IPsec VPN for non-technical Windows users



  • Hi, folks. Apologies if this is an oft-repeated question, but I'm looking for a replacement for our current PPTP VPN setup (an old Watchguard), and the best (perhaps only) thing on that is the "client-less" VPN. That means users can pretty much get connected without any downloads or help - they just need the URL and credentials.

    I've seen tutorials for pfSense IPsec setups, but they all seem to required installing a VPN client, and then changing a LOT of the options in it - that's not something easily sold to users, who might have to do all this themselves remotely.

    How easy is it to get pfSense IPsec setup in such a way that the Windows VPN connections "just work" with the default settings?

    thanks,


  • Banned

    Site-to-site IPsec does not require anything installed on the clients. If you are talking about roadwarrior clients, frankly - stick with OpenVPN.



  • That's going to be a harder sell to the business. Seems like a step backwards really, if we can't use the VPN client built into every user's laptop already.


  • Banned

    Feel free to complain to MS. Native != easy/good/user friendly. On that note L2TP/IPsec is not implemented anyway, so you'd need a third-party client regardless. With OVPN client export package, the whole "effort" is limited to clicking Next a couple of times.


  • Rebel Alliance Developer Netgate

    Why is it that people will load a ton of random software on their PCs, but insist on a "native" VPN client?

    I don't trust Windows' built-in native VPNs any more than I trust Internet Explorer to surf the web.

    People use FF and Chrome as second nature now, so too must you use an alternate VPN client.



  • Under no circumstances would Microsoft accidentally or purposely undermine your privacy.  You can trust them.  Just ask them  ;)



  • We don't load a bunch of crap on our corporate laptops, and I have to support real users that have no idea what they're doing. It's an unfortunate truth of dealing with non-technical staff that have to occasionally connect from home. I "insist on a native VPN client" support because the most widely used client OS has one (I assume the others too), and seems not totally ridiculous to think maybe it's in some people's interest to support it.

    Built-in VPN has worked for years for us with PPTP, so it seemed a reasonable question to ask.

    I'll look at the OVPN again, if that's what it takes.

    The whole "zomg M$$ can't be trusted" thing is getting a bit old now too.



  • @doktornotor:

    stick with OpenVPN.

    Any particular reason to prefer OpenVPN over the Shrew Soft one?


  • Banned

    Bunch of crap, oh yeah… such as Cisco VPN Client. Oh, why don't they use the totally trustworthy, wonderful and absolutely best M$ native client? Absolutely cannot be that it sucks, no?

    And on that note, the PPTP has had excellent results, no? No damn waste of time required with implementing backdoors, everyone can get the data without any effort!  :P

    Seems like you took the wrong-colored pill last time.

    @Cylindric:

    Any particular reason to prefer OpenVPN over the Shrew Soft one?

    Yeah. That any particular reason is that it works. No matter what, no matter whether you are behind NAT or not, and without wasting days of time with tweaking the "oh so wonderful" native MS stuff.


  • Rebel Alliance Developer Netgate

    The OpenVPNManager GUI (checkbox option in the client export) installs OpenVPN as a service and is simpler for the user to use. It doesn't support multiple profiles, though.

    And M$ can't be trusted, because they can't be trusted. It's old, but it's true. Just because the horse is dead doesn't mean it doesn't need an occasional beating if nobody is cleaning up the mess.

    PPTP may have worked for years, but it can be decrypted 100% of the time by a third party. It was never secure, who knows how long that flaw was known before it was published.

    There are OpenVPN clients for every major OS – Windows, OS X, BSD, Linux, Android, iOS, and so on. There really isn't any reason not to use it these days.



  • There are only two good reasons to run the VPNs built into Microsoft vs. Openvpn.

    1.  So much legacy infrastructure and legacy clients thats all you can support reliable/universally.  Not often the case.
    2.  The Admin is a moron.  Happens alot.

    Openvpn just works…   If it doesn't work, its usually because there is no internet.

    The other VPN techs range from bad to good but all are less reliable than openvpn across a variety of network conditions / NAT.


  • Rebel Alliance Developer Netgate

    @Cylindric:

    @doktornotor:

    stick with OpenVPN.

    Any particular reason to prefer OpenVPN over the Shrew Soft one?

    The Shrew Soft client is even more difficult to work with than OpenVPN in most ways. With OpenVPN you can export a client configuration right from pfSense and be running in a couple minutes. With Shrew Soft it's all manual config (you can save it and import it to other clients later, but still a lot of manual work).



  • OpenVPN sounds like just the ticket then. Thanks for all the info folks, even if some of it seems to presented in a somewhat aggressive manner. Not sure if I have taken the wrong pill in the past, but a few chill-pills wouldn't go amiss today, that's for sure.


  • Banned

    @jimp:

    The Shrew Soft client is even more difficult to work with than OpenVPN in most ways. With OpenVPN you can export a client configuration right from pfSense and be running in a couple minutes. With Shrew Soft it's all manual config (you can save it and import it to other clients later, but still a lot of manual work).

    Yeah, I just wasted a day with configuring that thing… It works. Between exactly defined sites A and B. Explicitely said in the contract that there is absolutely no guarantee it's gonna work elsewhere, not that it will work once they've reconfigured their routers, DNS, CAs or anything else in any way.


  • Rebel Alliance Developer Netgate

    @doktornotor:

    @jimp:

    The Shrew Soft client is even more difficult to work with than OpenVPN in most ways. With OpenVPN you can export a client configuration right from pfSense and be running in a couple minutes. With Shrew Soft it's all manual config (you can save it and import it to other clients later, but still a lot of manual work).

    Yeah, I just wasted a day with configuring that thing… It works. Between exactly defined sites A and B. Explicitely said in the contract that there is absolutely no guarantee it's gonna work elsewhere, not that it will work once they've reconfigured their routers, DNS, CAs or anything else in any way.

    Using Shrew Soft is better these days now that we do support pushing settings to IPsec using mod cfg. It's not quite that dire in most cases now. It used to be absolutely horrible to use (not Shrew Soft's fault at the time, but our lack of auto support). Now with the right settings on both ends it's tolerable, but still quite a ways behind OpenVPN in practically every way.



  • @kejianshi:

    There are only two good reasons to run the VPNs built into Microsoft vs. Openvpn.
    1.  So much legacy infrastructure and legacy clients thats all you can support reliable/universally.  Not often the case.
    2.  The Admin is a moron.  Happens alot.

    To play devil's advocate wrt "native" MS VPN, what about using GPO to provision VPN client settings ?


  • Banned

    Already been said there's no support for L2TP/IPsec in pfSense. Nothing to push, will not work.



  • To summarize:

    pfSense supports IPsec IKEv1 using the standard "ipsec-tools" package (also used by most Linux distros)

    Windows prior to 7 wants L2TP/IPsec, not plain IPsec IKEv1. That does not work with pfSense.
    Windows 7 and later actually has native IPsec but uses IKEv2 (not IKEv1). Which again does not work with pfSense.

    PPTP is considered deprecated, but anyway pf lacks a PPTP-proxy.



  • GPO wouldn't make anything rolled into microsoft more reliable (or even as reliable) than openvpn.  Just easier.



  • Okay, that all seemed easy enough to get set up - my client is connected. Am I correct in thinking that the rule created by the OpenVPN wizard (looks like a * * * * * * allow-all rule) should mean that anyone connecting via the VPN has access to everything?


  • Rebel Alliance Developer Netgate

    Yes that's correct. You can tighten that up as needed of course.



  • Brilliant. I can't actually ping or reach anything at the moment, but I've not read any of the docs yet, so I'll go and check up on some of the OpenVPN-related stuff.

    Thanks, all.

    M


  • Rebel Alliance Developer Netgate

    The client needs to run as Administrator (unless you're using the openvpnmanager gui running it as a service) or it can't add routes.

    To make sure you're actually pushing routes to the client, ensure you have the "local network" box filled in, or that you have the option set to redirect the client gateway so that all traffic goes over the tunnel.



  • Hmmmm.
    Which version of windows are you using?

    If its not windows XP, you need to right click the install file and "run as admin" otherwise you get connected but won't route you anywhere.
    If you didn't install it as admin, easy fix is uninstall it, then reinstall (Run as admin this time).

    Occasionally you get an issue where you have to allow it in your firewall rules on a windows box, depending on the firewall.