Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Other VPN protocols?

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 7 Posters 4.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      Slasky
      last edited by

      Hey

      I couldn't help to notice that pfsense only offers PPTP (unsecure), LT2P, OpenVPN and IPSec. All good and well VPN standards, but why isnt there support for SSTP and IKEv2 or any Open Source Version of IKEv2?

      1 Reply Last reply Reply Quote 0
      • KOMK Offline
        KOM
        last edited by

        IKEv2 is supported in pfSense 2.2.

        1 Reply Last reply Reply Quote 0
        • S Offline
          Slasky
          last edited by

          Under IPsec tab then?

          And why isnt SSTP supported? Many hotels or workplaces Lock every port over 1024, rendering most of these VPN tunnels useless

          1 Reply Last reply Reply Quote 0
          • KOMK Offline
            KOM
            last edited by

            And why isnt SSTP supported?

            No idea.

            1 Reply Last reply Reply Quote 0
            • D Offline
              doktornotor Banned
              last edited by

              @KOM:

              And why isnt SSTP supported?

              No idea.

              Hmmm, probably because IP over TCP tunnels suck big time.

              1 Reply Last reply Reply Quote 0
              • K Offline
                kejianshi
                last edited by

                By suck, you mean blow?  Like huge latency?

                There is also this, which I plagiarized…

                SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem

                1 Reply Last reply Reply Quote 0
                • dotdashD Offline
                  dotdash
                  last edited by

                  Maybe there is no support for SSTP because you can run OpenVPN on low ports or TCP, and it's not Microsoft's standard…

                  1 Reply Last reply Reply Quote 0
                  • S Offline
                    Slasky
                    last edited by

                    I can understand the limitations on SSTP due to bandwith-issues and so on, and I've tried using OpenVPN on lower ports, the only problem is that the Client that you can extract still uses high ports for initial communication.

                    Tried IPSec now, but I Guess I have to fiddle with it to make it work.

                    1 Reply Last reply Reply Quote 0
                    • D Offline
                      doktornotor Banned
                      last edited by

                      @Slasky:

                      the only problem is that the Client that you can extract still uses high ports for initial communication.

                      Huh? Pretty much everything uses high ports as source ports. Ports <1024 are generally reserved for users with special permissions on the sane part of OSes. What insane firewall are you being behind? You cannot even have a working web browser if you block those.

                      1 Reply Last reply Reply Quote 0
                      • DerelictD Offline
                        Derelict LAYER 8 Netgate
                        last edited by

                        The only port you should be concerning yourself with on OpenVPN is the destination port the server listens on.  The other side is "random."

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • S Offline
                          Slasky
                          last edited by

                          @doktornotor:

                          @Slasky:

                          the only problem is that the Client that you can extract still uses high ports for initial communication.

                          Huh? Pretty much everything uses high ports as source ports. Ports <1024 are generally reserved for users with special permissions on the sane part of OSes. What insane firewall are you being behind? You cannot even have a working web browser if you block those.

                          To answer Your question: My workplace have 2 or 3 firewalls in Place between the local net and internet. One of those Blocks any high-port, to Block any unwanted traffic thats not generally approved. Therefore the need for a sourceport beneath 1024

                          1 Reply Last reply Reply Quote 0
                          • DerelictD Offline
                            Derelict LAYER 8 Netgate
                            last edited by

                            That must work great.

                            You can put these in your advanced settings when you export client configs:

                            –port port
                                TCP/UDP port number for both local and remote. The current default of 1194 represents the official IANA port number assignment for OpenVPN and has been used since version 2.0-beta17. Previous versions used port 5000 as the default.
                            --lport port
                                TCP/UDP port number for bind.
                            --rport port
                                TCP/UDP port number for remote.

                            You could also add them in the advanced section on the client if you've already exported.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            1 Reply Last reply Reply Quote 0
                            • J Offline
                              jgraham5481
                              last edited by

                              @Slasky:

                              Under IPsec tab then?

                              And why isnt SSTP supported? Many hotels or workplaces Lock every port over 1024, rendering most of these VPN tunnels useless

                              Two things:
                              1. You can change what the port number is, I do this when I want separate OpenVPN instances over the same wan IP.

                              2. Why would you EVER use a Tijuana glory hole when you've probably got a perfectly good flesh light in your pocket????? ie: You probably have a device that supports tethering. Public WiFi should never be used. Not only for the reasons you specified, but who else are you sharing that network with? Vendor redirects and ad injections are nightmares as well.

                              1 Reply Last reply Reply Quote 0
                              • D Offline
                                doktornotor Banned
                                last edited by

                                @Slasky:

                                @doktornotor:

                                @Slasky:

                                the only problem is that the Client that you can extract still uses high ports for initial communication.

                                Huh? Pretty much everything uses high ports as source ports. Ports <1024 are generally reserved for users with special permissions on the sane part of OSes. What insane firewall are you being behind? You cannot even have a working web browser if you block those.

                                To answer Your question: My workplace have 2 or 3 firewalls in Place between the local net and internet. One of those Blocks any high-port, to Block any unwanted traffic thats not generally approved. Therefore the need for a sourceport beneath 1024

                                Managed by idiots? As said, this breaks even simple web browsing.

                                1 Reply Last reply Reply Quote 0
                                • S Offline
                                  Slasky
                                  last edited by

                                  Well it might be a layer 7 firewall, allowing high ports from certain programs, but blocking from others.

                                  Because web-browsing is working fine

                                  But thanks for the suggestions, gonna try out some of them and look at wireshark and firewall logs to see what happens.

                                  1 Reply Last reply Reply Quote 0
                                  • DerelictD Offline
                                    Derelict LAYER 8 Netgate
                                    last edited by

                                    best vpn for windows, iphone, android and many others, indeed.

                                    Hates me some spammers, precious.

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                    1 Reply Last reply Reply Quote 0
                                    • K Offline
                                      kejianshi
                                      last edited by

                                      The best vpn is the one where you own both ends.  Server and client.

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.