, you access remote resources by connecting to Adito Agent (for example, a VNC tunnel which is configured to point to a VNC server at somehost.com:5800 will be used by entering 127.0.0.1:5800 as server address into the VNC client).

    Adito appears to be bady maintained, if at all. It's written in Java. The only reason why I use it is that it works in restrictive environments where installation of applications is impossible and network traffic is layer 7 filtered to prevent anything useful going on (and only HTTPS traffic is unharmed).



  • Could we get something like this integrated into Pfsense?

    http://www.cybelesoft.com/thinrdp/default.aspx/#tabs-4



  • Or even this which is open source!

    http://guac-dev.org/


  • Rebel Alliance Developer Netgate

    @craigduff - There is a "Packages Wishlist" thread for those kinds of suggestions.

    If they actually work on FreeBSD, and someone wants to take the time to make a package out of one of them, it may show up.



  • @craigduff:

    Or even this which is open source!
    http://guac-dev.org/

    You can install it (as I've made) on a Linux server behind pfSense and the result is the same..



  • Softether, to me seems like a fix for something thats not broken - openvpn.

    That said, choices are nice.

    As far as ease of use for the end user, if you ship a end user a exported openvpn config file that uses certs only and doesn't ever require a password and they are not smart enough to double click an executable and press a connect button, I'd suggest they aren't smart enough to use any vpn.



  • @jimp:

    I am one of "the developers" – until the source shows up, it's not an option. When the source shows up, if it's feasible, we'll look at it.

    The source code seems to be available now:
    http://www.softether.org/9-about/News/800-open-source



  • @athurdent:

    @jimp:

    I am one of "the developers" – until the source shows up, it's not an option. When the source shows up, if it's feasible, we'll look at it.

    The source code seems to be available now:
    http://www.softether.org/9-about/News/800-open-source

    Please, please  ::) Add this nice vpn to pfsense 2.2 !



  • That is an interesting solution assuming the code can be trusted (has it been thoroughly looked at yet for security issues after going open source for example).

    One of the things that held me up using OpenVPN for users (I still use it for admins) is that openvpngui must be run as administrator or the routes needed do not get created when a user authenticates to start the tunnel.  I am waiting for the day that openvpn creates a Windows service in the official installer to handle that for the user to get around that restriction.  Yes you can get around it by making the tunnels not require authentication during startup and have the tunnels start up automatically but I do not like that idea from a security standpoint (which is the whole idea of the solution to begin with).



  • Hi!
    SoftEther is in freebsd ports
    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188437

    Maybe it's time to look on SoftEther as part of pfSense?



  • I've been using Softether for many years and never had any issues. Would be very nice to add this software to pfsense ;)