Re: [Ilugc] OpenVPN's greatness
Thanks, man. I am new to Linux; all of your posts are making me so happy. Can someone please post about Red Hat topics?

with regards
M. A. Swqminadane

-----Original message-----
From: Girish Venkatachalam
Sent: 13/05/2012, 10:25 am
To: Indian Linux User Group Chennai
Subject: [Ilugc] OpenVPN's greatness

Dear LUG,

My VPN hacking is mostly over, and the dynamic DNS issue I had is mostly taken care of. In the process I recognized that for stable site-to-site VPNs a good IPsec-based VPN implementation, like the one found in stock OpenBSD, is suitable. When you want interoperability between different operating systems or between different VPN implementations, then OpenVPN is the way to go.

It is not, as I first thought, a simple popular SSL VPN implementation. It is a lot more than that. It is 100% open source, you can customize it to make commercial variants out of it, and the quality and detail shows. It is fantastic, and you don't have the normal issue of two layers of TCP stacked on top of one another. It uses UDP port 1194, and UDP is nothing but another IP layer when it comes to packet header and protocol overhead.

OpenVPN, 100% open source free software, actually helps you do amazing things, just like qemu, which is also 100% open source and is incredibly convenient for virtualization. Essentially OpenVPN is found on all UNIX platforms, Windows and Mac. The installer I created is only 370KB, and using that you can connect to any OS.

This means that if you have a VPN endpoint based on some commercial product and you want to access that from the wild, then all you have to do is run the OpenVPN client on your Windows or Linux desktop and run the OpenVPN server inside the network protected by the commercial VPN box. But to get that working you have to port forward UDP port 1194 to that machine.

OpenVPN has several facilities to do multiple-client VPNs: it can get you up and running with just a single secret key for testing and learning, you can also do sophisticated routing manipulations (remember this is user-space routing), you can periodically ping to ensure uptime, and so on. It is endlessly configurable and highly sophisticated. It makes me wonder how talented the author James Yonan must be.

Here is the server configuration for multiple clients.

# cat server.conf
dev tun0
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# DH parameters, generated with openssl dhparam (1024 bits was common in 2012; 2048 is the minimum today)
dh /etc/openvpn/dh1024.pem
mode server
server 10.4.0.0 255.255.255.0
ifconfig-pool-persist pool.txt
# a pushed option that takes arguments must be quoted so OpenVPN sees it as one parameter
push "route 172.16.0.0 255.240.0.0"
client-to-client
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
verb 5

Remember the local network behind the VPN is 172.16.0.0/12 here. You should change it in your case.

And the client configuration is:

# cat client.conf
remote 123.201.6.8
dev tun0
nobind
tls-client
ca ca.crt
cert g3vpn.crt
key g3vpn.key
pull
verb 5

This is the client config which can connect to the server. The remote IP is the public IP of the server VPN node. Remember that for each client a new keypair ought to be created.

Using this you can run a commercial-grade, enterprise-class VPN service with just these commands:

# openvpn --config server.conf --daemon

on the server and

# openvpn --config client.conf

But the story does not end here. In order to get this working you have to have the certificates, dh1024.pem and keys.

-Girish
--
Gayatri Hitech
http://gayatri-hitech.com
___
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
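The post stops where the certificates and keys have to exist. The script below is an added example, not Girish's code and not the OpenVPN project's easy-rsa (which automates the same steps): it builds the files the two configs above name (ca.crt, server.crt, server.key, g3vpn.crt, g3vpn.key) with the openssl command-line tool alone. The CA subject, key sizes, lifetimes, the function names `make_openvpn_pki`, `issue_cert` and `verify_role`, and the `sh make_pki.sh /etc/openvpn g3vpn` invocation are assumptions. Each certificate carries an extendedKeyUsage for its role; that is what lets a client configured with OpenVPN's `remote-cert-tls server` refuse a peer that presents a client certificate, and `verify_role` performs the same check with `openssl verify -purpose`.

```shell
#!/bin/sh
# Added example, not from the original post: build the PKI that the posted
# server.conf and client.conf reference, using only the openssl CLI.
# File names follow the post; subjects, key sizes and lifetimes are assumptions.
set -eu

# Issue one leaf certificate signed by the CA in $1.
#   $1 = pki dir, $2 = cert name, $3 = extendedKeyUsage (serverAuth | clientAuth)
issue_cert() {
    dir=$1; name=$2; eku=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # Leaf extensions: never a CA, and an EKU that pins the role so a client
    # certificate can never be accepted as the server side (and vice versa).
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
    rm -f "$dir/$name.csr" "$dir/$name.ext"
    chmod 600 "$dir/$name.key"
}

# Create ca.crt/ca.key, server.crt/server.key and one client cert in $1.
#   $1 = pki dir, $2 = client name (default g3vpn, as in the posted client.conf)
make_openvpn_pki() {
    dir=$1; client=${2:-g3vpn}
    mkdir -p "$dir"
    # Self-signed CA whose key usage is limited to signing certificates and CRLs.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example OpenVPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    rm -f "$dir/ca.csr" "$dir/ca.ext"
    chmod 600 "$dir/ca.key"
    # One server certificate, one client certificate; call issue_cert again
    # with a new name for every further client (one keypair per client).
    issue_cert "$dir" server serverAuth
    issue_cert "$dir" "$client" clientAuth
}

# Exit 0 only if $1/$2 chains to $1/ca.crt AND is usable for purpose $3
# (sslserver or sslclient): the EKU check that remote-cert-tls relies on.
verify_role() {
    openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# Stand-alone use: sh make_pki.sh <dir> [client-name]
if [ $# -gt 0 ]; then
    make_openvpn_pki "$1" "${2:-g3vpn}"
    verify_role "$1" server.crt sslserver && echo "server.crt: ok for sslserver"
    verify_role "$1" "${2:-g3vpn}.crt" sslclient && echo "${2:-g3vpn}.crt: ok for sslclient"
fi
```

dh1024.pem is not produced here; `openssl dhparam -out /etc/openvpn/dh2048.pem 2048` generates it (slowly), and the `dh` line in server.conf then points at that file. Copy ca.crt plus the client's own .crt/.key to the client, keep ca.key off every VPN node, and note that `verify_role dir g3vpn.crt sslserver` fails by design, which is the property the `remote-cert-tls server` client option turns into a hard connection refusal.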
Re: [Ilugc] OpenVPN's greatness
Hi,

Thanks for the detailed information. Personally I use strongSwan for IPsec VPN; I will try OpenVPN.

thanks
suresh
Re: [Ilugc] OpenVPN's greatness
On Sun, May 13, 2012 at 5:27 PM, swaminadane...@gmail.com swaminadane...@gmail.com wrote:
> Thanks, man. I am new to Linux; all of your posts are making me so happy. Can someone please post about Red Hat topics?
> with regards
> M. A. Swqminadane

Thanks. Let us wait and see if your interest will sustain for 10 years. Then we will have gotten somewhere. I have normally only met 22-year-old kids in the LUG. No experienced hands. Nobody wants to study beyond 30, but they are very interested in *** even when they are 80. This is very interesting, no? ;)

-Girish
Re: [Ilugc] OpenVPN's greatness
On Sun, May 13, 2012 at 6:06 PM, Suresh Kumar sureshkumar...@gmail.com wrote:
> Hi, Thanks for the detailed information. Personally I use strongSwan for IPsec VPN; I will try OpenVPN.

You should try OpenBSD. It is not written in some alien language; Linux is not the only OS out there. There are only two people in LUG who talk about OpenBSD. And I have been in LUG for more than 6 years. Not a single soul has learnt it. Sigh.

-Girish
Re: [Ilugc] OpenVPN's greatness
Hi boss, I am 36, and I have been interested in learning since I was 25, but my situation makes me take sooo long. :)

with regards
M. A. Swaminadane

-----Original message-----
From: Girish Venkatachalam
Sent: 13/05/2012, 6:32 pm
To: ILUG-C
Subject: Re: [Ilugc] OpenVPN's greatness

> On Sun, May 13, 2012 at 5:27 PM, swaminadane...@gmail.com swaminadane...@gmail.com wrote:
> > Thanks, man. I am new to Linux; all of your posts are making me so happy. Can someone please post about Red Hat topics?
> > with regards
> > M. A. Swqminadane
>
> Thanks. Let us wait and see if your interest will sustain for 10 years. Then we will have gotten somewhere. I have normally only met 22-year-old kids in the LUG. No experienced hands. Nobody wants to study beyond 30, but they are very interested in *** even when they are 80. This is very interesting, no? ;)
>
> -Girish
Re: [Ilugc] OpenVPN's greatness
On Sun, May 13, 2012 at 6:37 PM, swaminadane...@gmail.com swaminadane...@gmail.com wrote:
> Hi boss, I am 36, and I have been interested in learning since I was 25, but my situation makes me take sooo long. :)
> with regards
> M. A. Swaminadane

Sorry, I did not mean to hurt. I am generally frustrated with not finding any useful technical material in our geography, that is all. Nothing personal. Best of luck.

-Girish
[Ilugc] Introduction to firewalls
Although my company has no firewall product yet, I have a customer who uses our firewall. This sounds crazy, no? Yet it is indeed crazy.

What I thought was a basic firewall is different from what I now think. And I think in a few months' time I might end up building what is known as a UTM. UTM stands for unified threat management. It manages all kinds of threats: Snort IDS, IPS, spam control, port and site blocking et al.

But then a firewall is a combination of not just active functions like this. You need certain passive monitoring facilities like network monitoring. It is not just SNMP stuff. You have a Cisco open standard called NetFlow. That helps you collect packet flows and display them. I have never managed to get it working.

A firewall has to be able to monitor the goings-on in the network, which is basically nothing but various kinds of traffic. A glorified tcpdump, you can say. Now it also needs various reports and graphs. Easily managed with a little bit of rrdtool magic and SQLite database manipulation. In other words, a firewall is expected to give adequate active protection as well as a dashboard of the local network. Of course firewalls should have VPN and ISP link load balancer features too.

I believe this is part of the UTM concept, since everyone in the market seems to be quite dumbfounded by the firewall term; it is almost as abused as the word sex. It is used for anything and everything. But in reality it is only concerned with basic port and IP blocking. But that is a textbook definition which nobody is going to understand. It protects your network alright.

And that is what my first firewall deployment attempted to do. Block all packets and allow only explicitly allowed traffic. But it crumbled down. Why? Because a basic IP-based kernel firewall does not cut it. Nowadays every bank, e-mail site and nearly anyone with money goes for a pool of IP addresses for their site. If it is LinkedIn or Facebook you are toast, not to mention Google.

So you have to do what is known as URL blocking or URL filtering. Now Squid is what comes to mind. But I don't like it. For whatever reason. Squid has time-based blocking, caching and so on. I ended up using an open source tool called tinyproxy, which does excellent URL filtering although it is not very stable. It keeps crashing. But I can manage it.

A basic URL filter takes an HTTP URL and inspects it to see if it is allowed or not. Now the DNS backend takes care of the IP pool problem I spoke of above. The URL is what is inspected to do allow/deny in userland. This has been a big relief for me.

Now this works only for web URLs. What about HTTPS? What about other protocols like FTP and p2p traffic? What about IM? There is a tool called imspector, which is a C++ open source project that can help you log your chat messages.

Then you have to do what is known as content filtering. Whenever some customer asks me this I stare blankly. What does this mean? You mean inspect every damn packet to look into what it contains? Read every e-mail at wire speed? I just dunno how to do it. Perhaps later.

Normally firewalls come with multiple WAN ports and multiple LAN ports. They are able to do certain WiFi AP functions like RADIUS authentication and stuff known as captive portal. Check out the pfSense project, which is an open source FreeBSD-based firewall.

I have to take dinner. Moreover this mail has gotten too long and too broad. I will send another to deal with this topic again.

-Girish
--
Gayatri Hitech
http://gayatri-hitech.com
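The point above, that an IP-based kernel rule set loses against sites served from address pools while a userland filter can decide on the URL, comes down to a host-name match with a default-deny fallback. The script below is an added example, not Girish's code and not tinyproxy's filter implementation: the allow list, the four sample proxy request lines and the function names `url_host`, `url_allowed` and `audit_requests` are constructed for illustration. It takes the host out of an absolute URL or a CONNECT target and allows it only when it equals a listed domain or is a subdomain of one, so a look-alike such as example.org.evil.net and a raw IP literal that bypasses DNS are both denied.

```shell
#!/bin/sh
# Added example, not from the original post: URL-based allow/deny logic of the
# kind a userland HTTP proxy filter applies. Allow list, sample requests and
# function names are constructed for illustration.
set -eu

# Constructed allow list: one domain per line. A host is allowed if it is
# exactly one of these or ends in ".<entry>" (a real subdomain, not a substring).
ALLOWED_DOMAINS='example.org
mail.example.com'

# Constructed proxy request lines ("METHOD target HTTP/1.1"), as an explicit
# proxy sees them; the CONNECT form is how an HTTPS host becomes visible.
SAMPLE_REQUESTS='GET http://www.example.org/index.html HTTP/1.1
CONNECT mail.example.com:443 HTTP/1.1
GET http://example.org.evil.net/phish HTTP/1.1
CONNECT 93.184.216.34:443 HTTP/1.1'

# Print the lower-cased host part of an absolute URL or a host:port target.
url_host() {
    h=${1#*://}                 # drop scheme, if any
    h=${h%%/*}                  # drop path
    h=${h##*@}                  # drop userinfo
    case $h in
        \[*\]*) h=${h#\[}; h=${h%%\]*} ;;   # bracketed IPv6 literal
        *)      h=${h%%:*} ;;               # drop port
    esac
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Exit 0 if the URL's host is on the allow list, 1 otherwise (default deny).
url_allowed() {
    host=$(url_host "$1")
    [ -n "$host" ] || return 1
    for d in $ALLOWED_DOMAINS; do
        case $host in
            "$d"|*."$d") return 0 ;;        # exact domain or genuine subdomain
        esac
    done
    return 1
}

# Run the decision over request lines passed in $1; prints "ALLOW|DENY target".
audit_requests() {
    printf '%s\n' "$1" | while read -r method target _; do
        if url_allowed "$target"; then
            echo "ALLOW $target"
        else
            echo "DENY $target"
        fi
    done
}

# Stand-alone use: sh urlfilter.sh   (prints the decision for each sample line)
if [ $# -eq 0 ] && [ "${URLFILTER_DEMO:-1}" = 1 ]; then
    audit_requests "$SAMPLE_REQUESTS"
fi
```

The `case` pattern `"$d"|*."$d"` is the whole point: a substring test would let example.org.evil.net through, and an IP-only rule would have to enumerate every address a large site answers from. Because the filter only ever sees a URL or a CONNECT line, it covers exactly the traffic that goes through the proxy, which is why the post's questions about FTP, p2p and IM remain open.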
Re: [Ilugc] OpenVPN's greatness
On Sun, May 13, 2012 at 6:34 PM, Girish Venkatachalam girishvenkatacha...@gmail.com wrote:
> You should try OpenBSD. It is not written in some alien language; Linux is not the only OS out there. There are only two people in LUG who talk about OpenBSD. And I have been in LUG for more than 6 years. Not a single soul has learnt it.

Maybe because it's a LINUX user group? :)

--
Vignesh Nandha Kumar
http://vigneshnandhakumar.in