IPsec VPN for non-technical Windows users
-
-
Bunch of crap, oh yeah… such as Cisco VPN Client. Oh, why don't they use the totally trustworthy, wonderful and absolutely best M$ native client? Absolutely cannot be that it sucks, no?
And on that note, the PPTP has had excellent results, no? No damn waste of time required with implementing backdoors, everyone can get the data without any effort! :P
Seems like you took the wrong-colored pill last time.
Any particular reason to prefer OpenVPN over the Shrew Soft one?
Yeah. That any particular reason is that it works. No matter what, no matter whether you are behind NAT or not, and without wasting days of time with tweaking the "oh so wonderful" native MS stuff.
-
The OpenVPNManager GUI (checkbox option in the client export) installs OpenVPN as a service and is simpler for the user to use. It doesn't support multiple profiles, though.
And M$ can't be trusted, because they can't be trusted. It's old, but it's true. Just because the horse is dead doesn't mean it doesn't need an occasional beating if nobody is cleaning up the mess.
PPTP may have worked for years, but it can be decrypted 100% of the time by a third party. It was never secure, who knows how long that flaw was known before it was published.
There are OpenVPN clients for every major OS – Windows, OS X, BSD, Linux, Android, iOS, and so on. There really isn't any reason not to use it these days.
-
There are only two good reasons to run the VPNs built into Microsoft vs. Openvpn.
1. So much legacy infrastructure and legacy clients thats all you can support reliable/universally. Not often the case.
2. The Admin is a moron. Happens alot.Openvpn just works… If it doesn't work, its usually because there is no internet.
The other VPN techs range from bad to good but all are less reliable than openvpn across a variety of network conditions / NAT.
-
stick with OpenVPN.
Any particular reason to prefer OpenVPN over the Shrew Soft one?
The Shrew Soft client is even more difficult to work with than OpenVPN in most ways. With OpenVPN you can export a client configuration right from pfSense and be running in a couple minutes. With Shrew Soft it's all manual config (you can save it and import it to other clients later, but still a lot of manual work).
-
OpenVPN sounds like just the ticket then. Thanks for all the info folks, even if some of it seems to presented in a somewhat aggressive manner. Not sure if I have taken the wrong pill in the past, but a few chill-pills wouldn't go amiss today, that's for sure.
-
The Shrew Soft client is even more difficult to work with than OpenVPN in most ways. With OpenVPN you can export a client configuration right from pfSense and be running in a couple minutes. With Shrew Soft it's all manual config (you can save it and import it to other clients later, but still a lot of manual work).
Yeah, I just wasted a day with configuring that thing… It works. Between exactly defined sites A and B. Explicitely said in the contract that there is absolutely no guarantee it's gonna work elsewhere, not that it will work once they've reconfigured their routers, DNS, CAs or anything else in any way.
-
The Shrew Soft client is even more difficult to work with than OpenVPN in most ways. With OpenVPN you can export a client configuration right from pfSense and be running in a couple minutes. With Shrew Soft it's all manual config (you can save it and import it to other clients later, but still a lot of manual work).
Yeah, I just wasted a day with configuring that thing… It works. Between exactly defined sites A and B. Explicitely said in the contract that there is absolutely no guarantee it's gonna work elsewhere, not that it will work once they've reconfigured their routers, DNS, CAs or anything else in any way.
Using Shrew Soft is better these days now that we do support pushing settings to IPsec using mod cfg. It's not quite that dire in most cases now. It used to be absolutely horrible to use (not Shrew Soft's fault at the time, but our lack of auto support). Now with the right settings on both ends it's tolerable, but still quite a ways behind OpenVPN in practically every way.
-
There are only two good reasons to run the VPNs built into Microsoft vs. Openvpn.
1. So much legacy infrastructure and legacy clients thats all you can support reliable/universally. Not often the case.
2. The Admin is a moron. Happens alot.To play devil's advocate wrt "native" MS VPN, what about using GPO to provision VPN client settings ?
-
Already been said there's no support for L2TP/IPsec in pfSense. Nothing to push, will not work.
-
To summarize:
pfSense supports IPsec IKEv1 using the standard "ipsec-tools" package (also used by most Linux distros)
Windows prior to 7 wants L2TP/IPsec, not plain IPsec IKEv1. That does not work with pfSense.
Windows 7 and later actually has native IPsec but uses IKEv2 (not IKEv1). Which again does not work with pfSense.PPTP is considered deprecated, but anyway pf lacks a PPTP-proxy.
-
GPO wouldn't make anything rolled into microsoft more reliable (or even as reliable) than openvpn. Just easier.
-
Okay, that all seemed easy enough to get set up - my client is connected. Am I correct in thinking that the rule created by the OpenVPN wizard (looks like a * * * * * * allow-all rule) should mean that anyone connecting via the VPN has access to everything?
-
Yes that's correct. You can tighten that up as needed of course.
-
Brilliant. I can't actually ping or reach anything at the moment, but I've not read any of the docs yet, so I'll go and check up on some of the OpenVPN-related stuff.
Thanks, all.
M
-
The client needs to run as Administrator (unless you're using the openvpnmanager gui running it as a service) or it can't add routes.
To make sure you're actually pushing routes to the client, ensure you have the "local network" box filled in, or that you have the option set to redirect the client gateway so that all traffic goes over the tunnel.
-
Hmmmm.
Which version of windows are you using?If its not windows XP, you need to right click the install file and "run as admin" otherwise you get connected but won't route you anywhere.
If you didn't install it as admin, easy fix is uninstall it, then reinstall (Run as admin this time).Occasionally you get an issue where you have to allow it in your firewall rules on a windows box, depending on the firewall.
