Other VPN protocols?



  • Hey

    I couldn't help to notice that pfsense only offers PPTP (unsecure), LT2P, OpenVPN and IPSec. All good and well VPN standards, but why isnt there support for SSTP and IKEv2 or any Open Source Version of IKEv2?



  • IKEv2 is supported in pfSense 2.2.



  • Under IPsec tab then?

    And why isnt SSTP supported? Many hotels or workplaces Lock every port over 1024, rendering most of these VPN tunnels useless



  • And why isnt SSTP supported?

    No idea.


  • Banned

    @KOM:

    And why isnt SSTP supported?

    No idea.

    Hmmm, probably because IP over TCP tunnels suck big time.



  • By suck, you mean blow?  Like huge latency?

    There is also this, which I plagiarized…

    SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem



  • Maybe there is no support for SSTP because you can run OpenVPN on low ports or TCP, and it's not Microsoft's standard…



  • I can understand the limitations on SSTP due to bandwith-issues and so on, and I've tried using OpenVPN on lower ports, the only problem is that the Client that you can extract still uses high ports for initial communication.

    Tried IPSec now, but I Guess I have to fiddle with it to make it work.


  • Banned

    @Slasky:

    the only problem is that the Client that you can extract still uses high ports for initial communication.

    Huh? Pretty much everything uses high ports as source ports. Ports <1024 are generally reserved for users with special permissions on the sane part of OSes. What insane firewall are you being behind? You cannot even have a working web browser if you block those.


  • LAYER 8 Netgate

    The only port you should be concerning yourself with on OpenVPN is the destination port the server listens on.  The other side is "random."



  • @doktornotor:

    @Slasky:

    the only problem is that the Client that you can extract still uses high ports for initial communication.

    Huh? Pretty much everything uses high ports as source ports. Ports <1024 are generally reserved for users with special permissions on the sane part of OSes. What insane firewall are you being behind? You cannot even have a working web browser if you block those.

    To answer Your question: My workplace have 2 or 3 firewalls in Place between the local net and internet. One of those Blocks any high-port, to Block any unwanted traffic thats not generally approved. Therefore the need for a sourceport beneath 1024


  • LAYER 8 Netgate

    That must work great.

    You can put these in your advanced settings when you export client configs:

    –port port
        TCP/UDP port number for both local and remote. The current default of 1194 represents the official IANA port number assignment for OpenVPN and has been used since version 2.0-beta17. Previous versions used port 5000 as the default.
    --lport port
        TCP/UDP port number for bind.
    --rport port
        TCP/UDP port number for remote.

    You could also add them in the advanced section on the client if you've already exported.



  • @Slasky:

    Under IPsec tab then?

    And why isnt SSTP supported? Many hotels or workplaces Lock every port over 1024, rendering most of these VPN tunnels useless

    Two things:
    1. You can change what the port number is, I do this when I want separate OpenVPN instances over the same wan IP.

    2. Why would you EVER use a Tijuana glory hole when you've probably got a perfectly good flesh light in your pocket????? ie: You probably have a device that supports tethering. Public WiFi should never be used. Not only for the reasons you specified, but who else are you sharing that network with? Vendor redirects and ad injections are nightmares as well.


  • Banned

    @Slasky:

    @doktornotor:

    @Slasky:

    the only problem is that the Client that you can extract still uses high ports for initial communication.

    Huh? Pretty much everything uses high ports as source ports. Ports <1024 are generally reserved for users with special permissions on the sane part of OSes. What insane firewall are you being behind? You cannot even have a working web browser if you block those.

    To answer Your question: My workplace have 2 or 3 firewalls in Place between the local net and internet. One of those Blocks any high-port, to Block any unwanted traffic thats not generally approved. Therefore the need for a sourceport beneath 1024

    Managed by idiots? As said, this breaks even simple web browsing.



  • Well it might be a layer 7 firewall, allowing high ports from certain programs, but blocking from others.

    Because web-browsing is working fine

    But thanks for the suggestions, gonna try out some of them and look at wireshark and firewall logs to see what happens.


  • LAYER 8 Netgate

    best vpn for windows, iphone, android and many others, indeed.

    Hates me some spammers, precious.



  • The best vpn is the one where you own both ends.  Server and client.


Log in to reply